Entware / Entware-ng


Package request - Stubby/DNS over TLS #841

Closed jackyaz closed 6 years ago

jackyaz commented 6 years ago

Package: https://github.com/getdnsapi/stubby

For new package to be added:

To replace now abandoned dnscrypt-proxy

Platform:

RT-AC87U running AsusWRT - Merlin

ryzhovau commented 6 years ago

Did you try to configure unbound to use DNS over TLS? What's the killer feature of stubby?

jackyaz commented 6 years ago

I hadn't looked into unbound and the configuration thereafter, as Stubby looked to be a more "install and go" solution.

paway commented 6 years ago

Unbound can work with DNS over TLS. But it only works on one of my devices, not the others. I don't know why.

https://dnsprivacy.org/wiki/plugins/servlet/mobile?contentId=1278021#content/view/1277989

Stubby is recommended by dnsprivacy.org

D1n0Bot commented 6 years ago

Quoted from the link provided above: "Run Unbound as a local forwarder using the ssl_upstream option to encrypt outgoing queries. This provides a local caching resolver but at the moment Unbound doesn't fully support RFC7766 as a client and so you may not see the same performance as from Stubby (which pipelines queries)."

As this is a solution that can be installed and used immediately, I support adding it to Entware, please. Thanks

ryzhovau commented 6 years ago

I'm going to sit on this and wait for a reaction on this PR to avoid doing the same job twice.

iamperson347 commented 6 years ago

Hey Everyone,

The main reason I personally wanted to try stubby (and getdns) was because of some of the connection features. You can see a table here: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status

I tried Unbound but it seemed somewhat slow (on my device at least). It also seemed like DNS requests would time out during regular browsing. It could have just been my connection... but results with stubby have been pretty good for me so far. At times there is some minor latency on initial connection for lookups (somewhat expected), but nothing drastic. Using DNS Bench, once stubby has some connections open, it almost keeps up with an unencrypted connection to the same resolver.

I should mention I still use unbound, but it just sends unencrypted DNS queries locally to stubby (to then be sent out to quad9).

ryzhovau commented 6 years ago

Merged in OpenWrt. Just wait for the next sync.