getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License

Computer is still using ISP's DNS service after setting up Stubby (likely has to do with my connection management program) #313

Closed tristanbay closed 1 year ago

tristanbay commented 2 years ago

I installed Stubby, as well as the required init script for my init system (OpenRC), and then modified my etc/stubby/stubby.yml file to change the DNS servers I'm using, as well as a couple other related settings. After starting the Stubby service, running stubby -i, restarting the service, refreshing a tab in my browser, and then running a DNS leak test in that browser tab, it still says that I'm using my ISP's DNS servers.

I think it may have to do with the fact that I'm handling my network connections with ConnMan, and I think that it uses a proxy to direct DNS queries sent to 127.0.0.1 and 0::1 to use the DNS server(s) of whatever router I'm connected to, and I think it locally caches the results of each query if the proxy is turned on.

What may be happening is that ConnMan is directing the queries before they reach Stubby, so Stubby won't be able to direct them to the DNS servers that I set instead. I've also tried turning this proxy off by modifying ConnMan's init script so that it'll start with the proxy disabled, but instead of automatically overwriting my etc/resolv.conf file to 127.0.0.1 and 0::1, it overwrites it to some of the addresses of my ISP's DNS servers, which then means that the queries don't even touch the local addresses that Stubby listens to.

So how do I get ConnMan to play nicely with Stubby?
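
Added example, not part of the original post or of the Stubby project: the symptom described above (resolv.conf being rewritten to the ISP's servers) can be checked by listing every `nameserver` entry that is not a loopback address, since those resolvers are reached without going through Stubby. The function names, the sample files and the 192.0.2.53 / 2001:db8::53 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: find resolv.conf entries that bypass a local stub resolver.

# Reads resolv.conf text on stdin and prints each nameserver that is NOT a
# loopback address (one per line). Comment lines and other keywords are skipped.
non_loopback_nameservers() {
    while read -r keyword addr _rest || [ -n "$keyword" ]; do
        [ "$keyword" = "nameserver" ] || continue
        [ -n "$addr" ] || continue
        case "$addr" in
            127.*) ;;                       # IPv4 loopback, 127.0.0.0/8
            ::1|0::1|0:0:0:0:0:0:0:1) ;;    # common spellings of IPv6 loopback
            *) printf '%s\n' "$addr" ;;
        esac
    done
    return 0
}

# Succeeds only if no listed nameserver lies outside loopback. A file that
# mixes 127.0.0.1 with an external server still fails: the libc resolver can
# fall through to the later entry when the first one does not answer.
resolv_uses_only_local_stub() {
    [ -z "$(non_loopback_nameservers)" ]
}

# Constructed sample: the file as the post describes it with the proxy enabled.
SAMPLE_PROXY_ON='# constructed sample
nameserver 127.0.0.1
nameserver 0::1'

# Constructed sample: the file after it was rewritten with upstream servers
# (documentation-range placeholders, not real ISP resolvers).
SAMPLE_PROXY_OFF='# constructed sample
nameserver 192.0.2.53
nameserver 2001:db8::53'

for sample in "$SAMPLE_PROXY_ON" "$SAMPLE_PROXY_OFF"; do
    if printf '%s\n' "$sample" | resolv_uses_only_local_stub; then
        echo "OK: all nameservers are loopback"
    else
        echo "LEAK: these resolvers are used without the local stub:"
        printf '%s\n' "$sample" | non_loopback_nameservers
    fi
done
```

On a live system, run `non_loopback_nameservers < /etc/resolv.conf`. A clean result only shows that the system resolver points at loopback; it does not show which process is listening there.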

saradickinson commented 2 years ago

I'm sorry, I don't have any experience with ConnMan, but a quick read-up indicates it is a very low-level integration with the OS that may be difficult to bypass.

@wtoorop do you know anything more about ConnMan/OpenRC?

wtoorop commented 2 years ago

> @wtoorop do you know anything more about ConnMan/OpenRC?

Not yet, but I'm willing to set up a VM with it and have a look. I find Arch Linux convenient for such things b.t.w., they have excellent documentation on all the different ways to configure your Linux. See: https://wiki.archlinux.org/title/ConnMan Maybe @Philip-NLnetLabs can work with me on this. I only have time after RIPE84 b.t.w.

Philip-NLnetLabs commented 2 years ago

ConnMan seems to have an option to disable the local proxy, see the section titled "Avoiding conflicts with local DNS server".

I have no experience with OpenRC or ConnMan.

saradickinson commented 1 year ago

I'm closing this issue as there have been no further updates in over 6 months, but I'm going to mark it as a known issue because it wasn't resolved.