getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License

missing config, for local nameservers #32

Open ThomasCr opened 6 years ago

ThomasCr commented 6 years ago

Hi, I miss an option to forward requests for specified domains to a local nameserver, e.g. *.fritz.box or speedport.ip to my router, or mydom.local to my local domain name server, and also 0.0.168.192.in-addr.arpa and so on...

saradickinson commented 6 years ago

A workaround for this is to run Unbound as a local caching forwarder listening on port 53, configured with stub zones as you need and then forwarding all other zones to Stubby on a different port.

An Unbound config file something like the following:

server:
    interface: 127.0.0.1
    do-not-query-localhost: no
stub-zone:
    name: "example.com"
    stub-addr: 192.0.2.68
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053

Combined with an updated stubby.yml that uses:

listen_addresses:
  - 127.0.0.1@8053

Should work. A more detailed description on this kind of setup will be on dnsprivacy.org soon....

ArchangeGabriel commented 6 years ago

For a more complete example, my configuration is:

– unbound.conf

server:
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  root-hints: "/etc/unbound/root.hints"
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@8053
  forward-addr: ::1@8053

– stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 145.100.185.15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 145.100.185.16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 80.67.188.188
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 2001:913::8
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 2a00:5884:8209::2
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  - address_data: 2001:470:1c:76d::53
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=

I’m only using port 443 servers since port 853 is quite often blocked, while 443 almost never is (at least I have never encountered a case where 443 was blocked but not 853).
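A consistency check for the Unbound-in-front-of-Stubby workaround described in the two comments above, added here as an example and not code from the thread or from either project. The two sample configs are constructed to mirror the ones posted, and the parsing is a deliberately minimal regex over the handful of keys involved (not a full YAML or unbound.conf parser); it flags the three things that most often break this setup: the Unbound default `do-not-query-localhost: yes`, a port or address mismatch between `forward-addr` and `listen_addresses`, and a Stubby upstream that is not set to `GETDNS_AUTHENTICATION_REQUIRED`.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's workaround (not the posters' own files).
UNBOUND_CONF = """server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@8053
  forward-addr: ::1@8053
"""
STUBBY_YML = """tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
round_robin_upstreams: 1
"""

def normalize(addr: str, default_port: int = 53) -> tuple[str, int]:
    """Split 'ip@port' (dropping Unbound's optional '#authname' suffix) and canonicalise
    the IP so that Stubby's '0::1' and Unbound's '::1' compare equal."""
    host, _, port = addr.split("#")[0].partition("@")
    return str(ipaddress.ip_address(host)), int(port) if port else default_port

def unbound_forwarders(conf: str) -> set[tuple[str, int]]:
    """All forward-addr targets in unbound.conf; Unbound and Stubby both default to port 53."""
    return {normalize(a) for a in re.findall(r"^\s*forward-addr:\s*(\S+)", conf, re.M)}

def stubby_listeners(yml: str) -> set[tuple[str, int]]:
    """listen_addresses items from stubby.yml; the indented '- item' lines end at the next key."""
    block = re.search(r"^listen_addresses\s*:\n((?:[ \t]+-[^\n]*\n?)+)", yml, re.M)
    return {normalize(a) for a in re.findall(r"-\s*(\S+)", block.group(1))} if block else set()

def check(conf: str, yml: str) -> list[str]:
    """Return the mismatches that break the Unbound-in-front-of-Stubby setup (empty = consistent)."""
    problems = []
    # Unbound defaults to do-not-query-localhost: yes, which silently blocks the forwarder.
    m = re.search(r"^\s*do-not-query-localhost:\s*(\S+)", conf, re.M)
    if m is None or m.group(1).lower() != "no":
        problems.append("unbound: set do-not-query-localhost: no to forward to 127.0.0.1/::1")
    for ip, port in sorted(unbound_forwarders(conf) - stubby_listeners(yml)):
        problems.append(f"unbound forwards to {ip}@{port} but stubby has no such listen_address")
    # Anything other than REQUIRED lets Stubby use the upstream without authenticating it.
    m = re.search(r"^tls_authentication\s*:\s*(\S+)", yml, re.M)
    if m is None or m.group(1) != "GETDNS_AUTHENTICATION_REQUIRED":
        problems.append("stubby: tls_authentication should be GETDNS_AUTHENTICATION_REQUIRED")
    return problems

if __name__ == "__main__":
    print(check(UNBOUND_CONF, STUBBY_YML) or "ok: unbound forwarders and stubby listeners agree")
```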

saradickinson commented 6 years ago

Thanks for this - I've used this example on the website https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients