getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License
1.2k stars 100 forks source link

About Stubby

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!

Stubby provides DNS Privacy by:

Stubby is developed by the getdns team.

Stubby can be used as a command line tool requiring the user to manually modify the system DNS resolvers. A development version of a Stubby Manager GUI is also available for Windows, see Stubby Mananger GUI.

Documentation

See Stubby Homepage for more details

Dependencies

Stubby uses getdns and requires the 1.5.0 release of getdns or later.

It also requires yaml.

Installing Using a Package Manager

Check to see if stubby, getdns and yaml are available via a package manager for your system: https://repology.org/metapackage/stubby/versions https://repology.org/metapackage/getdns/versions https://repology.org/metapackage/libyaml/versions

If you need to install getdns from source, see the section at the end of this document.

Build Stubby from source

A Dockerfile is provided in the contrib directory to build a Docker image from source. See Docker usage docs.

Get the code:

git clone https://github.com/getdnsapi/stubby.git

Build and install (NOTE: from release 0.3.0 stubby uses cmake)

cd stubby
cmake .
make

If you get an error Could NOT find Getdns (missing: GETDNS_LIBRARIES GETDNS_INCLUDE_DIR) then you need to set the following 2 variable as arguements to cmake:

cmake -DGETDNS_LIBRARY=<path to libgetdns> -DGETDNS_INCLUDE_DIR=<path to getdns.h header file> .

A quick start guide to using cmake with getdns is here.

Configure Stubby

It is recommended to use the default configuration file provided which will use 'Strict' privacy mode and spread the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses. This file is installed on *nix systems as /usr/local/etc/stubby/stubby.yml

The configuration file format is a YAML like format and the name of the file must have an extension of .yml. Essentially the configuration options available are the same as the options that can be set on a getdns context - Doxygen documentation for which is available here. To aid with creating a custom configuration file, an example is given below.

NOTE: As of the 0.1.3 release of Stubby the YAML format replaces the JSON like format used in earlier versions of the configuration file for getdns/stubby. The YAML format is more human readable and supports comments allowing options to be easily enabled and disabled. The JSON format is that which is used internally in getdns (it is the same as the output returned by stubby -i) and is still available by directly specifying a file with the name 'stubby.conf' on the command line using the -C option.

Create Custom Configuration File

Alternatively the configuration file location can be specified on the command line using the -C flag. Changes to the configuration file require a restart of Stubby.

The config file below will configure Stubby in the following ways:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list: 
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  -  0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 185.49.141.38
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      digest: "sha256"
       value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

Additional privacy servers can be specified by adding more entries to the upstream_recursive_servers list above (note a separate entry must be made for the IPv4 and IPv6 addresses of a given server. More DNS Privacy test servers are listed here.

A custom port can be specified by adding the tls_port: attribute to the upstream_recursive_server in the config file.

More details can be found in the comments in the default configuration file and at https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby

Run Stubby

Simply invoke Stubby on the command line. By default it runs in the foreground, the -g flag runs it in the background.

> sudo stubby

Or, to let it run as an unprivileged user:

> sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/stubby
> stubby

Platform specific management

The Windows and macOS installers include scripts to run stubby as a managed daemon. We have basic support for using systemd to manage Stubby, see systemd

Test Stubby

A quick test can be done by using dig (or your favourite DNS tool) on the loopback address

> dig @127.0.0.1 www.example.com
> getdns_query -s @127.0.0.1 www.example.com

Modify your upstream resolvers

!!! Once this change is made your DNS queries will be re-directed to Stubby and sent over TLS!
(You may need to restart some applications to have them pick up the network settings).

You can monitor the traffic using Wireshark watching on port 853.

For Stubby to re-send outgoing DNS queries over TLS the system stub resolvers on your machine must be changed to send all the local queries to the loopback interface on which Stubby is listening. This depends on the operating system being run. It is useful to note your existing default nameservers before making this change!

Linux/Unix systems

OS X

A script is provided with Stubby for easier configuration. From the command line you can do the following to switch all your queries to use Stubby

> sudo /usr/local/sbin/stubby-setdns-macos.sh

If you want to reset, just use:

> sudo /usr/local/sbin/stubby-setdns-macos.sh -r

which should pick up the default DHCP nameservers.

You can add /usr/local/sbin to your path to avoid having to type it above by doing

export PATH=/usr/local/sbin:$PATH

Or via the macOs System Settings GUI:

Windows 8 and later

See the file windows/README.txt for a detailed description of building and using Stubby on windows.

Powershell scripts are provided in the the windows directory of the source code that can be used to update the system resolvers. Instructions for how to update the resolvers manually are provided are also provided - see https://dnsprivacy.org/wiki/display/DP/Windows+installer+for+Stubby Stubby has been reported to work on Windows 7, but we don't officially support it.

Notes:

Building getdns from source

Note that from getdns 1.1.3 stubby is included in the getdns code as a git submodule. Therefore stubby and getdns can be built together by following the instructions in the getdns README and setting the BUILD_STUBBY option.

Logging/debugging when building from source

--enable-debug-stub If you do want to see very detailed debug information as messages are processed then add the --enable-debug-stub option to the configure line above (not recommended for use with Stubby)

Contributions

The contrib directory contains code kindly contributed by various people:

vapniks Tom Matthews CameronNemo