local encrypted DNS stub resolver
Hi everyone,
It is good practice, for both privacy and security, to run a local encrypted DNS stub resolver, so I wanted to share how I do it.
It is as simple as copying and pasting the few lines of code below.
apt install stubby
stubby.yml is stubby's configuration file.
See the attachment below and configure it to your liking (mainly the last part, with the addresses of your chosen DNS resolver).
Once configured, it has to be placed at
/etc/stubby/stubby.yml
Now you can run the following bash command (as root, since it writes to a file under /etc) to set stubby up to start at boot time.
PS: you can alternatively use your OS's GUI tools to do the same.
echo "stubby >/dev/null 2>&1 &" >> /etc/rc.d/rc.local
stubby runs on your local machine as a server, so you need to point your network manager's DNS setting to 127.0.0.1 in order to use the DNS resolver specified in stubby.yml.
So configure the network manager's nameserver to 127.0.0.1.
e.g. open connman, go to the NIC you use to surf the internet, click DNS settings, set 127.0.0.1 under "name servers" and APPLY/SAVE the changes.
See also the image attached below.
Now you can run it
stubby &
Below is an example stubby.yml, attached. Rename it, removing the fake .gz extension.
This example uses the Mullvad DNS resolver, with the Quad9 ones commented out (not in use).
Each DNS resolver has its own IP addresses and auth names. See "Note 2" below.
Note 1: make sure you keep the indentation (spaces) exactly as it is in stubby.yml, otherwise stubby will fail with errors when you run it. Do not change the spacing; just replace the IP addresses and auth names if you want to switch to your chosen DNS resolver provider.
Note 2: you can choose and use your favourite DNS resolver; a nice list of private and secure providers can be found here.
Note 3: this solution makes your OS use DoT (DNS over TLS) whenever it resolves a domain name. DoT and DoH are two different protocols with similar yet distinct use cases. You can google them to learn more.
Note 4: for a full explanation of stubby.yml, please refer to its GitHub page.
Note 5: you can use dnsleaktest.sh to test stubby.
An example of the output of dnsleaktest.sh:
~$ dnsleaktest.sh
Your IP:
blablabla
You use 2 DNS servers:
89.238.154.6 [United Kingdom AS9009 M247 Europe SRL]
2001:ac8:31:f010::2 [United Kingdom AS9009 M247 Europe SRL]
Conclusion:
DNS may be leaking.
This confirms you are using Mullvad's encrypted DNS.
The "Conclusion: DNS may be leaking." line can be ignored, as what the script tests for does not apply to our scenario.
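To make the two checks above repeatable, here is a small POSIX sh script I am adding as an example (it is not part of the original post, stubby, or dnsleaktest.sh). It assumes the two Mullvad addresses shown in the output above are the resolvers configured in stubby.yml, and it works on constructed sample files rather than the live system: one function confirms that every nameserver line in a resolv.conf points at loopback (so the OS can only talk to the local stub), the other reads saved dnsleaktest.sh output and passes only when every observed DNS server is on the expected list, deliberately ignoring the script's own "may be leaking" verdict. A placeholder address from the TEST-NET range stands in for an unexpected resolver.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for a local
# stub-resolver setup. Assumes the resolvers configured in stubby.yml are the
# two Mullvad addresses shown in the post's dnsleaktest.sh output.

# Expected upstream resolver addresses (the ones stubby.yml points to).
EXPECTED_DNS="89.238.154.6 2001:ac8:31:f010::2"

# check_resolv_conf FILE
# Returns 0 when FILE has at least one nameserver line and every nameserver
# is a loopback address (127.0.0.1 or ::1); returns 1 otherwise.
check_resolv_conf() {
    file=$1
    found=0
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue   # skip comments, options, search
        found=1
        case "$value" in
            127.0.0.1|::1) ;;
            *) echo "non-loopback nameserver: $value" >&2; return 1 ;;
        esac
    done < "$file"
    [ "$found" -eq 1 ]
}

# check_leaktest FILE
# Reads saved dnsleaktest.sh output. Server lines look like
# "ADDR [Country ASnnnn Org]"; returns 0 only when at least one server was
# observed and all of them are in EXPECTED_DNS. The script's own
# "DNS may be leaking." verdict is ignored on purpose.
check_leaktest() {
    file=$1
    seen=0
    while read -r addr rest; do
        case "$rest" in
            "["*) ;;          # second field starts with "[" -> a server line
            *) continue ;;
        esac
        seen=$((seen + 1))
        ok=0
        for e in $EXPECTED_DNS; do
            [ "$addr" = "$e" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected DNS server: $addr" >&2
            return 1
        fi
    done < "$file"
    [ "$seen" -gt 0 ]
}

# Constructed sample inputs (mirroring the post's example output); the
# 192.0.2.x addresses are TEST-NET placeholders, not real resolvers.
TMP=${TMPDIR:-/tmp}/stubcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/resolv.conf" <<'EOF'
# Generated by the network manager
nameserver 127.0.0.1
EOF
cat > "$TMP/resolv_bad.conf" <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.1
EOF
cat > "$TMP/leak.txt" <<'EOF'
Your IP:
blablabla
You use 2 DNS servers:
89.238.154.6 [United Kingdom AS9009 M247 Europe SRL]
2001:ac8:31:f010::2 [United Kingdom AS9009 M247 Europe SRL]
Conclusion:
DNS may be leaking.
EOF
cat > "$TMP/leak_bad.txt" <<'EOF'
You use 1 DNS servers:
192.0.2.53 [Somewhere AS64496 Example ISP]
EOF

check_resolv_conf "$TMP/resolv.conf" && echo "resolv.conf OK: only loopback nameservers"
check_resolv_conf "$TMP/resolv_bad.conf" || echo "resolv.conf FAIL: a non-loopback nameserver is present"
check_leaktest "$TMP/leak.txt" && echo "leak test OK: only expected resolvers observed"
check_leaktest "$TMP/leak_bad.txt" || echo "leak test FAIL: unexpected resolver in output"
```

On a live system, point check_resolv_conf at /etc/resolv.conf and feed check_leaktest with `dnsleaktest.sh > leak.txt` after updating EXPECTED_DNS to whatever provider you put in stubby.yml. A resolver that is not on that list showing up in the leak test means some application or the network manager is bypassing the local stub.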