Installing Stubby on Fedora Linux 27
DNS-over-TLS Part 1: Stubby
Stubby (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is a DNS privacy stub resolver. Among other things, Stubby supports DNS-over-TLS (RFC 7858 "Specification for DNS over Transport Layer Security (TLS)", https://tools.ietf.org/html/rfc7858).
- Stubby availability in pre-compiled form (status December 2017)
- Homebrew (MacOS X)
- Chocolatey (Windows)
- Manjaro-Linux
- Arch-Linux
- Windows Installer https://dnsprivacy.org/wiki/display/DP/Windows+installer+for+Stubby
This document describes the installation from source on Fedora Linux 27:
Install the dependencies
sudo dnf install -y make gcc git libtool libyaml-devel openssl-devel wget
Building Stubby from source
Below are the commands to check out the Stubby source code and to compile and install Stubby. This has been tested on Fedora Linux 27, but it may also work on other recent Linux versions:
mkdir ~/src
cd ~/src
git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout develop
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir build
cd build
../configure --without-libidn --enable-stub-only \
    --with-ssl --with-stubby
make
sudo make install
SELinux fixes
Fedora Linux uses SELinux by default. To be able to use stubby, the security label on the binary needs to be set:
sudo restorecon -v /usr/local/bin/stubby
Review the Stubby default configuration
Stubby configuration is written in YAML (https://en.wikipedia.org/wiki/YAML). Review the default configuration and adapt where needed:
sudo $EDITOR /usr/local/etc/stubby/stubby.yml
Stubby testrun
This command starts Stubby on the command line in the foreground and tests whether the configuration is valid. After the test, terminate Stubby with CTRL+C.
sudo /usr/local/bin/stubby -l
Change the stub-resolver configuration
Stubby listens on port 53 on the loopback IP address for DNS queries from applications. The resolver configuration in /etc/resolv.conf must point to the loopback address.
In this example a very direct way is used: /etc/resolv.conf is rewritten and then made immutable with an extended attribute. In production environments it is cleaner to change the resolver information in NetworkManager. As root:
echo "nameserver 127.0.0.1" > /etc/resolv.conf
chattr +i /etc/resolv.conf
Test DNS queries
dig dnsworkshop.org a
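A post-install check, added here and not part of the original article: it confirms that every nameserver in /etc/resolv.conf is a loopback address and that stubby.yml keeps TLS as the only transport with certificate authentication required, so queries cannot silently fall back to cleartext or to an unauthenticated upstream. The keys tls_authentication and dns_transport_list and the GETDNS_* values are Stubby's own configuration names; the function names and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added check, not part of the original article: verify the two files that
# decide whether DNS traffic really stays inside TLS after the setup.
# Both functions take a file path and return 0 on pass, 1 on fail.

# Pass if every "nameserver" entry in a resolv.conf is a loopback address, so
# no application can be steered to a plaintext resolver behind Stubby's back.
resolv_is_loopback_only() {
    bad=$(awk '$1=="nameserver" && $2!="127.0.0.1" && $2!="::1" {print $2}' "$1")
    [ -z "$bad" ]
}

# Pass if stubby.yml keeps the strict defaults: upstream certificates must
# authenticate, and TLS is the only transport (no UDP/TCP cleartext fallback).
# Handles both the inline "[a, b]" and the block "- item" YAML list forms.
stubby_yml_is_strict() {
    grep -q '^[[:space:]]*tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED' "$1" || return 1
    awk '
        { sub(/#.*/, "") }                          # strip YAML comments
        /^[[:space:]]*$/ { next }                   # blank lines do not end a list
        /^[[:space:]]*dns_transport_list:/ {        # inline form on the same line
            inlist = 1
            if ($0 ~ /GETDNS_TRANSPORT_(UDP|TCP)/) bad = 1
            next
        }
        inlist && /^[[:space:]]*-/ {                # block form, one item per line
            if ($0 ~ /GETDNS_TRANSPORT_(UDP|TCP)/) bad = 1
            next
        }
        { inlist = 0 }                              # any other key ends the list
        END { exit bad }
    ' "$1"
}

# Constructed sample inputs so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.ok"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv.leak"
printf 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED\ndns_transport_list:\n  - GETDNS_TRANSPORT_TLS\n' > "$tmp/strict.yml"
printf 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED\ndns_transport_list: [GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_UDP]\n' > "$tmp/fallback.yml"
for f in resolv.ok resolv.leak; do
    resolv_is_loopback_only "$tmp/$f" && echo "$f: loopback only" || echo "$f: non-loopback nameserver present"
done
for f in strict.yml fallback.yml; do
    stubby_yml_is_strict "$tmp/$f" && echo "$f: strict TLS" || echo "$f: cleartext fallback or no authentication"
done
```

On a real system, point the two functions at /etc/resolv.conf and /usr/local/etc/stubby/stubby.yml.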
Systemd unit
Now that Stubby has been successfully tested, stop the running stubby process with CTRL+C and create a new unit configuration for systemd in /etc/systemd/system/stubby.service:
[Unit]
Description=Stubby DNS-over-TLS Stub-Resolver
After=network.target

[Service]
ExecStart=/usr/local/bin/stubby -l

[Install]
WantedBy=multi-user.target
Start and enable Stubby
Register the new unit file in systemd and start Stubby:
systemctl daemon-reload
systemctl enable --now stubby
systemctl status stubby
Now the enhanced privacy of Stubby is available to all applications on the system.