14 Feb 2018

Installing Stubby on Fedora Linux 27

DNS-over-TLS Part 1: Stubby

Stubby (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is a DNS privacy stub resolver. Among other things, Stubby supports DNS-over-TLS (RFC 7858 "Specification for DNS over Transport Layer Security (TLS)", https://tools.ietf.org/html/rfc7858).

This document describes the installation from source on Fedora Linux 27:

Install the dependencies

sudo dnf install -y make gcc libtool libyaml-devel openssl-devel wget

Building Stubby from source

Below are the commands to check out the Stubby source code, then compile and install it. This has been tested on Fedora Linux 27, but it may also work on other recent Linux distributions:

mkdir ~/src
cd ~/src
git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout develop
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir build
cd build
../configure --without-libidn --enable-stub-only \
   --with-ssl --with-stubby
make
sudo make install

SELinux fixes

Fedora Linux uses SELinux by default. To be able to run Stubby, the SELinux security label on the installed binary needs to be set (restorecon resets it to the default context for /usr/local/bin):

sudo restorecon -v /usr/local/bin/stubby

Review the Stubby default configuration

Stubby configuration is written in YAML (https://en.wikipedia.org/wiki/YAML). Review the default configuration and adapt where needed:

sudo $EDITOR /usr/local/etc/stubby/stubby.yml

Stubby testrun

This command starts Stubby in the foreground on the command line and shows whether the configuration is valid. Leave it running for the following steps; it is terminated with CTRL+C after the DNS test below.

sudo /usr/local/bin/stubby -l

Change the stub-resolver configuration

Stubby listens on port 53 of the loopback IP address for DNS queries from applications. The resolver configuration in /etc/resolv.conf must therefore point to the loopback address.

In this example a very direct way is used: /etc/resolv.conf is rewritten and then made immutable with the chattr +i file attribute, so that no other tool overwrites it. In production environments it is cleaner to change the resolver information in NetworkManager.

echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

Test DNS queries

dig dnsworkshop.org a


Now that Stubby has been successfully tested, stop the running Stubby process with CTRL+C and create a new systemd unit file in /etc/systemd/system/stubby.service:

[Unit]
Description=Stubby DNS-over-TLS Stub-Resolver

[Service]
ExecStart=/usr/local/bin/stubby -l

[Install]
WantedBy=multi-user.target


Start and enable Stubby

Register the new unit file with systemd, then start and enable Stubby:

sudo systemctl daemon-reload
sudo systemctl enable --now stubby
sudo systemctl status stubby

Now the enhanced DNS privacy provided by Stubby is available to all applications on the system.
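As an added verification script (not part of the original post), the following POSIX shell functions check that the setup described above really forces all applications through Stubby: every nameserver in resolv.conf is a loopback address, the immutable attribute is still set, and stubby.yml permits only the authenticated TLS transport. The stubby.yml keys (dns_transport_list, tls_authentication) and the GETDNS_* values are assumed to follow Stubby's YAML format; the file name stubby-check.sh is hypothetical.

```shell
#!/bin/sh
# Post-install checks for the Stubby setup described in this document.
# Every function returns 0 when the check passes, 1 otherwise.

# 1. Each nameserver in resolv.conf must be 127.0.0.1 or ::1 (the addresses
#    Stubby listens on). Any other entry lets glibc send cleartext queries
#    straight to that server, bypassing DNS-over-TLS.
resolv_conf_is_loopback() {   # $1 = path to a resolv.conf
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad++ }
         END { exit (n > 0 && bad == 0) ? 0 : 1 }' "$1"
}

# 2. The "chattr +i" attribute set above must still be present, otherwise
#    NetworkManager or a DHCP client can rewrite the file on the next lease.
resolv_conf_is_immutable() {  # $1 = path to a resolv.conf
    lsattr "$1" 2>/dev/null |
        awk 'NR == 1 { f = index($1, "i") } END { exit f ? 0 : 1 }'
}

# 3. stubby.yml must list only the TLS transport and require authentication
#    of the upstream; otherwise a failed TLS handshake can fall back to plain
#    UDP/TCP on port 53, or an unverified server certificate is accepted.
#    (Key names assumed from Stubby's YAML format.)
stubby_yml_is_strict() {      # $1 = path to a stubby.yml
    awk '{ sub(/#.*/, "") }                         # drop YAML comments
         /GETDNS_TRANSPORT_TLS/        { tls = 1 }
         /GETDNS_TRANSPORT_(UDP|TCP)/  { plain = 1 }
         /^tls_authentication:[ \t]*GETDNS_AUTHENTICATION_REQUIRED/ { strict = 1 }
         END { exit (tls && strict && !plain) ? 0 : 1 }' "$1"
}

# Run all three checks against the paths used in this document.
run_all_checks() {
    rc=0
    resolv_conf_is_loopback /etc/resolv.conf ||
        { echo "FAIL: /etc/resolv.conf points outside the loopback"; rc=1; }
    resolv_conf_is_immutable /etc/resolv.conf ||
        { echo "FAIL: /etc/resolv.conf is not immutable"; rc=1; }
    stubby_yml_is_strict /usr/local/etc/stubby/stubby.yml ||
        { echo "FAIL: stubby.yml permits plaintext or unauthenticated upstreams"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: applications can only reach DNS through Stubby over TLS"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then run_all_checks; fi
```

Run it as `sh stubby-check.sh --check` once the unit is active; a non-zero exit status means at least one leak path is open.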

