DNS Stubby in his current status

Stubby is yet another young project which want to compete against the known ones e.g. Unbound.

Picture: IETF

What is Stubby?

DNS Stubby encrypts DNS queries by using DNS-over-TLS as standardised in the IETF DPRIVE working group. This work focusses on encryption of DNS traffic between the end-point (end-user) and the resolver. DNSCrypt achieves similar encryption of DNS traffic, but is not being standardised in the IETF. Some resolvers support both DNS-over-TLS and DNSCrypt, e.g. Unbound.

For more information on Stubby and how it relates to DNSCrypt, see the official FAQ section.


Stubby is still beta and there only a handful of servers which are really working. Port 853 will be used to handle the DNS-over-TLS traffic. At this point it is planned (without giving any date) to implement a basic GUI for Windows but the priority right now is on MacOS. There is also a beta version for Android planned which allows you to choose between privacy mode, opportunistic mode or privacy-off mode. The default mode will not work with any encryption unless you change it’s status.

Some developers are not really happy with Stubby, which I can understand it’s not enough to tunnel the requests between PC and resolver, an alternative could be DNS over Dedicated QUIC Connections. It combines RFC 7858

In my opinion DNS over QUIC seems the most promising upcoming thing, it needs more supporter and a lot of work but it has potential, the questions is still about resolvers, Google wants to bring it under their control by forcing the user to use their own DNS server but some advance users simply don’t want it, and this argument is totally understandable. I think we need to good compromise to fill the known holes, especially between server and apps to prevent leakages and to prevent that someone can abuse the data. On the other side it shouldn’t break existent mechanism which is really challenging here.