DNS-over-TLS rcently got hyped and I want to talk a little bit about it, the RFC exist since 2011 and there is nothing special about it, however there exist several clients to get it working on server or client side.
As you can see in the picture above, Stubby (aka getdns), Knot and digit are the Clients which supporting the most recent TLS/TCP features.
The picture looks totally different on the server side, Unbound, BIND and Knot are dominating. Well, Unbound can be tricky to configurate even if it’s well documented and there is no GUI same like with Knot. Stubby want to fix this, but as time of writing the article the Windows GUI wasn’t done, because the guys still working on the macOS GUI version right now, Stubby is together with all other mentioned software fully open source.
The biggest weakness (for now) is that there are only a handful of server available. You can take a look on the server status page to get an overview how many servers are there to test. Some of the server logging others claim to not log anything, which is hard to believe especially because once someone abused their resolvers I doubt that there will be no blacklist – well but okay I believe it as long as I can’t proof it.
As you can see most servers using Unbound, BIND or Knot as software to get the resolver running, again there is nothing wrong with it but if you just want to use it as Client, use Stubby and you’re good to go, Unbound is right now only a good solution if you want to run your own server or if you want ‘gimmicks’ like DNS based ad-blocking – which can be a good thing but it requires once again more configuration on your end.
Well, I wrote already about Stubby and their goals and I’m not gonna re-write the same stuff again here, take a look at their page over here. The project is far away from been finished and these guys working hard on it.
- Download the Stubby.msi Installer from this page.
- The installer is unspectacular, install it, and you’re almost done, it basically extract all files into C:\Program Files\Stubby.
- Now you have several powershell script and a executable among several utils.
- The stubby.bat file is what starts the deamon.
PowerShell -ExecutionPolicy bypass -
"C:\Program Files\Stubby\stubby_setdns_windows.ps1"needs to be executed to change the default DNS entry.
In case the deaom won’t start ensure that you executed the “stubby_setdns_windows.ps1” script, you can also manually set the 127.0.0.1 / 0::1 in your network adapter if you want, but the script does the same.
Once this is done, the Deamon should run a ipconfig /flushdns might also help (just in case).
Check if everything is running
Checking if everything is running is very easy,
"C:\Program Files\Stubby\getdns_query” -s
You should see a status of GETDNS_RESPSTATUS_GOOD and and rcode of GETDNS_RCODE_NOERROR in the getdns_query output. You should also see a connection being made in the stubby logs.
If you encounter problems or want to turn Stubby off for any reason then reverse this change to restore the default network settings (no DNS Privacy) by running:
PowerShell -ExecutionPolicy bypass -
Tweaking the config and capturing the traffic
So that’s basically it but you might want to tweak the configuration file and monitor the traffic via Wireshark to ensure it’s really listening on port 853.
To configure Stubby you work with stubby.yml file which can be opened with e.g. Notepad++ or windows own notepad. The default settings are usually fine so you only want to change the servers, some default servers are activated, to use others you have to comment out the default ones and uncomment the ones you like to use.
That’s it, you could now launch Whireshark on Port 853 to see if everything is going trough the port. It’s normally not needed because the setup is waterproof by default.
If you want Stubby to always start when you boot your system, you can create a Scheduled task for this. A template for the task is provided, to create the task just run:
Stubby is as easy to use as DNSCrypt, there is currently no fancy GUI but it’s not needed in my opinion, we will get a GUI for Windows anyway which could help beginners and that’s a good thing. Stubby currently won’t allow you to work with a DNS Blacklist but we might get such a feature in the near future. The local DNS Privacy stub resolver makes sense, and it’s a good successor of DNSCrypt for those who care about privacy. Of course it doesn’t solve all the other tracking problems but we might see more of such features this year, Google is adopting similar feature in Android Oreo 8.1 and if the big ones adopting such important things I have higher hopes it get its way faster into the mainstream market. As long as everyone can create and choose their own servers I see no problem, sadly Google and Facebook doesn’t seen it that way there want you to use their own server to get more control over the market and to analyze your traffic.
In my test stubby is right now to unstable to use it on a daily basis but this might get fixed, the problem is that the resolver often gets confused and it ends up with a timeout. This is also listed under the known problems and really the own reason to currently prefer Unbound, Knot or other solutions over Stubby but again once if that is fixed there is no reason to not use Stubby. The server can run on a RaspberryPI and it wouldn’t consume much energy over the year, of course it’s depending on how public your resolver is, the more user it has the more energy is needed together with better hardware but everyone can decide to publish his address or not.
I like the idea of Stubby and the community is trying to improve the project, there plenty of good ideas out there and once there is a GUI really everyone from beginner to expert could use it.
- Oblivious DNS: Plugging the Internet’s Biggest Privacy Hole (circleid.com)