Install Stubby on Linux
According to Linuxbabe.com, Stubby can protect DNS queries. Why make DNS queries more secure? By default, DNS queries are sent unencrypted, so other parties such as ISPs or other providers can easily read them.
In some countries, the government mandates that ISPs use DNS injection on their users. As a result, changing the DNS settings on our devices has no effect: DNS injection forces users onto the ISP’s DNS. The purpose is to allow the ISP to filter the domains accessed by users.
DNS over TLS
DNS over TLS means that DNS queries are sent encrypted over TLS. This prevents third parties from reading the content of DNS queries. TLS is the same encryption technology that protects HTTP traffic (HTTPS). Together with HTTPS and encrypted SNI (Server Name Indication), browsing activity is protected because it is encrypted. For this reason, users often use DNS over TLS to avoid domain blocking by ISPs.
Before using DNS over TLS: | After using DNS over TLS: |
---|---|
The user accesses google.com through the ISP’s DNS resolver. Depending on the ISP, the domain may or may not be blocked. If blocked, an error message will appear, or the ISP will redirect the user to a specific page. If not blocked, the ISP forwards the request to Google’s IP, and the user can access the Google website. | The user accesses google.com. The query for google.com goes to Stubby, which sends it encrypted to the upstream DNS resolver (e.g., Cloudflare). The Cloudflare DNS resolver then directs the request to Google’s IP, and the user can access the Google website. |
Install Stubby on Linux
Stubby is already available in the repository for Ubuntu-based distributions from 18.04 onwards. Therefore, the installation is quite easy. Type the command:
sudo apt install stubby
How to run Stubby
Stubby starts running in the background automatically once the installation is complete. You can check the status of Stubby by typing the command:
systemctl status stubby
It will show a summary indicating that Stubby is active.
Stubby listens on localhost (127.0.0.1), port 53, over both UDP and TCP. You can see it by typing the command:
sudo netstat -lnptu | grep stubby
Meanwhile, the stub resolver provided by systemd-resolved listens on TCP and UDP port 53 at IP 127.0.0.53:
sudo netstat -lnptu | grep systemd-resolv

Configuration
The configuration file for Stubby is located at /etc/stubby/stubby.yml. Let’s view the Stubby configuration by typing:
sudo nano /etc/stubby/stubby.yml
Check this part:
listen_addresses:
  - 127.0.0.1
  - 0::1
This section sets the IP addresses Stubby listens on. The first line is the IPv4 address, while the second line is the IPv6 address. These IPs will later serve as the DNS server. To set them as the DNS server, follow the tutorial in the “Using Stubby” section below.
Check this part:
round_robin_upstreams: 1
In this section, you can set the value to 0 or 1.
- Number 1: Uses the round-robin parameter. This means that Stubby will always use all upstream servers in a repeating cycle.
- Number 0: Does not use the round-robin parameter. This means that Stubby will only use one upstream server, starting from the top of the list, until it fails. If it fails, it will use the next upstream server in the list.
Check this part:
upstream_recursive_servers
In that section, there is a list of upstream servers. By default, several servers are already prepared for use. If you want to add Google and Cloudflare servers, add this code at the top or bottom of the existing server list.
# Cloudflare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# Google servers
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"
Then press <Ctrl+o> and then <enter> to save the file, and <Ctrl+x> to exit the nano editor.
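To check the listen_addresses and upstream_recursive_servers sections after editing, the following added example (not part of the original tutorial) flags upstream entries that lack tls_auth_name and listen addresses that are not loopback. The function names and the sample file are constructed for illustration, and the script assumes the one-key-per-line layout of the packaged stubby.yml.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit a stubby.yml.
# Assumes the one-key-per-line layout of the packaged /etc/stubby/stubby.yml.

# Print each upstream address that has no tls_auth_name; without that name
# there is no hostname to validate the upstream's TLS certificate against.
upstreams_missing_auth_name() {
  awk '
    function report() { if (addr != "" && !named) print addr; addr = ""; named = 0 }
    /^[ \t]*(#|$)/ { next }                        # comments, blank lines
    /^[^ \t-]/ { report(); in_up = ($1 == "upstream_recursive_servers:"); next }
    in_up && /address_data:/ { report(); addr = $NF; next }
    in_up && /tls_auth_name:/ { named = 1 }
    END { report() }
  ' "$1"
}

# Print each listen address that is not loopback; a non-loopback address
# would expose the local resolver to other hosts on the network.
non_loopback_listeners() {
  awk '
    /^[ \t]*(#|$)/ { next }
    /^[^ \t-]/ { in_l = ($1 == "listen_addresses:"); next }
    in_l && $1 == "-" && $2 !~ /^(127\.|0?::1@|0?::1$)/ { print $2 }
  ' "$1"
}

# Constructed sample: the second upstream lacks tls_auth_name and the
# second listener is a LAN address (192.0.2.10 is a documentation address).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
listen_addresses:
  - 127.0.0.1
  - 192.0.2.10
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 8.8.8.8
EOF

echo "upstreams without tls_auth_name: $(upstreams_missing_auth_name "$sample")"
echo "non-loopback listeners: $(non_loopback_listeners "$sample")"
```

Both functions take a file path, so they can be pointed at /etc/stubby/stubby.yml; empty output from each means nothing was flagged.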
Using Stubby
The sections above covered how to run Stubby. However, it is not used by the system yet. We need to configure the DNS in the network settings to use the Stubby DNS IP.
Below is an example of setting up Stubby as the DNS server on Elementary OS. The setup process is almost the same for other distributions.
Step 1: Open the Network Settings
Step 2: Choose the network connection that will use Stubby
In the example, I use Wi-Fi (number 1). Then select the SSID, then Settings.
Step 3: Choose the IPv4 Settings tab.
Then select ‘Automatic (DHCP) addresses only’. Enter the IP 127.0.0.1 in the DNS servers section. Click Save.
Step 4 (optional): Choose the IPv6 Settings tab.
Then select ‘Automatic, addresses only’. Then enter ::1 in the DNS servers section. Click Save.
Step 5: Type the command below to restart the network manager.
sudo systemctl restart NetworkManager
Check if Stubby works or not
Type the command:
systemd-resolve --status
If output like the text below appears and it contains the line ‘DNS Servers: 127.0.0.1’, it means Stubby is working well.
Link 3 (wlp2s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 127.0.0.1
Another way to check is to visit the blocked website. If successful, the blocked website will be accessible.