💾 Archived View for tilde.team › ~supernova › gemlog › 2020-09-21-stubby-part-2.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
This week I installed Stubby[1] to get DNS over TLS (DoT). A few upstream servers are configured by default, but they may not be the closest or fastest for your location, and not every server works correctly with all of Stubby's features, so finding the best DoT servers takes some trial and error.
1: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
I found a great list of candidate servers in a post at forum.opnsense.org[2]. I also found the dnsprivacy-monitoring[3] project page at dnsprivacy.org, which tests servers for compatibility, but I haven't really figured out exactly what needs to be green for a server to work with Stubby.
2: https://forum.opnsense.org/index.php?topic=15884.msg85285
3: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
The approach that worked best for me: take the list from the opnsense forum and ping every server to get its response time from your location. Pick a good handful of the fastest ones and add them to your stubby.yml. Restart stubby and watch the log for errors from any of the servers, then remove those servers from the config. Restart stubby again and confirm that every server you kept is working.
With the default settings stubby uses round robin, sending queries to each enabled server in turn, so make sure every server you keep has a good response time.
Here are the servers I use:
```yaml
# entries in the upstream_recursive_servers list of stubby.yml
  ## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) 40ms
  ## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
  ## DNSSEC.
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
      - digest: "sha256"
        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
  ## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) 110ms
  - address_data: 185.213.26.187
    tls_auth_name: "dot.eastus.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4=
```
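The pin values above were copied from a forum post, so before trusting them it is worth recomputing them from the certificate the server actually presents. The script below is an added example, not part of the original post and not Stubby's own code: it computes a tls_pubkey_pinset value in the form Stubby uses (RFC 7469 style, base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo) from a certificate, using a minimal DER walker so that only the Python standard library is needed. The certificate it builds for itself is a constructed, unsigned skeleton for offline testing; the name "dns.example" in it and all function names are assumptions, not anything from the page.

```python
"""Compute Stubby-style SPKI pins (tls_pubkey_pinset values) from X.509 certificates.

Added example. Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the RFC 7469 form
Stubby expects. The DER walker handles only what a certificate needs: definite
lengths and SEQUENCE / context-tag navigation.
"""
import base64
import hashlib
import re


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw_tlv_bytes) for each element inside a constructed TLV."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def spki_der_from_cert(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, vstart, vend = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs = next(_children(cert_der, vstart, vend))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tstart, tend = _read_tlv(tbs, 0)
    fields = list(_children(tbs, tstart, tend))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    spki_tag, spki = fields[5]               # serial, sigalg, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(cert_der: bytes) -> str:
    """The value to put under tls_pubkey_pinset for this certificate."""
    return base64.b64encode(hashlib.sha256(spki_der_from_cert(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pinset) -> bool:
    """True if the certificate's pin is one of the configured sha256 pins."""
    return spki_pin(cert_der) in set(pinset)


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(with_version: bool = True):
    """Constructed certificate skeleton for offline testing (assumption: not a real cert).

    Ed25519 SPKI (OID 1.3.101.112) with a dummy key, CN=dns.example, junk signature.
    Returns (cert_der, spki_der) so callers can check the extraction.
    """
    ed25519 = _tlv(0x30, bytes.fromhex("06032b6570"))
    spki = _tlv(0x30, ed25519 + _tlv(0x03, b"\x00" + bytes(range(32))))
    cn = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, b"dns.example"))
    name = _tlv(0x30, _tlv(0x31, cn))
    validity = _tlv(0x30, _tlv(0x17, b"200921000000Z") + _tlv(0x17, b"210921000000Z"))
    tbs_body = _tlv(0x02, b"\x01") + ed25519 + name + validity + name + spki
    if with_version:
        tbs_body = _tlv(0xA0, _tlv(0x02, b"\x02")) + tbs_body   # version v3
    cert = _tlv(0x30, _tlv(0x30, tbs_body) + ed25519 + _tlv(0x03, b"\x00" + bytes(64)))
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    print("value:", spki_pin(cert))
```

To check a live server, save the leaf certificate it presents with `openssl s_client -connect 199.58.81.218:853 -servername dns.cmrg.net </dev/null | openssl x509 > cmrg.pem` and run `spki_pin(pem_to_der(open("cmrg.pem").read()))`; the result should be one of the values in that server's pinset. A pin that no longer matches usually means the operator rotated the key, which is one reason a server taken from an older list shows up as failing in the stubby log.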
tags: stubby, dns, dot
timestamp: 2020-09-21 21:15:14