Latest commit: RISCi_ATOM 181dbb04e2 "Fresh pull from upstream (might have missed some non-free things)." (6 years ago)
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.
Stubby is developed by the getdns project.
For more background and FAQ see our About Stubby page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
You must have a CA certificate bundle installed on your device for Stubby to make the TLS-enabled connections (the upstream resolver's certificate is verified against it).
This package has some modifications that make it differ from the default upstream configuration. They are outlined below.
Comments are removed from the config file, etc.
The value of "edns_client_subnet_private" is '1' in the upstream default config. This tells the upstream resolver NOT to forward your connection's IP (via EDNS Client Subnet) to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc.
To give a DNS experience more "comparable" to Google/OpenDNS, this package disables this option, so your client subnet may be passed along upstream.
The value of "listen_addresses" in the default config does not list port numbers, so stubby defaults to port 53. However, OpenWrt uses dnsmasq as its main name server daemon, which already runs on port 53. Setting the listening ports to non-standard values lets users keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby.
Additionally, because of the slight overhead of DNS-over-TLS, it is recommended to have a caching name server on the network.
The default stubby config lists multiple upstream resolvers, so it makes sense to "load balance" between them. However, in this package's default stubby config, the only upstream service listed is quad9, with one entry for IPv6 and one for IPv4.
By setting "round_robin_upstreams" to 0, we simply force stubby to try the IPv6 quad9 endpoint first and, if it is not available, fall back to the IPv4 service.
quad9 is an anycast DNS service, which should take care of any needed "failover" in the event that one of quad9's nodes goes down.
Most of the default resolvers for stubby are in Europe. To provide a better experience for a larger number of users, this package defaults to using quad9's DNS service.
Note: quad9 has multiple IPs available for their service. The "features" applied are based on the endpoint your DNS client connects to. For this package, the default resolvers are set to the non-filtering, EDNS Client-Subnet capable endpoints.
https://www.quad9.net/faq/#Does_Quad9_support_DNS_over_TLS
```yaml
# IPv6 addresses
# Quad 9 IPv6
  - address_data: 2620:fe::10
    tls_auth_name: "dns.quad9.net"
# IPv4 addresses
# Quad 9 service
  - address_data: 9.9.9.10
    tls_auth_name: "dns.quad9.net"
```
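Putting the modifications described above together, the following is an added example of a complete stubby.yml for this setup; it is not the package's own file. The listen port 5453, the strict TLS authentication and the query padding are assumptions, since the page only says the ports are non-standard.

```yaml
# Added example config reflecting the modifications described above.
# Assumptions (not from the package): listen port 5453, strict TLS
# authentication and query padding. Adjust to your deployment.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Fail closed: never fall back to cleartext if the TLS upstream is unusable.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to a fixed block size to resist size-based traffic analysis.
tls_query_padding_blocksize: 128
# 0 = your client subnet may be forwarded upstream (the CDN trade-off
# described above); set to 1 to keep it private.
edns_client_subnet_private: 0
# 0 = try upstreams in listed order (IPv6 first), not round-robin.
round_robin_upstreams: 0
idle_timeout: 10000
# Non-standard port (assumed 5453) so dnsmasq can keep port 53 and forward
# to Stubby; binding to loopback only keeps Stubby off the LAN interfaces.
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
upstream_recursive_servers:
  # IPv6 addresses
  # Quad 9 IPv6
  - address_data: 2620:fe::10
    tls_auth_name: "dns.quad9.net"
  # IPv4 addresses
  # Quad 9 service
  - address_data: 9.9.9.10
    tls_auth_name: "dns.quad9.net"
```

With this in place, point dnsmasq at Stubby (in OpenWrt UCI terms, `list server '127.0.0.1#5453'` under `config dnsmasq`, port assumed as above) and confirm with `dig @127.0.0.1 -p 5453 example.com` that answers come back through the TLS path.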