RISCi_ATOM 181dbb04e2 Fresh pull from upstream (might have missed some non-free things). %!s(int64=6) %!d(string=hai) anos
..
README.md 181dbb04e2 Fresh pull from upstream (might have missed some non-free things). %!s(int64=6) %!d(string=hai) anos
stubby.init 181dbb04e2 Fresh pull from upstream (might have missed some non-free things). %!s(int64=6) %!d(string=hai) anos
stubby.yml 181dbb04e2 Fresh pull from upstream (might have missed some non-free things). %!s(int64=6) %!d(string=hai) anos

README.md

Stubby for OpenWRT

Stubby Description

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

Stubby is developed by the getdns project.

For more background and FAQ see our About Stubby page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!

Prerequisites

You must have a ca cert bundle installed on your device for stubby to make the TLS enabled connections.

  • You can install this by running the following: opkg install ca-certificates
  • You can also install this through the LUCI web interface

Package Overview

This package has some modifications that makes it differ from the default upstream configuration. They are outlined below.

General Cleanup

Comments are removed, etc.

EDNS Client-Subnet Option Changed to 0

The value of "edns_client_subnet_private" is '1' in the upstream default config. This informs the upstream resolver to NOT forward your connection's IP to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc.

To give a more "comparable" DNS experience similar to google/opendns, this package disables this option.

Default Listening Ports Changed

The value of "listen_addresses" in the default config does not list port numbers, which will cause stubby to default to port 53. However, Openwrt defaults to dnsmasq as the main name server daemon, which runs on port 53. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby.

Additionally, due to the slight overhead involved with DNS-over-TLS, it is recommended to have a caching name server on the network.

Round Robin Upstream Setting Changed

The default stubby config list multiple upstream resolvers, and because of this, it makes sense to "load balance" between them. However, in this package's default stubby config, the only upstream service listed is quad9. One entry is for ipv6 and one for ipv4.

By setting the "round_robin_upstreams" value to 0, we are simply forcing stubby to try and use ipv6 connectivity to quad9 first, and if not available, simply use the ipv4 service.

quad9 is an Anycast DNS service. This should take care of any needed "failover" in the event that one of quad9's nodes goes down.

Upstream Resolvers Changed

Most of the default resolvers for stubby are in Europe. To provide a better experience for a larger number of users, this package defaults to using quad9's DNS service.

Note: quad9 has multiple IPs available for their service. The "features" applied are based on the endpoint your DNS client connects to. For this package, the default resolvers are set to the non-filtering, EDNS Client-Subnet capable endpoints.

https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security

https://www.quad9.net/faq/#Does_Quad9_support_DNS_over_TLS


# IPv6 addresses 
# Quad 9 IPv6
  - address_data: 2620:fe::10
    tls_auth_name: "dns.quad9.net"

# IPv4 addresses
# Quad 9 service
  - address_data: 9.9.9.10
    tls_auth_name: "dns.quad9.net"