The Homebrew formula currently installs the 0.4.0 version of stubby, based on libgetdns 1.6.1.
See this issue for details of problems with Homebrew on Big Sur: https://github.com/getdnsapi/stubby/issues/272#issuecomment-738622312
1. Install Homebrew if you don’t already have it:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
2. Install stubby
brew install stubby
sudo /usr/local/opt/bin/stubby -C /usr/local/etc/stubby/stubby.yml -l
The -l flag enables logging. The logging is currently crude and simply writes to a file. (We are working on making this better!) To see the logs:
sudo tail -f /usr/local/var/log/stubby/stubby.log
A quick test can be done by using dig (or your favourite DNS tool) on the loopback address:
> dig @127.0.0.1 www.example.com
Running stubby like this will mean it runs continually in the background
sudo brew services start stubby
For Stubby to re-send outgoing DNS queries over TLS, the recursive resolvers configured on your machine must be changed to send all the local queries to the loopback interface on which Stubby is listening.
To switch to use Stubby for DNS resolution run:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
Once this change is made your DNS queries will be re-directed to Stubby and sent over TLS! (You may need to restart some applications to have them pick up the network settings).
To switch back to your default DNS config (no privacy) use:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh -r
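To confirm that no network service still points at a plaintext resolver after the switch, the following check can be run. It is an added example, not part of the Stubby project's scripts; the function names are hypothetical, and it assumes Stubby listens on 127.0.0.1 and ::1.

```shell
#!/bin/sh
# Added example (not from the Stubby project): report macOS network services
# whose configured resolvers are not loopback-only.
# Assumption: Stubby listens on 127.0.0.1 and ::1.

# classify_resolvers reads `networksetup -getdnsservers <service>` output on
# stdin and prints one verdict:
#   ok            every configured resolver is 127.0.0.1 or ::1
#   unset         nothing configured, so DHCP-supplied resolvers are in use
#   leak:<addrs>  at least one non-loopback resolver is configured
classify_resolvers() {
    seen=0
    leaks=""
    while IFS= read -r line; do
        case "$line" in
            "") continue ;;
            "There aren't any DNS Servers set"*) echo "unset"; return 0 ;;
            127.0.0.1|::1) seen=1 ;;
            *) seen=1; leaks="${leaks:+$leaks,}$line" ;;
        esac
    done
    if [ -n "$leaks" ]; then echo "leak:$leaks"
    elif [ "$seen" -eq 1 ]; then echo "ok"
    else echo "unset"
    fi
}

# check_all_services walks every network service and returns non-zero if any
# service is not loopback-only. The first line of -listallnetworkservices is
# a legend, and disabled services carry a leading asterisk.
check_all_services() {
    status=0
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        verdict=$(networksetup -getdnsservers "$svc" </dev/null | classify_resolvers)
        printf '%-30s %s\n' "$svc" "$verdict"
        [ "$verdict" = "ok" ] || status=1
    done <<EOF
$(networksetup -listallnetworkservices | sed '1d; s/^\*//')
EOF
    return "$status"
}

# Only run the live check where networksetup exists (macOS).
if command -v networksetup >/dev/null 2>&1; then
    check_all_services
fi
```

A verdict of unset or leak for an active service means queries from that service can still reach a resolver directly instead of going through Stubby.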
It is recommended to use the default configuration file provided which will use ‘Strict’ privacy mode and spread the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses. The file is installed in:
/usr/local/etc/stubby/stubby.yml
More information on how to customise the configuration can be found here.