'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

Stubby is developed by the getdns project.

For more background and FAQ see our About Stubby page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!

Why Use Stubby?

Read about the problem with DNS Privacy and how Stubby helps


Key Features:

  • Runs as a daemon listening on the loopback  addresses (, ::0) 
  • Sends all outgoing DNS queries received on those addresses out over TLS
  • Uses a default configuration which provides Strict Privacy and uses a subset of the available DNS Privacy servers

Stubby uses getdns, it is recommended to use at lleast the 1.2 release of getdns, and preferably the latest getdns stable release.


As of August 2017 Stubby has moved to its own repository and getdns is a library dependancy!

Source code is available on github: https://github.com/getdnsapi/stubby

Lastest release

See the Stubby github repo for the latest release tarball or the getdns releases page.


Packages are available:

Packaging status

Note1: A debian package is also available but doesn't show up in the above because the version number is currently incorrect. Working to fix this!

Note2: The chocolatey package above is not for stubby but for a package named stubby4net. We are working on creating a stubby chocolatey package too.

Installation Guides

Docker Images:


We hope to have support on mobile platforms in the future:

Note that Android has announced that it will support a native implementation of DNS-over-TLS in an upcoming official release (it is already available in developer releases). This does not share any code with Stubby but we applaud Android for this development!


See our Stubby configuration guide.

Note that some users use stubby in combination wtih Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authentication upstreams, or re-use TCP/TLS connections). And example configuration is available on this page.


Bugs or feature requests can be directed to either

How can I contribute to the getdns/Stubby projects?

Other options

Other ways to run a privacy daemon are: 

  • Run Unbound as a local forwarder using the ssl_upstream option to encrypt outgoing queries. This is provides a local caching resolver but at the moment Unbound doesn't fully support RFC7766 as a client and so you may not see the same performance as from Stubby (which pipelines queries). 
  • Work is in progress to enable knot resolver to work in this mode too
  • As mentioned above, official support for a native Android implemenation of DNS-over-TLS is expected soon.

  • No labels


  1. Anonymous

    Does it still make sense to use dnsmasq? I use dnsmasq + dnscrypt right now but would like to switch over.

  2. The combination of dnsmasq and DNSCrypt is an alternative solution for local stub resolution with encryption of queries. This page provides some more background on the difference between DNSCrypt and DNS-over-TLS:

    DNS Privacy - The Solutions

    Stubby provides a single solution that can resolve and encrypt queries over port 853. If you can get service over port 853 then it may be a better solution for you.