'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.

Stubby is developed by the getdns project and has its own GitHub repo and issue tracker, but dnsprivacy.org hosts the online documentation for Stubby. For more background and an FAQ, see our About Stubby page.

Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!

Why Use Stubby?

Read about the problem with DNS Privacy and how Stubby helps

 

Key Features

  • Runs as a daemon listening on the loopback addresses (127.0.0.1, ::0)
  • Sends all outgoing DNS queries received on those addresses out over TLS
  • Uses a default configuration which provides Strict Privacy and uses a subset of the available DNS Privacy servers
  • Has additional servers available for activation in the configuration file (e.g. Cloudflare, Quad9)

Packaging status

Stubby uses getdns. It is recommended to use at least the 1.2 release of getdns, and preferably the latest stable getdns release.

The next release of Stubby (v0.3, getdns v1.5) is expected to support the following:

  • DNS-over-HTTPS (DOH)
  • Configuration of servers using authentication name only

Source Code

As of August 2017 Stubby has moved to its own repository and getdns is a library dependency!

Source code is available on GitHub: https://github.com/getdnsapi/stubby

Latest release

See the Stubby GitHub repo for the latest release tarball or the getdns releases page.

Installation

Packages

Various packages are available, see repology for Stubby.

Note1: A Debian package is also available but doesn't show up in the above because the version number is currently incorrect (it picks up the getdns version, not the Stubby version). Working to fix this!

Note2: The Chocolatey package above is not for Stubby but for a package named stubby4net. We are working on creating a Stubby Chocolatey package too.

Installation Guides

Docker Images

Mobile

We hope to have support on mobile platforms in the future:

Note that Android has announced that it will support a native implementation of DNS-over-TLS in an upcoming official release (it is already available in developer releases). This does not share any code with Stubby but we applaud Android for this development!

Configuration

See our Stubby configuration guide.

Note that some users use Stubby in combination with Unbound: Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authenticate upstreams or re-use TCP/TLS connections). An example configuration is available on this page.
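The Unbound plus Stubby arrangement described above, as an added illustration (this is not the example configuration linked from this page and not the project's own files). Assumptions: Stubby is moved to port 8053 so Unbound can take port 53, and the upstream address 192.0.2.53 and name dot.example.net are placeholders to be replaced with a real DNS Privacy server.

```conf
# ---- stubby.yml (YAML): Stubby owns the upstream TLS connections ----
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS                 # TLS only, no fallback to clear text
# Strict Privacy: the upstream must authenticate, otherwise the query fails
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128         # pad queries to blunt size analysis
idle_timeout: 10000                      # ms; keeps TLS sessions open for re-use
listen_addresses:
  - 127.0.0.1@8053                       # assumed port, loopback only
  - 0::1@8053
upstream_recursive_servers:
  - address_data: 192.0.2.53             # placeholder (documentation range)
    tls_auth_name: "dot.example.net"     # placeholder authentication name

# ---- unbound.conf: Unbound is the local cache that clients query ----
server:
    interface: 127.0.0.1
    interface: ::1
    # Unbound refuses to send queries to localhost unless this is set to "no"
    do-not-query-localhost: no

forward-zone:
    name: "."                            # forward every query...
    forward-addr: 127.0.0.1@8053         # ...to the local Stubby listener
    forward-addr: ::1@8053
```

With this layout the system resolver points at 127.0.0.1 port 53 (Unbound). If Stubby is stopped, Unbound has no other forwarder and answers only from its cache, so uncached lookups fail rather than leaving the machine unencrypted.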

Support

Bugs or feature requests can be directed to either

How can I contribute to the getdns/Stubby projects?

Other options

See DNS Privacy Clients.


2 Comments

  1. Anonymous

    Does it still make sense to use dnsmasq? I use dnsmasq + dnscrypt right now but would like to switch over.

  2. The combination of dnsmasq and DNSCrypt is an alternative solution for local stub resolution with encryption of queries. This page provides some more background on the difference between DNSCrypt and DNS-over-TLS:

    DNS Privacy - The Solutions

    Stubby provides a single solution that can resolve and encrypt queries over port 853. If you can get service over port 853 then it may be a better solution for you.