'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy.
Stubby is developed by the getdns project.
For more background and FAQ see our About Stubby page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
Why Use Stubby?
- Runs as a daemon listening on the loopback addresses (127.0.0.1, ::0)
- Sends all outgoing DNS queries received on those addresses out over TLS
- Uses a default configuration which provides Strict Privacy and uses a subset of the available DNS Privacy servers
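The three properties listed above can be checked against a given configuration. The following is an added example, not code from the Stubby or getdns projects: it audits a Stubby configuration that is assumed to have already been parsed from YAML into a dict. The key names are those used in Stubby's configuration file; the sample values (documentation addresses, placeholder pin) are constructed.

```python
import ipaddress

# Constructed sample: a stubby.yml after YAML parsing (addresses are documentation ranges).
SAMPLE = {
    "dns_transport_list": ["GETDNS_TRANSPORT_TLS"],
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "listen_addresses": ["127.0.0.1", "0::1"],
    "upstream_recursive_servers": [
        {"address_data": "192.0.2.53", "tls_auth_name": "dns.example.net"},
        {"address_data": "2001:db8::53", "tls_pubkey_pinset": [
            {"digest": "sha256", "value": "PLACEHOLDER_BASE64_SPKI_HASH"}]},
    ],
}


def audit(cfg):
    """Return a list of findings; an empty list means the three properties hold."""
    findings = []
    # 1. The listener must be reachable from this host only.
    for entry in cfg.get("listen_addresses", []):
        host = entry.split("@", 1)[0]  # Stubby writes ports as addr@port
        try:
            if not ipaddress.ip_address(host).is_loopback:
                findings.append(f"listen address {entry} is not loopback")
        except ValueError:
            findings.append(f"listen address {entry} is not an IP address")
    # 2. TLS must be the only transport, so nothing falls back to cleartext.
    if cfg.get("dns_transport_list") != ["GETDNS_TRANSPORT_TLS"]:
        findings.append("transport list allows something other than TLS")
    # 3. Strict Privacy: authentication is required and every upstream can be authenticated.
    if cfg.get("tls_authentication") != "GETDNS_AUTHENTICATION_REQUIRED":
        findings.append("tls_authentication is not REQUIRED (opportunistic mode)")
    upstreams = cfg.get("upstream_recursive_servers", [])
    if not upstreams:
        findings.append("no upstream servers configured")
    for up in upstreams:
        if not (up.get("tls_auth_name") or up.get("tls_pubkey_pinset")):
            findings.append(f"upstream {up.get('address_data')} has no auth name or pinset")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["ok: loopback only, TLS only, Strict Privacy"]:
        print(line)
```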
Stubby uses getdns. It is recommended to use at least the 1.2 release of getdns, and preferably the latest getdns stable release.
As of August 2017 Stubby has moved to its own repository and getdns is a library dependency!
Source code is available on GitHub: https://github.com/getdnsapi/stubby
See the Stubby GitHub repo for the latest release tarball.
Stubby is supported on several platforms.
Packages are available:
Note1: A Debian package is also available but doesn't show up in the above because the version number is currently incorrect. Working to fix this!
Note2: The Chocolatey package above is not for stubby but for a package named stubby4net. We are working on creating a stubby Chocolatey package too.
- See this tweet for an example of using Stubby + Quad9
- See this link for an example of using BIND as a local caching forwarder and stubby for upstream TLS
We hope to have support on mobile platforms in the future:
Note that Android has announced that it will support a native implementation of DNS-over-TLS in an upcoming official release (it is already available in developer releases). This does not share any code with Stubby but we applaud Android for this development!
See our Stubby configuration guide.
Note that some users use stubby in combination with Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authenticate upstreams, or re-use TCP/TLS connections). An example configuration is available on this page.
Bugs or feature requests can be directed to either
How can I contribute to the getdns/Stubby projects?
- Run and test stubby. Give feedback and report bugs!
- Contribute code to https://github.com/getdnsapi/stubby or https://github.com/getdnsapi/getdns
- Running a DNS privacy resolver
Other ways to run a privacy daemon are:
- Run Unbound as a local forwarder using the ssl_upstream option to encrypt outgoing queries. This provides a local caching resolver, but at the moment Unbound doesn't fully support RFC7766 as a client and so you may not see the same performance as from Stubby (which pipelines queries).
- Work is in progress to enable knot resolver to work in this mode too
- As mentioned above, official support for a native Android implementation of DNS-over-TLS is expected soon.