DNS Privacy Project


Overview

This package installs the command line interface for Stubby. A future release will include a Graphical Interface to manage Stubby.

We consider Windows support for the Stubby CLI to be Beta at this time. It has been tested on Windows 10 and Windows 8. There is limited support for Windows 7 - see below.

User testing reports, bug reports and patches/pull requests are all welcomed via the Stubby github issue tracker!


Installation

The installer currently overwrites all existing files, so if you have made changes to stubby.yml you should create a backup of this file before upgrading!


Download and run the 0.0.2 installer: 
  Stubby.msi

SHA256 Checksum: 5a3ea837174be848fd296eaa1d5910aa24001c634cf32e478d007cca05e49d9d
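
To check the download against the checksum above before running it, the following can be used. This is an added example, not part of the Stubby package; it assumes PowerShell 4.0 or later (for Get-FileHash) and that the installer was saved to your Downloads folder.

```powershell
# Added example: verify Stubby.msi against the SHA256 published on this page.
# Assumption: the MSI was saved to the current user's Downloads folder.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\Stubby.msi"
)

# Checksum as published above for the 0.0.2 installer.
$expected = '5a3ea837174be848fd296eaa1d5910aa24001c634cf32e478d007cca05e49d9d'

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

$actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash

# Get-FileHash returns upper-case hex; -ieq compares case-insensitively.
if ($actual -ieq $expected) {
    Write-Host 'OK: SHA256 matches the published value.'
} else {
    Write-Warning 'MISMATCH: do not run this installer.'
    Write-Warning "  expected: $expected"
    Write-Warning "  actual:   $($actual.ToLower())"
    exit 1
}
```

On systems without Get-FileHash, certutil -hashfile "<path to Stubby.msi>" SHA256 prints the same digest for manual comparison.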


This installs the following files in C:\Program Files\Stubby\

  • README.txt - containing these instructions
  • stubby.exe    - binary
  • stubby.yml    - configuration file
  • getdns_query.exe - tool for testing stubby
  • PowerShell scripts for modifying system resolvers:
    • stubby_setdns_windows.ps1
    • stubby_resetdns_windows.ps1
    • Windows 7 versions of the PowerShell scripts (see below):
      • stubby_setdns_windows7.ps1
      • stubby_resetdns_windows7.ps1
  • Scripts to enable Stubby to be configured as a Scheduled Task:
    • stubby.bat
    • stubby.xml

This version of the installer (0.0.2) is built from:

  • getdns version: 1.2.1rc-1 (with minor fixes)

  • stubby version: 0.2.0

Configuration

It is recommended to use the default configuration file provided, which will use 'Strict' privacy mode and spread the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses. It is installed in "C:\Program Files\Stubby\stubby.yml".

More information on how to customise the configuration can be found here.

Run Stubby

Simply invoke Stubby on the command line from a command prompt window (To get a command prompt go to the Windows search box and type 'cmd' and then choose the 'Command prompt' option)

> "C:\Program Files\Stubby\stubby.exe" -C "C:\Program Files\Stubby\stubby.yml" -l

The -l flag enables full logging. Alternatively, a specific logging level can be selected with the -v flag (run '"C:\Program Files\Stubby\stubby.exe" -h' for details of available levels).

We are working on support for running Stubby as a service on Windows 10. Instructions for setting up a Scheduled task are below.


Test Stubby

A quick test can be done by opening a separate Command prompt window and using getdns_query (or your favourite DNS tool) on the loopback address:

> "C:\Program Files\Stubby\getdns_query" -s @127.0.0.1 www.example.com

You should see a status of GETDNS_RESPSTATUS_GOOD and an rcode of GETDNS_RCODE_NOERROR in the getdns_query output. You should also see a connection being made in the stubby logs.


Modify your upstream resolvers

Once this change is made all your DNS queries will be re-directed to Stubby and sent over TLS! 
(You may need to restart some applications to have them pick up the network settings).

For Stubby to re-send outgoing DNS queries over TLS the recursive resolvers configured on your machine must be changed to send all the local queries to the loopback interface on which Stubby is listening.

In most cases your system will use the 'default' DNS servers that are provided by whatever network you are on at the time. Using the two PowerShell commands will be all you need to switch back and forth between Stubby and the default DNS settings for the network you are on. (The scripts don't store any DNS config information because it can change dynamically.) If you want to double check which servers you are using right now, follow the instructions below to inspect your system settings. If you have reason to think your system uses specific servers on all networks, it might be useful to note your existing default nameservers before making this change so you can use the same instructions to reset them!

To set your nameservers to use Stubby

  • From Windows search box type 'cmd' and on the 'Command prompt' option that appears right click and select 'run as Administrator'

  • In the command prompt window that appears type

    PowerShell -ExecutionPolicy bypass -file  "C:\Program Files\Stubby\stubby_setdns_windows.ps1"

    to switch the system DNS resolvers to use Stubby. 

You can monitor the DNS traffic using Wireshark watching on port 853.
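
To confirm that the switch took effect on every active adapter, for IPv4 and IPv6 alike, a check along these lines can be run from PowerShell. It is an added example, not one of the scripts shipped with Stubby; it assumes Windows 8 or later and that Stubby listens on the loopback addresses on UDP port 53.

```powershell
# Added example, not one of the scripts shipped with Stubby.
# Requires Windows 8 or later (DnsClient and NetTCPIP modules).
# Assumption: Stubby listens on loopback (127.0.0.1 / ::1), UDP port 53.

# 1. Every DNS server configured on an active adapter should be a loopback address.
$leaks = foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    foreach ($cfg in Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex) {
        foreach ($server in $cfg.ServerAddresses) {
            $ip = [System.Net.IPAddress]::Parse($server)
            if (-not [System.Net.IPAddress]::IsLoopback($ip)) {
                [pscustomobject]@{
                    Interface = $cfg.InterfaceAlias
                    Family    = $ip.AddressFamily   # InterNetwork = IPv4, InterNetworkV6 = IPv6
                    Server    = $server
                }
            }
        }
    }
}

# 2. Something must be answering on the loopback DNS port, or lookups will simply fail.
$listener = @(Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
    Where-Object { [System.Net.IPAddress]::IsLoopback([System.Net.IPAddress]::Parse($_.LocalAddress)) })

# 3. Upstream connections on port 853 (may be empty if no query was sent recently).
$tls = @(Get-NetTCPConnection -RemotePort 853 -State Established -ErrorAction SilentlyContinue)

if ($leaks) {
    Write-Warning 'These resolvers bypass Stubby; queries to them are sent in clear text:'
    $leaks | Format-Table -AutoSize | Out-String | Write-Host
}
if (-not $listener) {
    Write-Warning 'Nothing is listening on loopback UDP port 53; is stubby.exe running?'
}
Write-Host ("Established TCP connections to port 853: {0}" -f $tls.Count)

if ($leaks -or -not $listener) { exit 1 }
Write-Host 'OK: all active adapters resolve through the loopback listener.'
```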

If you encounter problems or want to turn Stubby off for any reason then reverse this change to restore the default network settings (no DNS Privacy) by running

PowerShell -ExecutionPolicy bypass -file  "C:\Program Files\Stubby\stubby_resetdns_windows.ps1"


Modify your upstream resolvers (Windows 7)

Follow the procedure above, but use the scripts:

  • C:\Program Files\Stubby\stubby_setdns_windows7.ps1 and
  • C:\Program Files\Stubby\stubby_resetdns_windows7.ps1

    WARNING: These scripts can only update DNS servers on the IPv4 service. IPv6 will still use the default DNS servers, sending queries in clear text, so one option is to disable IPv6; the other is to manually update the IPv6 addresses (see below).

Create a Scheduled Task

If you want Stubby to always start when you boot your system, you can create a Scheduled task for this. A template for the task is provided.

To create the task just run

schtasks /create /tn Stubby /XML "C:\Program Files\Stubby\stubby.xml" /RU <your_user_name>


Known Issues

  • We are aware of occasional issues when Windows sleeps and resumes, after which Stubby must be restarted to work correctly.

  • If you get an error when trying to run Stubby that includes the words "Could not bind on given address" then retry the command from an 'Administrator' Command prompt window

  • The '-h' output of stubby.exe shows the wrong path for the installed configuration file. An issue has been opened for this.

  • The installer currently overwrites the stubby.yml file so if changes have been made a backup should be created before upgrading

  • We have had reports of an issue on Windows 7 where one of the latest optional updates is required for certificate verification to work: see this issue.

Manual update of system resolvers on Windows

If you need to manually inspect or change your system resolvers on Windows through the GUI then do the following:

  1. Open the Control Panel
  2. Choose 'Network and Internet'
  3. Choose 'View network status and tasks' under 'Network and Sharing Center' 
  4. Choose 'Change adapter settings' from the left hand menu
  5. Then choose your interface - most likely either 'Wi-fi' or 'Ethernet'
  6. In the dialog that appears, click on the 'Properties' button at the bottom
  7. In the list that appears double click on 'Internet Protocol Version 4 (TCP/IPv4)'
    1. You can toggle your DNS between using the default DNS servers provided by the network you are on and setting specific servers using the bottom radio buttons on this page
    2. Be sure to press OK and then Close to apply the settings. 
  8. Repeat step 7 for  'Internet Protocol Version 6 (TCP/IPv6)' if you have IPv6 enabled

A helpful screenshot (in German):

Opportunistic mode

If you have changed the default config in the stubby.yml file and are running in Opportunistic mode then you may want to add an alternative DNS server in here for robustness. However DNS queries sent to this server will be sent clear text over UDP/TCP, so this is NOT recommended for Strict mode unless required for bootstrapping (e.g. in a corporate network).



32 Comments

  1. Anonymous

    I can't wait!

  2. Anonymous

    Interested!

  3. Anonymous

    Waiting for the release

  4. Anonymous

    I don't like the idea that ISPs can now snoop on your data attached with your name and sell all that to third parties. DNS over TLS with the help of Stubby is needed!

  5. Anonymous

    Interested, too. I'm a Win7 user. 

  6. Anonymous

    Critical typo in "Manual update of system revolvers on Windows" Step 7 (or Step 8).

    Both of them refer to IPv6. One of them should be "IPv4".

  7. Anonymous

    dnssec does not work on windows ?


    1. It is not turned on by default. It should work if you set up your trust anchor and manually change the configuration:

      Configuring Stubby#DNSSEC

      1. Anonymous

        I have changed the configuration, after restart -> 'server not found' error in different browsers

        Sara Dickinson: I edited this comment (and the one below) to remove the debug output for readability. I've created an issue in the github issue tracker instead: https://github.com/getdnsapi/stubby/issues/40

        Please use that issue for follow up!

        1. I just tested and this is working for me on Windows 10.

          • Is this an intermittent problem or do all sites fail?
          • Can you double check your configuration by running

          "C:\Program Files\Stubby\stubby.exe" -C "C:\Program Files\Stubby\stubby.yml" -i

          • What happens if you run this command
          "C:\Program Files\Stubby\getdns_query" -s -a -l L @185.49.141.37 getdnsapi.net -C "C:\Program Files\Stubby\stubby.yml"
  8. Anonymous

    • all sites failed

    • C:\Users\test>"C:\Program Files\Stubby\getdns_query" -s -a -l L @185.49.141.37 getdnsapi.net -C "C:\Program Files\Stubby\stubby.yml"

    <snip>Content removed for readability. Please refer to issue https://github.com/getdnsapi/stubby/issues/40 for follow up </snip>

    1. Thanks for output. Config looks OK. I would try re-running the powershell script to set the dns servers. If that doesn't work please contact me directly at sara@sinodun.com so we can do some more debugging?



  9. Anonymous

    I miss an option to pass requests to local domain services (e.g. router/local domain/local reverse dns) to a local nameserver.

  10. Anonymous

    Reported an issue for use on Windows 7 here.

    1. Anonymous

      In the manual setup section there's some info missing: In the first property tab, switch the second section to manual and enter IP 127.0.0.1, but don't forget to also add your current DNS resolver under the alternative DNS server, otherwise you might be in trouble when rebooting in a corporate network.

  11. Anonymous

    instead of service, try a scheduled task:


    create a stubby.bat with e.g.:

    "C:\Program Files\Stubby\stubby.exe" -C "C:\Program Files\Stubby\stubby.yml" -l


    create a stubby.vbs to hide the cmd window with:

    Dim WinScriptHost
    Set WinScriptHost = CreateObject("WScript.Shell")
    WinScriptHost.Run Chr(34) & "C:\Program Files\Stubby\stubby.bat" & Chr(34), 0
    Set WinScriptHost = Nothing


    create a scheduled task and use the stubby.vbs script, run at boot. ready.

    now you should have stubby running at boot.

  12. Anonymous

    Thanks for creating this!!! I'm running a Windows 7 System and being not so advanced, awaiting your "clear for Windows 7".

  13. Anonymous

    stubby works fine with windows 7 prof. the powershell-command doesn't work but the manual update of system resolvers works fine.
    install stubby → manual update → start .bat → feeling good (smile)

    thank you all very much for this masterpiece of innovation.

    greeetz 

    1. Thanks for the report - I've added some text about Windows 7 support.

  14. Anonymous

    You can't download Stubby.msi if you are accessing the wiki with your current alias domain dnsprivacy.net. This is also true for all attachment downloads from the wiki.

    Please add 302 http redirection dnsprivacy.net → dnsprivacy.org.


    1. Thanks for the report - this should be fixed now.

  15. Anonymous

    When will we get version 0.1.5? Stubby works wonderful so far, but running it as a service would be even better.

    1. I agree! We are doing what we can with limited resources.... we'll try to get a release out with at least a scheduled task included before the end of November. In the meantime, we welcome PR's to the Stubby github repo. 

  16. Anonymous

    Your solution in this section doesn't reset to the windows default dns-settings completely!

    "If you encounter problems or want to turn Stubby off for any reason then reverse this change to restore the default network settings (no DNS Privacy) by running"


    What was missing (on my system) was that the DNS address was not received automatically from DHCP. It was still set to localhost also on new/fresh wlan profiles.

  17. Anonymous

    My, my, my - the Stubby configuration parser is not accepting backslashes in directory strings, such as in: 

    dnssec_trust_anchors: "C:\Program Files\Unbound\root.key"

    This should be fixed asap.

    (Everything apparently works if backslashes are replaced by forward slashes)



    1. Thanks for the report - will investigate. Please create an issue on the stubby github issue tracker if you find any other such bugs!

  18. Anonymous

    Is it possible to have an updated stubby with the updated powershell scripts compatible with windows 7, there's a pull request

    1. Yes, my goal is to update the Windows installer before the holidays as there are several small updates to do and a new release of stubby due out this week.

  19. Anonymous

    We should think about adding stubby for windows to the chocolatey repository. Chocolatey is an open-source tool for deploying software on windows, like brew on macos.

    If you do so you have to call the package maybe stubby-dns or getdns-stubby because stubby is already used by an old package, see chocolatey website

    1. Thanks - will look at this for the next release too!

  20. Anonymous

    The installer isn't working for me. I open the installer and it immediately closes.