It is recommended to use the default configuration file provided, which uses 'Strict' privacy mode and spreads the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses.
Note also that this file only enables a small subset of the available servers by default. Users can choose to use additional servers by uncommenting the relevant sections in the file. See DNS Privacy Test Servers for details of the available servers.
Create Custom Configuration File
Alternatively, the configuration file location can be specified on the command line using the -C flag. Changes to the configuration file require a restart of Stubby.
Note that using DNSSEC can add a small performance overhead because it increases the number of queries required to resolve a DNS request.
Opportunistic DoT to your local resolver
Some users may want to have a configuration for Stubby that will always use the resolver from the system configuration (most likely but not always on the local network), but with encryption used where possible. This is an Opportunistic mode which does not authenticate the DoT server. To configure Stubby in this mode:
- Set the transport list and authentication parameter in the configuration to:

      dns_transport_list:
        - GETDNS_TRANSPORT_TLS
        - GETDNS_TRANSPORT_UDP
        - GETDNS_TRANSPORT_TCP
      tls_authentication: GETDNS_AUTHENTICATION_NONE
- Remove (or comment out) all the upstream_resolvers. This will cause Stubby to fall back to using the system resolvers only.
Note: a future version of Stubby will most likely support a mixed mode of system resolvers and configured resolvers.
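To check which mode a given configuration file actually selects, the following added example (not part of the Stubby documentation or code) reports whether a configuration is Strict or Opportunistic and why. It assumes block-style YAML lists as shown above and that configured upstreams sit under the `upstream_recursive_servers` key of Stubby's YAML configuration; the sample configurations, names and addresses are constructed.

```python
import re

# Constructed sample configurations (not taken from the page).
STRICT = """\
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  - address_data: 192.0.2.53
    tls_auth_name: "dns.example.net"
"""
OPPORTUNISTIC = """\
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
  - GETDNS_TRANSPORT_TCP
tls_authentication: GETDNS_AUTHENTICATION_NONE
# upstream_recursive_servers:
#   - address_data: 192.0.2.53
"""

def parse(text):
    """Collect top-level scalars and block-style list items (small YAML subset)."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumes no '#' in values)
        top = re.match(r"([A-Za-z_]+):\s*(.*)$", line)
        if top:  # unindented "key: value", or "key:" opening a list
            key = top.group(1)
            cfg[key] = top.group(2) or []
        elif key and isinstance(cfg[key], list) and line.strip().startswith("- "):
            cfg[key].append(line.strip()[2:].strip())
    return cfg

def classify(text):
    """Return (mode, findings) for a Stubby configuration."""
    cfg = parse(text)
    transports = cfg.get("dns_transport_list", [])
    findings = []
    cleartext = [t for t in transports if t != "GETDNS_TRANSPORT_TLS"]
    if cleartext or not transports:
        findings.append("not TLS-only: " + (", ".join(cleartext) or "no transport list set"))
    if cfg.get("tls_authentication") != "GETDNS_AUTHENTICATION_REQUIRED":
        findings.append("DoT server not authenticated")
    mode = "opportunistic" if findings else "strict"
    if not cfg.get("upstream_recursive_servers"):
        findings.append("no upstreams configured: system resolvers in use")
    return mode, findings

if __name__ == "__main__":
    for name, sample in (("strict", STRICT), ("opportunistic", OPPORTUNISTIC)):
        print(name, classify(sample))
```

A file is reported as strict only when TLS is the sole transport and authentication is required; anything else is treated as opportunistic.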
In the 0.1.2 release of Stubby there is runtime logging, which can be turned on by using the '-l' flag.