The Homebrew formula currently installs the 0.2.2 version of stubby, based on libgetdns 1.4.1

Installation

1. Install Homebrew if you don't aleady have it:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"


2. Install stubby

brew install stubby

Running Stubby on the command line

sudo /usr/local/opt/bin/stubby -C /usr/local/etc/stubby/stubby.yml -l
  • The -l flag enables logging

Logging from the stubby service

The logging is currently crude and simply writes to a file. (We are working on making this better!) To see the logs

sudo tail -f /usr/local/var/log/stubby/stubby.log

Test Stubby

A quick test can be done by using dig (or your favourite DNS tool) on the loopback address

> dig @127.0.0.1 www.example.com

Running Stubby as a service

Running stubby like this will mean it runs continually in the background

sudo brew services start stubby

Modify your upstream resolvers

Once this change is made your DNS queries will be re-directed to Stubby and sent over TLS! 
(You may need to restart some applications to have them pick up the network settings).

For Stubby to re-send outgoing DNS queries over TLS the recursive resolvers configured on your machine must be changed to send all the local queries to the loopback interface on which Stubby is listening.

To switch to use Stubby for DNS resolution run:

sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh

To switch back to your default DNS config (no privacy) use:

sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh -r

Configuring stubby

It is recommended to use the default configuration file provided which will use 'Strict' privacy mode and spread the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses. The file is installed in:

/usr/local/etc/stubby/stubby.yml


More information on how to customise the configuration can be found here.


  • No labels

17 Comments

  1. Anonymous

    Small fix:


    > dig @127.0.0.1www.example.com

    > dig @127.0.0.1 www.example.com

  2. Anonymous

    The command:

    sudo /usr/local/opt/sbin/stubby-setdns-macos.sh

    does not work.

    sudo: /usr/local/opt/sbin/stubby-setdns-macos.sh: command not found
    1. Anonymous

      One reason could be a wrong file path

      I installed from homebrew and the correct file path for the above bash script on my machine is:

      /usr/local/opt/stubby/sbin/

      If that doesn't work, you might try to cd to the correct directory and run the script from there

      1. The latest formula (v0.1.5) now does install the file and it is installed in /usr/local/opt/stubby/sbin as you pointed out. I've updated the page to have the correct paths now. Thanks. 

  3. Anonymous

    I worked around the problem with downloading it from:

    https://github.com/getdnsapi/stubby

  4. Anonymous

    What is the right way to install?

    add the missing file to the Cellar and create a link in ../sbin/

    1. The formula should install in automatically when stubby is build - I'll look into it. Thanks for the report!

      1. The latest formula (v0.1.5) now does install the file and it is installed in /usr/local/opt/stubby/sbin as you pointed out. I've updated the page to have the correct paths now. Thanks.

        1. Anonymous

          Thx. It works now.

  5. Anonymous

    /usr/local/opt/etc/stubby/stubby.conf→ /usr/local/opt/etc/stubby/stubby.yml on topic "Configuring stubby".

  6. Anonymous

    Maybe we can add Quad9?

       - address_data: 9.9.9.9
         tls_auth_name: "dns.quad9.net"
         tls_pubkey_pinset:
           - digest: "sha256"
             value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

    -BartM

    1. Yes - We'll likely add the info for this service in the next Stubby release

  7. Anonymous

    Is there a way to configure stubby so that all DNS queries for our internal domain (eg *.xyz.com) go to our local DNS server, but all external go via DNS-TLS?  We've got AD and other DNS entries that's not exposed outside.

    1. Not yet, but some folks are running Unbound as a local caching forwarder with Stubby (see about a third of the way down this blog post) and it is possible to configure forward zones in Unbound. I'm planning on documenting this in detail on this site as we have a separate request for this:https://github.com/getdnsapi/stubby/issues/32

  8. Anonymous

    "Configuring stubby", above, states that the config file is at:

    /usr/local/opt/etc/stubby/stubby.yml

    On my homebrew install to macOS the config file is:

    /usr/local/etc/stubby/stubby.yml