The Homebrew formula currently installs version 0.3.0 of stubby, based on libgetdns 1.6.0.
See this issue for details of problems with Homebrew on Big Sur: https://github.com/getdnsapi/stubby/issues/272#issuecomment-738622312
Installation
1. Install Homebrew if you don't already have it:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
2. Install stubby
brew install stubby
Running Stubby on the command line
sudo /usr/local/opt/stubby/bin/stubby -C /usr/local/etc/stubby/stubby.yml -l
- The -l flag enables logging
Logging from the stubby service
The logging is currently crude and simply writes to a file. (We are working on making this better!) To see the logs:
sudo tail -f /usr/local/var/log/stubby/stubby.log
Test Stubby
A quick test can be done by using dig (or your favourite DNS tool) on the loopback address:
> dig @127.0.0.1 www.example.com
Running Stubby as a service
Running stubby like this will mean it runs continually in the background
sudo brew services start stubby
Modify your upstream resolvers
Once this change is made your DNS queries will be re-directed to Stubby and sent over TLS!
(You may need to restart some applications to have them pick up the network settings).
For Stubby to re-send outgoing DNS queries over TLS the recursive resolvers configured on your machine must be changed to send all the local queries to the loopback interface on which Stubby is listening.
To switch to use Stubby for DNS resolution run:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
To switch back to your default DNS config (no privacy) use:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh -r
Configuring stubby
It is recommended to use the default configuration file provided which will use 'Strict' privacy mode and spread the DNS queries among several of the current DNS Privacy test servers. Note that this file contains both IPv4 and IPv6 addresses. The file is installed in:
/usr/local/etc/stubby/stubby.yml
More information on how to customise the configuration can be found here.
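If you do customise the file, it is worth confirming that it still describes 'Strict' mode. The script below is an added example, not part of Stubby or its Homebrew formula: it checks that `tls_authentication` is `GETDNS_AUTHENTICATION_REQUIRED`, that `dns_transport_list` contains only `GETDNS_TRANSPORT_TLS`, and that every upstream carries a `tls_auth_name` or `tls_pubkey_pinset`. The function name and the sample addresses and names are constructed for illustration, and it assumes block-style lists with `address_data` as the first key of each upstream.

```sh
#!/bin/sh
# Added example (not project code): audit a stubby.yml for 'Strict' privacy mode.
# Assumes block-style YAML lists with address_data first in each upstream entry.
# Exit status: 0 = Strict, 1 = findings printed, 2 = file unreadable.
stubby_strict_audit() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Strip comments and blank lines, then walk the remaining keys.
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1" | awk '
    function close_upstream() {
        if (addr != "" && !auth) {
            print "FAIL: upstream " addr " has no tls_auth_name or tls_pubkey_pinset"
            bad = 1
        }
        addr = ""; auth = 0
    }
    /^[A-Za-z_]+:/ { close_upstream(); section = $1; sub(/:$/, "", section) }
    $1 == "tls_authentication:" { mode = $2 }
    section == "dns_transport_list" && $1 == "-" {
        n++
        if ($2 != "GETDNS_TRANSPORT_TLS") { print "FAIL: non-TLS transport " $2; bad = 1 }
    }
    section == "upstream_recursive_servers" {
        if ($1 == "-" && $2 == "address_data:") { close_upstream(); addr = $3 }
        else if ($1 == "tls_auth_name:" || $1 == "tls_pubkey_pinset:") auth = 1
    }
    END {
        close_upstream()
        if (mode != "GETDNS_AUTHENTICATION_REQUIRED") {
            print "FAIL: tls_authentication is " (mode == "" ? "unset" : mode); bad = 1
        }
        if (!n) { print "FAIL: dns_transport_list has no entries"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample config: the second upstream carries no authentication data.
sample=$(mktemp)
cat > "$sample" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 192.0.2.1
    tls_auth_name: "dns.example.net"
  - address_data: 192.0.2.2
EOF
stubby_strict_audit "$sample" || echo "config is not Strict"
rm -f "$sample"
```

To audit the installed file, call `stubby_strict_audit /usr/local/etc/stubby/stubby.yml`.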
17 Comments
Anonymous
Small fix:
> dig @127.0.0.1 www.example.com
→
> dig @127.0.0.1 www.example.com
Anonymous
The command:
does not work.
Anonymous
One reason could be a wrong file path
I installed from homebrew and the correct file path for the above bash script on my machine is:
/usr/local/opt/stubby/sbin/
If that doesn't work, you might try to cd to the correct directory and run the script from there
Sara Dickinson
The latest formula (v0.1.5) now does install the file and it is installed in /usr/local/opt/stubby/sbin as you pointed out. I've updated the page to have the correct paths now. Thanks.
Anonymous
I worked around the problem with downloading it from:
https://github.com/getdnsapi/stubby
Anonymous
What is the right way to install?
add the missing file to the Cellar and create a link in ../sbin/
Sara Dickinson
The formula should install it automatically when stubby is built - I'll look into it. Thanks for the report!
Sara Dickinson
The latest formula (v0.1.5) now does install the file and it is installed in /usr/local/opt/stubby/sbin as you pointed out. I've updated the page to have the correct paths now. Thanks.
Anonymous
Thx. It works now.
Anonymous
/usr/local/opt/etc/stubby/stubby.conf → /usr/local/opt/etc/stubby/stubby.yml on topic "Configuring stubby".
Sara Dickinson
Thanks - fixed!
Anonymous
Maybe we can add Quad9?
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=
-BartM
Sara Dickinson
Yes - We'll likely add the info for this service in the next Stubby release
Anonymous
Is there a way to configure stubby so that all DNS queries for our internal domain (e.g. *.xyz.com) go to our local DNS server, but all external go via DNS-TLS? We've got AD and other DNS entries that are not exposed outside.
Sara Dickinson
Not yet, but some folks are running Unbound as a local caching forwarder with Stubby (see about a third of the way down this blog post) and it is possible to configure forward zones in Unbound. I'm planning on documenting this in detail on this site as we have a separate request for this: https://github.com/getdnsapi/stubby/issues/32
Anonymous
"Configuring stubby", above, states that the config file is at:
On my homebrew install to macOS the config file is:
Sara Dickinson
Thanks - fixed!