This documentation is a work in progress while the Stubby docs move home to dnsprivacy.org. For the latest complete documentation, see https://getdnsapi.net/blog/dns-privacy-daemon-stubby/
'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.
Stubby is developed by the getdns project.
For more background and FAQ see our About Stubby page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way!
Why Use Stubby?
Read about the problem with DNS Privacy and how Stubby helps
Key Features:
- Runs as a daemon listening on the loopback addresses (127.0.0.1, ::1)
- Sends all outgoing DNS queries received on those addresses out over TLS
- Uses a default configuration which provides Strict Privacy and uses a subset of the available DNS Privacy servers
Stubby uses getdns. It is recommended to use the 1.1.1 release or later of getdns, and preferably the latest stable getdns release.
Installation
At the moment Stubby lives with the getdns code, but Stubby is being moved to its own home on GitHub, so keep an eye on this page for updates on how to install the latest version!
Stubby is supported on several platforms:
- Linux
  - Build from source
  - Packages
- macOS
  - Build from source
  - Homebrew Tap
  - Installer including prototype GUI on the way!
- Windows
We hope to have support on mobile platforms in the future.
Configuration
See our Stubby configuration guide.
Support
Bugs or feature requests can be directed to any of:
- MAILING LIST: the getdns users mailing list
- BUG TRACKER: the getdns GitHub issue tracker
- or directly to sara@sinodun.com
How can I contribute to the getdns/Stubby projects?
- Run and test Stubby. Give feedback and report bugs!
- Contribute code to https://github.com/getdnsapi/getdns
- Run a DNS privacy resolver
Other options
Other ways to run a privacy daemon are:
- Run Unbound as a local forwarder using the ssl-upstream option to encrypt outgoing queries. This provides a local caching resolver, but at the moment Unbound doesn't fully support RFC 7766 as a client, so you may not see the same performance as from Stubby (which pipelines queries).
- Work is in progress to enable Knot Resolver to work in this mode too.