Supernova's tildeblog

Nothing fancy. Available via gemini at gemini://tilde.team/~supernova/blog

Stubby Part 2

September 21, 2020 — ~supernova

This week I installed Stubby to get DNS over TLS (DoT). Some upstream servers are configured by default, but these may not be the closest or fastest from your location. Also, not all servers are set up to work correctly with all of Stubby's features, so it takes a bit of trial and error to get the best servers enabled for DoT.

I found a great list of potential servers in a post at forum.opnsense.org. I also found the Project dnsprivacy-monitoring page at dnsprivacy.org which tests servers for compatibility, but I haven’t really figured out what exactly needs to be green to work with Stubby.

So the best way I found to pick servers is to take the list from the opnsense forum and first ping all of them to get the response time to each from your location. Keep in mind that ping measures ICMP round trips while DoT runs over TCP port 853, so a server that rate-limits or drops ICMP can look slower than it is, and a fast ping does not tell you the TLS handshake will succeed. Then take a whole bunch of the fastest servers and add them to your stubby.yml config file. Restart Stubby and watch the log file for errors with individual servers, and remove those servers from your config file. Restart Stubby again and make sure all the servers you have enabled are working.

With the default setup (round_robin_upstreams: 1 in stubby.yml) Stubby uses "round robin", sending queries to each enabled server in turn rather than only to the fastest, so be sure all your servers have a good response time. Setting it to 0 instead treats the list as ordered: Stubby sticks to the first working server and only moves on to the next when it becomes unavailable.
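The ranking and checking steps above, as an added example that is mine and not code from this post or from Stubby/getdns: it measures latency to TCP port 853 instead of ICMP ping, does the TLS handshake with the tls_auth_name as SNI, and recomputes the SPKI pin from the certificate the server actually presents, so a stale pin is caught before the Stubby log has to tell you. The embedded sample config is this post's own two servers; parse_upstreams, probe_upstream and rank are names I chose, and the tiny DER walker only handles the certificate layout it needs.

```python
"""Rank candidate DNS-over-TLS upstreams and check their SPKI pins.

Added example for this post (not Stubby/getdns code). Offline helpers parse a
stubby.yml upstream list and compute the base64(sha256(SubjectPublicKeyInfo))
value that tls_pubkey_pinset expects; probe_upstream() does the network part.
"""
import base64
import hashlib
import socket
import ssl
import time

DOT_PORT = 853

# Constructed sample: the two upstreams from this post, in stubby.yml form.
SAMPLE_STUBBY_YML = """\
upstream_recursive_servers:
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
      - digest: "sha256"
        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
  - address_data: 185.213.26.187   # dot.eastus.pi-dns.com
    tls_auth_name: "dot.eastus.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4=
"""


def parse_upstreams(text):
    """Pull address_data / tls_auth_name / pinset values out of a stubby.yml
    upstream list. Only the line shapes used above are handled (no YAML lib)."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("- address_data:"):
            servers.append({"address": line.split(":", 1)[1].strip(), "pins": []})
        elif line.startswith("tls_auth_name:"):
            servers[-1]["auth_name"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("value:"):
            servers[-1]["pins"].append(line.split(":", 1)[1].strip().strip('"'))
    return servers


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def extract_spki(der_cert):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo ...
    """
    tag, pos, _ = _tlv(der_cert, 0)                 # Certificate
    tag2, pos, _ = _tlv(der_cert, pos)              # tbsCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = _tlv(der_cert, pos)
    if tag == 0xA0:                                 # explicit [0] version present: skip
        pos = end
    for _ in range(5):                              # serial, sigalg, issuer, validity, subject
        _, _, pos = _tlv(der_cert, pos)
    tag, _, end = _tlv(der_cert, pos)               # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return der_cert[pos:end]


def pin_of_spki(spki_der):
    """Pin format Stubby uses: base64(sha256(SPKI DER)), same as HPKP (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(der_cert):
    return pin_of_spki(extract_spki(der_cert))


def probe_upstream(address, auth_name, pins, timeout=3.0):
    """Time a TCP connect to address:853, handshake TLS with SNI and hostname
    check against the system CA store, and compare the leaf SPKI pin to `pins`.
    Only the handshake is exercised; no DNS query is sent."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    try:
        with socket.create_connection((address, DOT_PORT), timeout=timeout) as sock:
            connect_ms = (time.perf_counter() - t0) * 1000
            t1 = time.perf_counter()
            with ctx.wrap_socket(sock, server_hostname=auth_name) as tls:
                handshake_ms = (time.perf_counter() - t1) * 1000
                pin = spki_pin(tls.getpeercert(binary_form=True))
    except OSError as exc:                          # timeout, refused, bad cert or name (SSLError)
        return {"address": address, "error": str(exc)}
    return {"address": address, "connect_ms": round(connect_ms, 1),
            "handshake_ms": round(handshake_ms, 1), "pin": pin, "pin_ok": pin in pins}


def rank(results):
    """Servers that handshake and match a pin first, fastest first; failures last."""
    ok = [r for r in results if "error" not in r and r["pin_ok"]]
    bad = [r for r in results if r not in ok]
    return sorted(ok, key=lambda r: r["connect_ms"] + r["handshake_ms"]) + bad


if __name__ == "__main__":
    for r in rank([probe_upstream(s["address"], s["auth_name"], s["pins"])
                   for s in parse_upstreams(SAMPLE_STUBBY_YML)]):
        print(r)
```

Run it as an ordinary user; unlike ping it needs no raw sockets. A server without a pinset in the config ends up with pin_ok False, which is deliberate: the printed pin is what you would paste into tls_pubkey_pinset after checking it out of band. Stubby's real authentication decisions are made by getdns, so treat this as a way to rank candidates, not a substitute for watching the Stubby log: a server can pass the handshake and still misbehave on queries, like the DNSSEC issue noted on dns.cmrg.net below.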

Here are the servers I use:

## SPKI pins as of September 2020. If a server re-keys, the old pin no longer
## matches and authentication fails, so re-check the pins before copying these.
upstream_recursive_servers:
## 5 - The dns.cmrg.net DNS TLS Server  A+ ( CAN ) 40ms
## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
## DNSSEC.
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
      - digest: "sha256"
        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) 110ms
  - address_data: 185.213.26.187
    tls_auth_name: "dot.eastus.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4=

tags: stubby, dns, dot

timestamp: 2020-09-21 21:15:14