How to use DNS-over-TLS with Stubby?

Following the announcement of DNS over TLS for Google DNS (8.8.8.8), we examine how to configure DNS-over-TLS on our computers by using Stubby.

First, let's install Stubby from the Ubuntu 18 software repository:

sudo apt install stubby

Stubby starts working immediately with its pre-defined configuration. To add Google DNS (8.8.8.8 and 8.8.4.4), add the following entries to the existing upstream_recursive_servers list in the configuration file:

/etc/stubby/stubby.yml
# Google
- address_data: 8.8.8.8
  tls_auth_name: "dns.google"
  tls_pubkey_pinset:
    - digest: "sha256"
      value: nxmRHK4Oq08HNWWYZwakeCHmiKvsDsEaBPS3blQ+nSE=
- address_data: 8.8.4.4
  tls_auth_name: "dns.google"
  tls_pubkey_pinset:
    - digest: "sha256"
      value: nxmRHK4Oq08HNWWYZwakeCHmiKvsDsEaBPS3blQ+nSE=

The pin value can be verified by connecting to the resolver, extracting the public key from its certificate and hashing the DER-encoded SubjectPublicKeyInfo; the output must match the value above. Note that Stubby authenticates the upstream by tls_auth_name against the system CA store, and the pinset is an additional check: a pin that goes stale after Google rotates its key will stop resolution until it is updated.

openssl s_client -connect 8.8.8.8:853 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
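The one-liner above checks a single resolver by eye. The script below, an added example that is not part of the original post, wraps the same openssl pipeline in functions so that every upstream in the pinset can be checked in one run and a mismatch produces a non-zero exit status (useful as a periodic check before a stale pin silently breaks resolution). The function names, the -servername flag (to send SNI for dns.google) and the argument handling are my choices; the pin value is the one from the stubby.yml entries above.

```shell
#!/bin/sh
# Added example: verify the SPKI pin of DNS-over-TLS resolvers against
# the value configured in stubby.yml. Requires only openssl.
set -eu

# spki_pin: read a PEM certificate on stdin and print the base64-encoded
# SHA-256 digest of its DER SubjectPublicKeyInfo, which is exactly the
# format Stubby expects in tls_pubkey_pinset "value".
spki_pin() {
    openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# fetch_leaf_cert HOST PORT NAME: open a TLS connection with SNI set to
# NAME and print the server's leaf certificate in PEM form. stdin is
# redirected from /dev/null so s_client exits instead of waiting for input.
fetch_leaf_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509
}

# check_pin HOST PORT NAME EXPECTED: compare the live pin with EXPECTED,
# print a one-line verdict and return 0 on match, 1 on mismatch.
check_pin() {
    actual=$(fetch_leaf_cert "$1" "$2" "$3" | spki_pin)
    if [ "$actual" = "$4" ]; then
        echo "OK       $1 ($3): $actual"
        return 0
    fi
    echo "MISMATCH $1 ($3): got $actual, expected $4" >&2
    return 1
}

# Pin as listed in the post's stubby.yml entries for dns.google.
EXPECTED_PIN="nxmRHK4Oq08HNWWYZwakeCHmiKvsDsEaBPS3blQ+nSE="

# main HOST...: check every resolver given on the command line against
# EXPECTED_PIN; exit non-zero if any of them does not match.
main() {
    status=0
    for host in "$@"; do
        check_pin "$host" 853 dns.google "$EXPECTED_PIN" || status=1
    done
    return "$status"
}

# Usage: sh check_pins.sh 8.8.8.8 8.8.4.4
# Without arguments the functions are defined but nothing is contacted.
[ "$#" -eq 0 ] || main "$@"
```

Run it with the resolver addresses as arguments; the exit status is 0 only when every upstream still presents the pinned key, so it drops straight into a cron job or a pre-deployment check.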

After confirming that Stubby is listening on port 53, we can start using encrypted DNS by setting 127.0.0.1 as the DNS server in our network settings:

sudo netstat -lnptu | grep stubby
