Build Stubby from source
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.
1. Create stubby user account:
sudo useradd -M stubby && sudo usermod -L stubby && sudo usermod -a -G stubby stubby
2. Download needed packages and library components:
sudo apt install -y libyaml-dev libuv1-dev check git cmake libidn2-dev libsystemd-dev libev-dev libssl-dev libunbound-dev
- The libuv1-dev package must match your system architecture (check it with: dpkg --print-architecture), so install the matching one of:
sudo apt install -y libuv1-dev:arm64
sudo apt install -y libuv1-dev:armhf
sudo apt install -y libuv1-dev:amd64
sudo apt install -y libuv1-dev:i386
3. Download getdns repo:
git clone https://github.com/getdnsapi/getdns.git
4. Enter working subdirectory:
cd getdns && git checkout master && git submodule update --init
5. Create a build directory:
mkdir build && cd build
6. Build latest Stubby package:
cmake -DBUILD_STUBBY=ON ..
7. Make and install:
make && sudo make install
8. Remove and re-create the stubby.yml file, copy and paste these settings [click here], then save (control+x, then y, then enter):
sudo rm /usr/local/etc/stubby/stubby.yml && sudo nano /usr/local/etc/stubby/stubby.yml
9. [OPTIONAL] Change the location of dnssec_trust_anchors to the unbound anchors on line 57
Stubby notice:
From release 1.2.0, getdns comes with built-in DNSSEC trust anchor management. External trust anchor management, for example with unbound-anchor, is no longer necessary and no longer recommended.
Previously installed trust anchors, in the default location will be preferred and used for DNSSEC validation, however getdns will fallback to trust-anchors obtained via built-in trust anchor management when the anchors from the default location fail to validate the root DNSKEY rrset.
If you built unbound from source, set the location to /etc/unbound/root.key.
Edit the file manually or change it from the command line:
awk '{sub(/[/]var/,"") && sub(/lib/,"etc")}1' /usr/local/etc/stubby/stubby.yml > stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
Or disable it and use the built-in DNSSEC trust anchor management:
awk '{sub(/dnssec_trust/,"#dnssec_trust")}1' /usr/local/etc/stubby/stubby.yml > stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
(If you neither set the path nor disable it, stubby will log an error.)
10. Forward to Stubby's addresses in Unbound's upstreams. Open nano /etc/unbound/unbound.conf
and uncomment the Stubby addresses (remove the # in front of lines 169 & 170)
Or do it from the command line:
awk '{sub(/[#]forward-addr: 127.0.0.1@8053/,"forward-addr: 127.0.0.1@8053") || sub(/[#]forward-addr: ::1@8053/,"forward-addr: ::1@8053")}1' /etc/unbound/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/
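As an added example (not the wiki's own commands and not part of the getdns/Stubby project), here are the two config edits from steps 9 and 10 as reusable, idempotent shell functions, plus a check that the configured trust-anchor file actually exists, which is the condition that avoids the logged error mentioned in step 9. It runs against constructed sample copies in a temporary directory, so the real /usr/local/etc/stubby/stubby.yml and /etc/unbound/unbound.conf are never touched; the function names, the sample file contents and the placeholder root.key are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki or the getdns/Stubby project. Works on
# constructed sample files under a temp directory; nothing here touches
# /usr/local/etc/stubby or /etc/unbound. Function names are assumptions.

# Edit a file via a temporary copy, as the wiki's "awk ... > file && mv" does.
edit_in_place() {  # edit_in_place <file> <sed-args>...
    file="$1"; shift
    sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Point dnssec_trust_anchors at a given root.key, uncommenting the line if needed.
set_trust_anchors() {  # set_trust_anchors <stubby.yml> <root.key path>
    edit_in_place "$1" \
      "s|^\([[:space:]]*\)#\{0,1\}[[:space:]]*dnssec_trust_anchors:.*|\1dnssec_trust_anchors: \"$2\"|"
}

# Comment the line out so getdns falls back to built-in trust anchor management.
disable_trust_anchors() {  # disable_trust_anchors <stubby.yml>
    edit_in_place "$1" 's|^\([[:space:]]*\)dnssec_trust_anchors:|\1#dnssec_trust_anchors:|'
}

# Print the active (uncommented) dnssec_trust_anchors path, or nothing.
configured_trust_anchors() {  # configured_trust_anchors <stubby.yml>
    sed -n 's|^[[:space:]]*dnssec_trust_anchors:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*|\1|p' "$1"
}

# Succeed only if an anchors path is configured and that file exists.
trust_anchors_exist() {  # trust_anchors_exist <stubby.yml>
    path=$(configured_trust_anchors "$1")
    [ -n "$path" ] && [ -f "$path" ]
}

# Uncomment the two Stubby forward-addr lines in an unbound.conf.
enable_stubby_forwarders() {  # enable_stubby_forwarders <unbound.conf>
    edit_in_place "$1" \
      -e 's|^\([[:space:]]*\)#[[:space:]]*\(forward-addr: 127\.0\.0\.1@8053\)|\1\2|' \
      -e 's|^\([[:space:]]*\)#[[:space:]]*\(forward-addr: ::1@8053\)|\1\2|'
}

# Count active forward-addr lines pointing at port 8053 (prints 0 if none).
count_stubby_forwarders() {  # count_stubby_forwarders <unbound.conf>
    grep -c '^[[:space:]]*forward-addr: .*@8053' "$1" || true
}

# --- constructed sample input ------------------------------------------------
WORK=$(mktemp -d)
touch "$WORK/root.key"   # placeholder standing in for /etc/unbound/root.key
cat > "$WORK/stubby.yml" <<'EOF'
# constructed sample: the relevant lines of stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_trust_anchors: "/var/lib/unbound/root.key"
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
EOF
cat > "$WORK/unbound.conf" <<'EOF'
# constructed sample: the forward-zone block of unbound.conf
forward-zone:
    name: "."
    #forward-addr: 127.0.0.1@8053
    #forward-addr: ::1@8053
EOF

# Step 9, variant A: point at an existing anchors file.
set_trust_anchors "$WORK/stubby.yml" "$WORK/root.key"
# Step 9, variant B: disable external anchors on a second copy.
cp "$WORK/stubby.yml" "$WORK/stubby-builtin.yml"
disable_trust_anchors "$WORK/stubby-builtin.yml"
# Step 10: enable the Stubby forwarders in unbound.conf.
enable_stubby_forwarders "$WORK/unbound.conf"

echo "trust anchors now: $(configured_trust_anchors "$WORK/stubby.yml")"
echo "active Stubby forwarders: $(count_stubby_forwarders "$WORK/unbound.conf")"
```

Running the functions a second time leaves the files unchanged, which is the property the page's awk one-liners lack (running the trust-anchor awk twice would mangle an already-rewritten path). To apply them to the real files, pass the real paths and run with sudo, keeping a backup copy first.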
11. Create the Stubby systemd service file:
sudo nano /lib/systemd/system/stubby.service
Copy in the following and save:
[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target
[Service]
User=stubby
DynamicUser=yes
CacheDirectory=stubby
WorkingDirectory=/var/cache/stubby
ExecStart=/usr/local/bin/stubby
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Restart=on-failure
RestartSec=1
[Install]
WantedBy=multi-user.target
Enable and start the stubby service:
sudo systemctl enable stubby && sudo systemctl start stubby
Reboot, then check the service status:
sudo systemctl status stubby