################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
# This format does not fully support all yaml features - the restrictions are:
#   - the outer-most data structure must be a yaml mapping
#   - mapping keys must be yaml scalars
#   - plain scalars will be converted to json unchanged
#   - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
#     as json strings, i.e. double quoted.
#   - yaml tags are not supported
#   - IPv6 addresses ending in :: are not yet supported (use ::0); see also the
#     note under LISTEN ADDRESS about addresses that would start with ::
#
# Also beware that yaml is sensitive to the indentation at the start of each
# line, so if you encounter errors when parsing the config file then please check
# that first. We will add better checking, but a useful online tool to check yaml
# format is here (it also converts yaml to json):
# https://yaml-online-parser.appspot.com/
# (Bear in mind that pasting a file into an online tool sends its contents to a
# third party; a local checker such as yamllint avoids that.)
#
# Note that we plan to introduce a more compact format for defining upstreams
# in future: https://github.com/getdnsapi/stubby/issues/79

################################### LOGGING ####################################
# Define at which level messages will be logged to stdout. Can be one of:
# GETDNS_LOG_EMERG, GETDNS_LOG_ALERT, GETDNS_LOG_CRIT, GETDNS_LOG_ERR,
# GETDNS_LOG_WARNING, GETDNS_LOG_NOTICE, GETDNS_LOG_INFO or GETDNS_LOG_DEBUG
# where GETDNS_LOG_EMERG is the least and GETDNS_LOG_DEBUG the most verbose.
# NOTE(review): the more verbose levels are likely to include per-query detail
# (such as query names) in the output, so treat stdout/the journal as sensitive
# if you raise this above NOTICE on a shared host - confirm what your getdns
# build actually logs before relying on this.
log_level: GETDNS_LOG_NOTICE


########################## BASIC & PRIVACY SETTINGS ############################
# Specifies whether to run as a recursive or stub resolver.
# For stubby this MUST be set to GETDNS_RESOLUTION_STUB: stubby forwards every
# query to the upstreams listed under upstream_recursive_servers below rather
# than recursing itself.
resolution_type: GETDNS_RESOLUTION_STUB

# Ordered list composed of one or more transport protocols:
# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
# If only one transport value is specified it will be the only transport used.
# Should it not be available basic resolution will fail.
# Fallback transport options are specified by including multiple values in the
# list.  Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
# SECURITY: adding GETDNS_TRANSPORT_UDP or GETDNS_TRANSPORT_TCP here means that
# whenever the TLS upstreams are unreachable, queries are sent in clear text -
# an on-path attacker who simply blocks the TLS port can force that downgrade.
# Keep this list TLS-only if you rely on tls_authentication below.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Selects Strict or Opportunistic Usage profile as described in
# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
# ONLY for the case when TLS is the one and only transport specified above.
# Strict mode requires that authentication information for the upstreams is
# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
# is included in the transport list above.
# For Strict use        GETDNS_AUTHENTICATION_REQUIRED
# For Opportunistic use GETDNS_AUTHENTICATION_NONE
# With GETDNS_AUTHENTICATION_NONE the upstream is not authenticated: a TLS
# connection then only protects against passive observers, and an active
# attacker can impersonate the upstream. For REQUIRED to be meaningful every
# upstream below must carry a tls_auth_name and/or a tls_pubkey_pinset.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# EDNS0 option to pad the size of the DNS query to the given blocksize
# 128 is currently recommended by
# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
# Padding only hides query sizes inside an encrypted (TLS) connection; it buys
# nothing for queries sent over plain UDP/TCP. The upstream must also pad its
# responses (see the draft) for the size side-channel to be closed both ways.
tls_query_padding_blocksize: 128

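# EDNS0 option for ECS client privacy as described in Section 7.1.2 of
# https://tools.ietf.org/html/rfc7871
# 1 (the setting used here) asks the upstream NOT to forward any part of your
# IP address to authoritative servers (ECS with SOURCE PREFIX-LENGTH 0).
# If you really want to use a resolver that sends ECS (such as Google or the
# Quad9 'secure w/ECS' service) in order to gain better geo-location of
# content, then be aware that this will expose a portion of your IP address in
# queries to some authoritative servers. You will need to configure that
# upstream below and also set this parameter to 0 to fully enable ECS.
edns_client_subnet_private: 1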

############################# CONNECTION SETTINGS ##############################
# Set to 1 to instruct stubby to distribute queries across all available name
# servers - this will use multiple simultaneous connections which can give
# better performance in most (but not all) cases.
# Set to 0 to treat the upstreams below as an ordered list and use a single
# upstream until it becomes unavailable, then use the next one.
# Privacy note: with 1 every configured upstream operator sees a share of your
# query stream; with 0 normally only the first reachable one does. Choose the
# setting that matches which operators you are willing to trust with that data.
round_robin_upstreams: 1

# EDNS0 option for keepalive idle timeout in milliseconds as specified in
# https://tools.ietf.org/html/rfc7828
# This keeps idle TLS connections open to avoid the overhead of opening a new
# connection for every query. Note that if a given server doesn't implement
# EDNS0 keepalive and uses an idle timeout shorter than this stubby will backoff
# from using that server because the server is always closing the connection.
# This can degrade performance for certain configurations, so reducing the
# idle_timeout to below the shortest idle timeout used by any of your upstreams
# is recommended (see the per-upstream notes below, e.g. for Cloudflare).
idle_timeout: 10000

# Control the maximum number of connection failures that will be permitted
# before Stubby backs-off from using an individual upstream (default 2)
# tls_connection_retries: 2

# Control the maximum time in seconds Stubby will back-off from using an
# individual upstream after failures under normal circumstances (default 3600)
# tls_backoff_time: 3600

# Specify the directory in which the CA certificates used for verifying upstream
# server certificates are located - this overrides the OS specific default
# location. Every tls_auth_name check below is only as trustworthy as the CAs in
# this store, so keep it limited to CAs you actually trust and add a
# tls_pubkey_pinset where you want protection against a mis-issued certificate.
# tls_ca_path: "/etc/ssl/certs/"

# Limit the total number of outstanding queries permitted on one TCP/TLS
# connection (default is 0, no limit)
# limit_outstanding_queries: 0

# Specify the timeout in milliseconds on getting a response to an individual
# request (default 5000)
# timeout: 5000

# Set the acceptable ciphers for DNS over TLS.  With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
# The default below is limited to forward-secret AEAD suites; avoid widening it.
# (default as shown)
# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"

# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
# (default as shown)
# tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream. (default is 1.2) Do not lower
# this below GETDNS_TLS1_2: older TLS versions are deprecated and weaken the
# confidentiality that DNS-over-TLS is meant to provide.
# tls_min_version: GETDNS_TLS1_2

# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream. (default is 1.3)
# tls_max_version: GETDNS_TLS1_3

################################ LISTEN ADDRESS ################################
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
# specify a different port. (Note that due to restrictions within the config
# file parser, an IPv6 address cannot start with `::` - hence 0::1 below.)
# SECURITY: keep this on loopback unless stubby is deliberately serving other
# hosts. Listening on a LAN or public address makes it a forwarder for anyone
# who can reach it; nothing in this file restricts which clients may query, so
# any wider exposure needs to be fenced off with a host firewall.
listen_addresses:
  - 127.0.0.1
  - 0::1

############################### DNSSEC SETTINGS ################################
# Require DNSSEC validation. This will withhold answers with BOGUS DNSSEC
# status and answers that could not be validated (i.e. with DNSSEC status
# INDETERMINATE). Beware that if no DNSSEC trust-anchor is provided, or if
# stubby is not able to fetch and validate the DNSSEC trust-anchor itself,
# (using Zero configuration DNSSEC) stubby will not return answers at all.
# If DNSSEC validation is required, a trust-anchor is also required.
# (default is no DNSSEC validation)
# dnssec: GETDNS_EXTENSION_TRUE

# Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly
# when needed (Zero configuration DNSSEC), but only if it can store them
# somewhere.  The default location to store these files is the ".getdns"
# subdirectory in the user's home directory on Unixes, and the %appdata%\getdns
# directory on Windows. If there is no home directory, or
# the required subdirectory could not be created (or is not present), Stubby
# will fall back to the current working directory to try to store the
# trust-anchor files.
#
# When stubby runs as a special system-level user without a home directory
# however (such as in setups using systemd), it is recommended that an explicit
# location for storing the trust-anchor files is provided that is writable (and
# readable) by that special system user - and, since these files anchor DNSSEC
# validation, not writable by any other unprivileged user.
# appdata_dir: "/var/cache/stubby"

# When Zero configuration DNSSEC failed, because of network unavailability or
# failure to write to the appdata directory, stubby will backoff trying to
# refetch the DNSSEC trust-anchor for a specified amount of time expressed
# in milliseconds (which defaults to two and a half seconds).
# trust_anchors_backoff_time: 2500

# Specify the location of the installed trust anchor files to override the
# default location (see above)
# dnssec_trust_anchors:
#   - "/etc/unbound/getdns-root.key"


##################################  UPSTREAMS  ################################
# Specify the list of upstream recursive name servers to send queries to
# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
# so the upstream can be authenticated.
# The list below includes various public resolvers and some of the available test
# servers but only has the getdns developer operated upstream enabled by default.
###############################################################################
####  Users are recommended to use more than one upstream for robustness  #####
###############################################################################
# You can enable other resolvers by uncommenting the relevant
# section below or adding their information directly. Also see this list for
# other test servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
# If you don't have IPv6 then comment out those upstreams.
# In Opportunistic mode they only require an IP address in address_data; in
# Strict mode an upstream with neither tls_auth_name nor tls_pubkey_pinset
# cannot be authenticated and should not be listed.
# The information for an upstream can include the following:
# - address_data: IPv4 or IPv6 address of the upstream
#   port: Port for UDP/TCP (default is 53)
#   tls_auth_name: Authentication domain name checked against the server
#                  certificate (the certificate must chain to a CA in the store
#                  selected by tls_ca_path, or in the OS default store)
#   tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
#                      certificate. A set matches when any one of its pins
#                      matches, so list a backup pin where the operator
#                      publishes one, and expect to update the pins whenever
#                      the operator rotates keys (a stale pin stops resolution
#                      via that upstream in Strict mode).
#     - digest: Only "sha256" is currently supported
#       value: Base64 encoded value of the sha256 digest of the server's
#              DER-encoded SubjectPublicKeyInfo (public key)
#   tls_port: Port for TLS (default is 853)

# To always use the DHCP resolvers provided by the local network in Opportunistic
# mode then
# 1) In the dns_transport_list after TLS add UDP then TCP
# 2) Change to tls_authentication: GETDNS_AUTHENTICATION_NONE
# 3) Remove all the upstream_recursive_servers listed below
# Be aware that this configuration gives no protection against an active
# attacker on the local network: the DHCP-supplied resolver is not
# authenticated and, if it does not offer TLS, queries go out in clear text.

upstream_recursive_servers:
############################ DEFAULT UPSTREAM  ################################
####### IPv4 addresses ######
### Test servers ###
# The getdnsapi.net server
# Both tls_auth_name and tls_pubkey_pinset are given, so the certificate is
# checked against the CA store AND its public key against the pin (presumably a
# failure of either rejects the connection - confirm for your getdns version).
# The same pin is reused for the IPv6 entry below, so if the operator rotates
# the key both entries break together and, in Strict mode, resolution is
# expected to fail closed until the pin is updated.
# NOTE(review): verify the pin against a fresh connection to the server before
# relying on this default in production.
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
####### IPv6 addresses ######
### Test servers ###
# The getdnsapi.net server (IPv6 address; same key and pin as the IPv4 entry)
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=


############################ OPTIONAL UPSTREAMS  ###############################
####### IPv4 addresses ######
### Anycast services ###
## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 149.112.112.112
#    tls_auth_name: "dns.quad9.net"
## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
## See the entry for `edns_client_subnet_private` for more details on ECS
#  - address_data: 9.9.9.11
#    tls_auth_name: "dns11.quad9.net"
#  - address_data: 149.112.112.11
#    tls_auth_name: "dns11.quad9.net"
## Quad 9 'insecure' service - No filtering, no DNSSEC, doesn't send ECS
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns10.quad9.net"
#  - address_data: 149.112.112.10
#    tls_auth_name: "dns10.quad9.net"
## Cloudflare 1.1.1.1 and 1.0.0.1
## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
#  - address_data: 1.1.1.1
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 1.0.0.1
#    tls_auth_name: "cloudflare-dns.com"
## The Uncensored DNS servers
#  - address_data: 91.239.100.100
#    tls_auth_name: "anycast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "deic-ore.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
#######  pin for "deic-ore.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
#######  pin for "deic-lgb.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
#######  pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
#######  pin for "kracon.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
#######  pin for "kracon.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
#######  pin for "rgnet-iad.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
#######  pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
## Google
#  - address_data: 8.8.8.8
#    tls_auth_name: "dns.google"
#  - address_data: 8.8.4.4
#    tls_auth_name: "dns.google"
## Adguard Default servers
#  - address_data: 176.103.130.130
#    tls_auth_name: "dns.adguard.com"
#  - address_data: 176.103.130.131
#    tls_auth_name: "dns.adguard.com"
## Adguard Family Protection servers
#  - address_data: 176.103.130.132
#    tls_auth_name: "dns-family.adguard.com"
#  - address_data: 176.103.130.134
#    tls_auth_name: "dns-family.adguard.com"
## Comcast
#  - address_data: 96.113.151.145
#    tls_auth_name: "dot.xfinity.com"
### A few unicast test servers ###
## The Uncensored DNS servers
#  - address_data: 89.233.43.71
#    tls_auth_name: "unicast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "unicast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
#######  pin for  "unicast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
## dns.neutopia.org
#  - address_data: 89.234.186.112
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## Fondation RESTENA (NREN for Luxembourg)
#  - address_data: 158.64.1.29
#    tls_auth_name: "dnspub.restena.lu"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: aC/vKm0neSr3uDucVsYO62RPZ4ETWjoI0Gw8uWjGdLg=
## NIC Chile
#  - address_data: 200.1.123.46
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## Foundation for Applied Privacy
#  - address_data: 146.255.56.98
#    tls_auth_name: "dot1.applied-privacy.net"


####### IPv6 addresses #######
### Anycast services ###
## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::9
#    tls_auth_name: "dns.quad9.net"
## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
## See the entry for `edns_client_subnet_private` for more details on ECS
#  - address_data: 2620:fe::11
#    tls_auth_name: "dns11.quad9.net"
#  - address_data: 2620:fe::fe:11
#    tls_auth_name: "dns11.quad9.net"
## Quad 9 'insecure' service - No filtering, no DNSSEC, doesn't send ECS
#  - address_data: 2620:fe::10
#    tls_auth_name: "dns10.quad9.net"
#  - address_data: 2620:fe::fe:10
#    tls_auth_name: "dns10.quad9.net"
## Cloudflare servers
## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"
## The Uncensored DNS servers
#  - address_data: 2001:67c:28a4::0
#    tls_auth_name: "anycast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "deic-ore.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
#######  pin for "deic-ore.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
#######  pin for "deic-lgb.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
#######  pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
#######  pin for "kracon.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
#######  pin for "kracon.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
#######  pin for "rgnet-iad.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
#######  pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
## Google
#  - address_data: 2001:4860:4860::8888
#    tls_auth_name: "dns.google"
#  - address_data: 2001:4860:4860::8844
#    tls_auth_name: "dns.google"
## Adguard Default servers
#  - address_data: 2a00:5a60::ad1:0ff
#    tls_auth_name: "dns.adguard.com"
#  - address_data: 2a00:5a60::ad2:0ff
#    tls_auth_name: "dns.adguard.com"
## Adguard Family Protection servers
#  - address_data: 2a00:5a60::bad1:0ff
#    tls_auth_name: "dns-family.adguard.com"
#  - address_data: 2a00:5a60::bad2:0ff
#    tls_auth_name: "dns-family.adguard.com"
## Comcast
#  - address_data: 2001:558:fe21:6b:96:113:151:145
#    tls_auth_name: "dot.xfinity.com"
### A few unicast test servers ###
## The Uncensored DNS server
#  - address_data: 2a01:3a0:53:53::0
#    tls_auth_name: "unicast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for  "unicast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
#######  pin for "unicast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
## Fondation RESTENA (NREN for Luxembourg)
#  - address_data: 2001:a18:1::29
#    tls_auth_name: "kaitain.restena.lu"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
## dns.neutopia.org
#  - address_data: 2a00:5884:8209::2
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## NIC Chile
#  - address_data: 2001:1398:1:0:200:1:123:46
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## Foundation for Applied Privacy
#  - address_data: 2a02:1b8:10:234::2
#    tls_auth_name: "dot1.applied-privacy.net"

####### Servers that listen on port 443 (IPv4 and IPv6) #######
### Test servers ###
## The getdnsapi.net server
#  - address_data: 185.49.141.37
#    tls_port: 443
#    tls_auth_name: "getdnsapi.net"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## The getdnsapi.net server (IPv6 address)
#  - address_data: 2a04:b900:0:100::38
#    tls_port: 443
#    tls_auth_name: "getdnsapi.net"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## dns.neutopia.org
#  - address_data: 89.234.186.112
#    tls_port: 443
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## dns.neutopia.org
#  - address_data: 2a00:5884:8209::2
#    tls_port: 443
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### A few unicast test servers ###
## Foundation for Applied Privacy
#  - address_data: 146.255.56.98
#    tls_port: 443
#    tls_auth_name: "dot1.applied-privacy.net"
#  - address_data: 2a02:1b8:10:234::2
#    tls_port: 443
#    tls_auth_name: "dot1.applied-privacy.net"