-
-
Save alanbuxey/8713073e232adfd56198e8cd8ee1258b to your computer and use it in GitHub Desktop.
# | |
# This is a yaml version of the stubby configuration file (it replaces the | |
# json based stubby.conf file used in earlier versions of getdns/stubby). | |
# | |
# For more information see | |
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby | |
# | |
# This format does not fully support all yaml features - the restrictions are: | |
# - the outer-most data structure must be a yaml mapping | |
# - mapping keys must be yaml scalars | |
# - plain scalars will be converted to json unchanged | |
# - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted | |
# as json strings, i.e. double quoted. | |
# - yaml tags are not supported | |
# - IPv6 addresses ending in :: are not yet supported (use ::0) | |
# | |
# Note that we plan to introduce a more compact format for defining upstreams | |
# in future: https://github.com/getdnsapi/stubby/issues/79 | |
# Logging is currently configured at runtime using command line arguments. See | |
# > stubby -h | |
# for details. | |
# Specifies whether to run as a recursive or stub resolver | |
# For stubby this MUST be set to GETDNS_RESOLUTION_STUB | |
resolution_type: GETDNS_RESOLUTION_STUB | |
# Ordered list composed of one or more transport protocols: | |
# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS | |
# If only one transport value is specified it will be the only transport used. | |
# Should it not be available basic resolution will fail. | |
# Fallback transport options are specified by including multiple values in the | |
# list. Strict mode (see below) should use only GETDNS_TRANSPORT_TLS. | |
dns_transport_list: | |
- GETDNS_TRANSPORT_TLS | |
# Selects Strict or Opportunistic Usage profile as described in | |
# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/ | |
# Strict mode requires that authentication information for the upstreams is | |
# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP | |
# is included in the transport list above. | |
# For Strict use GETDNS_AUTHENTICATION_REQUIRED | |
# For Opportunistic use GETDNS_AUTHENTICATION_NONE | |
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED | |
# EDNS0 option to pad the size of the DNS query to the given blocksize | |
# 128 is currently recommended by | |
# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03 | |
tls_query_padding_blocksize: 128 | |
# EDNS0 option for ECS client privacy as described in Section 7.1.2 of | |
# https://tools.ietf.org/html/rfc7871 | |
edns_client_subnet_private : 1 | |
# EDNS0 option for keepalive idle timeout in ms as specified in | |
# https://tools.ietf.org/html/rfc7828 | |
# This keeps idle TLS connections open to avoid the overhead of opening a new | |
# connection for every query. | |
idle_timeout: 10000 | |
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4 | |
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to | |
# specify a different port | |
listen_addresses: | |
- 127.0.0.1 | |
- 0::1 | |
# Instructs stubby to distribute queries across all available name servers. | |
# Set to 0 to treat the upstreams below as an ordered list and use a single | |
# upstream until it becomes unavailable, then use the next one. | |
round_robin_upstreams: 1 | |
# Require DNSSEC validation. For releases earlier than 1.2 a trust anchor must | |
# be configured configured manually. This can be done with unbound-anchor. | |
# dnssec_return_status: GETDNS_EXTENSION_TRUE | |
# Specify the location of the installed trust anchor file (leave commented out | |
# for zero configuration DNSSEC) | |
# dnssec_trust_anchors: "/etc/unbound/getdns-root.key" | |
# Control the maximum number of connection failures that will be permitted | |
# before Stubby backs-off from using an individual upstream (default 2) | |
# tls_connection_retries: 5 | |
# Control the maximum time in seconds Stubby will back-off from using an | |
# individual upstream after failures under normal circumstances (default 3600) | |
# tls_backoff_time: 300 | |
# Limit the total number of outstanding queries permitted | |
# limit_outstanding_queries: 100 | |
# Specify the timeout on getting a response to an individual request | |
# (default 5s) | |
# timeout: 1 | |
# Specify the list of upstream recursive name servers to send queries to | |
# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset | |
# so the upstream can be authenticated. | |
# The list below includes all the available test servers but only has the subset | |
# operated the stubby/getdns developers enabled. You can enable any of the | |
# others you want to use by uncommenting the relevant section. See: | |
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers | |
# If you don't have IPv6 then comment then out those upstreams. | |
# In Opportunistic mode they only require an IP address in address_data. | |
# The information for an upstream can include the following: | |
# - address_data: IPv4 or IPv6 address of the upstream | |
# port: Port for UDP/TCP (default is 53) | |
# tls_auth_name: Authentication domain name checked against the server | |
# certificate | |
# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server | |
# certificate | |
# - digest: Only "sha256" is currently supported | |
# value: Base64 encoded value of the sha256 fingerprint of the public | |
# key | |
# tls_port: Port for TLS (default is 853) | |
upstream_recursive_servers: | |
- address_data: 1.1.1.1 | |
tls_auth_name: "cloudflare-dns.com" | |
tls_pubkey_pinset: | |
- digest: "sha256" | |
value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI= | |
- address_data: 1.0.0.1 | |
tls_auth_name: "cloudflare-dns.com" | |
tls_pubkey_pinset: | |
- digest: "sha256" | |
value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI= | |
- address_data: 2606:4700:4700::1111 | |
tls_auth_name: "cloudflare-dns.com" | |
tls_pubkey_pinset: | |
- digest: "sha256" | |
value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI= | |
- address_data: 2606:4700:4700::1001 | |
tls_auth_name: "cloudflare-dns.com" | |
tls_pubkey_pinset: | |
- digest: "sha256" | |
value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI= |
..and cloudflare have updated their cert - have updated the gist.
Public keys seem to be outdated again. Where and how are you getting them from?
after checking that the address still belongs to cloudflare....
echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Public keys seem to be outdated again. Where and how are you getting them from?
have updated the Gist again. some will say this is a problem with cert pinning but I'd rather know i'm really talking to the box i think i'm talking to . have updated the Gist
Thanks, this is really helpful
after checking that the address still belongs to cloudflare....
echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Public keys seem to be outdated again. Where and how are you getting them from?
have updated the Gist again. some will say this is a problem with cert pinning but I'd rather know i'm really talking to the box i think i'm talking to . have updated the Gist
I agree. Knowing how to get the public key is helpful. Please keep the gist up to date so others can confirm their public keys.
updated with new keys
I think I started with an .xml file - but anyway, the docs say a .yaml file or .yml file would represent a backwards compatible file. My config has not been checked for backwards compatibility. nor will it ever be