Build Stubby from source
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.
1. Create stubby user account:
sudo useradd -M stubby && sudo usermod -L stubby && sudo usermod -a -G stubby stubby
2. Download needed packages and library components:
sudo apt install -y libyaml-dev libuv1-dev check git cmake libidn2-dev libsystemd-dev libev-dev libssl-dev libunbound-dev
- The libuv development package must match the system architecture. Check it with dpkg --print-architecture and install the matching one:
sudo apt install -y libuv1-dev:arm64
sudo apt install -y libuv1-dev:armhf
sudo apt install -y libuv1-dev:amd64
sudo apt install -y libuv1-dev:i386
3. Download getdns repo:
git clone https://github.com/getdnsapi/getdns.git
4. Enter working subdirectory:
cd getdns && git checkout master && git submodule update --init
5. Create a build directory:
mkdir build && cd build
6. Build latest Stubby package:
cmake -DBUILD_STUBBY=ON ..
7. Make and install:
make && sudo make install
8. Download the stubby.yml file and move it to the Stubby config folder:
sudo wget https://raw.githubusercontent.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/main/stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
Stubby notice:
From release 1.2.0, getdns comes with built-in DNSSEC trust anchor management. External trust anchor management, for example with unbound-anchor, is no longer necessary and no longer recommended.
Previously installed trust anchors in the default location will be preferred and used for DNSSEC validation; however, getdns will fall back to trust anchors obtained via built-in trust anchor management when the anchors from the default location fail to validate the root DNSKEY RRset.
OPTIONAL:
If you do not want to use the Unbound trust anchor, disable it in stubby.yml and use the built-in DNSSEC trust anchor management:
awk '{sub(/dnssec_trust/,"#dnssec_trust")}1' /usr/local/etc/stubby/stubby.yml > stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
9. Forward queries to the Stubby address in the Unbound upstreams. Open the config with sudo nano /etc/unbound/unbound.conf.d/unbound.conf
and uncomment the Stubby addresses (remove the # in front of lines 169 and 170).
Or do it from command line:
awk '{sub(/[#]forward-addr: 127.0.0.1@8053/,"forward-addr: 127.0.0.1@8053") || sub(/[#]forward-addr: ::1@8053/,"forward-addr: ::1@8053")}1' /etc/unbound/unbound.conf.d/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/
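The awk edits from the optional part of step 8 and from step 9, as an added example (not part of this page or the repository): the same substitutions wrapped in functions that return non-zero when the expected line is missing (the one-liners above write an unchanged file silently) and that write back through the existing file so its owner and mode are kept (mv from your home directory replaces them). File paths and the sample file contents in demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): the awk edits of optional step 8 and step 9
# as functions that fail when the expected line is absent (the page's pipelines
# write an unchanged file silently) and that write back through the existing
# file so its owner and mode are kept (mv from your home directory drops them).

# Rewrite FILE in place with the output of AWKPROG, keeping FILE's permissions.
_rewrite() {  # usage: _rewrite FILE AWKPROG
    tmp=$(mktemp) || return 1
    awk "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Step 9: uncomment the two Stubby forwarders (127.0.0.1@8053 and ::1@8053)
# in an unbound.conf; other commented forward-addr lines are left untouched.
uncomment_stubby_forwarders() {
    grep -Eq '^[[:blank:]]*#[[:blank:]]*forward-addr: (127\.0\.0\.1|::1)@8053' "$1" || {
        echo "no commented Stubby forward-addr lines in $1" >&2; return 1; }
    _rewrite "$1" '/^[ \t]*#[ \t]*forward-addr: (127\.0\.0\.1|::1)@8053/ { sub(/#[ \t]*/, "") } 1'
}

# Optional step 8: comment out dnssec_trust_anchors in stubby.yml so getdns uses
# its built-in anchor management. Idempotent: an already commented line is not
# commented twice, and a run with nothing to do reports it instead.
disable_external_trust_anchor() {
    grep -q '^[[:blank:]]*dnssec_trust' "$1" || {
        echo "no active dnssec_trust setting in $1" >&2; return 1; }
    _rewrite "$1" '/^[ \t]*dnssec_trust/ { sub(/dnssec_trust/, "#dnssec_trust") } 1'
}

# Demo on constructed sample files (not the real configs). To use the functions
# on the real files, source this script as root and call them with the paths.
demo() {
    d=$(mktemp -d) || return 1
    printf '    #forward-addr: 127.0.0.1@8053\n    #forward-addr: ::1@8053\n' > "$d/unbound.conf"
    printf 'dnssec_trust_anchors: "/var/lib/unbound/root.key"\n' > "$d/stubby.yml"
    uncomment_stubby_forwarders "$d/unbound.conf" \
        && disable_external_trust_anchor "$d/stubby.yml" \
        && cat "$d/unbound.conf" "$d/stubby.yml"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```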
10. Create the Stubby systemd service file:
sudo nano /lib/systemd/system/stubby.service
Copy and save:
[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target
[Service]
User=stubby
DynamicUser=yes
CacheDirectory=stubby
WorkingDirectory=/var/cache/stubby
ExecStart=/usr/local/bin/stubby
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Restart=on-failure
RestartSec=1
[Install]
WantedBy=multi-user.target
Enable and start stubby service:
sudo systemctl enable stubby && sudo systemctl start stubby
Reboot
Check status:
sudo systemctl status stubby