
Build Stubby from source

trinib edited this page Nov 9, 2022 · 18 revisions

STUBBY

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts the DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.


1. Create stubby user account:

sudo useradd -M stubby && sudo usermod -L stubby && sudo usermod -a -G stubby stubby

2. Download needed packages and library components:

sudo apt install -y libyaml-dev libuv1-dev check git cmake libidn2-dev libsystemd-dev libev-dev libssl-dev libunbound-dev
  • libuv1-dev must match the system architecture; check it with dpkg --print-architecture and run only the matching line:

sudo apt install -y libuv1-dev:arm64
sudo apt install -y libuv1-dev:armhf
sudo apt install -y libuv1-dev:amd64
sudo apt install -y libuv1-dev:i386

3. Download getdns repo:

git clone https://github.com/getdnsapi/getdns.git

4. Enter working subdirectory:

cd getdns && git checkout master && git submodule update --init

5. Create a build directory:

mkdir build && cd build

6. Build latest Stubby package:

cmake -DBUILD_STUBBY=ON ..

7. Make and install:

make && sudo make install

8. Download the stubby.yml file and move it to the stubby config folder:

sudo wget https://raw.githubusercontent.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/main/stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/

Stubby notice:
From release 1.2.0, getdns comes with built-in DNSSEC trust anchor management. External trust anchor management, for example with unbound-anchor, is no longer necessary and no longer recommended.
Previously installed trust anchors in the default location will be preferred and used for DNSSEC validation; however, getdns will fall back to trust anchors obtained via built-in trust anchor management when the anchors from the default location fail to validate the root DNSKEY RRset.

OPTIONAL: If you do not want to use the unbound trust anchor, comment it out in stubby.yml and rely on the built-in DNSSEC trust anchor management:

awk '{sub(/dnssec_trust/,"#dnssec_trust")}1' /usr/local/etc/stubby/stubby.yml > stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/

9. Forward to the Stubby addresses in the Unbound upstreams. Open nano /etc/unbound/unbound.conf.d/unbound.conf and uncomment the Stubby addresses (remove the # in front of lines 169 and 170).
Or do it from the command line:

awk '{sub(/[#]forward-addr: 127.0.0.1@8053/,"forward-addr: 127.0.0.1@8053") || sub(/[#]forward-addr: ::1@8053/,"forward-addr: ::1@8053")}1' /etc/unbound/unbound.conf.d/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/
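The two awk one-liners above rewrite the config files by plain substitution, so running the stubby.yml one twice leaves "##dnssec_trust" and neither step checks its own result. As an added example, not part of this wiki, here are the same two edits done with line-anchored sed so they can be re-run safely, plus a check that both edits are in place; it assumes the key names shown on this page (dnssec_trust... in stubby.yml, forward-addr: ...@8053 in unbound.conf).

```shell
#!/bin/sh
# Added example (not from the wiki): idempotent versions of the two awk config
# edits above, plus a check that both edits took effect. Assumes the files use
# the key names shown on this page (dnssec_trust..., forward-addr: ...@8053).
set -eu

# Comment out every uncommented line starting with dnssec_trust in a stubby.yml.
# Anchored at line start, so already-commented lines are left alone and the
# function can be run repeatedly without producing "##dnssec_trust".
disable_stubby_trust_anchor() {
    sed 's/^\([[:space:]]*\)dnssec_trust/\1#dnssec_trust/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Uncomment the two Stubby forward-addr lines in an unbound.conf; any other
# commented forward-addr (e.g. a leftover public resolver) stays commented.
enable_unbound_stubby_forward() {
    sed -e 's/^\([[:space:]]*\)#[[:space:]]*\(forward-addr: 127\.0\.0\.1@8053\)/\1\2/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*\(forward-addr: ::1@8053\)/\1\2/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print how many uncommented lines of file $1 begin with the ERE $2.
count_active() {
    grep -c -E "^[[:space:]]*$2" "$1" || true
}

# Succeed only if stubby.yml no longer sets its own trust anchor and
# unbound.conf forwards to Stubby on both loopback addresses.
verify_forwarding_config() {
    [ "$(count_active "$1" 'dnssec_trust')" -eq 0 ] &&
    [ "$(count_active "$2" 'forward-addr: 127\.0\.0\.1@8053')" -eq 1 ] &&
    [ "$(count_active "$2" 'forward-addr: ::1@8053')" -eq 1 ]
}
```

Run verify_forwarding_config /usr/local/etc/stubby/stubby.yml /etc/unbound/unbound.conf.d/unbound.conf before restarting Unbound; a non-zero exit means one of the edits did not apply.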

Create a systemd service so Stubby starts at boot:

sudo nano /lib/systemd/system/stubby.service

Copy and save:

[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target

[Service]
User=stubby
DynamicUser=yes
CacheDirectory=stubby
WorkingDirectory=/var/cache/stubby
ExecStart=/usr/local/bin/stubby
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Restart=on-failure
RestartSec=1

[Install]
WantedBy=multi-user.target

Enable and start stubby service:

sudo systemctl enable stubby && sudo systemctl start stubby

Reboot

Check status:

sudo systemctl status stubby
