Build Stubby from source
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.
1. Create stubby user account:
sudo useradd -M stubby && sudo usermod -L stubby && sudo usermod -a -G stubby stubby
2. Download needed packages and library components:
sudo apt install -y libyaml-dev && sudo apt install -y libuv1-dev && sudo apt install -y check && sudo apt install -y git && sudo apt install -y cmake && sudo apt install -y libidn2-dev && sudo apt install -y libsystemd-dev && sudo apt install -y libev-dev && sudo apt install -y libssl-dev && sudo apt install -y libunbound-dev
- Install the libuv1-dev build that matches your system architecture (check with dpkg --print-architecture):
sudo apt install -y libuv1-dev:arm64
sudo apt install -y libuv1-dev:armhf
sudo apt install -y libuv1-dev:amd64
sudo apt install -y libuv1-dev:i386
3. Download getdns repo:
git clone https://github.com/getdnsapi/getdns.git
4. Enter working subdirectory:
cd getdns && git checkout master && git submodule update --init
5. Create a build directory:
mkdir build && cd build
6. Build latest Stubby package:
cmake -DBUILD_STUBBY=ON ..
7. Make and install:
make && sudo make install
8. Download stubby.yml file and move it to stubby folder:
sudo wget https://raw.githubusercontent.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/main/stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
Stubby notice:
From release 1.2.0, getdns comes with built-in DNSSEC trust anchor management. External trust anchor management, for example with unbound-anchor, is no longer necessary and no longer recommended.
Previously installed trust anchors in the default location will be preferred and used for DNSSEC validation; however, getdns will fall back to trust anchors obtained via built-in trust anchor management when the anchors from the default location fail to validate the root DNSKEY rrset.
OPTIONAL: If you do not want to use the Unbound trust anchor, disable it and use the built-in DNSSEC trust anchor management:
awk '{sub(/dnssec_trust/,"#dnssec_trust")}1' /usr/local/etc/stubby/stubby.yml > stubby.yml && sudo mv stubby.yml /usr/local/etc/stubby/
9. Forward Stubby address in Unbound upstreams. Open nano /etc/unbound/unbound.conf.d/unbound.conf and uncomment the Stubby addresses (remove the # in front of lines 169 and 170).
Or do it from the command line:
awk '{sub(/[#]forward-addr: 127.0.0.1@8053/,"forward-addr: 127.0.0.1@8053") || sub(/[#]forward-addr: ::1@8053/,"forward-addr: ::1@8053")}1' /etc/unbound/unbound.conf.d/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/
sudo nano /lib/systemd/system/stubby.service
Copy and save:
[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target
[Service]
User=stubby
DynamicUser=yes
CacheDirectory=stubby
WorkingDirectory=/var/cache/stubby
ExecStart=/usr/local/bin/stubby
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Restart=on-failure
RestartSec=1
[Install]
WantedBy=multi-user.target
Enable and start stubby service:
sudo systemctl enable stubby && sudo systemctl start stubby
Reboot
Check status:
sudo systemctl status stubby
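
A pre-install check for the stubby.yml fetched in step 8, as an added example that is not part of the original guide or of the Stubby project: it confirms the file requires authenticated, TLS-only upstreams and listens only on the loopback port 8053 that step 9 points Unbound at. The function names, the sample address 192.0.2.1 and the name dns.example.net are assumptions made for illustration, and the checks are line-based rather than a YAML parser.

```shell
# Added example: line-based pre-install checks for a downloaded stubby.yml.
active_lines() {  # the config minus comments, trailing blanks, empty lines
  sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}
# Return 0 when every check passes, 1 otherwise; findings go to stdout.
check_stubby_config() {
  cfg=$1; rc=0
  [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
  # Anything but REQUIRED is opportunistic: unauthenticated upstreams pass.
  active_lines "$cfg" | grep -Eq '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED$' ||
    { echo "FAIL: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED"; rc=1; }
  # Any transport besides TLS lets queries leave in cleartext.
  transports=$(active_lines "$cfg" | grep -Eo 'GETDNS_TRANSPORT_[A-Z]+' | sort -u | tr '\n' ' ')
  [ "$transports" = "GETDNS_TRANSPORT_TLS " ] ||
    { echo "FAIL: transports are '$transports', expected TLS only"; rc=1; }
  # Unbound forwards to 127.0.0.1@8053 and ::1@8053; allow only those listeners.
  listeners=$(active_lines "$cfg" | awk '
    /^listen_addresses:/ { in_l = 1; next }
    in_l && /^[ \t]*-/   { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    { in_l = 0 }')
  [ -n "$listeners" ] || { echo "FAIL: no listen_addresses entries found"; rc=1; }
  for l in $listeners; do
    case $l in
      127.0.0.1@8053|::1@8053|0::1@8053) ;;
      *) echo "FAIL: listener $l is not loopback port 8053"; rc=1 ;;
    esac
  done
  # Each upstream needs a name or key pin to authenticate its certificate.
  active_lines "$cfg" | awk '
    /address_data:/ { if (seen && !auth) bad++; seen = 1; auth = 0 }
    /tls_auth_name:|tls_pubkey_pinset:/ { auth = 1 }
    END { if (!seen || !auth) bad++; exit (bad > 0) }' ||
    { echo "FAIL: an upstream has no tls_auth_name or tls_pubkey_pinset"; rc=1; }
  return $rc
}
sample_config() {  # constructed input: documentation address and name
  cat <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
upstream_recursive_servers:
  - address_data: 192.0.2.1
    tls_auth_name: "dns.example.net"
EOF
}
if [ $# -gt 0 ]; then check_stubby_config "$1"; fi
```

Saved under a name of your choice and run with the downloaded stubby.yml as its argument, it fits between the wget and the sudo mv of step 8.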