Setting up DNS over TLS (DOT) Queries and DNS cache using Stubby and DNSMASQ

Post by t42 »

By default DNS traffic runs unencrypted over port 53. Here you'll find how to configure the Stubby DNS resolver in DNS over TLS mode and how to configure dnsmasq as a caching DNS server.
These instructions are relevant for Linux Mint 19, 20 and later, Xubuntu, Ubuntu 18.04 and later, Debian 10 (Buster) and later, and other distributions with Stubby in their repositories. Otherwise you need to compile Stubby from source.

Part 1
stubby installation and setup

[1]

sudo apt install stubby
[2]
Verify the status of the installed service:

systemctl status stubby

stubby.service - DNS Privacy Stub Resolver
Loaded: loaded (/lib/systemd/system/stubby.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-01 19:28:26 EET; 34s ago
[3]
Check that stubby is listening on TCP and UDP ports, both on IPv4 and IPv6:

sudo netstat -lnptu | grep stubby

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8705/stubby
tcp6       0      0 ::1:53                  :::*                    LISTEN      8705/stubby
udp        0      0 127.0.0.1:53            0.0.0.0:*                           8705/stubby
udp6       0      0 ::1:53                  :::*                                8705/stubby

If the netstat command is not found in your system, install net-tools:

sudo apt install net-tools
[4]
Do NOT edit the /etc/resolv.conf file to change the name server; leave it in its original state.
Note: /etc/resolv.conf may be a symbolic link to the file /run/NetworkManager/resolv.conf, generated by NetworkManager.

[5]
Left-click the Network Manager icon on the panel and open Network settings. Select your current network (for example Wired) and click the settings icon.
Select the IPv4 tab.
To prevent the system from getting the DNS server address from your router, switch DNS Automatic to OFF.
Enter 127.0.0.1 in the DNS Server field and click the Apply button.
[image: dnsautoof.png]
Repeat the same for all other used connections (Wi-Fi and Wired).

Note for Linux Mint XFCE and MATE: on the IPv4 tab set DHCP Method: to Automatic (DHCP) addresses only:
[image: xfce2.png]

[6]
Restart Network Manager:

sudo systemctl restart NetworkManager

[7]
Right-click the Network icon and then Network Settings (for Cinnamon; the interface of MATE or XFCE may differ a little). DNS should indicate 127.0.0.1.
[image: dns127+.png]

Stubby by default spreads the DNS queries among several DNS Privacy servers provided in the default configuration file stubby.yml (round robin mode is ON).
Note that stubby.yml contains both IPv4 and IPv6 addresses. For the sake of this post, IPv6 was set to OFF in the NetworkManager settings. The IPv6 setup is similar, in its own section of stubby.yml.

[8]

Edit the stubby.yml configuration file to add the DNS server that you intend to use.
To add the Cloudflare DNS over TLS server:

xed admin:///etc/stubby/stubby.yml

Note: change xed to gedit, pluma or featherpad, or use the nano editor in the terminal (sudo nano /etc/stubby/stubby.yml) for other desktop environments.

Scroll to the line upstream_recursive_servers: and add the following below that line and above the other DNS servers:

#CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

To use Google secure DNS servers, place this code as the first one after upstream_recursive_servers:

## Google
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"

Then change the line:

round_robin_upstreams: 1

to

round_robin_upstreams: 0

Save the file. If this option is set to 1 the servers are load balanced; if round_robin_upstreams is set to 0 only the first DNS server in the list is used.

[9]
Restart stubby:

sudo systemctl restart stubby

[10] - Optional
To be sure we are using port 853 and 1.1.1.1, install Wireshark:

sudo apt install wireshark
sudo adduser your_user_name wireshark

Log out and log in to apply the changes.
Start Wireshark, select the current network interface, enter "port 853" in the filter field and click the left icon on the toolbar to start the capture.
Enter in the terminal:

dig A linuxmint.com

You can see in the Wireshark main window that the request and answer are encrypted and we are using the intended server.

Part 2
dnsmasq installation and setup

[1]

sudo apt install dnsmasq

[2]

xed admin:///etc/default/dnsmasq

Verify these two lines are uncommented and save the file:

ENABLED=1
IGNORE_RESOLVCONF=yes

[3]

sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

xed admin:///etc/dnsmasq.conf

Delete all the content of dnsmasq.conf and insert these lines instead:

#
# Configuration file for dnsmasq acting as a caching nameserver.
#
# no-hosts = to ignore /etc/hosts
#
no-hosts
#
# no-resolv = not to use /etc/resolv.conf
# no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces
[4]

xed admin:///etc/stubby/stubby.yml

Change the two lines under the listen_addresses line and save the file.
Before:

listen_addresses:
  - 127.0.0.1
  -  0::1

After:

listen_addresses:
- 127.0.0.1@53000
- 0::1@53000

[5]

sudo systemctl restart stubby.service

[6]

sudo systemctl restart dnsmasq.service
[TEST]
Check the listening ports:

sudo netstat -lnptu | grep stubby

Expected output:

tcp        0      0 127.0.0.1:53000         0.0.0.0:*               LISTEN      888/stubby
tcp6       0      0 ::1:53000               :::*                    LISTEN      888/stubby
udp        0      0 127.0.0.1:53000         0.0.0.0:*                           888/stubby
udp6       0      0 ::1:53000               :::*                                888/stubby

[DNS cache test]
Enter the command:

dig A linuxmint.com

Repeat this command again:

dig A linuxmint.com

Note how the query time changes.

[Cloudflare test page]
In order to get the Cloudflare test (Cloudflare ESNI Checker) you need to set the browser about:config setting network.trr.mode to 2 or 3 and restart the browser. For me 3 does work. This is caused by the Firefox current version development problems. Please keep in mind that the Cloudflare test page is promoting a Cloudflare - Mozilla cooperation and may be unreliable with other DNS providers and browsers.
Last edited by t42 on Wed Jan 19, 2022 3:10 pm, edited 1 time in total.
-=t42=-
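An added consistency check, not part of the original post: the most common way this chain silently breaks is moving stubby to port 53000 in Part 2 while dnsmasq's server= line still forwards to port 53 (or the reverse), so the script below parses constructed copies of the two files edited in this tutorial, confirms the ports agree, and reports which upstream stubby will actually use when round_robin_upstreams is 0. The sample file contents and the temp directory are constructed here so it runs offline; point the functions at /etc/stubby/stubby.yml and /etc/dnsmasq.conf to check a real system.

```shell
#!/bin/sh
# Added check script, not from the original post; works on constructed sample configs.
SAMPLE_DIR=$(mktemp -d)
# Constructed sample of the stubby.yml fragments edited in Part 1 and Part 2.
cat > "$SAMPLE_DIR/stubby.yml" <<'EOF'
round_robin_upstreams: 0
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
EOF
# Constructed dnsmasq.conf as written in Part 2 step [3].
cat > "$SAMPLE_DIR/dnsmasq.conf" <<'EOF'
no-hosts
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces
EOF
# Constructed mistake: server= left without the #53000 port suffix.
printf 'server=127.0.0.1\nlisten-address=127.0.0.1\n' > "$SAMPLE_DIR/dnsmasq-bad.conf"
# Port stubby listens on for 127.0.0.1 ("- 127.0.0.1@53000"); stubby defaults to 53 without "@".
stubby_listen_port() {
  p=$(sed -n 's/^[[:space:]]*-[[:space:]]*127\.0\.0\.1@\([0-9][0-9]*\).*/\1/p' "$1" | head -n1)
  printf '%s\n' "${p:-53}"
}
# Port dnsmasq forwards to ("server=127.0.0.1#53000"); dnsmasq defaults to 53 without "#".
dnsmasq_upstream_port() {
  p=$(sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\).*/\1/p' "$1" | head -n1)
  printf '%s\n' "${p:-53}"
}
# The upstream stubby really uses: the first address_data when round_robin_upstreams is 0.
stubby_active_upstream() {
  if grep -q '^round_robin_upstreams:[[:space:]]*0' "$1"; then
    sed -n 's/^[[:space:]]*-[[:space:]]*address_data:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n1
  else
    echo round-robin
  fi
}
# Succeeds only when dnsmasq forwards to the port stubby listens on.
chain_consistent() {
  [ "$(stubby_listen_port "$1")" = "$(dnsmasq_upstream_port "$2")" ]
}
chain_consistent "$SAMPLE_DIR/stubby.yml" "$SAMPLE_DIR/dnsmasq.conf" && echo "chain OK"
chain_consistent "$SAMPLE_DIR/stubby.yml" "$SAMPLE_DIR/dnsmasq-bad.conf" || echo "chain BROKEN: dnsmasq forwards to port 53, stubby is not there"
echo "active upstream: $(stubby_active_upstream "$SAMPLE_DIR/stubby.yml")"
```

A mismatch means every query dnsmasq forwards times out (or, if stubby is still on 53, dnsmasq fails to bind and the system silently falls back to the router's plain-text resolver), which is exactly what the netstat check in [TEST] is meant to catch.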
Re: Setting up DNS over TLS (DOT) Queries and DNS cache using Stubby and DNSMASQ

Post by t42 »

Just citing a snippet in red at the top of this page:
Please don't add support questions to tutorials, start your own thread in the appropriate sub-forum instead.
-=t42=-