These instructions apply to Linux Mint 19, 20 and later, Xubuntu, Ubuntu 18.04 and later, Debian 10 (Buster) and later, and other distributions that have Stubby in their repositories. Otherwise you need to compile Stubby from source.
Part 1
stubby installation and setup
[1]
Code: Select all
sudo apt install stubby
Verify the status of installed service:
Code: Select all
systemctl status stubby
Code: Select all
stubby.service - DNS Privacy Stub Resolver
Loaded: loaded (/lib/systemd/system/stubby.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-01 19:28:26 EET; 34s ago
Check that stubby is listening on TCP and UDP ports both on IPv4 and IPv6:
Code: Select all
sudo netstat -lnptu | grep stubby
Code: Select all
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 8705/stubby
tcp6 0 0 ::1:53 :::* LISTEN 8705/stubby
udp 0 0 127.0.0.1:53 0.0.0.0:* 8705/stubby
udp6 0 0 ::1:53 :::* 8705/stubby
If netstat is not installed, install the net-tools package:
Code: Select all
sudo apt install net-tools
Do NOT edit the /etc/resolv.conf file to change the name server; leave it in its original state.
Note: /etc/resolv.conf may be a symbolic link to the file /run/NetworkManager/resolv.conf, generated by NetworkManager.
[5]
Left-click the Network Manager icon on the panel and open Network settings. Select your current network (for example Wired) and click the settings icon.
Select the IPv4 tab.
To prevent the system from getting the DNS server address from your router, switch DNS Automatic to OFF.
Enter 127.0.0.1 in the DNS Server field and click the Apply button. Repeat the same for all other connections in use (Wi-Fi and Wired).
Note for Linux Mint XFCE and MATE: on the IPv4 tab set DHCP Method: to Automatic (DHCP) addresses only.
[6]
Restart Network Manager
Code: Select all
sudo systemctl restart NetworkManager
Right-click the Network icon and then select Network Settings (this is for Cinnamon; the MATE or XFCE interface may differ a little). DNS should indicate 127.0.0.1.
By default, Stubby spreads the DNS queries among several DNS Privacy servers provided in the default configuration file stubby.yml (round robin mode is ON).
Note that stubby.yml contains both IPv4 and IPv6 addresses. For the sake of this post, IPv6 was set to OFF in the NetworkManager settings. IPv6 setup is similar, in its own section of stubby.yml.
[8]
Edit the stubby.yml configuration file to add the DNS server that you intend to use.
To add the Cloudflare DNS over TLS server:
Code: Select all
xed admin:///etc/stubby/stubby.yml
sudo nano /etc/stubby/stubby.yml
Use the sudo nano command for other desktop environments. Scroll to the line upstream_recursive_servers: and add the following below that line and above the other DNS servers:
Code: Select all
#CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
Code: Select all
## Google
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"
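Round robin mode is controlled by the following line (1 is ON):
Code: Select all
round_robin_upstreams: 1
To turn it OFF, so that Stubby uses the upstream servers in the order they are listed, set it to 0:
Code: Select all
round_robin_upstreams: 0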
[9]
Restart stubby:
Code: Select all
sudo systemctl restart stubby
To be sure we are using port 853 and 1.1.1.1, install Wireshark:
Code: Select all
sudo apt install wireshark
sudo adduser your_user_name wireshark
Start Wireshark, select the current network interface, enter "port 853" in the filter field and click the left icon on the toolbar to start the capture.
Enter in the terminal:
Code: Select all
dig A linuxmint.com
Part 2
dnsmasq installation and setup
[1]
Code: Select all
sudo apt install dnsmasq
Code: Select all
xed admin:///etc/default/dnsmasq
Code: Select all
ENABLED=1
IGNORE_RESOLVCONF=yes
Code: Select all
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
Code: Select all
xed admin:///etc/dnsmasq.conf
Code: Select all
#
# Configuration file for dnsmasq acting as a caching nameserver.
#
# no-hosts = to ignore /etc/hosts
#
no-hosts
#
# no-resolv = not to use /etc/resolv.conf
# no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces
Code: Select all
xed admin:///etc/stubby/stubby.yml
before:
Code: Select all
listen_addresses:
  - 127.0.0.1
  - 0::1
after:
Code: Select all
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
Code: Select all
sudo systemctl restart stubby.service
Code: Select all
sudo systemctl restart dnsmasq.service
Check the listening ports:
Code: Select all
sudo netstat -lnptu | grep stubby
Code: Select all
tcp 0 0 127.0.0.1:53000 0.0.0.0:* LISTEN 888/stubby
tcp6 0 0 ::1:53000 :::* LISTEN 888/stubby
udp 0 0 127.0.0.1:53000 0.0.0.0:* 888/stubby
udp6 0 0 ::1:53000 :::* 888/stubby
Enter the command:
Code: Select all
dig A linuxmint.com
Code: Select all
dig A linuxmint.com
[Cloudflare test page]
For the Cloudflare test (Cloudflare ESNI Checker) you need to set the browser about:config setting network.trr.mode to 2 or 3 and restart the browser. For me 3 does work. This is caused by development problems in the current Firefox version. Please keep in mind that the Cloudflare test page is promoting a Cloudflare - Mozilla cooperation and may be unreliable with other DNS providers and browsers.
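For the upstream_recursive_servers edit in Part 1: Stubby authenticates a DNS-over-TLS upstream by its tls_auth_name (or a tls_pubkey_pinset), so an entry pasted without one is worth catching before the restart. The check below is an added example, not part of the original post; the 192.0.2.53 entry and the function names are made up for illustration.

```shell
#!/bin/sh
# check_upstreams: read a stubby.yml on stdin, print every address_data entry
# under upstream_recursive_servers as "ADDRESS ok" or "ADDRESS NOAUTH", and
# return 1 if any entry has neither tls_auth_name nor tls_pubkey_pinset.
check_upstreams() {
    awk '
        function emit() {
            if (addr != "") {
                print addr, (auth ? "ok" : "NOAUTH")
                if (!auth) bad = 1
            }
            addr = ""; auth = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^upstream_recursive_servers:/ { inside = 1; next }
        inside && /^[^ \t-]/ { emit(); inside = 0 }    # next top-level key
        !inside { next }
        /^[ \t]*-[ \t]*address_data:/ {
            emit()
            sub(/^.*address_data:[ \t]*/, "")
            addr = $1
            next
        }
        /tls_auth_name:/ || /tls_pubkey_pinset:/ { auth = 1 }
        END { emit(); exit bad + 0 }
    '
}

# Constructed sample: the two Cloudflare entries from the post plus a
# hypothetical entry (192.0.2.53, a documentation address) with no auth name.
sample_config() {
    cat <<'EOF'
round_robin_upstreams: 0
upstream_recursive_servers:
#CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 192.0.2.53
listen_addresses:
  - 127.0.0.1
EOF
}

sample_config | check_upstreams || echo "fix the NOAUTH entries before restarting stubby"
```

On a real system, run it as check_upstreams < /etc/stubby/stubby.yml.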
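For the Part 2 layout (dnsmasq on 127.0.0.1:53 forwarding to Stubby on port 53000), this added example, which is not part of the original post, checks netstat -lnptu output so that a resolver bound to a non-loopback address or to the wrong port is noticed. The dnsmasq lines in the sample, PID 901 and the function names are constructed.

```shell
#!/bin/sh
# loopback_only PROC PORT: read `netstat -lnptu` output on stdin; succeed only
# if PROC owns at least one socket and every one is on 127.0.0.1 or ::1 at PORT.
loopback_only() {
    awk -v proc="$1" -v port="$2" '
        $NF ~ ("/" proc "$") {
            seen = 1
            n = split($4, part, ":")          # port is the last ":" field
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (part[n] != port || (host != "127.0.0.1" && host != "::1")) {
                print "unexpected listener: " $4 " (" $NF ")"
                bad = 1
            }
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# Constructed sample in the format shown in the post; the dnsmasq lines and
# PID 901 are made up for the example.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:53000 0.0.0.0:* LISTEN 888/stubby
tcp6 0 0 ::1:53000 :::* LISTEN 888/stubby
udp 0 0 127.0.0.1:53000 0.0.0.0:* 888/stubby
udp6 0 0 ::1:53000 :::* 888/stubby
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 901/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 901/dnsmasq
EOF
}

# check_chain: read netstat output on stdin and verify both daemons.
check_chain() {
    input=$(cat)
    printf '%s\n' "$input" | loopback_only stubby 53000 &&
        printf '%s\n' "$input" | loopback_only dnsmasq 53
}

sample_netstat | check_chain && echo "stubby and dnsmasq are loopback-only"
```

On a live system: sudo netstat -lnptu | check_chain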