Diffstat (limited to 'stuff/dnsforge-dot-mac.html')
-rw-r--r--  stuff/dnsforge-dot-mac.html  232
1 files changed, 119 insertions, 113 deletions
diff --git a/stuff/dnsforge-dot-mac.html b/stuff/dnsforge-dot-mac.html
index 1fd9777..035e155 100644
--- a/stuff/dnsforge-dot-mac.html
+++ b/stuff/dnsforge-dot-mac.html
@@ -3,156 +3,171 @@
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
- <title>subh.space</title>
+ <title>DNS over TLS on mac - subh.space</title>
<style>
+ /* Gruvbox Dark Hard Palette */
:root {
- --bg0: #282828;
- --bg1: #3c3836;
+ --bg-outer: #1d2021;
+ --bg-inner: #282828;
--fg: #ebdbb2;
--gray: #928374;
--yellow: #fabd2f;
- --green: #b8bb26;
- --orange: #fe8019;
--aqua: #8ec07c;
+ --blue: #83a598;
+ --orange: #fe8019;
+ --line: #3c3836;
}
body {
- font-family: 'Iosevka Nerd Font Propo', Iosevka;
- line-height: 1.7;
+ background-color: var(--bg-outer);
color: var(--fg);
- background-color: var(--bg0);
- max-width: 780px;
- margin: 40px auto;
- padding: 0 20px;
- -webkit-font-smoothing: antialiased;
+ font-family: 'Iosevka Nerd Font Propo';
+ margin: 0;
+ padding: 0;
+ display: flex;
+ flex-direction: column;
+ align-items: center;
+ min-height: 100vh;
+ }
+
+ header {
+ padding: 2.5rem 1rem;
+ display: flex;
+ gap: 1.5rem;
+ justify-content: center;
+ flex-wrap: wrap;
+ }
+
+ header a {
+ color: var(--aqua);
+ text-decoration: none;
+ font-weight: bold;
+ }
+
+ header a:hover {
+ text-decoration: underline;
+ }
+
+ .container {
+ background-color: var(--bg-inner);
+ width: 90%;
+ max-width: 750px;
+ padding: 3rem;
+ border-radius: 4px;
+ box-shadow: 0 4px 15px rgba(0,0,0,0.5);
}
h1 {
- font-size: 2.2em;
color: var(--yellow);
- border-bottom: 2px solid var(--bg1);
- padding-bottom: 15px;
- margin-bottom: 30px;
+ font-size: 1.8rem;
+ margin-top: 0;
+ margin-bottom: 1rem;
+ line-height: 1.2;
}
h2 {
- font-size: 1.5em;
- color: var(--aqua);
- margin-top: 35px;
- margin-bottom: 15px;
- font-weight: 600;
+ color: var(--orange);
+ font-size: 1.3rem;
+ margin-top: 2rem;
+ margin-bottom: 0.8rem;
}
- p { margin-bottom: 1.2em; }
+ p {
+ line-height: 1.6;
+ margin-bottom: 1rem;
+ }
- code {
- font-family: 'Fira Code', 'JetBrains Mono', 'Courier New', monospace;
- background-color: var(--bg1);
- color: var(--orange);
- padding: 3px 6px;
- border-radius: 4px;
- font-size: 0.9em;
+ strong {
+ color: var(--yellow);
}
+ /* Code Block Styling */
pre {
- background-color: #1d2021;
- padding: 20px;
- border-radius: 8px;
+ background-color: var(--bg-outer);
+ padding: 1.2rem;
+ border-radius: 4px;
+ border: 1px solid var(--line);
overflow-x: auto;
- border: 1px solid var(--bg1);
- margin-bottom: 1.5em;
+ margin: 1.5rem 0;
}
- pre code {
- background-color: transparent;
- padding: 0;
- color: var(--fg);
- color-scheme: dark;
+ code {
+ color: var(--blue);
+ font-size: 0.9rem;
+ font-family: 'JetBrains Mono', Courier, monospace;
}
- .language-toml { color: var(--fg); }
- .toml-key { color: var(--green); }
-
- ol, ul { margin-bottom: 1.5em; padding-left: 25px; }
- li { margin-bottom: 0.8em; }
- li pre { margin-top: 10px; margin-bottom: 10px; }
+ .comment {
+ color: var(--gray);
+ }
+
+ footer {
+ margin: 3rem 0;
+ color: var(--gray);
+ font-size: 0.85rem;
+ text-align: center;
+ }
+
+ ol {
+ padding-left: 1.2rem;
+ }
+ li {
+ margin-bottom: 1rem;
+ line-height: 1.6;
+ }
</style>
</head>
<body>
-<h1>DNS over TLS (DoT) on mac with stubby and dnsforge</h1>
+ <header>
+ <a href="../index.html">home</a>
+ <a href="https://git.subh.space">git</a>
+ <a href="https://github.com/5epi0l">github</a>
+ <a href="https://notes.subh.space">notes</a>
+ <a href="https://www.hackthebox.com">hackthebox</a>
+ </header>
-<p>This is a step-by-step guide on how to setup DNS over TLS (DoT) on mac with stubby</p>
+ <main class="container">
+ <h1>DNS over TLS (DoT) on mac with stubby and dnsforge</h1>
+
+ <p>This is a step-by-step guide on how to setup DNS over TLS (DoT) on mac with stubby.</p>
+
+ <h2>1. Install Stubby</h2>
+ <p>Install stubby on your mac with homebrew:</p>
+ <pre><code>brew install stubby</code></pre>
-<h2>1. Install Stubby</h2>
-<p>Install stubby on your mac with homebrew</p>
-<pre><code class="language-shell">brew install stubby
-</code></pre>
+ <h2>2. Configure stubby</h2>
+ <p>Write the following config to <code>/opt/homebrew/etc/stubby/stubby.yml</code>. This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice.</p>
-<h2>2. Configure stubby</h2>
-<p>write the following config to <code>/opt/homebrew/etc/stubby/stubby.yml</code></p>
-<p>This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice.</p>
-<pre><code class="language-yml">
-################################################################################
+ <pre><code><span class="comment">################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
-################################################################################
+################################################################################</span>
-################################### LOGGING ####################################
log_level: GETDNS_LOG_NOTICE
-########################## BASIC & PRIVACY SETTINGS ############################
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
-# Strict mode - TLS auth REQUIRED, no plaintext fallback
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
-
-# Pad queries to 128 bytes to prevent size-based traffic analysis
tls_query_padding_blocksize: 128
-
-# Hide client subnet from upstream resolvers
edns_client_subnet_private: 1
-############################# CONNECTION SETTINGS ##############################
-# Distribute queries across all upstreams
round_robin_upstreams: 1
-
-# Keep TLS connections alive for 10s to reduce handshake overhead
idle_timeout: 10000
-
-# Retry/backoff settings
tls_connection_retries: 3
tls_backoff_time: 300
-
-# Per-query timeout (ms)
timeout: 5000
-
-# Force TLS 1.3 minimum
tls_min_version: GETDNS_TLS1_3
-################################ LISTEN ADDRESS ################################
-# Stubby listens locally on port 53
-# Point your system DNS to 127.0.0.1
listen_addresses:
- 127.0.0.1
- 0::1
-############################### DNSSEC SETTINGS ################################
-# dnsforge.de performs DNSSEC validation upstream (ad flag confirmed)
-# Uncomment below to enforce DNSSEC locally as well
-# dnssec: GETDNS_EXTENSION_TRUE
-
-################################## UPSTREAMS #################################
-# dnsforge.de - no-log, DNSSEC-validating, ad-free resolver (DE)
-# PIN verified via: kdig -d @<ip> +tls-ca +tls-host=dnsforge.de example.com
-###############################################################################
-
upstream_recursive_servers:
-
- ## dnsforge.de - IPv4 primary
+ <span class="comment">## dnsforge.de - IPv4</span>
- address_data: 49.12.67.122
tls_port: 853
tls_auth_name: "dnsforge.de"
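Review bot: the rewritten stubby.yml drops every explanatory comment from the config, including the two a reader actually needs: the pin-verification recipe (`# PIN verified via: kdig -d @<ip> +tls-ca +tls-host=dnsforge.de example.com`) and the DNSSEC note with its commented-out `# dnssec: GETDNS_EXTENSION_TRUE`. With `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` combined with a `tls_pubkey_pinset`, a key rotation at dnsforge.de makes resolution fail closed, and the removed kdig line was the only documentation of how to re-derive the pin; the DNSSEC comment was the only pointer to validating locally instead of trusting the upstream's ad flag. Keep both comments in the new page, using the `<span class="comment">` markup this hunk already introduces for the banner and the `## dnsforge.de - IPv4` label. Smaller points in the same hunk: the `<code>` elements lose their `class="language-shell"` / `class="language-yml"` hints, and the new `font-family: 'Iosevka Nerd Font Propo';` has no fallback at all, so append `, monospace` so the config block still renders as code where the font is not installed.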
@@ -160,38 +175,29 @@ upstream_recursive_servers:
- digest: "sha256"
value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
- ## dnsforge.de - IPv4 secondary
- address_data: 91.99.154.175
tls_port: 853
tls_auth_name: "dnsforge.de"
tls_pubkey_pinset:
- digest: "sha256"
- value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+ value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=</code></pre>
- ## dnsforge.de - IPv6 primary
- - address_data: 2a01:4f8:c013:29d::122
- tls_port: 853
- tls_auth_name: "dnsforge.de"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+ <h2>3. Run stubby as a service</h2>
+ <p>To make sure stubby runs on startup, run it as a service:</p>
+ <pre><code>sudo brew services start stubby</code></pre>
- ## dnsforge.de - IPv6 secondary
- - address_data: 2a01:4f8:c013:29d::175
- tls_port: 853
- tls_auth_name: "dnsforge.de"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
-</code></pre>
+ <h2>4. Change default DNS Server</h2>
+ <p>
+ Navigate to <strong>Settings -> Network -> Wi-Fi</strong>. Click on details for your wifi and navigate to <strong>DNS</strong>.
+ Remove any present IPs or hostnames, and add two IPs: <code>127.0.0.1</code> and <code>::1</code>.
+ </p>
+
+ <p>And you're all set!</p>
+ </main>
-<h2>3. Run stubby as a service</h2>
-<p>To make sure stubby runs on startup, run it as a service</p>
-<pre><code class="language-shell">sudo brew services start stubby
-</code></pre>
+ <footer>
+ © 2026 subh.space
+ </footer>
-<h2>4. Change default DNS Server</h2>
-<p>Navigate to <code>Settings</code> -> <code>Network</code> -> <code>Wi-Fi.</code> Click on <code>details</code> for your wifi and navigate to <code>DNS.</code> Remove any present IPs or hostnames, and add two IPs <code>127.0.0.1</code> and <code>::1</code></p>
-<p>And you're all set!</p>
</body>
</html>
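Review bot: this hunk silently removes both IPv6 upstreams (`2a01:4f8:c013:29d::122` and `2a01:4f8:c013:29d::175`) while `listen_addresses` still contains `0::1` and step 4 still tells the reader to add `::1` as a system resolver. Stubby will still answer on ::1 and forward over IPv4, so a dual-stack host keeps working, but an IPv6-only network is left with no reachable upstream; if the removal is intentional, say so on the page or in the commit message, otherwise keep the two IPv6 entries. The `## dnsforge.de - IPv4 secondary` label is also dropped while the first entry keeps its `## dnsforge.de - IPv4` span, so the `address_data: 91.99.154.175` block is now unlabeled; give it a matching `<span class="comment">` line. Minor: `sudo brew services start stubby` is right here (root is needed to bind port 53 for the listen addresses above), and a short sentence in step 3 saying why would stop readers from dropping the `sudo` and getting a bind failure.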