This is a step-by-step guide on how to setup DNS over TLS (DoT) on mac with stubby

DNS over TLS (DoT) on mac with stubby and dnsforge

+ +

This is a step-by-step guide on how to setup DNS over TLS (DoT) on mac with stubby.

+ +

1. Install Stubby

Install stubby on your mac with homebrew:

brew install stubby

1. Install Stubby

Install stubby on your mac with homebrew

brew install stubby
-

2. Configure stubby

Write the following config to /opt/homebrew/etc/stubby/stubby.yml. This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice.

2. Configure stubby

write the following config to /opt/homebrew/etc/stubby/stubby.yml

This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice.


-################################################################################
+        ################################################################################
 ######################## STUBBY YAML CONFIG FILE ###############################
-################################################################################
+################################################################################
 
-################################### LOGGING ####################################
 log_level: GETDNS_LOG_NOTICE
 
-########################## BASIC & PRIVACY SETTINGS ############################
 resolution_type: GETDNS_RESOLUTION_STUB
 
 dns_transport_list:
   - GETDNS_TRANSPORT_TLS
 
-# Strict mode - TLS auth REQUIRED, no plaintext fallback
 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
-
-# Pad queries to 128 bytes to prevent size-based traffic analysis
 tls_query_padding_blocksize: 128
-
-# Hide client subnet from upstream resolvers
 edns_client_subnet_private: 1
 
-############################# CONNECTION SETTINGS ##############################
-# Distribute queries across all upstreams
 round_robin_upstreams: 1
-
-# Keep TLS connections alive for 10s to reduce handshake overhead
 idle_timeout: 10000
-
-# Retry/backoff settings
 tls_connection_retries: 3
 tls_backoff_time: 300
-
-# Per-query timeout (ms)
 timeout: 5000
-
-# Force TLS 1.3 minimum
 tls_min_version: GETDNS_TLS1_3
 
-################################ LISTEN ADDRESS ################################
-# Stubby listens locally on port 53
-# Point your system DNS to 127.0.0.1
 listen_addresses:
   - 127.0.0.1
   - 0::1
 
-############################### DNSSEC SETTINGS ################################
-# dnsforge.de performs DNSSEC validation upstream (ad flag confirmed)
-# Uncomment below to enforce DNSSEC locally as well
-# dnssec: GETDNS_EXTENSION_TRUE
-
-##################################  UPSTREAMS  #################################
-# dnsforge.de - no-log, DNSSEC-validating, ad-free resolver (DE)
-# PIN verified via: kdig -d @ +tls-ca +tls-host=dnsforge.de example.com
-###############################################################################
-
 upstream_recursive_servers:
-
-  ## dnsforge.de - IPv4 primary
+  ## dnsforge.de - IPv4
   - address_data: 49.12.67.122
     tls_port: 853
     tls_auth_name: "dnsforge.de"
@@ -160,38 +175,29 @@ upstream_recursive_servers:
       - digest: "sha256"
         value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
 
-  ## dnsforge.de - IPv4 secondary
   - address_data: 91.99.154.175
     tls_port: 853
     tls_auth_name: "dnsforge.de"
     tls_pubkey_pinset:
       - digest: "sha256"
-        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
 
-  ## dnsforge.de - IPv6 primary
-  - address_data: 2a01:4f8:c013:29d::122
-    tls_port: 853
-    tls_auth_name: "dnsforge.de"
-    tls_pubkey_pinset:
-      - digest: "sha256"
-        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+        3. Run stubby as a service
+        To make sure stubby runs on startup, run it as a service:
+        sudo brew services start stubby
 
-  ## dnsforge.de - IPv6 secondary
-  - address_data: 2a01:4f8:c013:29d::175
-    tls_port: 853
-    tls_auth_name: "dnsforge.de"
-    tls_pubkey_pinset:
-      - digest: "sha256"
-        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
-

4. Change default DNS Server

+ Navigate to Settings -> Network -> Wi-Fi. Click on details for your wifi and navigate to DNS. + Remove any present IPs or hostnames, and add two IPs: 127.0.0.1 and ::1. +

+ +

And you're all set!

3. Run stubby as a service

4. Change default DNS Server

Navigate to Settings -> Network -> Wi-Fi. Click on details for your wifi and navigate to DNS. Remove any present IPs or hostnames, and add two IPs 127.0.0.1 and ::1

Encrypting a Drive with LUKS and cryptsetup

1. Get the drive name

2. Install cryptsetup

3. Format the drive

4. Encrypt the created partition

5. Decrypt and create filesystem

6. Re-encrypt after usage

Encrypting a Drive with LUKS and cryptsetup

+ +

1. Get the drive name

lsblk

+ +

2. Install cryptsetup

sudo pacman -S cryptsetup

+ +

3. Format the drive

To format the drive, you can use cfdisk or any other utility of your choice.

cfdisk /dev/sdaX

Now, delete all the signatures and partitions on the drive. Then, create a filesystem on the drive as follows:

mkfs.ext4 /dev/sdaX

After the FS has been created, create a partition on the drive with cfdisk. After the partition has been created, you can finally start encrypting the drive.

+ +

4. Encrypt the created partition

List the partition:

lsblk /dev/sdaX

Encrypt the partition:

cryptsetup luksFormat /dev/sda[0-9]

It will ask for a passphrase, make sure to provide a strong passphrase.

+ +

5. Decrypt and create filesystem

Decrypt the drive:

cryptsetup open /dev/sda[0-9] <name>

Make the FS:

mkfs.ext4 /dev/mapper/<name>

+ +

6. Re-encrypt after usage

cryptsetup close <name>

DNS over TLS (DoT) with mullvad

DNS over TLS (DoT) with Mullvad

+ +

This guide assumes that you're running a systemd-based operating system.

This guide assumes that you're running a systemd-based operating system

1. Configure systemd-resolved

Add the following block to your /etc/systemd/resolved.conf:

1. Configure systemd-resolved to use mullvad's DNS server

Add the following block to your /etc/systemd/resolved.conf

[Resolve]
+        [Resolve]
 DNS=194.242.2.4#base.dns.mullvad.net
 FallbackDNS=194.242.2.2#dns.mullvad.net
 DNSOverTLS=yes
 DNSSEC=yes
-Domains=~.
-
-Once the changes are saved, restart systemd-resolved
-sudo systemctl restart systemd-resolved
-
-
-2. Make systemd-resolve take precedence over resolve.conf
-To make sure your system uses systemd-resolved over resolv.conf, you need to create a symlink as follows:
-sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-
-
-3. Make sure DNS is working as intended
-Make sure you're able to resolve domain names as follows:
-resolvectl query google.com
-
-If you see output, you're golden!
-
-4. An Edge Cases:
-If you're using a service such as tailscale which overrides your resolv.conf upon start with its own magicDNS server, it may break your DoT setup. To make sure, tailscale never overrides your resolv.conf, do the following
-
-    Re-create the symlink as it was likely broken when tailscale started
-
-sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-
-
-    Restart tailscaled and systemd-resolved
-
-sudo systemctl restart tailscaled
+Domains=~.
+
+        Once the changes are saved, restart systemd-resolved:
+        sudo systemctl restart systemd-resolved
+
+        2. Symlink resolv.conf
+        To make sure your system uses systemd-resolved over the traditional resolv.conf, create a symlink:
+        sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+        3. Verify DNS resolution
+        Check if you are able to resolve domain names correctly:
+        resolvectl query google.com
+        If you see output, you're golden!
+
+        4. Edge Cases: Tailscale
+        If you're using a service such as Tailscale which overrides your resolv.conf with MagicDNS, it may break your DoT setup. To fix this:
+        
+        
+            Re-create the symlink: sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+            Restart the services:
+        
+        
+        sudo systemctl restart tailscaled
 sudo systemctl restart systemd-resolved
-sudo tailscale up --accept-dns=true
-
-
-    Check your resolve.conf
-
-If your resolve.conf looks as follows, you're all good!
-nameserver 127.0.0.53
+sudo tailscale up --accept-dns=true
+
+        If your resolve.conf looks like this, you're all good:
+        nameserver 127.0.0.53
 options edns0 trust-ad
-search tailxxxxx.ts.net
-
-
-5. Configure Browsers with DoT
-If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following
-
-    
-        For firefox based browsers:
-        
-            Navigate to settings -> Privacy and Security
-            Scroll down to DNS over HTTPS
-            Select Off
-        
-    
-    
-        For chromium based browsers:
-        
-            Navigate to settings -> Privacy and Security
-            Find Use Secure DNS
-            Toggle it Off
-        
-    
-
-And just like that, you've configured DoT for your system!
+search tailxxxxx.ts.net

+ +

5. Configure Browsers

If you were previously using DoH (DNS Over HTTPS) and want to shift to system-wide DoT:

+ +

+ Firefox-based browsers: +

Settings -> Privacy and Security -> DNS over HTTPS -> Off

+ +

+ Chromium-based browsers: +

Settings -> Privacy and Security -> Use Secure DNS -> Off

+ +

And just like that, you've configured DoT for your system!

Configuring USB notifications on Linux

If you want to receive a small notification as soon as a USB storage device is plugged in or plugged out. You're in the right place

Your system detects a USB device upon connection or disconnection using an utility named udev. udev allows for defining rules which can allow a user to perform a specific task when a USB device is connected or disconnected. This can be combined with notify-send to send notifications to a user as soon as a USB device is connected or disconnected

1. Creating a udev rule

Below is a rule file, which will trigger two scripts depending upon the connection or disconnection of a USB device

Configuring USB notifications on Linux

+ +

If you want to receive a small notification as soon as a USB storage device is plugged in or plugged out, you're in the right place.

save this as 99-usb-notify.rules file under /etc/udev/rules.d/.

Your system detects a USB device upon connection or disconnection using a utility named udev. It allows for defining rules to perform specific tasks. Combined with notify-send, you can trigger desktop notifications instantly.

2. Configuring the scripts

1. Creating a udev rule

Save the following as 99-usb-notify.rules under /etc/udev/rules.d/

Below are the scripts:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", RUN+="/usr/local/bin/usb-notify-add.sh '$env{ID_MODEL}'"
+ACTION=="remove", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", RUN+="/usr/local/bin/usb-notify-rem.sh '$env{ID_MODEL}'"

usb-notify-add.sh

2. Configuring the scripts

Save both scripts under /usr/local/bin/ and make them executable

#!/bin/bash
+        usb-notify-add.sh
+        #!/bin/bash
 DEVICE_NAME=${1:-"Unknown USB Device"}
 
 USER_ID=$(id -u <your-username>)
 export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$USER_ID/bus
 
-sudo -u <your-username> DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS /usr/bin/notify-send "USB Connected" "Device: $DEVICE_NAME"
-
+sudo -u <your-username> DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS /usr/bin/notify-send "USB Connected" "Device: $DEVICE_NAME"

usb-notify-rem.sh

- -

#!/bin/bash
+        usb-notify-rem.sh
+        #!/bin/bash
 DEVICE_NAME=${1:-"Unknown USB Device"}
 
 USER_ID=$(id -u <your-username>)
 export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$USER_ID/bus
 
-sudo -u <your-username> DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS /usr/bin/notify-send "USB Disconnected" "Device: $DEVICE_NAME"
-
-
-Save both the scripts under /usr/local/bin and make them executable with chmod
+sudo -u <your-username> DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS /usr/bin/notify-send "USB Disconnected" "Device: $DEVICE_NAME"

3. Reloading the udev rules

Once the files are saved, reload the udev configuration to apply the changes:

sudo udevadm control --reload-rules
+sudo udevadm trigger

Once all the files have been saved. Reload udev rules as follows:

And just like that, you've setup USB notifications. Give it a try! Plug in a device and check if your system sends a notification with the device name.

And just like that, you've setup USB notifications. Give it a try! Plug in a USB device and check whether your system sends you a notification with the name of the USB device.