<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>subh.space</title>
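<style>
/* Colour palette (the values look like a Gruvbox-dark set) shared by all rules below */
:root {
  --bg0: #282828;
  --bg1: #3c3836;
  --fg: #ebdbb2;
  --gray: #928374;
  --yellow: #fabd2f;
  --green: #b8bb26;
  --orange: #fe8019;
  --aqua: #8ec07c;
}
/* Page body. A generic `monospace` fallback is appended: without it, a machine
   that lacks the Iosevka faces would render the whole page in the browser's
   default proportional font. */
body {
  font-family: 'Iosevka Nerd Font Propo', Iosevka, monospace;
  line-height: 1.7;
  color: var(--fg);
  background-color: var(--bg0);
  max-width: 780px;
  margin: 40px auto;
  padding: 0 20px;
  -webkit-font-smoothing: antialiased;
}
/* Headings */
h1 {
  font-size: 2.2em;
  color: var(--yellow);
  border-bottom: 2px solid var(--bg1);
  padding-bottom: 15px;
  margin-bottom: 30px;
}
h2 {
  font-size: 1.5em;
  color: var(--aqua);
  margin-top: 35px;
  margin-bottom: 15px;
  font-weight: 600;
}
p { margin-bottom: 1.2em; }
/* Inline code: highlighted chip */
code {
  font-family: 'Fira Code', 'JetBrains Mono', 'Courier New', monospace;
  background-color: var(--bg1);
  color: var(--orange);
  padding: 3px 6px;
  border-radius: 4px;
  font-size: 0.9em;
}
/* Code listings: scrollable panel; the inline-chip styling is reset inside it */
pre {
  background-color: #1d2021;
  padding: 20px;
  border-radius: 8px;
  overflow-x: auto;
  border: 1px solid var(--bg1);
  margin-bottom: 1.5em;
}
pre code {
  background-color: transparent;
  padding: 0;
  color: var(--fg);
  color-scheme: dark;
}
.language-toml { color: var(--fg); }
.toml-key { color: var(--green); }
/* Lists */
ol, ul { margin-bottom: 1.5em; padding-left: 25px; }
li { margin-bottom: 0.8em; }
li pre { margin-top: 10px; margin-bottom: 10px; }
</style>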
</head>
<body>
<h1>DNS over TLS (DoT) on mac with stubby and dnsforge</h1>
<p>This is a step-by-step guide to setting up DNS over TLS (DoT) on macOS with stubby. DoT encrypts and authenticates the path between your Mac and the resolver you choose; the resolver itself still sees every name you look up, so pick an operator you are willing to trust. Note also that applications with their own built-in DNS over HTTPS (some browsers) bypass the system resolver and therefore this setup.</p>
<h2>1. Install Stubby</h2>
<p>Install stubby on your Mac with Homebrew:</p>
<pre><code class="language-shell"># Homebrew formula for stubby; its config lives under $(brew --prefix)/etc/stubby/
brew install stubby
</code></pre>
<h2>2. Configure stubby</h2>
<p>Write the following config to <code>/opt/homebrew/etc/stubby/stubby.yml</code> (that is the Homebrew prefix on Apple Silicon; on Intel Macs it is <code>/usr/local/etc/stubby/stubby.yml</code>). Keep in mind that this file will be read by a daemon started with <code>sudo</code> in step 3, while the Homebrew prefix is normally owned by your user: anything running as your user can rewrite the upstream list or loosen the TLS settings for the next restart. Consider tightening the file's ownership and permissions if that matters in your threat model.</p>
<p>This config uses dnsforge.de as the encrypted DNS resolver; you can substitute any DoT resolver of your choice, but then replace the addresses, <code>tls_auth_name</code> and the pin values together, since they all belong to that one operator.</p>
<pre><code class="language-yml">
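################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# Indentation is significant: the keys that belong to a "- " list item must be
# indented past the dash, otherwise stubby's YAML parser rejects the file.
################################### LOGGING ####################################
log_level: GETDNS_LOG_NOTICE
########################## BASIC & PRIVACY SETTINGS ############################
resolution_type: GETDNS_RESOLUTION_STUB
# TLS is the only transport listed, so there is no UDP/TCP-53 path to fall back to
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Strict mode - TLS auth REQUIRED, no plaintext fallback.
# Consequence: if every upstream fails authentication (expired certificate,
# rotated key that no longer matches the pins below, an intercepting
# middlebox), resolution stops instead of degrading. That is the intended
# fail-closed behaviour; do not "fix" it by adding a plaintext transport.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to a multiple of 128 bytes to blunt size-based traffic analysis
# (the block size RFC 8467 recommends for clients)
tls_query_padding_blocksize: 128
# Ask the resolver not to forward your subnet to authoritative servers
# (EDNS Client Subnet opt-out)
edns_client_subnet_private: 1
############################# CONNECTION SETTINGS ##############################
# Distribute queries across all upstreams. All four below are the same
# operator, so this only spreads load; it does not add a second opinion.
round_robin_upstreams: 1
# Keep idle TLS connections open for 10s (value is in ms) to reduce handshakes
idle_timeout: 10000
# Retry/backoff settings: after this many failed TLS connection attempts an
# upstream is backed off for tls_backoff_time seconds before it is retried
tls_connection_retries: 3
tls_backoff_time: 300
# Per-query timeout (ms)
timeout: 5000
# Force TLS 1.3 minimum. Requires a getdns/stubby build that knows this
# option (recent releases); an older build fails to parse the file.
tls_min_version: GETDNS_TLS1_3
################################ LISTEN ADDRESS ################################
# Stubby listens locally on port 53 (the default when no @port suffix is given)
# Point your system DNS to 127.0.0.1 and ::1
# "0::1" is the same address as ::1; it is spelled this way because a plain
# YAML scalar that begins with ':' would otherwise need quoting.
listen_addresses:
  - 127.0.0.1
  - 0::1
############################### DNSSEC SETTINGS ################################
# dnsforge.de performs DNSSEC validation upstream (ad flag confirmed).
# The AD bit is only meaningful because the channel to the resolver is
# authenticated TLS (tls_authentication: GETDNS_AUTHENTICATION_REQUIRED);
# over plaintext it could be forged by anyone on the path.
# Uncomment below to validate locally as well, so you do not have to trust
# the operator's validation either.
# dnssec: GETDNS_EXTENSION_TRUE
################################## UPSTREAMS #################################
# dnsforge.de - no-log, DNSSEC-validating, ad-free resolver (DE)
# PIN verified via: kdig -d @<ip> +tls-ca +tls-host=dnsforge.de example.com
#
# Pinning caveats:
#  * A single SPKI pin with no backup pin. If the operator rotates the key
#    (many ACME setups generate a fresh key at every renewal), all four
#    upstreams fail authentication at once and, in strict mode, resolution
#    stops until you update the value. Re-check the pin first whenever
#    resolution breaks.
#  * Do not trust a pin copied from a web page (this one included): compute
#    it yourself against the live server and compare it with the value the
#    operator publishes, e.g.
#      openssl s_client -connect <ip>:853 -servername dnsforge.de </dev/null \
#        | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
#        | openssl dgst -sha256 -binary | base64
#  * If you would rather rely on CA validation of tls_auth_name alone,
#    delete the tls_pubkey_pinset entries; keep tls_auth_name in either case,
#    as it is what ties the certificate to the operator's name.
###############################################################################
upstream_recursive_servers:
  ## dnsforge.de - IPv4 primary
  - address_data: 49.12.67.122
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
  ## dnsforge.de - IPv4 secondary
  - address_data: 91.99.154.175
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
  ## dnsforge.de - IPv6 primary
  - address_data: 2a01:4f8:c013:29d::122
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
  ## dnsforge.de - IPv6 secondary
  - address_data: 2a01:4f8:c013:29d::175
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=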
</code></pre>
<h2>3. Run stubby as a service</h2>
<p>To make sure stubby starts at boot, run it as a service. With <code>sudo</code>, Homebrew registers a system-wide launchd daemon (rather than a per-user agent), so stubby is already listening before anyone logs in:</p>
<pre><code class="language-shell"># sudo makes this a system-wide launchd daemon (starts at boot) rather than a per-user agent;
# confirm it is up with: sudo brew services list   and   dig @127.0.0.1 example.com
sudo brew services start stubby
</code></pre>
<h2>4. Change default DNS Server</h2>
<p>Navigate to <code>Settings</code> -> <code>Network</code> -> <code>Wi-Fi</code>. Click <code>Details</code> for your Wi-Fi network and open the <code>DNS</code> tab. Remove any existing IPs or hostnames and add the two entries <code>127.0.0.1</code> and <code>::1</code>. This applies to that one interface only: repeat it for Ethernet or any other interface you use, and be aware that a VPN client may install its own resolvers while connected, which bypasses stubby for that session.</p>
<p>And you're all set! To confirm that queries really go through stubby, run <code>dig @127.0.0.1 example.com</code> and check <code>scutil --dns</code> (the first resolver listed should be <code>127.0.0.1</code>). Because the config is in strict mode, name resolution stops entirely if stubby is not running or cannot authenticate its upstreams; that is the intended fail-closed behaviour, not something to work around by adding a plaintext resolver.</p>
</body>
</html>