path: root/stuff/dnsforge-dot-mac.html
blob: b2979e042cd1ef9aed1e1c00c8640cf739527c6a (plain)
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DNS over TLS on mac - subh.space</title>
    <style>
        /* Gruvbox Dark Hard Palette */
        :root {
            --bg-outer: #1d2021;
            --bg-inner: #282828;
            --fg: #ebdbb2;
            --gray: #928374;
            --yellow: #fabd2f;
            --aqua: #8ec07c;
            --blue: #83a598;
            --orange: #fe8019;
            --line: #3c3836;
        }

        body {
            background-color: var(--bg-outer);
            color: var(--fg);
            font-family: 'Iosevka Nerd Font Propo';
            margin: 0;
            padding: 0;
            display: flex;
            flex-direction: column;
            align-items: center;
            min-height: 100vh;
        }

        header {
            padding: 2.5rem 1rem;
            display: flex;
            gap: 1.5rem;
            justify-content: center;
            flex-wrap: wrap;
        }

        header a {
            color: var(--aqua);
            text-decoration: none;
            font-weight: bold;
        }

        header a:hover {
            text-decoration: underline;
        }

        .container {
            background-color: var(--bg-inner);
            width: 90%;
            max-width: 750px;
            padding: 3rem;
            border-radius: 4px;
            box-shadow: 0 4px 15px rgba(0,0,0,0.5);
        }

        h1 {
            color: var(--yellow);
            font-size: 1.8rem;
            margin-top: 0;
            margin-bottom: 1rem;
            line-height: 1.2;
        }

        h2 {
            color: var(--orange);
            font-size: 1.3rem;
            margin-top: 2rem;
            margin-bottom: 0.8rem;
        }

        p {
            line-height: 1.6;
            margin-bottom: 1rem;
        }

        strong {
            color: var(--yellow);
        }

        /* Code Block Styling */
        pre {
            background-color: var(--bg-outer);
            padding: 1.2rem;
            border-radius: 4px;
            border: 1px solid var(--line);
            overflow-x: auto;
            margin: 1.5rem 0;
        }

        code {
            color: var(--blue);
            font-size: 0.9rem;
            font-family: 'JetBrains Mono', Courier, monospace;
        }

        .comment {
            color: var(--gray);
        }

        footer {
            margin: 3rem 0;
            color: var(--gray);
            font-size: 0.85rem;
            text-align: center;
        }

        ol {
            padding-left: 1.2rem;
        }

        li {
            margin-bottom: 1rem;
            line-height: 1.6;
        }
    </style>
</head>
<body>

    <header>
        <a href="../index.html">home</a>
        <a href="https://git.subh.space">git</a>
        <a href="https://github.com/5epi0l">github</a>
        <a href="https://notes.subh.space">notes</a>
        <a href="https://www.hackthebox.com">hackthebox</a>
        <a href="https://search.subh.space">search</a>
    </header>

    <main class="container">
        <h1>DNS over TLS (DoT) on mac with stubby and dnsforge</h1>
        
        <p>This is a step-by-step guide on how to set up DNS over TLS (DoT) on mac with stubby, so that your resolver queries leave the machine only inside an authenticated TLS session instead of as plaintext UDP on port 53.</p>

        <h2>1. Install Stubby</h2>
        <p>Install stubby on your mac with homebrew:</p>
        <pre><code>brew install stubby</code></pre>

        <h2>2. Configure stubby</h2>
        <p>Write the following config to <code>/opt/homebrew/etc/stubby/stubby.yml</code>. This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice; if you do, replace the addresses, <code>tls_auth_name</code> and the pin value together, because <code>GETDNS_AUTHENTICATION_REQUIRED</code> makes stubby refuse an upstream whose certificate does not match the configured name and pin.</p>

        <pre><code><span class="comment">################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################</span>

log_level: GETDNS_LOG_NOTICE

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1

round_robin_upstreams: 1
idle_timeout: 10000
tls_connection_retries: 3
tls_backoff_time: 300
timeout: 5000
tls_min_version: GETDNS_TLS1_3

listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  <span class="comment">## dnsforge.de - IPv4</span>
  - address_data: 49.12.67.122
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=

  - address_data: 91.99.154.175
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=</code></pre>

        <h2>3. Run stubby as a service</h2>
        <p>To make sure stubby runs on startup, run it as a service:</p>
        <pre><code>sudo brew services start stubby</code></pre>

        <h2>4. Change default DNS Server</h2>
        <p>
            Navigate to <strong>Settings -> Network -> Wi-Fi</strong>. Click <strong>Details</strong> for your Wi-Fi network and open the <strong>DNS</strong> tab.
            Remove any IPs or hostnames already listed and add two entries: <code>127.0.0.1</code> and <code>::1</code>, the addresses stubby listens on.
        </p>
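        <p>An added post-setup check (example code written for this guide, not from stubby, getdns or Homebrew): a POSIX shell script that confirms the resolver list reported by <code>scutil --dns</code> contains only the two loopback addresses, so no interface or VPN scope still hands plaintext queries past stubby, and that the <code>stubby.yml</code> from step 2 keeps TLS as its only transport with upstream authentication required. It assumes the Homebrew config path used above.</p>

```shell
#!/bin/sh
# Post-setup checks for the stubby DoT configuration above (example added to
# this guide; not part of stubby, getdns or Homebrew).

# Read `scutil --dns` output on stdin and succeed only if every
# "nameserver[N] : ADDR" entry is loopback (127.0.0.1 or ::1). Any other
# address means some network service or VPN scope still sends queries to a
# plaintext resolver, bypassing stubby.
only_loopback_resolvers() {
    awk '
        $1 ~ /^nameserver\[[0-9]+\]$/ {
            seen++
            if ($3 != "127.0.0.1" && $3 != "::1") bad++
        }
        END { if (seen == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Succeed only if the stubby.yml at $1 keeps the hardening from step 2:
# TLS is the only transport, upstream authentication is required, and every
# upstream carries a tls_auth_name (REQUIRED auth cannot be met without one).
stubby_config_is_strict() {
    cfg=$1
    grep -q '^tls_authentication: *GETDNS_AUTHENTICATION_REQUIRED' "$cfg" || return 1
    # A UDP or TCP transport would let queries fall back to plaintext port 53.
    grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)' "$cfg" && return 1
    upstreams=$(grep -c 'address_data:' "$cfg" || true)
    names=$(grep -c 'tls_auth_name:' "$cfg" || true)
    [ "$upstreams" -gt 0 ] && [ "$upstreams" -eq "$names" ]
}

# Live run on the Mac itself (skipped where scutil is absent).
if command -v scutil >/dev/null 2>&1; then
    if scutil --dns | only_loopback_resolvers; then
        echo "ok: system resolvers are loopback only"
    else
        echo "WARNING: a non-loopback nameserver is still configured"
    fi
    if stubby_config_is_strict /opt/homebrew/etc/stubby/stubby.yml; then
        echo "ok: stubby.yml is TLS-only with required authentication"
    else
        echo "WARNING: stubby.yml allows plaintext or unauthenticated upstreams"
    fi
fi
```

Run it after step 4 and again after connecting to a VPN, since VPN clients commonly push their own scoped resolvers that this check will flag.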
        
        <p>And you're all set!</p>
    </main>

    <footer>
        © 2026 subh.space
    </footer>

</body>
</html>