How to Improve Your DNS Privacy with TLS on Ubuntu 18.04

The repeal of Net Neutrality has opened the door for ISPs to offer "tiered" access to websites you currently reach for a single price. If an ISP chooses to restrict your access to Netflix unless you pay an additional $5 a month, it now can.

As things stand, when you type netflix.com into your browser the name lookup happens in the clear. Your machine sends a plain UDP or TCP query on port 53 to whatever recursive resolver it has been handed, usually your ISP's own, or a public one such as 1.1.1.1 from Cloudflare or 8.8.8.8 from Google. Even with a public resolver the hop from your PC to that resolver is unencrypted, so your ISP can read every hostname you look up and can throttle or block the traffic that follows. (The resolver's own lookups toward Netflix's authoritative name servers are mostly plaintext as well, but they originate from the resolver's address rather than yours, so that leg is not what exposes you to your ISP.)

This is where Stubby comes in. It runs locally as a DNS Privacy stub resolver that speaks DNS-over-TLS: it accepts ordinary queries from the local machine, wraps them in TLS, and forwards them to a DNS Privacy resolver, so the hop your ISP can see is no longer readable. Stubby together with HTTPS and encrypted SNI keeps as much as possible away from your ISP, though the ISP can still see the IP addresses you connect to, and encrypted SNI only helps where both your browser and the site support it.

Install and use on Ubuntu 18.04

1. Stubby is already part of the Ubuntu repositories, so all we have to do is run the following command to install it.

sudo apt install stubby

2. Now let's check that Stubby is running and that it is listening.

systemctl status stubby

# The following checks that it is bound to port 53 on localhost (127.0.0.1 and ::1). If netstat is not installed, sudo ss -lnptu | grep stubby shows the same information.

sudo netstat -lnptu | grep stubby

3. Out of the box Stubby needs no additional changes to work, but it is worth understanding the key settings. Open the configuration with sudo nano /etc/stubby/stubby.yml; the DNS-over-TLS resolvers Stubby forwards to are listed further down the same file under upstream_recursive_servers.

# The following line makes Stubby run as a stub resolver (it forwards every query to an upstream recursive resolver) instead of as a full recursive resolver, which is why it is named Stubby.
resolution_type: GETDNS_RESOLUTION_STUB
# The following setting makes Stubby send DNS queries only over TLS. Because no UDP or TCP transport is listed, it will never fall back to plaintext queries.
dns_transport_list:
- GETDNS_TRANSPORT_TLS
# The following line requires the remote recursive resolver to present a TLS certificate that matches the tls_auth_name configured for it. Without it Stubby would encrypt the channel but not verify who is on the other end.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# The following lines set the addresses the Stubby daemon listens on. By default the IPv4 and IPv6 loopback addresses are both enabled, so only this machine can reach it.
listen_addresses:
- 127.0.0.1
- 0::1
# This setting makes Stubby spread queries across the upstream resolvers in round-robin fashion. If set to 0, Stubby uses each upstream in order until it becomes unavailable and then moves on to the next.
round_robin_upstreams: 1
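Putting the settings above together, here is a complete stubby.yml that points Stubby at Cloudflare's DNS-over-TLS service. This is an added example, not the file shipped with the Ubuntu package; the addresses 1.1.1.1 and 1.0.0.1 with tls_auth_name cloudflare-dns.com are Cloudflare's published DoT endpoints, and the padding and timeout values are illustrative choices, not requirements.

```yaml
# /etc/stubby/stubby.yml (added example, not the package default)
resolution_type: GETDNS_RESOLUTION_STUB

# TLS only: no GETDNS_TRANSPORT_UDP or GETDNS_TRANSPORT_TCP entry, so there is
# no path back to cleartext port 53 if the TLS upstreams are unreachable.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Refuse any upstream whose certificate does not match its tls_auth_name below.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a multiple of 128 bytes so the encrypted size reveals less
# about the name being looked up (illustrative value).
tls_query_padding_blocksize: 128

# Do not send EDNS Client Subnet, which would hand part of your address to
# authoritative servers.
edns_client_subnet_private: 1

# Keep TLS sessions open (milliseconds) so each lookup does not pay for a new
# handshake (illustrative value).
idle_timeout: 10000

# Loopback only: nothing outside this machine can use the stub.
listen_addresses:
  - 127.0.0.1
  - 0::1

round_robin_upstreams: 1

# Cloudflare's public DNS-over-TLS resolvers. tls_auth_name is the hostname the
# certificate must carry; an optional tls_pubkey_pinset would add key pinning
# but has to be updated whenever the provider rotates its key.
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
```

After editing the file, restart the service with sudo systemctl restart stubby and repeat the status check from step 2.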

4. Now let's change our DNS settings. Click the Network Manager icon in your taskbar, then the settings icon for your connection.

5. Select the IPv4 Settings tab and change Method from Automatic (DHCP) to Automatic (DHCP) addresses only. This stops your Ubuntu system from accepting the DNS server address your router hands out. Then specify 127.0.0.1 as the DNS server, which is the address Stubby listens on. If the connection also has IPv6 enabled, do the same on the IPv6 Settings tab with ::1 so that IPv6 lookups are not sent to the router either.

6. Now run sudo systemctl restart NetworkManager, then visit https://www.cloudflare.com/ssl/encrypted-sni/. The DNSSEC indicator should be green as long as the upstream resolver validates DNSSEC. Note that the page's Secure DNS indicator only turns green when your queries reach Cloudflare's own resolvers over an encrypted transport, so it stays red unless 1.1.1.1 is one of Stubby's upstreams; that alone does not mean DNS-over-TLS is failing.
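To confirm that the change actually took effect rather than trusting a web page, here is an added check script (not from the original post) that verifies Stubby owns 127.0.0.1:53, that stubby.yml cannot fall back to cleartext or skip certificate checks, and that no DNS query leaves the host on port 53 while a lookup is made through Stubby. The ss, stubby.yml and tcpdump samples at the bottom are constructed so the checks can be exercised anywhere; run it with --live as root on the Ubuntu host (it assumes ss, dig and tcpdump are installed) to test the real system.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks that a host is really
# resolving through Stubby over DNS-over-TLS. Assumes Stubby listens on
# 127.0.0.1:53 and that DoT upstreams are reached on TCP port 853.
set -eu

# Given the output of `sudo ss -lnptu`, succeed only if stubby owns
# 127.0.0.1:53 for both UDP and TCP (column 5 is Local Address:Port).
stubby_listening() {
  local listing="$1" udp tcp
  udp=$(printf '%s\n' "$listing" | awk '$1=="udp" && $5=="127.0.0.1:53" && /"stubby"/ {n++} END {print n+0}')
  tcp=$(printf '%s\n' "$listing" | awk '$1=="tcp" && $5=="127.0.0.1:53" && /"stubby"/ {n++} END {print n+0}')
  [ "$udp" -ge 1 ] && [ "$tcp" -ge 1 ]
}

# Given the text of stubby.yml, succeed only if it forces stub mode, requires
# upstream authentication, and lists no cleartext (UDP/TCP) transport that
# Stubby could fall back to. Commented-out lines are ignored.
stubby_config_strict() {
  local cfg="$1"
  printf '%s\n' "$cfg" | grep -Eq '^resolution_type:[[:space:]]*GETDNS_RESOLUTION_STUB' || return 1
  printf '%s\n' "$cfg" | grep -Eq '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED' || return 1
  ! printf '%s\n' "$cfg" | grep -Ev '^[[:space:]]*#' | grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)'
}

# Given tcpdump text output, print every packet sent to port 53 on a
# non-loopback address (a cleartext DNS leak) and fail if there is at least one.
# The destination is the field after ">", so an interface column printed by
# newer tcpdump versions does not matter.
plaintext_dns_leaks() {
  local leaks
  leaks=$(printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++) if ($i == ">") {
      dst = $(i + 1); sub(/:$/, "", dst)
      n = split(dst, p, ".")
      if (p[n] == "53" && dst !~ /^(127\.|::1\.)/) print
      break
    }
  }')
  if [ -n "$leaks" ]; then printf '%s\n' "$leaks"; return 1; fi
}

# Live check: run as root on the Ubuntu host (needs ss, dig and tcpdump).
live_check() {
  systemctl is-active --quiet stubby
  stubby_listening "$(ss -lnptu)"
  stubby_config_strict "$(cat /etc/stubby/stubby.yml)"
  local cap; cap=$(mktemp)
  # Capture any DNS that leaves the host in the clear while we resolve via Stubby.
  timeout 4 tcpdump -nl -i any 'port 53 and not host 127.0.0.1' >"$cap" 2>/dev/null &
  sleep 1
  dig +short @127.0.0.1 example.com >/dev/null
  wait || true
  plaintext_dns_leaks "$(cat "$cap")"
  rm -f "$cap"
  echo "OK: Stubby is up, TLS-only, and no cleartext DNS left the host."
}

# Constructed samples so the checks can be exercised without root or network.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*     users:(("stubby",pid=912,fd=5))
udp   UNCONN 0      0      [::1]:53          [::]:*        users:(("stubby",pid=912,fd=6))
tcp   LISTEN 0      5      127.0.0.1:53      0.0.0.0:*     users:(("stubby",pid=912,fd=7))'
# A weakened config: UDP fallback plus no certificate check.
WEAK_CFG='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE'
STRICT_CFG='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED'
# A cleartext query to the router (leak), then a DoT session to an upstream.
LEAKY_CAPTURE='10:00:01.000100 IP 192.168.1.10.41234 > 192.168.1.1.53: 4321+ A? netflix.com. (29)
10:00:01.000500 IP 192.168.1.10.51234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0'
# Only loopback DNS and TLS to port 853: what a working setup looks like.
CLEAN_CAPTURE='10:00:02.000100 IP 127.0.0.1.41235 > 127.0.0.1.53: 4322+ A? netflix.com. (29)
10:00:02.000500 IP 192.168.1.10.51235 > 1.1.1.1.853: Flags [P.], seq 1:300, length 299'

if [ "${1:-}" = "--live" ]; then live_check; fi
```

The capture filter excludes loopback so that your own queries to Stubby are not mistaken for leaks; anything else on port 53 during the lookup means some process (or systemd-resolved, if the Network Manager change did not apply) is still talking to a resolver in the clear.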
