Thursday, March 12, 2020

Securing DNS Queries using Stubby (DNS over TLS) and DNSMASQ (DNS cache)

stubby installation and setup

By default, DNS traffic is insecure: it runs unencrypted over port 53, so anyone on the path can read and tamper with your queries. Here you'll find detailed instructions about how to configure your Linux system with the Stubby DNS resolver in DNS over TLS mode, and also how to configure dnsmasq as a caching DNS server in front of it.
It is relevant for Linux Mint Cinnamon, XFCE and MATE 19 and later, Xubuntu, Ubuntu 18.04 and later, Debian 10 (Buster) and later, and other distributions with Stubby in their repositories. Otherwise you need to compile Stubby from source.

Enter in the terminal:

sudo apt install stubby

Verify the status of the installed service:

systemctl status stubby

Verify that stubby is listening on TCP and UDP ports both on IPv4 and IPv6:

sudo netstat -lnptu | grep stubby

If the netstat command is not found in your system, install net-tools:

sudo apt install net-tools

Do NOT edit the /etc/resolv.conf file to change the name server - leave it in its original state.
Note: /etc/resolv.conf may be a symbolic link to the file /run/NetworkManager/resolv.conf, generated by NetworkManager.

Click the Network Manager icon in the upper-right corner and select Network Settings. Then click the settings icon of the Wired connection (i.e. your current network).
Select the IPv4 tab.
To prevent the system from getting the DNS server address from your router, switch the DNS Automatic button to OFF.
Enter in the DNS field and click the Apply button.

Repeat the same for all working Wi-Fi connections.

Note for Linux Mint XFCE and MATE: on the IPv4 tab, set DHCP Method to "Automatic (DHCP) addresses only".


Restart NetworkManager

sudo systemctl restart NetworkManager

Check Network Settings. You should see that DNS is

Stubby spreads the DNS queries among the several DNS Privacy test servers provided in the default configuration file stubby.yml. Note that this file contains both IPv4 and IPv6 addresses. For the sake of this post, IPv6 was set to OFF in the NetworkManager settings.

Edit the stubby.yml configuration file to add the DNS server that you want to use.

sudo nano /etc/stubby/stubby.yml

Go to the line upstream_recursive_servers: and add the following directly after it, above the other DNS servers:

For Cloudflare DNS over TLS server:

  # Cloudflare servers
  - address_data:
    tls_auth_name: ""
  - address_data:
    tls_auth_name: ""

For Google DNS over TLS server:

  # Google
  - address_data:
    tls_auth_name: ""
  - address_data:
    tls_auth_name: ""

Note: Code copied from Blogspot pages can be corrupted (in spite of the code tag). Double-check the result of your copy-paste. Anyway, you can find these Cloudflare and Google lines further down in stubby.yml, commented out. Just move them up and remove the #.

Then change the line:
round_robin_upstreams: 1
to:
round_robin_upstreams: 0

Save the file stubby.yml.
If round_robin_upstreams is set to 1, the servers are load-balanced; if it is set to 0, only the first DNS server is used.

Restart stubby:

sudo systemctl restart stubby

Cloudflare test page:

To be sure we are really using port 853 and the chosen DNS server, install Wireshark:

sudo apt install wireshark
sudo adduser your_user_name wireshark

Log out and log in to apply the changes.
Start Wireshark, select the current network interface, enter "port 853" in the filter field and click the leftmost icon on the toolbar to start the capture.
A quick test can be done with dig. Enter in the terminal:

dig A

You can see in the Wireshark main window that the request and the answer are encrypted (TLS, not plain DNS) and that we are talking to the server on port 853:

All is working now, and you can optionally set up a DNS cache by installing and configuring a separate DNS cacher, as described next.

dnsmasq installation and setup

sudo apt install dnsmasq

sudo nano /etc/default/dnsmasq

Verify these two lines and save the file:


sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

sudo nano /etc/dnsmasq.conf

Delete the content of dnsmasq.conf and insert these lines into it:

# Configuration file for dnsmasq acting as a caching nameserver.
# no-hosts = to ignore /etc/hosts
# no-resolv = not to use /etc/resolv.conf
# no-resolv

sudo nano /etc/stubby/stubby.yml

Change the two lines under listen_addresses so that Stubby listens on port 53000 instead of the default port 53 (which dnsmasq now occupies), and save the file:

from:
  - 0::1
to:
  - 0::1@53000
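Before restarting the two services it is worth checking the edited stubby.yml for the mistakes this procedure invites: an upstream entry whose tls_auth_name was lost in a copy-paste (Stubby then cannot verify the server's certificate name, so an authenticated DoT session cannot be established for that server), a listen address still on port 53 where it would clash with dnsmasq, a relaxed tls_authentication setting, or a round_robin_upstreams value that is neither 0 nor 1. The script below is an added example, not part of the original post or of the Stubby project; it uses a small hand-rolled parser for the subset of YAML that stubby.yml uses (so no PyYAML is needed), and the sample configuration embedded in it is constructed with placeholder addresses (192.0.2.x, dot.example) rather than real servers.

```python
"""Lint a stubby.yml before restarting Stubby in front of dnsmasq.

Added example; the parser only understands the subset of YAML that
stubby.yml uses (top-level scalars, a flat listen_addresses list and the
upstream_recursive_servers list of address_data/tls_auth_name entries).
"""
import sys

# Constructed sample in the layout the post describes. Addresses and the
# auth name are placeholders (RFC 5737 range / .example), not real servers.
# The second upstream shows the copy-paste failure mode: an empty name.
SAMPLE_STUBBY_YML = """\
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 0
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
upstream_recursive_servers:
  # preferred server (placeholder values)
  - address_data: 192.0.2.1
    tls_auth_name: "dot.example"
  # entry pasted from a web page with its auth name lost
  - address_data: 192.0.2.2
    tls_auth_name: ""
"""

STUBBY_DEFAULT_PORT = 53   # a listen address without "@port" uses this


def parse_stubby_yml(text):
    """Return {'scalars': {...}, 'listen_addresses': [...], 'upstreams': [{...}]}."""
    cfg = {"scalars": {}, "listen_addresses": [], "upstreams": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:                            # top-level key
            key, _, value = stripped.partition(":")
            if key == "listen_addresses":
                section = "listen"
            elif key == "upstream_recursive_servers":
                section = "upstreams"
            else:
                section = None
                cfg["scalars"][key] = value.strip()
            continue
        if stripped.startswith("- "):              # new list item
            item = stripped[2:].strip()
            if section == "listen":
                cfg["listen_addresses"].append(item)
            elif section == "upstreams":
                key, _, value = item.partition(":")
                cfg["upstreams"].append({key.strip(): value.strip()})
            continue
        if section == "upstreams" and cfg["upstreams"]:   # continuation of item
            key, _, value = stripped.partition(":")
            cfg["upstreams"][-1][key.strip()] = value.strip()
    return cfg


def check_config(cfg, dnsmasq_port=53):
    """Return a list of human-readable problems; empty list means the file looks sane."""
    problems = []
    # Each upstream needs a name to authenticate its certificate against.
    # (This checker only looks at tls_auth_name, not tls_pubkey_pinset.)
    for i, up in enumerate(cfg["upstreams"]):
        if not up.get("tls_auth_name", "").strip('"'):
            problems.append(f"upstream #{i} ({up.get('address_data', '?')}): empty tls_auth_name")
    # The post relies on strict authentication; flag it if it was relaxed.
    if cfg["scalars"].get("tls_authentication") != "GETDNS_AUTHENTICATION_REQUIRED":
        problems.append("tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED")
    # With dnsmasq on port 53, every Stubby listen address must use another port.
    for addr in cfg["listen_addresses"]:
        _, sep, port = addr.rpartition("@")
        port = int(port) if sep else STUBBY_DEFAULT_PORT
        if port == dnsmasq_port:
            problems.append(f"listen address {addr} clashes with dnsmasq on port {dnsmasq_port}")
    # round_robin_upstreams is a 0/1 switch.
    if cfg["scalars"].get("round_robin_upstreams") not in ("0", "1"):
        problems.append("round_robin_upstreams must be 0 or 1")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_stubby.py /etc/stubby/stubby.yml (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STUBBY_YML
    for problem in check_config(parse_stubby_yml(text)):
        print("PROBLEM:", problem)
```

Run it against /etc/stubby/stubby.yml after the edit; the only line it should print for the sample above is the empty tls_auth_name of the second upstream. If you forgot the @53000 suffix it also reports the port-53 clash for each listen address, which is exactly the situation in which dnsmasq or Stubby fails to start after the restart.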

sudo systemctl restart stubby.service

sudo systemctl restart dnsmasq.service

Enter the command:

dig A

Repeat the command:

dig A

Note the query times: about 12 msec for the first query, which goes through Stubby to the upstream server, and 0 msec for the second, which is answered from the dnsmasq cache.