forked from getdnsapi/stubby
-
Notifications
You must be signed in to change notification settings - Fork 0
/
stubby.yml.example
300 lines (282 loc) · 11.8 KB
/
stubby.yml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
#
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
# This format does not fully support all yaml features - the restrictions are:
# - the outer-most data structure must be a yaml mapping
# - mapping keys must be yaml scalars
# - plain scalars will be converted to json unchanged
# - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
# as json strings, i.e. double quoted.
# - yaml tags are not supported
# - IPv6 addresses ending in :: are not yet supported (use ::0)
#
# Logging is currently configured at runtime using command line arguments. See
# > stubby -h
# for details.
# Specifies whether to run as a recursive or stub resolver
# For stubby this MUST be set to GETDNS_RESOLUTION_STUB
resolution_type: GETDNS_RESOLUTION_STUB
# Ordered list composed of one or more transport protocols:
# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
# If only one transport value is specified it will be the only transport used.
# Should it not be available basic resolution will fail.
# Fallback transport options are specified by including multiple values in the
# list. Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
dns_transport_list:
- GETDNS_TRANSPORT_TLS
# Selects Strict or Opportunistic Usage profile as described in
# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
# Strict mode requires that authentication information for the upstreams is
# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
# is included in the transport list above.
# For Strict use GETDNS_AUTHENTICATION_REQUIRED
# For Opportunistic use GETDNS_AUTHENTICATION_NONE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# EDNS0 option to pad the size of the DNS query to the given blocksize
# 256 is currently recommended by
# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01
tls_query_padding_blocksize: 256
# EDNS0 option for ECS client privacy as described in Section 7.1.2 of
# https://tools.ietf.org/html/rfc7871
edns_client_subnet_private : 1
# EDNS0 option for keepalive idle timeout in ms as specified in
# https://tools.ietf.org/html/rfc7828
# This keeps idle TLS connections open to avoid the overhead of opening a new
# connection for every query.
idle_timeout: 10000
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
# specify a different port
listen_addresses:
- 127.0.0.1
- 0::1
# Instructs stubby to distribute queries across all available name servers.
# Set to 0 to treat the upstreams below as an ordered list and use a single
# upstream until it becomes unavailable, then use the next one.
round_robin_upstreams: 1
# Require DNSSEC validation. For releases earlier than 1.2 a trust anchor must
# be configured configured manually. This can be done with unbound-anchor.
# dnssec_return_status: GETDNS_EXTENSION_TRUE
# Specify the location of the installed trust anchor file (leave commented out
# for zero configuration DNSSEC)
# dnssec_trust_anchors: "/etc/unbound/getdns-root.key"
# Control the maximum number of connection failures that will be permitted
# before Stubby backs-off from using an individual upstream (default 2)
# tls_connection_retries: 5
# Control the maximum time in seconds Stubby will back-off from using an
# individual upstream after failures under normal circumstances (default 3600)
# tls_backoff_time: 300
# Limit the total number of outstanding queries permitted
# limit_outstanding_queries: 100
# Specify the timeout on getting a response to an individual request
# (default 5s)
# timeout: 1
# Specify the list of upstream recursive name servers to send queries to
# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
# so the upstream can be authenticated.
# The list below includes all the available test servers but only has the subset
# operated the stubby/getdns developers enabled. You can enable any of the
# others you want to use by uncommenting the relevant section. See:
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
# If you don't have IPv6 then comment then out those upstreams.
# In Opportunistic mode they only require an IP address in address_data.
# The information for an upstream can include the following:
# - address_data: IPv4 or IPv6 address of the upstream
# port: Port for UDP/TCP (default is 53)
# tls_auth_name: Authentication domain name checked against the server
# certificate
# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
# certificate
# - digest: Only "sha256" is currently supported
# value: Base64 encoded value of the sha256 fingerprint of the public
# key
# tls_port: Port for TLS (default is 853)
upstream_recursive_servers:
# IPv4 addresses
# The Surfnet/Sinodun servers
- address_data: 145.100.185.15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 145.100.185.16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
# The getdnsapi.net server
- address_data: 185.49.141.37
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# IPv6 addresses
# The Surfnet/Sinodun servers
- address_data: 2001:610:1:40ba:145:100:185:15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 2001:610:1:40ba:145:100:185:16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
# The getdnsapi.net server
- address_data: 2a04:b900:0:100::38
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# Additional servers
# IPv4 addresses
## Quad 9 service
# - address_data: 9.9.9.9
# tls_auth_name: "dns.quad9.net"
## The Uncensored DNS servers
# - address_data: 89.233.43.71
# tls_auth_name: "unicast.censurfridns.dk"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used for
## DNSSEC
# - address_data: 145.100.185.17
# tls_auth_name: "dnsovertls2.sinodun.com"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
## DNSSEC. (This also listens on port 443)
# - address_data: 199.58.81.218
# tls_auth_name: "dns.cmrg.net"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# - digest: "sha256"
# value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
## dns1.darkmoon.is
# - address_data: 51.15.70.167
# tls_auth_name: "dns1.darkmoon.is"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: 8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=
## securedns.eu
# - address_data: 146.185.167.43
# tls_auth_name: "securedns.eu"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: 2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=
## dns-tls.bitwiseshift.net
# - address_data: 81.187.221.24
# tls_auth_name: "dns-tls.bitwiseshift.net"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=
## ns1.dnsprivacy.at
# - address_data: 94.130.110.185
# tls_auth_name: "ns1.dnsprivacy.at"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
## ns2.dnsprivacy.at
# - address_data: 94.130.110.178
# tls_auth_name: "ns2.dnsprivacy.at"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
## Lorraine Data Network (self-signed cert). Also listens on port 443.
# - address_data: 80.67.188.188
# tls_pubkey_pinset:
# - digest: "sha256"
# value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## NIC Chile (self-signed cert)
# - address_data: 200.1.123.46
# tls_pubkey_pinset:
# - digest: "sha256"
# value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## # OARC. Note: this server currently doesn't support strict mode!
## - address_data: 184.105.193.78
## tls_auth_name: "tls-dns-u.odvr.dns-oarc.net"
## tls_pubkey_pinset:
## - digest: "sha256"
## value: pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
#IPv6 addresses
## The Uncensored DNS server
# - address_data: 2a01:3a0:53:53::0
# tls_auth_name: "unicast.censurfridns.dk"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used for
## DNSSEC
# - address_data: 2001:610:1:40ba:145:100:185:17
# tls_auth_name: "dnsovertls2.sinodun.com"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
## DNSSEC. (This also listens on port 443)
# - address_data: 2001:470:1c:76d::53
# tls_auth_name: "dns.cmrg.net"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# - digest: "sha256"
# value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
## securedns.eu
# - address_data: 2a03:b0c0:0:1010::e9a:3001
# tls_auth_name: "securedns.eu"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: 2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=
## dns-tls.bitwiseshift.net
# - address_data: 2001:8b0:24:24::24
# tls_auth_name: "dns-tls.bitwiseshift.net"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=
## ns1.dnsprivacy.at
# - address_data: 2a01:4f8:c0c:3c03::2
# tls_auth_name: "ns1.dnsprivacy.at"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
## ns2.dnsprivacy.at
# - address_data: 2a01:4f8:c0c:3bfc::2
# tls_auth_name: "ns2.dnsprivacy.at"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
## Go6Lab
# - address_data: 2001:67c:27e4::35
# tls_auth_name: "privacydns.go6lab.si"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
## Lorraine Data Network (self-signed cert). Also listens on port 443.
# - address_data: 2001:913::8
# tls_pubkey_pinset:
# - digest: "sha256"
# value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## NIC Chile (self-signed cert)
# - address_data: 2001:1398:1:0:200:1:123:46
# tls_pubkey_pinset:
# - digest: "sha256"
# value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## Yeti. Note the servers use a different root trust anchor for DNSSEC!
# - address_data: 2001:4b98:dc2:43:216:3eff:fea9:41a
# tls_auth_name: "dns-resolver.yeti.eu.org"
# tls_pubkey_pinset:
# - digest: "sha256"
# value: YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=
## # OARC. Note: this server currently doesn't support strict mode!
## - address_data: 2620:ff:c000:0:1::64:25
## tls_auth_name: "tls-dns-u.odvr.dns-oarc.net"
## tls_pubkey_pinset:
## - digest: "sha256"
## value: pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=