Customize stubby.yml

lost_

New Around Here
I understand the privacy implication, but I'd like to send the subnet EDNS in the DoT queries. I'm using Quad9 9.9.9.11 (ECS enabled).

It seems that is controlled by this line in /etc/stubby/stubby.yml

edns_client_subnet_private: 1

How do I permanently either remove this line, or set it to 0?
 

lost_

New Around Here
Thanks Colin! Forgot about that directory.

For those who want to configure DoT the same way:

cat /jffs/scripts/stubby.postconf
Code:
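#!/bin/sh

# Path of the generated stubby.yml, passed in by the firmware
CONFIG=$1
source /usr/sbin/helper.sh

# Turn off the ECS privacy request (edns_client_subnet_private)
pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$CONFIG"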

With this, my subnet is provided to Quad9 (which I'm fine with and they don't log). The resolved hosts are now the ones closest to me. I've tested with and without EDNS. Without EDNS, Facebook resolved to the one in California (33 ms), and with it, it's the one in Virginia (10 ms). YMMV.

(On the WAN page, set DNS over TLS to 9.9.9.11 and hostname dns11.quad9.net. In LAN, set DNSFilter to router or however you need it.)
 

bbunge

Part of the Furniture
In /jffs/scripts create file stubby.postconf with contents:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$CONFIG"
Change properties of the file to 755

Here are changes I make:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
# Insert the dnssec_return_status line after the tls_authentication line
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
The last line enables DNSSEC validation to be done by Stubby. With this enabled, disable DNSSEC in the router WAN settings.
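
An added example, not part of any post in this thread: a check to run after the postconf scripts above, confirming that the settings they target actually ended up in the generated file, since a replacement whose pattern does not match leaves the file unchanged. The function names and the sample config are constructed for illustration; on the router, point `audit_stubby_conf` at /etc/stubby/stubby.yml.

```shell
#!/bin/sh

# Print the value of a top-level "key: value" line (indented upstream entries are ignored).
stubby_setting() {  # $1 = config file, $2 = key
    awk -v k="$2" 'index($0, k ":") == 1 {
        v = substr($0, length(k) + 2)      # text after "key:"
        sub(/#.*/, "", v)                  # drop a trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", v)     # trim whitespace
        print v; exit
    }' "$1"
}

# Compare each key=expected pair against the file; return the number of mismatches.
audit_stubby_conf() {  # $1 = config file, remaining args = key=expected
    conf=$1; shift; bad=0
    for want in "$@"; do
        key=${want%%=*}; exp=${want#*=}
        got=$(stubby_setting "$conf" "$key")
        if [ "$got" = "$exp" ]; then
            echo "ok    $key: $got"
        else
            echo "FAIL  $key: expected '$exp', found '${got:-<absent>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample standing in for the firmware-generated stubby.yml.
make_sample() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 1
edns_client_subnet_private: 1
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns11.quad9.net"
EOF
}

tmp=$(mktemp); make_sample "$tmp"
# Stand-in for the thread's pc_replace line (helper.sh exists only on the router).
sed 's/^edns_client_subnet_private: 1$/edns_client_subnet_private: 0/' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
audit_stubby_conf "$tmp" edns_client_subnet_private=0 \
    tls_authentication=GETDNS_AUTHENTICATION_REQUIRED || echo "postconf did not take effect"
rm -f "$tmp"
```

The exit status is the number of mismatched settings, so the check can be run again after a firmware update to confirm the postconf patterns still match.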
 