Customize stubby.yml


lost_

New Around Here
I understand the privacy implication, but I'd like to send the subnet EDNS in the DoT queries. I'm using Quad9 9.9.9.11 (ECS enabled).

It seems that is controlled by this line in /etc/stubby/stubby.yml

edns_client_subnet_private: 1

How do I permanently either remove this line, or set it to 0?
 

lost_

New Around Here
Thanks Colin! Forgot about that directory.

For those who want to configure DoT the same way:

cat /jffs/scripts/stubby.postconf
Code:
#!/bin/sh

# $1 is the path of the generated stubby.yml
CONFIG=$1
# helper.sh provides pc_replace
source /usr/sbin/helper.sh

pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$CONFIG"

With this, my subnet is provided to Quad9 (which I'm fine with and they don't log). The resolved hosts are now the ones closest to me. I've tested with and without EDNS. Without EDNS, Facebook resolved to the one in California (33 ms), and with it, it's the one in Virginia (10 ms). YMMV.

(On the WAN page, set DNS over TLS to 9.9.9.11 and hostname dns11.quad9.net. Under LAN, set DNSFilter to router or however you need it.)
 

bbunge

Part of the Furniture
In /jffs/scripts create file stubby.postconf with contents:
Code:
#!/bin/sh
# $1 is the path of the generated stubby.yml
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$CONFIG"
Change properties of the file to 755

Here are changes I make:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
# Turn off round-robin across the upstream servers
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
# Add the dnssec_return_status line after the tls_authentication line
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
The last line enables DNSSEC validation to be done by Stubby. With this enabled, disable DNSSEC in the router WAN settings.
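
A check that the postconf edits from the posts above actually landed in the generated file, and that TLS authentication is still required, as an added example that is not part of the thread. The function names `stubby_get`, `stubby_check` and `write_sample` are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the value of a top-level "key: value" line (empty if absent).
stubby_get() {   # $1 = config file, $2 = key
    sed -n "s/^$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# stubby_check FILE key=value ...
# Returns 0 only if every key holds the expected value; prints each mismatch.
stubby_check() {
    cfg=$1; shift; rc=0
    for want in "$@"; do
        key=${want%%=*}; exp=${want#*=}
        got=$(stubby_get "$cfg" "$key")
        if [ "$got" != "$exp" ]; then
            echo "MISMATCH $key: want '$exp', found '${got:-<missing>}'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample resembling a generated config before any postconf edit.
write_sample() {
    cat > "$1" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
edns_client_subnet_private: 1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns11.quad9.net"
EOF
}

# Demo: the untouched sample fails the check for the first script above.
tmp=$(mktemp)
write_sample "$tmp"
stubby_check "$tmp" edns_client_subnet_private=0 \
    tls_authentication=GETDNS_AUTHENTICATION_REQUIRED \
    || echo "postconf edit not applied"
rm -f "$tmp"
```

On the router, point `stubby_check` at /etc/stubby/stubby.yml with the key=value pairs your own stubby.postconf is meant to produce.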
 