alanbuxey · April 23, 2023 10:23 · alanbuxey · Mar 31, 2022
diff --git a/stubby.xml b/stubby.xml
 #
 # This is a yaml version of the stubby configuration file (it replaces the 
 # json based stubby.conf file used in earlier versions of getdns/stubby).
 #
 # For more information see
 # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
 #
 # This format does not fully support all yaml features - the restrictions are:
 #   - the outer-most data structure must be a yaml mapping
 #   - mapping keys must be yaml scalars
 #   - plain scalars will be converted to json unchanged
 #   - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
 #     as json strings, i.e. double quoted. 
 #   - yaml tags are not supported
 #   - IPv6 addresses ending in :: are not yet supported (use ::0)
 #
 # Note that we plan to introduce a more compact format for defining upstreams
 # in future: https://github.com/getdnsapi/stubby/issues/79

 # Logging is currently configured at runtime using command line arguments. See
 # > stubby -h
 # for details.

 # Specifies whether to run as a recursive or stub resolver 
 # For stubby this MUST be set to GETDNS_RESOLUTION_STUB
 resolution_type: GETDNS_RESOLUTION_STUB

 # Ordered list composed of one or more transport protocols: 
 # GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
 # If only one transport value is specified it will be the only transport used. 
 # Should it not be available basic resolution will fail.
 # Fallback transport options are specified by including multiple values in the
 # list.  Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
 dns_transport_list:
  - GETDNS_TRANSPORT_TLS

 # Selects Strict or Opportunistic Usage profile as described in
 # https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
 # Strict mode requires that authentication information for the upstreams is
 # specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
 # is included in the transport list above.
 # For Strict use        GETDNS_AUTHENTICATION_REQUIRED
 # For Opportunistic use GETDNS_AUTHENTICATION_NONE
 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

 # EDNS0 option to pad the size of the DNS query to the given blocksize
 # 128 is currently recommended by 
 # https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
 tls_query_padding_blocksize: 128

 # EDNS0 option for ECS client privacy as described in Section 7.1.2 of
 # https://tools.ietf.org/html/rfc7871
 edns_client_subnet_private : 1

 # EDNS0 option for keepalive idle timeout in ms as specified in
 # https://tools.ietf.org/html/rfc7828
 # This keeps idle TLS connections open to avoid the overhead of opening a new 
 # connection for every query.
 idle_timeout: 10000

 # Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
 # and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to 
 # specify a different port
 listen_addresses:
  - 127.0.0.1
  -  0::1

 # Instructs stubby to distribute queries across all available name servers. 
 # Set to 0 to treat the upstreams below as an ordered list and use a single
 # upstream until it becomes unavailable, then use the next one.
 round_robin_upstreams: 1

 # Require DNSSEC validation. For releases earlier than 1.2 a trust anchor must
 # be configured configured manually. This can be done with unbound-anchor.
 # dnssec_return_status: GETDNS_EXTENSION_TRUE

 # Specify the location of the installed trust anchor file (leave commented out
 # for zero configuration DNSSEC)
 # dnssec_trust_anchors: "/etc/unbound/getdns-root.key"

 # Control the maximum number of connection failures that will be permitted
 # before Stubby backs-off from using an individual upstream (default 2)
 # tls_connection_retries: 5

 # Control the maximum time in seconds Stubby will back-off from using an
 # individual upstream after failures under normal circumstances (default 3600)
 # tls_backoff_time: 300

 # Limit the total number of outstanding queries permitted
 # limit_outstanding_queries: 100

 # Specify the timeout on getting a response to an individual request
 # (default 5s)
 # timeout: 1

 # Specify the list of upstream recursive name servers to send queries to
 # In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
 # so the upstream can be authenticated.
 # The list below includes all the available test servers but only has the subset
 # operated the stubby/getdns developers enabled. You can enable any of the
 # others you want to use by uncommenting the relevant section. See:
 # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
 # If you don't have IPv6 then comment then out those upstreams.
 # In Opportunistic mode they only require an IP address in address_data.
 # The information for an upstream can include the following:
 # - address_data: IPv4 or IPv6 address of the upstream
 #   port: Port for UDP/TCP (default is 53)
 #   tls_auth_name: Authentication domain name checked against the server
 #                  certificate
 #   tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
 #                      certificate
 #     - digest: Only "sha256" is currently supported
 #       value: Base64 encoded value of the sha256 fingerprint of the public
 #              key
 #   tls_port: Port for TLS (default is 853)
 upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
	#
	# This is a yaml version of the stubby configuration file (it replaces the
	# json based stubby.conf file used in earlier versions of getdns/stubby).
	#
	# For more information see
	# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
	#
	# This format does not fully support all yaml features - the restrictions are:
	# - the outer-most data structure must be a yaml mapping
	# - mapping keys must be yaml scalars
	# - plain scalars will be converted to json unchanged
	# - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
	# as json strings, i.e. double quoted.
	# - yaml tags are not supported
	# - IPv6 addresses ending in :: are not yet supported (use ::0)
	#
	# Note that we plan to introduce a more compact format for defining upstreams
	# in future: https://github.com/getdnsapi/stubby/issues/79

	# Logging is currently configured at runtime using command line arguments. See
	# > stubby -h
	# for details.

	# Specifies whether to run as a recursive or stub resolver
	# For stubby this MUST be set to GETDNS_RESOLUTION_STUB
	resolution_type: GETDNS_RESOLUTION_STUB

	# Ordered list composed of one or more transport protocols:
	# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
	# If only one transport value is specified it will be the only transport used.
	# Should it not be available basic resolution will fail.
	# Fallback transport options are specified by including multiple values in the
	# list. Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
	dns_transport_list:
	- GETDNS_TRANSPORT_TLS

	# Selects Strict or Opportunistic Usage profile as described in
	# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
	# Strict mode requires that authentication information for the upstreams is
	# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
	# is included in the transport list above.
	# For Strict use GETDNS_AUTHENTICATION_REQUIRED
	# For Opportunistic use GETDNS_AUTHENTICATION_NONE
	tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

	# EDNS0 option to pad the size of the DNS query to the given blocksize
	# 128 is currently recommended by
	# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
	tls_query_padding_blocksize: 128

	# EDNS0 option for ECS client privacy as described in Section 7.1.2 of
	# https://tools.ietf.org/html/rfc7871
	edns_client_subnet_private : 1

	# EDNS0 option for keepalive idle timeout in ms as specified in
	# https://tools.ietf.org/html/rfc7828
	# This keeps idle TLS connections open to avoid the overhead of opening a new
	# connection for every query.
	idle_timeout: 10000

	# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
	# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
	# specify a different port
	listen_addresses:
	- 127.0.0.1
	- 0::1

	# Instructs stubby to distribute queries across all available name servers.
	# Set to 0 to treat the upstreams below as an ordered list and use a single
	# upstream until it becomes unavailable, then use the next one.
	round_robin_upstreams: 1

	# Require DNSSEC validation. For releases earlier than 1.2 a trust anchor must
	# be configured configured manually. This can be done with unbound-anchor.
	# dnssec_return_status: GETDNS_EXTENSION_TRUE

	# Specify the location of the installed trust anchor file (leave commented out
	# for zero configuration DNSSEC)
	# dnssec_trust_anchors: "/etc/unbound/getdns-root.key"

	# Control the maximum number of connection failures that will be permitted
	# before Stubby backs-off from using an individual upstream (default 2)
	# tls_connection_retries: 5

	# Control the maximum time in seconds Stubby will back-off from using an
	# individual upstream after failures under normal circumstances (default 3600)
	# tls_backoff_time: 300

	# Limit the total number of outstanding queries permitted
	# limit_outstanding_queries: 100

	# Specify the timeout on getting a response to an individual request
	# (default 5s)
	# timeout: 1

	# Specify the list of upstream recursive name servers to send queries to
	# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
	# so the upstream can be authenticated.
	# The list below includes all the available test servers but only has the subset
	# operated the stubby/getdns developers enabled. You can enable any of the
	# others you want to use by uncommenting the relevant section. See:
	# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
	# If you don't have IPv6 then comment then out those upstreams.
	# In Opportunistic mode they only require an IP address in address_data.
	# The information for an upstream can include the following:
	# - address_data: IPv4 or IPv6 address of the upstream
	# port: Port for UDP/TCP (default is 53)
	# tls_auth_name: Authentication domain name checked against the server
	# certificate
	# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
	# certificate
	# - digest: Only "sha256" is currently supported
	# value: Base64 encoded value of the sha256 fingerprint of the public
	# key
	# tls_port: Port for TLS (default is 853)
	upstream_recursive_servers:
	- address_data: 1.1.1.1
	tls_auth_name: "cloudflare-dns.com"
	tls_pubkey_pinset:
	- digest: "sha256"
	value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
	- address_data: 1.0.0.1
	tls_auth_name: "cloudflare-dns.com"
	tls_pubkey_pinset:
	- digest: "sha256"
	value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
	- address_data: 2606:4700:4700::1111
	tls_auth_name: "cloudflare-dns.com"
	tls_pubkey_pinset:
	- digest: "sha256"
	value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
	- address_data: 2606:4700:4700::1001
	tls_auth_name: "cloudflare-dns.com"
	tls_pubkey_pinset:
	- digest: "sha256"
	value: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=