Created
April 25, 2019 08:45
-
-
Save itsuki-hayashi/939e41271fd116cc2d037520812691b0 to your computer and use it in GitHub Desktop.
Stubby configuration for macOS (CloudFlare DNS + Google Public DNS).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################ | |
| ######################## STUBBY YAML CONFIG FILE ############################### | |
| ################################################################################ | |
| # This is a yaml version of the stubby configuration file (it replaces the | |
| # json based stubby.conf file used in earlier versions of getdns/stubby). | |
| # | |
| # For more information see | |
| # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby | |
| # | |
| # This format does not fully support all yaml features - the restrictions are: | |
| # - the outer-most data structure must be a yaml mapping | |
| # - mapping keys must be yaml scalars | |
| # - plain scalars will be converted to json unchanged | |
| # - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted | |
| # as json strings, i.e. double quoted. | |
| # - yaml tags are not supported | |
| # - IPv6 addresses ending in :: are not yet supported (use ::0) | |
| # | |
| # Also beware that yaml is sensitive to the indentation at the start of each | |
| # line so if you encounter errors when parsing the config file then please check | |
| # that. We will add better checking but a useful online tool to check yaml | |
| # format is here (it also converts yaml to json) | |
| # https://yaml-online-parser.appspot.com/ | |
| # | |
| # Note that we plan to introduce a more compact format for defining upstreams | |
| # in future: https://github.com/getdnsapi/stubby/issues/79 | |
| ################################### LOGGING #################################### | |
| # Logging is currently configured at runtime using command line arguments. See | |
| # > stubby -h | |
| # for details. | |
| ########################## BASIC & PRIVACY SETTINGS ############################ | |
| # Specifies whether to run as a recursive or stub resolver | |
| # For stubby this MUST be set to GETDNS_RESOLUTION_STUB | |
| resolution_type: GETDNS_RESOLUTION_STUB | |
| # Ordered list composed of one or more transport protocols: | |
| # GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS | |
| # If only one transport value is specified it will be the only transport used. | |
| # Should it not be available basic resolution will fail. | |
| # Fallback transport options are specified by including multiple values in the | |
| # list. Strict mode (see below) should use only GETDNS_TRANSPORT_TLS. | |
| dns_transport_list: | |
| - GETDNS_TRANSPORT_TLS | |
| # Selects Strict or Opportunistic Usage profile as described in | |
| # https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/ | |
| # Strict mode requires that authentication information for the upstreams is | |
| # specified below. Opportunistic may fallback to clear text DNS if UDP or TCP | |
| # is included in the transport list above. | |
| # For Strict use GETDNS_AUTHENTICATION_REQUIRED | |
| # For Opportunistic use GETDNS_AUTHENTICATION_NONE | |
| tls_authentication: GETDNS_AUTHENTICATION_REQUIRED | |
| # EDNS0 option to pad the size of the DNS query to the given blocksize | |
| # 128 is currently recommended by | |
| # https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03 | |
| tls_query_padding_blocksize: 128 | |
| # EDNS0 option for ECS client privacy as described in Section 7.1.2 of | |
| # https://tools.ietf.org/html/rfc7871 | |
| edns_client_subnet_private : 1 | |
| ############################# CONNECTION SETTINGS ############################## | |
| # Set to 1 to instruct stubby to distribute queries across all available name | |
| # servers - this will use multiple simultaneous connections which can give | |
| # better performance in most (but not all) cases. | |
| # Set to 0 to treat the upstreams below as an ordered list and use a single | |
| # upstream until it becomes unavailable, then use the next one. | |
| round_robin_upstreams: 1 | |
| # EDNS0 option for keepalive idle timeout in milliseconds as specified in | |
| # https://tools.ietf.org/html/rfc7828 | |
| # This keeps idle TLS connections open to avoid the overhead of opening a new | |
| # connection for every query. | |
| idle_timeout: 10000 | |
| # Control the maximum number of connection failures that will be permitted | |
| # before Stubby backs-off from using an individual upstream (default 2) | |
| # tls_connection_retries: 5 | |
| # Control the maximum time in seconds Stubby will back-off from using an | |
| # individual upstream after failures under normal circumstances (default 3600) | |
| # tls_backoff_time: 300 | |
| # Specify the location for CA certificates used for verification purposes are | |
| # located - this overrides the OS specific default location. | |
| # tls_ca_path: | |
| # Limit the total number of outstanding queries permitted | |
| # limit_outstanding_queries: 100 | |
| # Specify the timeout in milliseconds on getting a response to an individual | |
| # request (default 5000) | |
| # timeout: 1000 | |
| # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is | |
| # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the | |
| # tls_ciphersuites option. This option can also be given per upstream. | |
| # tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" | |
| # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required | |
| # for this option. This option can also be given per upstream. | |
| # tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" | |
| # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. | |
| # This option can also be given per upstream. | |
| tls_min_version: GETDNS_TLS1_3 | |
| # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. | |
| # This option can also be given per upstream. | |
| tls_max_version: GETDNS_TLS1_3 | |
| ################################ LISTEN ADDRESS ################################ | |
| # Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4 | |
| # and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to | |
| # specify a different port | |
| listen_addresses: | |
| - 127.0.0.1 | |
| - 0::1 | |
| ############################### DNSSEC SETTINGS ################################ | |
| # Require DNSSEC validation. This will withhold answers with BOGUS DNSSEC | |
| # status and answers that could not be validated (i.e. with DNSSEC status | |
| # INDETERMINATE). Beware that if no DNSSEC trust-anchor is provided, or if | |
| # stubby is not able to fetch and validate the DNSSEC trust-anchor itself, | |
| # (using Zero configuration DNSSEC) stubby will not return answers at all. | |
| # If DNSSEC validation is required, a trust-anchor is also required. | |
| dnssec: GETDNS_EXTENSION_TRUE | |
| # Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly | |
| # when needed (Zero configuration DNSSEC), but only if it can store then | |
| # somewhere. The default location to store these files is the ".getdns" | |
| # subdirectory in the user's home directory on Unixes, and the %appdata%\getdns | |
| # directory on Windows. If there is no home directory, or | |
| # the required subdirectory could not be created (or is not present), Stubby | |
| # will fall back to the current working directory to try to store the | |
| # trust-anchor files. | |
| # | |
| # When stubby runs as a special system-level user without a home directory | |
| # however (such as in setups using systemd), it is recommended that an explicit | |
| # location for storing the trust-anchor files is provided that is writable (and | |
| # readable) by that special system user. | |
| # appdata_dir: "/var/cache/stubby" | |
| # When Zero configuration DNSSEC failed, because of network unavailability or | |
| # failure to write to the appdata directory, stubby will backoff trying to | |
| # refetch the DNSSEC trust-anchor for a specified amount of time expressed | |
| # in milliseconds (which defaults to two and a half seconds). | |
| # trust_anchors_backoff_time: 2500 | |
| # Specify the location of the installed trust anchor file (leave commented out | |
| # for zero configuration DNSSEC) | |
| # dnssec_trust_anchors: "/etc/unbound/getdns-root.key" | |
| ################################## UPSTREAMS ################################ | |
| # Specify the list of upstream recursive name servers to send queries to | |
| # In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset | |
| # so the upstream can be authenticated. | |
| # The list below includes all the available test servers but only has the subset | |
| # operated the stubby/getdns developers enabled. You can enable any of the | |
| # others you want to use by uncommenting the relevant section. See: | |
| # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers | |
| # If you don't have IPv6 then comment then out those upstreams. | |
| # In Opportunistic mode they only require an IP address in address_data. | |
| # The information for an upstream can include the following: | |
| # - address_data: IPv4 or IPv6 address of the upstream | |
| # port: Port for UDP/TCP (default is 53) | |
| # tls_auth_name: Authentication domain name checked against the server | |
| # certificate | |
| # tls_pubkey_pinset: An SPKI pinset verified against the keys in the server | |
| # certificate | |
| # - digest: Only "sha256" is currently supported | |
| # value: Base64 encoded value of the sha256 fingerprint of the public | |
| # key | |
| # tls_port: Port for TLS (default is 853) | |
| upstream_recursive_servers: | |
| ############################ DEFAULT UPSTREAMS ################################ | |
| ####### IPv4 addresses ###### | |
| ### Anycast services ### | |
| - address_data: 8.8.8.8 | |
| tls_auth_name: "dns.google" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: OWX/O9SC/2NtceWcgBxOPPurCQPzPbmBaFcMQw6onHY= | |
| - address_data: 8.8.4.4 | |
| tls_auth_name: "dns.google" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: OWX/O9SC/2NtceWcgBxOPPurCQPzPbmBaFcMQw6onHY= | |
| ## Cloudflare 1.1.1.1 and 1.0.0.1 | |
| - address_data: 1.1.1.1 | |
| tls_auth_name: "cloudflare-dns.com" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= | |
| - address_data: 1.0.0.1 | |
| tls_auth_name: "cloudflare-dns.com" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= | |
| ####### IPv6 addresses ###### | |
| - address_data: 2001:4860:4860::8888 | |
| tls_auth_name: "dns.google" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: OWX/O9SC/2NtceWcgBxOPPurCQPzPbmBaFcMQw6onHY= | |
| - address_data: 2001:4860:4860::8844 | |
| tls_auth_name: "dns.google" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: OWX/O9SC/2NtceWcgBxOPPurCQPzPbmBaFcMQw6onHY= | |
| ## Cloudflare servers | |
| - address_data: 2606:4700:4700::1111 | |
| tls_auth_name: "cloudflare-dns.com" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= | |
| - address_data: 2606:4700:4700::1001 | |
| tls_auth_name: "cloudflare-dns.com" | |
| tls_pubkey_pinset: | |
| - digest: "sha256" | |
| value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment