Skip to main content

DNS-over-TLS Setup

The goal of the DNS-over-TLS protocol is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. With DoT, the content and response of the DNS query are encrypted.

Using this feature the SafeDNS service can identify users by their public IP address only. This feature does not work with the SafeDNS Agent or the SafeDNS VPN solution.

Before you start, please open your SafeDNS Dashboard > Settings > Devices. Enter your public IP address in the "Enter an IP address or DynDNS" field and click the "Add" button.

DNS-over-TLS Setup.png


Windows 10

1. Download and install a Stubby .msi package.

2. Run the Windows Command Prompt as administrator:

2.DNS-over-TLS Setup Guide .png

3. Go to the Stubby directory using the Command Prompt and open stubby.yml configuration file with Notepad:

3.DNS-over-TLS Setup Guide .png

4. Set settings following the example below:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list: GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE tls_query_padding_blocksize: 128
edns_client_subnet_private: 0
idle_timeout: 100000
listen_addresses: - 127.0.0.1@53
round_robin_upstreams: 1
upstream_recursive_servers:
- address_data: 195.46.39.41
tls_auth_name: "dns-s.safedns.com"                                             tls_pubkey_pinset:
- digest: "sha256"
value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=

5. Run the following command to replace the default DNS server with a local Stubby:

PowerShell -ExecutionPolicy bypass -file  "C:\Program Files\Stubby\stubby_setdns_windows.ps1"

6. Run the stubby.bat file

4.DNS-over-TLS Setup Guide .png

7. Check the filtering.


Linux (Ubuntu)

1. Install the Stubby package from a repository:

$ sudo apt install stubby

2. Set the configuration file /etc/stubby/stubby.yml as follows:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list: - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 0
idle_timeout: 100000
listen_addresses: - 127.0.0.2@53
round_robin_upstreams: 1
upstream_recursive_servers:
- address_data: 195.46.39.41
tls_auth_name: "dns-s.safedns.com"                                               tls_pubkey_pinset:
- digest: "sha256"
value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=

3. Change DNS in /etc/resolv.conf file to 127.0.0.2:

nameserver 127.0.0.2

4. Start the filtering service

service stubby start

5. Check the filtering.


MacOS

1. Download and install the Stubby Manager package.

If you get a security alert, click on "Open Anyway" in the security settings.

5.DNS-over-TLS Setup Guide .png

2. Launch a Stubby Manager app after installation and click the "Advanced" button.

6.DNS-over-TLS Setup Guide .png

3. Set the configuration file as follows:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list: - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 0
idle_timeout: 100000
listen_addresses: - 127.0.0.1@53
round_robin_upstreams: 1
upstream_recursive_servers:
- address_data: 195.46.39.41
tls_auth_name: "dns-s.safedns.com"                                                       tls_pubkey_pinset:
- digest: "sha256"
value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=

4. Apply the settings and click "Start".

5. Open "Network Properties" and set 127.0.0.1 as the DNS server.

7.DNS-over-TLS Setup Guide .png

6. Check the filtering.