# DNS-over-TLS using Stubby

The goal of the DNS-over-TLS (DoT) protocol is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. With DoT, both the DNS query and its response are encrypted.

When this feature is used, the SafeDNS service can identify users only by their public IP address. This feature does not work with the SafeDNS Agent or the SafeDNS VPN solution.

Before you start, please open your **SafeDNS** **Dashboard > Settings > Devices**. Enter your public IP address in the "**Enter an IP address or DynDNS**" field and click the "**Add**" button.

[![DNS-over-TLS Setup.png](https://docs.safedns.com/uploads/images/gallery/2024-08/scaled-1680-/3htrW0L4jUUOONjk-dns-over-tls-setup.png)](https://docs.safedns.com/uploads/images/gallery/2024-08/3htrW0L4jUUOONjk-dns-over-tls-setup.png)

---

#### Windows 10

1\. [Download](https://dnsprivacy.org/wiki/display/DP/Windows+installer+for+Stubby) and install the Stubby .msi package.

2\. Run the Windows Command Prompt as administrator:

[![2.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/71VLBAOxyleQiwmq-2-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/71VLBAOxyleQiwmq-2-dns-over-tls-setup-guide.png)

3\. Go to the Stubby directory using the Command Prompt and open the **stubby.yml** configuration file with Notepad:

[![3.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/iEbdzMlvrh6wN6ss-3-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/iEbdzMlvrh6wN6ss-3-dns-over-tls-setup-guide.png)

4\. Edit the settings to match the example below:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE  # Opportunistic profile; Strict is GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 0
idle_timeout: 100000
listen_addresses:
  - 127.0.0.1@53
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 195.46.39.41
    tls_auth_name: "dns-s.safedns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=
```

5\. Run the following command to replace the default DNS server with the local Stubby resolver:

<p class="callout info">PowerShell -ExecutionPolicy bypass -file "C:\Program Files\Stubby\stubby_setdns_windows.ps1"</p>

6\. Run the **stubby.bat** file:

[![4.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/XsSPiGAE7UCI4iFl-4-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/XsSPiGAE7UCI4iFl-4-dns-over-tls-setup-guide.png)

7\. Check the filtering.

---

#### Linux (Ubuntu)

1\. Install the Stubby package from a repository:

<p class="callout info">$ sudo apt install stubby</p>

2\. Set the configuration file **/etc/stubby/stubby.yml** as follows:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE  # Opportunistic profile; Strict is GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 0
idle_timeout: 100000
listen_addresses:
  - 127.0.0.2@53
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 195.46.39.41
    tls_auth_name: "dns-s.safedns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=
```

3\. Change the DNS server in the **/etc/resolv.conf** file to **127.0.0.2**:

<p class="callout info">nameserver 127.0.0.2</p>

4\. Start the filtering service:

<p class="callout info">$ sudo service stubby start</p>

5\. Check the filtering.

---

#### macOS

1\. [Download](https://dnsprivacy.org/dns_privacy_daemon_-_stubby/installation/macos_homebrew/) and install the Stubby Manager package.

If you get a security alert, click on "**Open Anyway**" in the security settings.

[![5.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/bXud5Q8gZWwB4tfL-5-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/bXud5Q8gZWwB4tfL-5-dns-over-tls-setup-guide.png)

2\. Launch the Stubby Manager app after installation and click the "**Advanced**" button.

[![6.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/hTyr6BBhVgeFD6VA-6-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/hTyr6BBhVgeFD6VA-6-dns-over-tls-setup-guide.png)

3\. Set the configuration file as follows:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE  # Opportunistic profile; Strict is GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 0
idle_timeout: 100000
listen_addresses:
  - 127.0.0.1@53
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 195.46.39.41
    tls_auth_name: "dns-s.safedns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: kbv1ODr8gP7FV9/h2lp5t3sP4TdYZEwqUYj0mk0IBzg=
```

4\. Apply the settings and click **"Start"**.

5\. Open **"Network Properties"** and set **127.0.0.1** as the DNS server.

[![7.DNS-over-TLS Setup Guide .png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/aEqeug0rbnRICY5L-7-dns-over-tls-setup-guide.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/aEqeug0rbnRICY5L-7-dns-over-tls-setup-guide.png)

6\. Check the filtering.
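
The `tls_pubkey_pinset` value in the configurations above is the Base64-encoded SHA-256 digest of the upstream certificate's SubjectPublicKeyInfo (SPKI). The Python below is an added example, not part of the SafeDNS documentation or the Stubby project: it computes that digest from a DER-encoded certificate so a configured pin can be compared with the certificate actually served. The names `read_tlv`, `spki_pin` and `der_tlv` are hypothetical, and the sample certificate is constructed for the example.

```python
import base64
import hashlib


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def spki_pin(cert_der):
    """Base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional explicit [0] version field
        pos = end
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)    # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()


def der_tlv(tag, value):
    """Minimal DER encoder, used here only to build the constructed sample."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value


# Constructed sample: certificate-shaped DER with placeholder fields, not a real cert.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"\x06\x03\x2b\x65\x70") + der_tlv(0x03, bytes(33)))
SAMPLE_TBS = der_tlv(0x30, b"".join([
    der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # version v3
    der_tlv(0x02, b"\x01"),                  # serialNumber
    der_tlv(0x30, b""), der_tlv(0x30, b""),  # signature algorithm, issuer
    der_tlv(0x30, b""),                      # validity
    der_tlv(0x30, bytes(200)),               # subject, padded to force long-form lengths
    SAMPLE_SPKI]))
SAMPLE_CERT = der_tlv(0x30, SAMPLE_TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

For a live check, pass `spki_pin` the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` on a TLS connection to the upstream's port 853 and compare the result with the `value` in `tls_pubkey_pinset`.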