Description
Stubby is a DNS client that uses a secure protocol, DNS over TLS (DoT). It encrypts the DNS queries sent from your machine to a DNS resolver, or to an authoritative DNS server, to increase confidentiality. It can also make its queries according to the DNSSEC protocol.
Warning: it does not act as a caching DNS resolver, nor as an authoritative DNS server; it’s only a DNS client!
In addition, there is no package or port for it on OpenBSD stable, hence the “EXPERIMENTAL” in the title. We’re going to retrieve the sources, then compile, install and configure them.
Installation
The stubby client is/will be installed on OpenBSD stable.
- as of this writing: 6.3
Prerequisite
OpenSSL: installed by default
Libyaml: to install…
autoconf, automake: to install, in order to configure and build before installation.
Code: sh
# pkg_add autoconf automake libyaml
quirks-2.414 signed on 2018-03-28T14:24:37Z
Ambiguous: choose package for autoconf
a 0: <None>
1: autoconf-2.13p4
2: autoconf-2.52p6
3: autoconf-2.54p5
4: autoconf-2.56p4
5: autoconf-2.57p4
6: autoconf-2.58p5
7: autoconf-2.59p5
8: autoconf-2.60p5
9: autoconf-2.61p5
10: autoconf-2.62p2
11: autoconf-2.63p1
12: autoconf-2.64p1
13: autoconf-2.65p1
14: autoconf-2.67p1
15: autoconf-2.68p1
16: autoconf-2.69p2
Your choice: 16
Ambiguous: choose package for automake
a 0: <None>
1: automake-1.10.3p8
2: automake-1.11.6p2
3: automake-1.12.6p1
4: automake-1.13.4p1
5: automake-1.14.1p0
6: automake-1.15.1
7: automake-1.4.6p5
8: automake-1.8.5p9
9: automake-1.9.6p12
Your choice: 6
Then, we will follow the official recommendations for installing from sources, adapting them to OpenBSD, step by step.
Download
Code: sh
$ git clone https://github.com/getdnsapi/getdns.git
$ cd getdns
$ git checkout develop
The second git command lets us obtain the most recent sources.
Configuration
Code: sh
$ git submodule update --init
$ libtoolize -ci
$ export AUTOCONF_VERSION=2.69
$ export AUTOMAKE_VERSION=1.15
$ autoreconf -fi
$ mkdir build && cd build
$ ../configure --prefix=/usr/local --without-libidn --enable-stub-only --with-stubby
Compilation
$ make
# make install
Of course, if you have configured doas, you can execute the last command as:
$ doas make install
resolv.conf
It’s necessary to modify your /etc/resolv.conf file in order to communicate directly with stubby:
nameserver 127.0.0.1
nameserver ::1
stubby.yml
The stubby configuration file is: /usr/local/etc/stubby/stubby.yml.
You can create your own, as ~/.stubby.yml. It will be read first.
Execution
To execute stubby, run:
Code: sh
# stubby
[12:57:39.896254] STUBBY: Read config from file /usr/local/etc/stubby/stubby.yml
[12:57:39.898479] STUBBY: DNSSEC Validation is OFF
[12:57:39.898585] STUBBY: Transport list is:
[12:57:39.898617] STUBBY: - TLS
[12:57:39.898681] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[12:57:39.898713] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[12:57:39.898749] STUBBY: Starting DAEMON....
Some useful information about the flags:
-C: to specify another configuration file.
-g: to run in background mode.
-i: to check the configuration!
-l: to log. Currently, the output only goes to stdout!
Test
We use dig:
=> IPv4
Code: sh
$ dig @127.0.0.1 www.gandi.net
; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 www.gandi.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40041
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;www.gandi.net. IN A
;; ANSWER SECTION:
www.gandi.net. 21583 IN CNAME prod.gandi.map.fastly.net.
prod.gandi.map.fastly.net. 3600 IN A 151.101.37.103
;; AUTHORITY SECTION:
fastly.net. 3600 IN NS ns1.fastly.net.
fastly.net. 3600 IN NS ns2.fastly.net.
fastly.net. 3600 IN NS ns3.fastly.net.
fastly.net. 3600 IN NS ns4.fastly.net.
;; Query time: 1888 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 22 14:15:51 2018
;; MSG SIZE rcvd: 155
=> IPv6
Code: sh
$ dig @::1 www.gandi.net
; <<>> DiG 9.4.2-P2 <<>> @::1 www.gandi.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.gandi.net. IN A
;; ANSWER SECTION:
www.gandi.net. 84574 IN CNAME prod.gandi.map.fastly.net.
prod.gandi.map.fastly.net. 3600 IN A 151.101.85.103
;; AUTHORITY SECTION:
fastly.net. 168207 IN NS ns4.fastly.net.
fastly.net. 168207 IN NS ns2.fastly.net.
fastly.net. 168207 IN NS ns1.fastly.net.
fastly.net. 168207 IN NS ns3.fastly.net.
;; ADDITIONAL SECTION:
ns1.fastly.net. 3600 IN A 23.235.32.32
ns2.fastly.net. 3600 IN A 104.156.80.32
ns3.fastly.net. 3600 IN A 23.235.36.32
ns4.fastly.net. 3600 IN A 104.156.84.32
;; Query time: 1614 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 22 14:16:40 2018
;; MSG SIZE rcvd: 219
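The dig tests above only show that the listener on 127.0.0.1 and ::1 answers. The following script is an added example, not part of the original page or of the stubby project: it checks that a resolv.conf contains no other nameserver, and that stubby's startup output lists TLS as the only transport with the Strict profile. The function names and the 192.0.2.53 sample address are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# Print every nameserver of a resolv.conf (file argument or stdin) that is not
# one of the two loopback addresses this page puts in /etc/resolv.conf.
# Any output means the system resolver can still send queries that bypass stubby.
nonlocal_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$@"
}

# Succeed only if stubby's startup output (file argument or stdin) lists TLS
# as the sole transport and announces the Strict profile; per the NOTE in
# that output, Strict only applies when TLS is the ONLY transport.
strict_tls_only() {
    awk '
        /STUBBY: Transport list is:/ { in_list = 1; next }
        in_list && /STUBBY: +- /     { n++; if ($NF != "TLS") bad = 1; next }
                                     { in_list = 0 }
        /Privacy Usage Profile is Strict/ { strict = 1 }
        END { exit ((n == 1 && !bad && strict) ? 0 : 1) }
    ' "$@"
}

# Constructed sample: a resolv.conf where a third, non-loopback resolver
# (documentation address 192.0.2.53) was added after the stubby entries.
leaky=$(printf 'nameserver 127.0.0.1\nnameserver ::1\nnameserver 192.0.2.53\n' |
    nonlocal_nameservers)
echo "resolvers bypassing stubby: ${leaky:-none}"

# Startup lines as shown in the Execution section of this page.
if strict_tls_only <<'EOF'
[12:57:39.898585] STUBBY: Transport list is:
[12:57:39.898617] STUBBY: - TLS
[12:57:39.898681] STUBBY: Privacy Usage Profile is Strict (Authentication required)
EOF
then echo "stubby: TLS is the only transport, Strict profile"
else echo "stubby: not TLS-only Strict, check stubby.yml"
fi
```

On a real system, pass the files as arguments: `nonlocal_nameservers /etc/resolv.conf`, and `strict_tls_only` on a file holding the saved startup output.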