Stubby: DoT DNS client on OpenBSD (EXPERIMENTAL)


Description

Stubby is a DNS client that uses a secure transport, DNS over TLS (DoT). It encrypts the DNS queries sent from your machine to a DNS resolver or an authoritative DNS server, which increases their confidentiality. It can also issue queries using DNSSEC.
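To make the description concrete, here is an added example (not code from the article or from the stubby/getdns project): a minimal DNS-over-TLS client written with Python's standard library. It shows the two things stubby does for every query: it frames the ordinary DNS wire message with a two-byte length prefix inside a TLS session on port 853, and it authenticates the resolver's certificate against an expected name (the behaviour behind the "Strict" profile). The sample response is constructed for the test, not captured traffic; the resolver address and name passed to query_dot are the caller's assumptions.

```python
"""Added example (not from the article or from stubby/getdns): a minimal
DNS-over-TLS (RFC 7858) client using only Python's standard library.
DoT is plain DNS wire format inside TLS on port 853, each message prefixed
by a two-byte big-endian length (the framing DNS already uses over TCP).
"""
import socket
import ssl
import struct

DOT_PORT = 853  # IANA port for DNS over TLS


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query (header + one question, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a message with its two-byte length, as DNS over TCP/TLS requires."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, [(owner, rtype, ttl, rdata_as_text), ...])."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A
            text = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):              # NS, CNAME: rdata is a name
            text, _ = _read_name(msg, off)
        else:
            text = msg[off:off + rdlen].hex()
        records.append((owner, rtype, ttl, text))
        off += rdlen
    return flags & 0x000F, records


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        data += chunk
    return data


def query_dot(server_ip: str, auth_name: str, name: str):
    """Resolve `name` (type A) over DoT, verifying the resolver's certificate
    chain and hostname against `auth_name` (the tls_auth_name in stubby.yml).
    Opens a network connection; the offline sample below does not call it."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length))


# Constructed sample (not captured traffic): the article's www.gandi.net
# query and a matching answer with one CNAME and one A record.
SAMPLE_QUERY = build_query("www.gandi.net")
_CNAME_TARGET = encode_name("prod.gandi.map.fastly.net")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR, RD, RA, NOERROR
    + SAMPLE_QUERY[12:]                                  # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 21583, len(_CNAME_TARGET))
    + _CNAME_TARGET                                      # CNAME rdata at offset 43
    + b"\xc0\x2b" + struct.pack("!HHIH", 1, 1, 3600, 4)  # owner -> offset 43
    + bytes([151, 101, 37, 103])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

The point of ssl.create_default_context() is that an unverified TLS session would still hide queries from a passive observer but not from an active one; stubby's Strict profile refuses to send queries at all when the resolver cannot be authenticated, which is the behaviour query_dot mirrors by letting the handshake fail.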

Warning

Installation

The stubby client is (or will be) installed on OpenBSD stable.

  • at the time of writing: 6.3

Prerequisite

  • OpenSSL: installed by default
  • libyaml: to install
  • autoconf, automake: to install; needed to configure and build before installation.

Code: sh

# pkg_add autoconf automake libyaml
quirks-2.414 signed on 2018-03-28T14:24:37Z
Ambiguous: choose package for autoconf
a       0: <None>
        1: autoconf-2.13p4
        2: autoconf-2.52p6
        3: autoconf-2.54p5
        4: autoconf-2.56p4
        5: autoconf-2.57p4
        6: autoconf-2.58p5
        7: autoconf-2.59p5
        8: autoconf-2.60p5
        9: autoconf-2.61p5
        10: autoconf-2.62p2
        11: autoconf-2.63p1
        12: autoconf-2.64p1
        13: autoconf-2.65p1
        14: autoconf-2.67p1
        15: autoconf-2.68p1
        16: autoconf-2.69p2
Your choice: 16
Ambiguous: choose package for automake
a       0: <None>
        1: automake-1.10.3p8
        2: automake-1.11.6p2
        3: automake-1.12.6p1
        4: automake-1.13.4p1
        5: automake-1.14.1p0
        6: automake-1.15.1
        7: automake-1.4.6p5
        8: automake-1.8.5p9
        9: automake-1.9.6p12
Your choice: 6

Then we follow the official installation recommendations for building from source, adapting them to OpenBSD step by step.

Download

Code: sh

$ git clone https://github.com/getdnsapi/getdns.git
$ cd getdns
$ git checkout develop

The second git command (git checkout develop) lets us obtain the most recent sources.

Configuration

Code: sh

$ git submodule update --init
$ libtoolize -ci
$ export AUTOCONF_VERSION=2.69
$ export AUTOMAKE_VERSION=1.15
$ autoreconf -fi
$ mkdir build && cd build
$ ../configure --prefix=/usr/local --without-libidn --enable-stub-only --with-stubby

Compilation

Code: sh

$ make
# make install

Of course, if you have configured doas, you can run the last command as:

Code: sh

$ doas make install

resolv.conf

It is necessary to modify your /etc/resolv.conf file so that the system sends its queries directly to stubby:

nameserver 127.0.0.1
nameserver ::1

stubby.yml

Stubby's configuration file is /usr/local/etc/stubby/stubby.yml.

You can create a personal one as ~/.stubby.yml; it is read first.
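Because stubby only reports the Strict profile when TLS is the sole transport and every upstream can be authenticated, it is worth checking the file before relying on it. The following is an added example, not code from the article or from the stubby project: a policy check over a stubby.yml that has already been loaded into a dict (for instance with PyYAML's yaml.safe_load). The key names are the documented stubby.yml options; the two sample configs are constructed here, using TEST-NET addresses and a placeholder resolver name.

```python
"""Added example (not from the article or the stubby project): flag settings
in a stubby.yml (loaded as a dict) that silently weaken the "Strict"
privacy profile stubby reports at startup.
"""
import ipaddress

REQUIRED_AUTH = "GETDNS_AUTHENTICATION_REQUIRED"
TLS_ONLY = {"GETDNS_TRANSPORT_TLS"}


def check_strict_profile(config: dict) -> list:
    """Return human-readable findings; an empty list means every query stays
    on authenticated TLS and stubby only serves this host."""
    findings = []

    # Strict only applies when TLS is the ONLY transport: any extra transport
    # lets getdns fall back to cleartext DNS on port 53.
    transports = set(config.get("dns_transport_list") or [])
    extra = transports - TLS_ONLY
    if not transports:
        findings.append("dns_transport_list is missing")
    elif extra:
        findings.append("non-TLS transport(s) allowed: " + ", ".join(sorted(extra)))

    if config.get("tls_authentication") != REQUIRED_AUTH:
        findings.append("tls_authentication is not " + REQUIRED_AUTH)

    # Each upstream needs a name or a public-key pin to authenticate against.
    upstreams = config.get("upstream_recursive_servers") or []
    if not upstreams:
        findings.append("no upstream_recursive_servers configured")
    for up in upstreams:
        addr = up.get("address_data", "<no address_data>")
        pins = up.get("tls_pubkey_pinset") or []
        if not up.get("tls_auth_name") and not pins:
            findings.append("upstream %s has neither tls_auth_name nor tls_pubkey_pinset" % addr)
        for pin in pins:
            if pin.get("digest") != "sha256" or not pin.get("value"):
                findings.append("upstream %s has a malformed tls_pubkey_pinset entry" % addr)

    # A non-loopback listener makes this host a resolver for whoever can
    # reach it; stubby.yml allows an "@port" suffix on listen addresses.
    for entry in config.get("listen_addresses") or []:
        addr = str(entry).split("@")[0]
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                findings.append("listen address %s is not loopback" % entry)
        except ValueError:
            findings.append("listen address %s is not a valid IP address" % entry)
    return findings


# Constructed sample configs (TEST-NET addresses, placeholder auth name).
STRICT_CONFIG = {
    "resolution_type": "GETDNS_RESOLUTION_STUB",
    "dns_transport_list": ["GETDNS_TRANSPORT_TLS"],
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "tls_query_padding_blocksize": 128,
    "listen_addresses": ["127.0.0.1", "0::1"],
    "upstream_recursive_servers": [
        {"address_data": "192.0.2.1", "tls_auth_name": "dot.resolver.example"},
    ],
}

WEAK_CONFIG = {
    "resolution_type": "GETDNS_RESOLUTION_STUB",
    "dns_transport_list": ["GETDNS_TRANSPORT_TLS", "GETDNS_TRANSPORT_UDP",
                           "GETDNS_TRANSPORT_TCP"],
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "listen_addresses": ["0.0.0.0@8053"],
    "upstream_recursive_servers": [
        {"address_data": "192.0.2.2"},  # nothing to authenticate against
    ],
}

if __name__ == "__main__":
    for label, cfg in (("strict", STRICT_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_strict_profile(cfg) or ["OK"])
```

Run it against the dict produced from your own stubby.yml; the weak sample produces exactly the three findings that turn an encrypted, authenticated setup back into cleartext DNS served to the network.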

Execution

To run stubby:

Code: sh

# stubby
[12:57:39.896254] STUBBY: Read config from file /usr/local/etc/stubby/stubby.yml
[12:57:39.898479] STUBBY: DNSSEC Validation is OFF
[12:57:39.898585] STUBBY: Transport list is:
[12:57:39.898617] STUBBY:   - TLS
[12:57:39.898681] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[12:57:39.898713] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[12:57:39.898749] STUBBY: Starting DAEMON....

Some useful flags:

  • -C: specify another configuration file.
  • -g: run in the background.
  • -i: check the configuration.
  • -l: log. Currently the output only goes to standard output (stdout).

Test

We use dig:

=> IPv4

Code: sh

$ dig @127.0.0.1 www.gandi.net

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 www.gandi.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40041
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.gandi.net.                 IN      A

;; ANSWER SECTION:
www.gandi.net.          21583   IN      CNAME   prod.gandi.map.fastly.net.
prod.gandi.map.fastly.net. 3600 IN      A       151.101.37.103

;; AUTHORITY SECTION:
fastly.net.             3600    IN      NS      ns1.fastly.net.
fastly.net.             3600    IN      NS      ns2.fastly.net.
fastly.net.             3600    IN      NS      ns3.fastly.net.
fastly.net.             3600    IN      NS      ns4.fastly.net.

;; Query time: 1888 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 22 14:15:51 2018
;; MSG SIZE  rcvd: 155

=> IPv6

Code: sh

$ dig @::1 www.gandi.net

; <<>> DiG 9.4.2-P2 <<>> @::1 www.gandi.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.gandi.net.                 IN      A

;; ANSWER SECTION:
www.gandi.net.          84574   IN      CNAME   prod.gandi.map.fastly.net.
prod.gandi.map.fastly.net. 3600 IN      A       151.101.85.103

;; AUTHORITY SECTION:
fastly.net.             168207  IN      NS      ns4.fastly.net.
fastly.net.             168207  IN      NS      ns2.fastly.net.
fastly.net.             168207  IN      NS      ns1.fastly.net.
fastly.net.             168207  IN      NS      ns3.fastly.net.

;; ADDITIONAL SECTION:
ns1.fastly.net.         3600    IN      A       23.235.32.32
ns2.fastly.net.         3600    IN      A       104.156.80.32
ns3.fastly.net.         3600    IN      A       23.235.36.32
ns4.fastly.net.         3600    IN      A       104.156.84.32

;; Query time: 1614 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 22 14:16:40 2018
;; MSG SIZE  rcvd: 219