How to leverage the open source Stubby DNS resolver with CleanBrowsing.
What is Stubby
‘Stubby’ is an application (daemon) that runs on your network and allows you to proxy local DNS requests to external DNS resolvers leveraging DNS over TLS. Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end-user privacy.
More details are available on their website.
Configuring Stubby.
If you are using Stubby, we assume that you are technically inclined. All the changes required to work with Stubby will be done in the stubby.yml file, located here: /etc/stubby/stubby.yml.
You will make your edits at the bottom of the config file, inside the upstream_recursive_servers section.
You need to remove the entries that are configured and use the ones for CleanBrowsing. If you are on our paid plans, you can find the DNS over TLS Auth name on this page.
For example, for my account I use:
  - address_data: 185.228.168.154
    tls_auth_name: "custom-dns154.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
Note that you must include the tls_pubkey_pinset when adding your upstream resolvers. If, for whatever reason, you get a warning that reads: Verify failed : Transport=TLS – *Failure* – (20) “unable to get local issuer certificate” you will want to verify the tls_pubkey_pinset value.
Verify the tls_pubkey_pinset value by using OpenSSL:
echo | openssl s_client -connect '185.228.169.154:853' 2>/dev/null |
openssl x509 -pubkey -noout | openssl pkey -pubin -outform der |
openssl dgst -sha256 -binary | openssl enc -base64
This will provide you with the right tls_pubkey_pinset value.
Restart stubby when you’re done: systemctl restart stubby. That should just work.
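Before restarting, the entries can be checked offline for the two requirements above: a usable tls_auth_name and a tls_pubkey_pinset holding a SHA-256 value. The Python below is an added example, not part of Stubby or CleanBrowsing; it uses a simple line parser rather than a full YAML parser, and the function names, addresses and pin values are constructed for illustration.

```python
import re

# Constructed sample: documentation addresses and made-up pins, not a real config.
GOOD_PIN = "A" * 43 + "="  # base64 of 32 zero bytes
SAMPLE = f"""\
upstream_recursive_servers:
  - address_data: 192.0.2.10
    tls_auth_name: "dns.example.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: {GOOD_PIN}
  - address_data: 192.0.2.11
    tls_auth_name: "http://dns.example.org/"
  - address_data: 2001:db8::1
    tls_auth_name: "dns.example.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: dG9vLXNob3J0
"""
HOSTNAME = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
PIN = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # base64 of a 32-byte SHA-256 digest

def parse_upstreams(text):
    """Collect address, auth name and pin values for each upstream entry."""
    entries = []
    for raw in text.splitlines():
        # Drop YAML comments, then match "key: value" with an optional list dash.
        if not (m := re.match(r"^(?:-\s+)?(\w+):\s*(.*)$", raw.split("#", 1)[0].strip())):
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key == "address_data":
            entries.append({"address": value, "auth_name": "", "pins": []})
        elif entries and key == "tls_auth_name":
            entries[-1]["auth_name"] = value
        elif entries and key == "value":
            entries[-1]["pins"].append(value)
    return entries

def lint(entries):
    """Return (address, problem) pairs for entries that fail a check."""
    problems = []
    for e in entries:
        checks = [
            (HOSTNAME.match(e["auth_name"]), "tls_auth_name is not a bare hostname"),
            (e["pins"], "tls_pubkey_pinset is missing"),
            (all(PIN.match(p) for p in e["pins"]), "pin is not a base64 SHA-256 digest"),
        ]
        problems += [(e["address"], msg) for ok, msg in checks if not ok]
    return problems
print(lint(parse_upstreams(SAMPLE)))
```

This only checks the shape of each entry; whether a pin matches the resolver's current key is still established with the OpenSSL command above.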
Free Filters.
If you are using one of our Free Filters, try one of these configs inside upstream_recursive_servers:
Free Family Filter:
IPv4:
  - address_data: 185.228.168.168
    tls_auth_name: "family-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 185.228.169.168
    tls_auth_name: "family-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
IPv6:
  - address_data: 2a0d:2a00:1::
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 2a0d:2a00:2::
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
Free Adult Filter:
IPv4:
  - address_data: 185.228.168.10
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 185.228.169.11
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
IPv6:
  - address_data: 2a0d:2a00:1::1
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 2a0d:2a00:2::1
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
Free Security Filter:
IPv4:
  - address_data: 185.228.168.9
    tls_auth_name: "security-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 185.228.169.9
    tls_auth_name: "security-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
IPv6:
  - address_data: 2a0d:2a00:1::2
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
  - address_data: 2a0d:2a00:2::2
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
Reach out to us at support@cleanbrowsing.org if you have any questions.