Skip to main content
Topic: How do I make Stubby work with NetworkManager? (Read 886 times) previous topic - next topic
0 Members and 3 Guests are viewing this topic.

How do I make Stubby work with NetworkManager?

I have Stubby on my computer so that I can do encrypted DNS queries and also use DNS servers that are not my ISP's. The Gentoo Wiki seems to have instructions for setting up dnsmasq with NetworkManager, but I'm not sure that it supports DoT and DoH encryption like Stubby. Since there seems to be no option to add to NetworkManager.conf that will send DNS requests directly to Stubby, I may have to send it through dnsmasq and then Stubby by adding dns=dnsmasq to NetworkManager.conf and configuring dnsmasq to then pass it to Stubby by using 127.0.0.1 and 0::1, as those are the ports that Stubby is currently configured to listen to. And if I do it that way, then I can cache my DNS queries. Bnd if dnsmasq and Stubby are both listening on ports 127.0.0.1 and 0::1, will that create a conflict? And how would I fix it? Or is there an easier way to do this?

Re: How do I make Stubby work with NetworkManager?

Reply #1
You mention IP addresses not ports.

From the default /etc/stubby/stubby.yml
Code: [Select]
################################ LISTEN ADDRESS ################################
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
# specify a different port
listen_addresses:
  - 127.0.0.1
  - 0::1
So you can change the port stubby listens on by adding @PORTNUMBER after the IP addresses above.
Then hopefully no conflict.

Another option for you is Unbound https://www.nlnetlabs.nl/projects/unbound/about/

Handles DNS Caching and DNS-over-TLS and DNS-over-HTTPS in one package.
And is in the Artix repo's.

Re: How do I make Stubby work with NetworkManager?

Reply #2
Quote from: gripped – on
Another option for you is Unbound https://www.nlnetlabs.nl/projects/unbound/about/

Handles DNS Caching and DNS-over-TLS and DNS-over-HTTPS in one package.
And is in the Artix repo's.

So I switched over to Unbound , got it set up, and started the service. However, when I add the lines
Code: [Select]
[main]
plugins=keyfile
dns=unbound
to /etc/NetworkManager/NetworkManager.conf, NetworkManager still updates /etc/resolv.conf to my ISP's DNS servers if I manually change the file, which makes me connect to them. Using "dns=none," however, works, except that I don't know if I get DNSSEC or DNS caching if I do it like that, although it's possible that Unbound handles it on its own.

Another question I have is about the setting in /etc/unbound/unbound.conf called "tls-upstream" and what it actually affects. The comments in the file say
Code: [Select]
	# request upstream over TLS (with plain DNS inside the TLS stream).
	# Default is no.  Can be turned on and off with unbound-control.
I changed it to "yes" just in case, but does it enable connecting to an external DNS server with TLS entirely, at least in the way that someone like me would want to do it?

And if you know how to do it, how do I make Unbound choose the first forward address (DNS server) in the list of forward zones that I put in the Unbound config file, and if that fails, use the next forward address on the list, and so on (whether it's in another zone or not)? Or is that already enabled by default?
 

Re: How do I make Stubby work with NetworkManager?

Reply #3
Someone else may know but I don't use NetworkManager (would be overkill on my wired static IP) so my only suggestion on that would be to read https://wiki.archlinux.org/title/NetworkManager#DNS_management

I use Unbound, but it's on my router and while I know it's working - Caching and DoT - I don't know about the much about settings default or not (Installed via a TUI script that can install / control all manner of things on my router). You'd have to read the documentation.

But also if you search "test dns tls" there's a number of sites you can test that part with.

And this should give you unbound stats in a terminal
Code: [Select]
sudo unbound-control stats_noreset

Edit:
Quote
And if you know how to do it, how do I make Unbound choose the first forward address (DNS server) in the list of forward zones that I put in the Unbound config file, and if that fails, use the next forward address on the list, and so on (whether it's in another zone or not)? Or is that already enabled by default?
On that I'm fairly sure that's the default behaviour but haven't studied the docs myself.