
Stubby support #338

Open

@mgrybyk

Description

Hello!

For the last couple of days I was fighting with Secure DNS and managed to resolve it with unbound + stubby.
So now Secure DNS is green, including here: https://www.cloudflare.com/ssl/encrypted-sni/

First of all, I want to say that I'm not sure if this approach is fine; nevertheless, it works.

ENVIRONMENT

CentOS 7.5.1804
Linux 5192 2.6.32-042stab127.2 (I'm using cheap hosting and am not able to update the kernel)

SHORT OVERVIEW

  1. install openvpn, choose unbound at the DNS step
  2. install stubby
  3. edit the stubby config file
  4. edit the unbound config file and restart the service
  5. enable the stubby service and run it

DETAILED STEPS

  1. install openvpn, choose unbound at the DNS step
  2. yum install stubby
  3. edit the config /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 10.8.0.1 # ip should be configured by openvpn

# we can specify any other DNS servers here, like quad, getdns, etc
# see default config for details
# ideally user should be able to choose desired dns servers
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  4. edit /etc/unbound/unbound.conf
    add port under the server section
    port: 53
    and add a forward-zone section
forward-zone:
        name: "."
        forward-ssl-upstream: yes # NOTE: I have to use ssl instead of tls here because my kernel version is 2. For latest kernels just replace ssl with tls
        forward-addr: 10.8.0.1@853 # ip should be configured by openvpn

restart the service.
  5. If your kernel version is 2 it is required to fix the stubby service first. For latest kernels just enable the service.
edit /usr/lib/systemd/system/stubby.service

[Unit]
Description=stubby DNS resolver
# we need to start stubby after unbound.service
After=unbound.service

[Service]
Type=simple
ExecStart=/usr/bin/stubby
# AmbientCapabilities=CAP_NET_BIND_SERVICE # this one doesn't work with kernel 2
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# we need root privileges to run stubby on port 53
# (kept on its own line: systemd only treats whole lines starting with # or ; as comments,
# so a trailing "# ..." after User=root would become part of the user name)
User=root

[Install]
WantedBy=multi-user.target

then
systemctl enable stubby
Maybe some action is required for latest kernels as well, but I'm not able to test it.

PROFIT :)

FINALLY

Do you think it makes sense, and is it possible, to add stubby support?

Thank you!
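The chain described in this issue (OpenVPN clients -> unbound -> stubby -> DNS-over-TLS upstreams with authentication required) has two places where the files can silently disagree: unbound's forward-addr must point at the exact address and port stubby listens on, and TLS belongs between stubby and the upstreams, not between unbound and stubby, because stubby only serves plain DNS on its listen_addresses. The checker below is an added example, not code from the issue or from the project it is filed against. It assumes that stubby uses port 53 when a listen address carries no @port, that unbound's forward-addr also defaults to port 53, and that the 127.0.0.1@8053 listener used by render_pair is simply our own choice of a local port that does not collide with unbound on 53. Run on the two fragments posted above, it reports the forward-ssl-upstream flag and the forward-addr 10.8.0.1@853 versus stubby listening on 10.8.0.1 (port 53), both worth verifying on the host; run on a pair it generated itself it reports nothing.

```python
"""Consistency check for an unbound -> stubby -> DNS-over-TLS chain.

Added example; not code from the issue or the project it is filed against.
Assumptions: stubby accepts plain DNS on its listen_addresses and uses port
53 when no @port is given; unbound's forward-addr defaults to port 53 too;
stubby, not unbound, speaks TLS to the upstreams, so the forward-zone must
point at stubby's plaintext listener without forward-tls/ssl-upstream.
"""
import re

DEFAULT_DNS_PORT = 53


def _hostport(value: str) -> tuple:
    """'10.8.0.1@853' -> ('10.8.0.1', 853); no @port -> default 53."""
    host, _, port = value.strip().partition("@")
    return host, int(port) if port else DEFAULT_DNS_PORT


def parse_stubby(yml: str) -> dict:
    """Minimal reader for the flat stubby.yml layout: TLS auth mode,
    listen addresses and upstreams (with their tls_auth_name)."""
    cfg = {"tls_authentication": None, "listen": [], "upstreams": []}
    section, current = None, None
    for raw in yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        top = re.match(r"^(\w+)\s*:\s*(.*)$", line)     # top-level "key: value"
        item = re.match(r"^\s*-\s*(.*)$", line)          # "- ..." list item
        if top:
            section = top.group(1)
            if section == "tls_authentication":
                cfg["tls_authentication"] = top.group(2).strip()
        elif section == "listen_addresses" and item:
            cfg["listen"].append(_hostport(item.group(1)))
        elif section == "upstream_recursive_servers":
            if item:                                     # "- address_data: ..." starts an entry
                current = {}
                cfg["upstreams"].append(current)
            key, _, val = (item.group(1) if item else line).partition(":")
            if current is not None:
                current[key.strip()] = val.strip().strip('"')
    return cfg


def parse_unbound_forward(conf: str) -> dict:
    """Read forward-addr entries and the TLS flag from a forward-zone block."""
    fz = {"addrs": [], "tls_upstream": False}
    for raw in conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "forward-addr":
            fz["addrs"].append(_hostport(val))
        elif key in ("forward-tls-upstream", "forward-ssl-upstream"):
            fz["tls_upstream"] = val.lower() == "yes"
    return fz


def check_chain(stubby_yml: str, unbound_conf: str) -> list:
    """Return human-readable findings; an empty list means the pair agrees."""
    s, u = parse_stubby(stubby_yml), parse_unbound_forward(unbound_conf)
    out = []
    if s["tls_authentication"] != "GETDNS_AUTHENTICATION_REQUIRED":
        out.append("stubby: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED")
    for up in s["upstreams"]:
        if not up.get("tls_auth_name"):
            out.append(f"stubby: upstream {up.get('address_data')} lacks tls_auth_name")
    if u["tls_upstream"]:
        out.append("unbound: forward-tls/ssl-upstream set, but stubby's listener is plaintext")
    listen = ", ".join(f"{h}@{p}" for h, p in s["listen"])
    for host, port in u["addrs"]:
        if (host, port) not in s["listen"]:
            out.append(f"unbound: forward-addr {host}@{port} but stubby listens on {listen}")
    return out


def render_pair(listen_host: str, listen_port: int, upstreams: list) -> tuple:
    """Render stubby.yml and the matching unbound forward-zone from ONE listen
    address so the two files cannot drift apart."""
    stubby = ["resolution_type: GETDNS_RESOLUTION_STUB", "dns_transport_list:",
              "  - GETDNS_TRANSPORT_TLS",
              "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED",
              "tls_query_padding_blocksize: 128", "edns_client_subnet_private: 1",
              "listen_addresses:", f"  - {listen_host}@{listen_port}",
              "upstream_recursive_servers:"]
    for ip, name in upstreams:
        stubby += [f"  - address_data: {ip}", f'    tls_auth_name: "{name}"']
    unbound = ["forward-zone:", '        name: "."',
               f"        forward-addr: {listen_host}@{listen_port}"]
    return "\n".join(stubby) + "\n", "\n".join(unbound) + "\n"


# The relevant parts of the two fragments as posted in the issue above.
ISSUE_STUBBY = """\
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 10.8.0.1 # ip should be configured by openvpn
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
"""
ISSUE_UNBOUND = """\
forward-zone:
        name: "."
        forward-ssl-upstream: yes
        forward-addr: 10.8.0.1@853 # ip should be configured by openvpn
"""

if __name__ == "__main__":
    for finding in check_chain(ISSUE_STUBBY, ISSUE_UNBOUND):
        print("posted:", finding)
    generated = render_pair("127.0.0.1", 8053, [("1.1.1.1", "cloudflare-dns.com")])
    print("generated:", check_chain(*generated) or "consistent")
```

render_pair deliberately keeps unbound on the OpenVPN-facing address and stubby on a loopback port, so clients still get unbound's cache and only one process binds port 53; if stubby is meant to listen on 10.8.0.1 instead, the forward-addr line has to use that same host and port, which is exactly what check_chain verifies.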
