Adguard With Stubby On MacOS & Linux

kalistiana

New Member
Hello

How do I configure Adguard Family DNS with Stubby to use DNSoverTLS.

There are these fields I need to fill

address_data: 176.103.130.132
tls_port: 853
tls_auth_name: "dns-family.adguard.com"
tls_pubkey_pinset:
digest: "sha256"
value: ???

What data should I put in "value" to make Adguard DNS run as DoT on my machine. How do I find out "value"

Thank You.
 

LazyAspect

Beta Tester
No need digest and value fields there. Only these:
Code:
Adguard Family Protection servers
 - address_data: 176.103.130.132
   tls_auth_name: "dns-family.adguard.com"
 - address_data: 176.103.130.134
   tls_auth_name: "dns-family.adguard.com"
 

kalistiana

New Member
No need digest and value fields there. Only these:
Code:
Adguard Family Protection servers
- address_data: 176.103.130.132
   tls_auth_name: "dns-family.adguard.com"
- address_data: 176.103.130.134
   tls_auth_name: "dns-family.adguard.com"
Thanks :) <3

I had to tweak around a little bit and finally got it working.

I was wondering, How do I enable DNSSEC with stubby while using AdguardDNS. I've heard it would break my network somehow. Now sure why.

Also, What do these "Digest" and "values" add to the network security, if any. Do they act as some sort of authenticaiton or add some sort of security mechanism?

Is there anything to make the DNS mechanism more secure by modifying the stubby.yml file from default? Like modifying the "tls_authentication" or "dnssec_return_status" and similar stuff. What values shall I put to make it more [most] secure.

Thank You Once Again :)
 
Last edited:

LazyAspect

Beta Tester
Also, What do these "Digest" and "values" add to the network security, if any. Do they act as some sort of authenticaiton or add some sort of security mechanism?
No, i don't think so. For some servers these options is just not required.

Is there anything to make the DNS mechanism more secure by modifying the stubby.yml file from default? Like modifying the "tls_authentication" or "dnssec_return_status" and similar stuff. What values shall I put to make it more [most] secure.
You can find all information here:

tls_authentication - this is Strict mode option. dnssec_return_status - the option for DNSSEC. This option make sense to enable only for the servers, that support DNSSEC. More information here:

But also you can control TLS version and cipher types. For example:
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"


But you need to be sure that servers is support it too...:rolleyes:

P.S.: last version of Stubby does not support cipher types change.
 
Last edited:

kalistiana

New Member
No, i don't think so. For some servers these options is just not required.


You can find all information here:

tls_authentication - this is Strict mode option. dnssec_return_status - the option for DNSSEC. This option make sense to enable only for the servers, that support DNSSEC. More information here:

But also you can control TLS version and cipher types. For example:
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"


But you need to be sure that servers is support it too...:rolleyes:

P.S.: last version of Stubby does not support cipher types change.
So I read the documentation about stubby and a few other wikis and forums.

I made a configuration to use AdguardDNS with stubby. I would really appreciate if you folks could rectify/verify the file before I implement it system-wide and NOT end up breaking the networking.

I could compromise a little bit of Performance since it isn't a top priority, Network Security however is, keeping that in mind.

The input in the file is as follows & I'm wondering if its correct. Any suggestions/mistakes to be rectified / or improvements I could implement?

resolution_type: GETDNS_RESOLUTION_STUB
tls_min_version: GETDNS_TLS1_3
dnssec_return_status: GETDNS_EXTENSION_TRUE
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1
- 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
# Adguard Family Protection servers
- address_data: 176.103.130.132
tls_auth_name: "dns-family.adguard.com"
- address_data: 176.103.130.134

tls_auth_name: "dns-family.adguard.com"


Before copying this to my stubby configuration file, I need to make sure the syntax and strings are correct & If I could add any more arguments to improve the overall network security such that It works and wont brick my networking once I implement it :)

Thank You <3
 

kalistiana

New Member
I read that the "digest" and "value" (hash) actually add to an authentication process. As mentioned in the wiki "tls_pubkey_pinset: The sha256 SPKI pinset for the server. This is also verified against the presented certificate."


So

I could potentially modified the configuration file [thanks to LazyAspect & ssllabs] as :


- address_data: 176.103.130.132
tls_auth_name: "dns-family.adguard.com"
tls_pubkey_pinset:
- digest: "sha256" value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- address_data: 176.103.130.134
tls_auth_name: "dns-family.adguard.com"
tls_pubkey_pinset:
- digest: "sha256" value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=



I do realize that I would have to change the values when the cert expires and new cert is uploaded.



A few final doubts I hope to get cleared


1.
I could not find any use of the following argument in the latest wiki; is this arguments really required today?
"dnssec_return_status: GETDNS_EXTENSION_TRUE"

2. C
an I add the argument "tls_port:443" as a parameter without service being interfered since assuming traffic on [default] port 853 can be easily sniffed to figure out someone is using DoT protocol. I have placed an argument below in the final expected file output, is the syntax/placement correct?

3. As LazyAspect said, last version of Stubby does not support cipher types change.
this means I cannot specify what ciphers I want to use, if I'm not mistaken. The version I currently have installed is 0.2.5.

Kinda of a weird quesiton but putting an argument like

tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

would be useless? Or shall I add the above argument?

If Not,
4. How does the DNS server select which cipher should be selected best suited for security of its individual user? Maybe It checks from best cipher to weaker cipher against the users and selected the most sufficient one? It's automated I suppose or maybe I'm misinterpreting how it works.

The [somewhat] final output should look something like this :


resolution_type: GETDNS_RESOLUTION_STUB
tls_min_version: GETDNS_TLS1_2
#dnssec_return_status: GETDNS_EXTENSION_TRUE
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1
- 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
# Adguard Family Protection servers
- address_data: 176.103.130.132
tls_auth_name: "dns-family.adguard.com"
#tls_port: 443
#tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_pubkey_pinset:
- digest: "sha256"
value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- address_data: 176.103.130.134
tls_auth_name: "dns-family.adguard.com"
#tls_port: 443
#tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_pubkey_pinset:
- digest: "sha256"
value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=




[hashed out about those that I'm not sure aka The questions I asked about, Once rectify them after confirming that the placement and syntax is correct and the stubby would actually work as intended]


Once again. Thank You @LazyAspect for helping me out so far :)
 

kalistiana

New Member
resolution_type: GETDNS_RESOLUTION_STUB
tls_min_version: GETDNS_TLS1_2
#dnssec_return_status: GETDNS_EXTENSION_TRUE
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1
- 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
# Adguard Family Protection servers
- address_data: 176.103.130.132
tls_auth_name: "dns-family.adguard.com"
#tls_port: 443
#tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_pubkey_pinset:
- digest: "sha256"
value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- address_data: 176.103.130.134
tls_auth_name: "dns-family.adguard.com"
#tls_port: 443
#tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_pubkey_pinset:
- digest: "sha256"
value:ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
This does not work. Broke the networking. Had to revert back to original. Anyone knows where I went wrong?

Appreciate the help.
 

LazyAspect

Beta Tester
This does not work. Broke the networking. Had to revert back to original. Anyone knows where I went wrong?

Appreciate the help.
Try to comment digest and value rows and uncomment dnssec_return_status. You can start stubby with -l flag - this is show up logging window.
 

kalistiana

New Member
Try to comment digest and value rows and uncomment dnssec_return_status. You can start stubby with -l flag - this is show up logging window.
I ended up completely removing the the digest, value and dnssec_return_status, TLS_min_version and a little more. Just a bare bone configuration. Works as of now.

Thanks for helping :)
 

setinggil

New Member
I ended up completely removing the the digest, value and dnssec_return_status, TLS_min_version and a little more. Just a bare bone configuration. Works as of now.

Thanks for helping :)
Can you please share your adguard configuration for stubby?
I have tried many configuration, but none work.

Thanks in advance
 

setinggil

New Member
Finally works.
Here my stubby.yml :
Code:
.................
round_robin_upstreams: 0
.................
upstream_recursive_servers:

# Adguard Default servers
  - address_data: 176.103.130.130
    tls_auth_name: "dns.adguard.com"
  - address_data: 176.103.130.131
    tls_auth_name: "dns.adguard.com"
..............
But something is strange.
Sometimes works ("You are using 'Default' AdGuard DNS configuration" ), oftentimes not ("You are currently not using AdGuard DNS").
Is it happen to everyone or just me?

I am on Ubuntu 20.04
 
Last edited:

setinggil

New Member
But something is strange.
Sometimes works ("You are using 'Default' AdGuard DNS configuration" ), oftentimes not ("You are currently not using AdGuard DNS").
Is it happen to everyone or just me?
Got solution : comment listen_addresses for IPv6 (my ISP not support IPv6).
So my stubby.yml become :
Code:
.....................
# specify a different port
listen_addresses:
  - 127.0.0.1
###  - 0::1

############################### DNSSEC SETTINGS ################################
......................
Hopefully this is the last search about adguard :)
 
Top