Hello!

For the last couple of days I was fighting with Secure DNS and managed to get it working with unbound + stubby.
Now Secure DNS shows green, including at https://www.cloudflare.com/ssl/encrypted-sni/
First of all I want to say that I'm not sure if this approach is fine; nevertheless, it works.
ENVIRONMENT
CentOS 7.5.1804
Linux 5192 2.6.32-042stab127.2 (I'm using cheap hosting and not able to update kernel)
SHORT OVERVIEW

1. install openvpn, choose unbound on the DNS step
2. install stubby
3. edit the stubby config file
4. edit the unbound config file and restart the service
5. enable the stubby service and run it
DETAILED STEPS

1. install openvpn, choose unbound on the DNS step
2. `yum install stubby`
3. edit config `/etc/stubby/stubby.yml`

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # DNS-over-TLS only, no plaintext fallback
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # verify the upstream certificate
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1       # do not pass client subnets upstream
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  # ip should be configured by openvpn (the tun interface address).
  # Port 853 so that stubby does not collide with unbound on 10.8.0.1:53;
  # this listener speaks plain DNS (the TLS hop is stubby -> upstream),
  # and unbound is its only client.
  - 10.8.0.1@853
# we can specify any other DNS servers here, like quad, getdns, etc
# see default config for details
# ideally user should be able to choose desired dns servers
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
```
4. edit `/etc/unbound/unbound.conf`

add the port under the server section:

```yaml
server:
  port: 53
```

and add a forward-zone section:

```yaml
forward-zone:
  name: "."
  # stubby's listener on 10.8.0.1@853 speaks plain DNS (the TLS hop is
  # stubby -> upstream), so unbound must not try to do TLS on this hop.
  # NOTE: forward-ssl-upstream is the older spelling; unbound 1.6.7 and later
  # also accept forward-tls-upstream. Which one parses depends on the unbound
  # version, not on the kernel.
  forward-ssl-upstream: no
  forward-addr: 10.8.0.1@853 # ip should be configured by openvpn
```

restart the service.
5. IF your kernel version is 2 it is required to fix the stubby service first. For latest kernels just enable the service.

edit `/usr/lib/systemd/system/stubby.service`

```ini
[Unit]
Description=stubby DNS resolver
# we need to start stubby after unbound.service
# (10.8.0.1 must already exist on the tun interface, or the bind fails)
After=unbound.service

[Service]
Type=simple
ExecStart=/usr/bin/stubby
# AmbientCapabilities=CAP_NET_BIND_SERVICE
# ^ this one doesn't work with kernel 2 (ambient capabilities need Linux 4.3+)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# we need root privileges to bind the privileged port 853 without ambient caps.
# Keep comments on their own lines: systemd does not strip a trailing "# ..."
# from a value, so "User=root # comment" would be an invalid user name.
User=root

[Install]
WantedBy=multi-user.target
```

then `systemctl enable stubby`. Maybe some action is required for latest kernels as well, but I'm not able to test it.
PROFIT :)
FINALLY

Do you think it makes sense, and is it possible, to add stubby support?

Thank you!
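The whole chain from the post (VPN client -> unbound on 10.8.0.1:53 -> stubby on 10.8.0.1:853 as a plaintext listener -> Cloudflare over DNS-over-TLS with certificate verification), as an added example that is not part of the original post or of the openvpn-install project. It renders the three config pieces from one place, installs them under a root directory of your choice so you can preview them before touching /etc, and checks the resulting listeners. Assumptions, all mine and not from the post: the stock CentOS unbound.conf includes `/etc/unbound/conf.d/*.conf` (so the forward-zone goes in a drop-in file instead of editing unbound.conf), the systemd drop-in `stubby.service.d/override.conf` is used instead of editing the packaged unit (which a yum update would overwrite), only the two IPv4 Cloudflare upstreams are listed, and `ss` and `dig` are available on the box. The `check_listeners` function reads `ss -ltnu` output and fails if a resolver is bound to a wildcard address, which on a VPN gateway would mean an open resolver on the public interface.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render, install and check the
# unbound -> stubby -> Cloudflare DNS-over-TLS chain on an OpenVPN server.
# Usage:  ./dot-chain.sh install /tmp/preview   (render into a scratch root)
#         ./dot-chain.sh install                (render into /etc, as root)
#         ./dot-chain.sh check                  (verify listeners and resolution)
set -eu

VPN_IP="${VPN_IP:-10.8.0.1}"        # server address on tun0, set by openvpn
STUBBY_PORT="${STUBBY_PORT:-853}"   # stubby listener; must not collide with unbound's 53

# stubby.yml: DoT upstreams with certificate verification (assumed: the two
# IPv4 Cloudflare resolvers); plaintext listener only at the VPN address.
render_stubby_yml() {
  cat <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - ${VPN_IP}@${STUBBY_PORT}
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
EOF
}

# unbound forward-zone: stubby's listener is plain DNS, so no TLS on this hop.
# Assumption: the stock unbound.conf includes /etc/unbound/conf.d/*.conf.
render_unbound_forward() {
  cat <<EOF
forward-zone:
  name: "."
  forward-ssl-upstream: no
  forward-addr: ${VPN_IP}@${STUBBY_PORT}
EOF
}

# systemd drop-in (assumption: used instead of editing the packaged unit).
# "AmbientCapabilities=" with an empty value clears the packaged setting; the
# OpenVZ 2.6.32 kernel from the post has no ambient capabilities, hence root.
# Comments stay on their own lines: systemd keeps a trailing "# ..." in the value.
render_stubby_dropin() {
  cat <<'EOF'
[Unit]
After=unbound.service

[Service]
AmbientCapabilities=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
User=root
EOF
}

# Write all three files below ROOT ("" means the live system).
install_configs() {
  root="${1:-}"
  mkdir -p "$root/etc/stubby" "$root/etc/unbound/conf.d" \
           "$root/etc/systemd/system/stubby.service.d"
  render_stubby_yml      > "$root/etc/stubby/stubby.yml"
  render_unbound_forward > "$root/etc/unbound/conf.d/forward-stubby.conf"
  render_stubby_dropin   > "$root/etc/systemd/system/stubby.service.d/override.conf"
}

# Read `ss -ltnu` output on stdin. Pass only if unbound and stubby listen where
# expected and no resolver is bound to a wildcard address (open resolver risk).
check_listeners() {
  out="$(cat)"
  re_ip="$(printf '%s' "$VPN_IP" | sed 's/\./\\./g')"
  printf '%s\n' "$out" | grep -Eq "[[:space:]]${re_ip}:53[[:space:]]" \
    || { echo "unbound is not listening on ${VPN_IP}:53" >&2; return 1; }
  printf '%s\n' "$out" | grep -Eq "[[:space:]]${re_ip}:${STUBBY_PORT}[[:space:]]" \
    || { echo "stubby is not listening on ${VPN_IP}:${STUBBY_PORT}" >&2; return 1; }
  if printf '%s\n' "$out" | grep -Eq "[[:space:]](0\.0\.0\.0|\*|\[::\]):53[[:space:]]"; then
    echo "a DNS listener is bound to all interfaces: open resolver risk" >&2
    return 1
  fi
  return 0
}

case "${1:-}" in
  install) install_configs "${2:-}" ;;
  check)   ss -ltnu | check_listeners
           # end to end: ask stubby directly (plain DNS on 853), then unbound
           dig +short @"$VPN_IP" -p "$STUBBY_PORT" cloudflare.com
           dig +short @"$VPN_IP" cloudflare.com ;;
esac
```

After `install` on the live system, run `systemctl daemon-reload && systemctl enable --now stubby && systemctl restart unbound`, then `check`. If the first `dig` answers and the second does not, the break is on the unbound -> stubby hop (most often a TLS setting on that hop or a port collision on 10.8.0.1); if neither answers, look at stubby's own log for the TLS handshake to the upstream.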
This discussion was converted from issue #338 on December 11, 2025 23:21.