I can point you to a guide for stubby.
Any place you see this command, sudo vi, replace it with sudo nano.
Also take note: once you get to the pihole configuration at the bottom, ignore making the new dnsmasq config file. Instead, set the address and port in the pihole GUI.
I should be able to help if you hit any roadblocks.
One more tip: you can use the default stubby.yml, no editing is actually required.
crap i lied.....
Replace this command at the very end, sudo systemctl restart dnsmasq, with sudo pihole restartdns.
Probably not necessary to even run, honestly.
Thanks @drewski
I'll take a look when I get a chance.
I tried following the guide for cloudflared, went all the way through, but couldn't resolve any queries.
I'm glad to help.
I have been using stubby for months now. Very reliable! Good luck
Yeah makes sense.
Sky must have changed something in recent times.
Annoying.
Thanks for all your help, appreciated.
I'll give stubby a try over the weekend, given cloudflared didn't seem to work.
I have this in my config already.
I've also tried this, but unbound 1.6.0 tells me this is an unknown key using unbound-checkconf
sudo apt update
sudo apt upgrade -y
sudo apt install -y libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
sudo apt install -y build-essential libssl-dev libtool m4 autoconf libyaml-dev
git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout master
sed -i 's#git://#https://#g' .gitmodules # fix for git checkout
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir -v build && cd build
../configure --prefix=/usr/local --without-libidn --without-libidn2 --enable-stub-only --with-ssl --with-stubby
make
sudo make install
sudo /sbin/ldconfig -v
cd ../stubby
sudo useradd stubby
sudo /usr/bin/install -Dm644 stubby.yml.example /etc/stubby.yml
sudo nano /lib/systemd/system/stubby.service
[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/stubby -C /etc/stubby.yml
Restart=on-abort
User=stubby
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable stubby
sudo systemctl start stubby
sudo /sbin/ldconfig -v
^
This should get stubby installed.
The code after sudo nano goes inside the stubby.service you just created.
Follow this guide I just typed. The one I linked doesn't build stubby with SSL for some reason. That's a big problem. Just let me know if you get stuck. Once the above is completed, run sudo nano /etc/stubby.yml
I recommended turning off round robin in there. You may have to enable DNSSEC, I cannot remember the default. You can change the other configurations to your liking. The last thing you have to do is add the stubby IP and port to the DNS section in http://pi.hole/; this is configured in the above stubby.yml
Lastly I'm on mobile rn sorry if formatting is crap
Be careful with .yml files, they do not like whitespace.
One more thing: you might have trouble with the dependencies. You might have to search for the equivalent libs etc. with sudo apt search
Example: I think libuv1 might actually be libuv10
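A quick check of /etc/stubby.yml against the points raised in the posts above (round robin off, DNSSEC on, whitespace), which also prints the address to enter in the Pi-hole GUI. This is an added example, not code from the thread or from the stubby project; it goes slightly further by also checking that TLS authentication is required. The function names are hypothetical, the sample file is constructed and the listen port 5353 is an assumption.

```python
import re

# Constructed sample stubby.yml. Key names follow stubby's shipped example
# file; the listen port 5353 is an assumption, not a value from the thread.
SAMPLE = """\
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
round_robin_upstreams: 0
listen_addresses:
  - 127.0.0.1@5353
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
"""

def scalar(text, key):
    """Value of an uncommented top-level `key: value` line, or None."""
    m = re.search(rf"^{key}:[ \t]*([^#\n]*)", text, re.M)
    return m.group(1).strip() if m else None

def list_items(text, key):
    """Items of the indented `- item` list under a top-level `key:`."""
    m = re.search(rf"^{key}:[ \t]*\n((?:[ \t]+.*\n?)*)", text, re.M)
    return re.findall(r"^[ \t]+-[ \t]*([^#\n]+)", m.group(1), re.M) if m else []

def check_stubby(text):
    """Return (findings, pihole_upstreams) for the text of a stubby.yml."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        indent = line[: len(line) - len(line.lstrip())]
        if "\t" in indent:
            findings.append(f"line {n}: tab in indentation, YAML accepts spaces only")
    wanted = {"tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
              "dnssec_return_status": "GETDNS_EXTENSION_TRUE",
              "round_robin_upstreams": "0"}
    for key, value in wanted.items():
        if scalar(text, key) != value:
            findings.append(f"{key} is {scalar(text, key)!r}, expected {value}")
    servers = re.findall(r"^[ \t]*-[ \t]*address_data:", text, re.M)
    names = re.findall(r"^[ \t]*tls_auth_name:", text, re.M)
    if len(names) < len(servers):
        findings.append("an upstream has no tls_auth_name to verify its certificate against")
    upstreams = []
    for item in list_items(text, "listen_addresses"):
        host, _, port = item.strip().partition("@")
        upstreams.append(f"{host}#{port or '53'}")  # Pi-hole writes IP#port
    return findings, upstreams

if __name__ == "__main__":
    print(check_stubby(SAMPLE))
```

To check a real file, pass its contents: check_stubby(open("/etc/stubby.yml").read()).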
Yes I have the hash in my config:
pi@pi-hole:~ $ cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
#use ca-certificate
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-ssl-upstream: yes
pi@pi-hole:~ $ unbound-checkconf
/etc/unbound/unbound.conf:15: error: unknown keyword 'tls-cert-bundle'
/etc/unbound/unbound.conf:15: error: stray ':'
/etc/unbound/unbound.conf:15: error: stray '"'
/etc/unbound/unbound.conf:15: error: unknown keyword '/etc/ssl/certs/ca-certificates'
/etc/unbound/unbound.conf:15: error: stray '"'
read /etc/unbound/unbound.conf failed: 5 errors in configuration file
Get the same error with ssl-cert-bundle
You're welcome!
I'm just trying to piece it together it's been so long.
Yes you're right.
But even with
#use ca-certificate
ssl-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
In /etc/unbound/unbound.conf.d/pi-hole.conf
I still get the same error
I am giving the answers.
My unbound pihole.conf contains server: at the top with the SSL cert entry underneath.
I removed ssl-cert-bundle from the main unbound config
The certificate file is located at /etc/ssl/certs/ca-certificate.crt
Hence me declaring it there.
Can confirm the above works if you are interested. I just rebuilt stubby.
Definitely interested.
Just not able to try just yet. Will report back when I've got it going
I can make these changes, worth a try.
But the guys at the unbound git said the forward zones should be in the main unbound config
If I forward my request in TLS and my upstream is using DNSSEC, how could tampering occur? No one can pretend to be my upstream and my upstream cannot spoof the test. So where is the danger?
I'm just making sure I have my head on straight.