Is DNSSEC working?

Awesome, you're a star

lookup dismail.de if you're bored

I assume it's working as intended so far?

Had to break off.
Just running the make command

No worries, I run it on a laptop. I forget that it must take ages to build on a Pi.

Yeah. It took a while to run the configure command

When you get done with everything, sudo nano /etc/stubby.yml, make sure to set the IP and port, and input them into the Pi-hole GUI, and you should be golden.
Unfortunately make takes longer than configure.

I think it's done, but I can't see where the IP and port are noted in the stubby.yml

Looks like line 119 to me

Ah ok.
So I'd go for 127.0.0.1@5454 for example?

Exactly like that

Thanks.
Stubby Daemon seems to be running.
What tests would you recommend running?

I would just run a www.dnsleaktest.com to make sure your ISP DNS is not showing up. Check your DNSSEC to make sure that Stubby is using a DNSSEC-capable server. Did you do any editing to the .yml?

DNS leak test shows my ISP.
I added the port, and set round robin to 0
These are the only changes I made.

Well, you might not be able to get rid of the ISP without blocking port 53 outbound; not sure on that yet. Did you set the port in Pi-hole? I personally use 127.0.0.2@2053.

I have changed the following in my stubby.yml; it seems to speed things up a bit:

# EDNS0 option for keepalive idle timeout in milliseconds as specified in
# https://tools.ietf.org/html/rfc7828
# This keeps idle TLS connections open to avoid the overhead of opening a new
# connection for every query.
idle_timeout: 7500

# Control the maximum number of connection failures that will be permitted
# before Stubby backs-off from using an individual upstream (default 2)
tls_connection_retries: 3

# Control the maximum time in seconds Stubby will back-off from using an
# individual upstream after failures under normal circumstances (default 3600)
tls_backoff_time: 300

# Specify the location for CA certificates used for verification purposes are
# located - this overrides the OS specific default location.
# tls_ca_path: "/etc/ssl/certs/"

# Limit the total number of outstanding queries permitted
# limit_outstanding_queries: 100

# Specify the timeout in milliseconds on getting a response to an individual
# request (default 5000)
timeout: 2500

Yes, I'm using port 5454.
Any reason why you used 2053?
I see in the Stubby YAML file it says Stubby uses port 53 by default? Could this help with my ISP bullcrap?
Also getting DNSSEC tests failing with Stubby.
I'll make these changes you've quoted above. And let it run over night and tomorrow.

It could potentially prevent port conflicts; also note I used 127.0.0.2. Are you getting any DNS other than your ISP's?

In a leak test, no, just Sky Broadband.

Edit: success!
I made the changes you suggested, set the Chrome flag #enable-async-dns to disabled, flushed the cache, and now do not see my ISP in the DNS leak test.

Edit again: DNSSEC tests failing.

Check the Pi-hole tail. Look for the request to go to 127.0.0.1@5454. It would likely be a problem if you have Unbound on the same port and IP. If that's it, use 127.0.0.2 like I did.

Unbound is running on 127.0.0.1@5353.