Is Stubby worth it?

Hi Community

I just stumbled upon Stubby. Has anyone installed it in addition?

https://dnsprivacy.org/wiki/display/DP/About+Stubby

Would it be a good feature? :slight_smile:

Thank you

As with most valuations of 'worth', it depends on what you want or need. I use Stubby with my Pi-hole. I like the benefit of it being the DNSSEC 'client' and then Pi-hole doesn't need to be on my network. I can't recall all of my original 'needs' to use it as it's virtually invisible to me now. Following the guide that I found makes it trivial to set up, though you will likely have to do your own homework to figure out IF you want or need it.

It depends on what you are hoping to accomplish. Improving security, privacy, or both?

Normally, DNS traffic is unencrypted. Your ISP can see all your DNS requests, regardless of which upstream server you use, unless you encrypt them in some manner (Stubby does this). However, even if you encrypt your DNS, if you follow it up immediately with a clear text request for that IP address, your ISP knows where you are browsing anyway. So, there is no obvious privacy gain.

There are some security improvements from using encrypted DNS - this protects against third parties tampering with the DNS response and providing false information (man-in-the-middle attack).

If you run your web traffic through an encrypted tunnel (VPN), now you are shifting your trust to your VPN provider. With no other steps, all your DNS traffic would route through the tunnel, and your ISP will see none of what you are doing. If you want to use a DNS other than your VPN provider, you can configure encrypted DNS to do that. In this way, all your traffic (DNS and everything else) is encrypted. This is pretty good from a privacy standpoint, and you can get the security improvements from encrypted DNS.

Many Pi-hole users use "unbound," which is a recursive, caching Linux resolver. This software typically runs on the Pi alongside Pi-hole, and Pi-hole uses unbound as its upstream DNS server. Unbound communicates directly with the root servers on the internet and the other authoritative domain name servers, so you don't use Cloudflare, Google or any of the others. The DNS traffic is not encrypted, but it is authenticated for validity.

I have tried both encrypted DNS and unbound, and finally settled on unbound as the best solution for me. When I use a VPN, I use my VPN provider's DNS as well.

2 Likes
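As an added example (not from any of the posters above or from the Stubby project), here is a `stubby.yml` for the Pi-hole-plus-Stubby setup discussed in the thread: Stubby listens on localhost and forwards queries to upstreams over TLS with certificate authentication required, which is the setting that actually defends against the tampering mentioned above; Pi-hole is then pointed at it as its upstream. The listen port 5053 and the two upstream providers are assumptions, not values from the thread.

```yaml
# /etc/stubby/stubby.yml (example; port and upstreams are assumptions)

# Stub mode: Stubby forwards to a recursive resolver rather than recursing itself.
resolution_type: GETDNS_RESOLUTION_STUB

# Only use TLS (DNS-over-TLS, port 853). Without a TLS transport listed,
# queries could silently fall back to plaintext UDP/TCP on port 53.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Require the upstream's certificate to validate against tls_auth_name.
# GETDNS_AUTHENTICATION_NONE would encrypt but not prove who answered,
# so an on-path party could still hand back false records.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to fixed block sizes so query length leaks less about the name.
tls_query_padding_blocksize: 128

# Do not send EDNS Client Subnet (your network prefix) to upstreams.
edns_client_subnet_private: 1

# Spread queries across the configured upstreams instead of always using the first.
round_robin_upstreams: 1

# Keep the TLS connection open (ms) so each lookup does not pay a new handshake.
idle_timeout: 10000

# Listen on localhost only, on a port other than 53 so Pi-hole can keep 53.
listen_addresses:
  - 127.0.0.1@5053
  - 0::1@5053

# Upstreams; tls_auth_name must match the name in the provider's certificate.
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
```

With this in place, set Pi-hole's custom upstream DNS server to `127.0.0.1#5053` (the assumed port above) and untick the public upstreams, so that every query Pi-hole forwards leaves the Pi only over port 853.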