Content DNS over TLS Linux privacy Ubuntu Ubuntu 18.04 Ubuntu Desktop

How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS

ubuntu stubby

This tutorial might be displaying you ways to shield your DNS privateness on Ubuntu 18.04 desktop with DNS over TLS. We’ll use a software referred to as stubby to obtain that. However first, let me inform you why DNS is just not safe.

DNS Vulnerability

DNS is insecure as a result of by default DNS queries usually are not encrypted, which could be exploited by center entities. DNS cache poison is likely one of the DNS abuses that’s extensively utilized by the Nice Firewall of China to censor Chinese language Web. The Nice Firewall of China checks each DNS question that’s despatched to a DNS server outdoors of China. When it finds a website identify on its block listing, it modifications the DNS response. For instance, if a Chinese language Web consumer needs to go to, the Nice firewall of China returns to the DNS resolver an IP tackle situated in China as an alternative of Google’s actual IP tackle. Then the DNS resolver returns the pretend IP tackle to the consumer’s pc.

What’s DNS over TLS? How It Protects Your Privacy?

DNS over TLS signifies that DNS queries are despatched over a safe connection encrypted with TLS, the identical know-how that encrypts HTTP visitors, so no third events can see your DNS queries. Collectively with HTTPS and encrypted SNI (Server Identify Indication), your searching historical past is absolutely shielded from ISP spying.

Stubby is an open-source DNS stub resolver developed by the getdns group. It makes use of the getdns library. A stub resolver is a small DNS shopper on the end-user’s pc that receives DNS requests from purposes similar to Firefox and ahead requests to a recursive resolver like or eight.eight.eight.eight. Stubby is particular in that it helps DNS over TLS. By default, it’s going to solely ship DNS requests encrypted. There’s one other open-source stub resolver referred to as cloudflared that helps DNS over HTTPS however stubby is already in Ubuntu 18.04 repository and could be very straightforward to use.

How to Set up and Use Stubby on Ubuntu 18.04 Desktop

Stubby is in Ubuntu 18.04 repository. Open up a terminal window and run the next command to set up it.

sudo apt set up stubby

It will set up stubby and the getdns library. As soon as put in, stubby runs within the background. You you examine its standing with:

systemctl standing stubby

ubuntu stubby

Stubby listens on TCP and UDP port 53 of localhost (, as might be seen by operating this command:

sudo netstat -lnptu | grep stubby

stubby dns over tls

The default stub resolver offered by systemd-resolved listens on TCP and UDP port 53 of

sudo netstat -lnptu | grep systemd-resolve

systemd-resolved stub resolver

Observe: If dnsmasq is listening on TCP port 53 of, then Stubby will pay attention solely on UDP port 53 of

The primary configuration file is /and so forth/stubby/stubby.yml. Usually there’s no want to make modifications to it until you need to use one other or your personal recursive resolver. Let me clarify some default configurations. You possibly can open the file with:

sudo nano /and so forth/stubby/stubby.yml

The next line makes stubby run as a stub resolver as an alternative of a full recursive resolver, which is why it’s named stubby.


The next configuration make stubby ship DNS queries encrypted with TLS. It won’t ship quries in plain textual content.


This following line requires a legitimate TLS certificates on the distant recursive resolver.


The next strains set the pay attention addresses for the stubby daemon. By default, IPv4 and IPv6 are each enabled.

– zero::1

The next line make stubby question recursive resolvers in a round-robin trend. If set to zero, Stubby will use every upstream server sequentially till it turns into unavailable after which transfer on to use the subsequent.

round_robin_upstreams: 1

By default there are three recursive resolvers enabled in stubby configuration file. They’re run by stubby builders and help DNS over TLS. You’ll be able to see the complete record of really helpful servers on DNS Privacy web site.

There are different DNS servers within the Further Servers part which are disabled by default.

dns.quad9.internet (supporting TLS1.2 and TLS 1.three)

There are additionally DNS servers listening on port 443. If port 853 is blocked in your community, you’ll be able to uncomment them to use these servers.

Now you possibly can exit nano textual content editor by urgent Ctrl+X.

Switching to Stubby

Modifying the /and so on/resolve.conf file to change identify server just isn’t beneficial any extra. Comply with the directions under to make systemd-resolved ship DNS queries to stubby.

GNOME Desktop

Click on the Community Supervisor icon on the upper-right nook of your desktop. Then choose wired settings. (In case you are utilizing Wi-fi, choose Wi-fi settings.)

encrypt dns

Click on the gear button.

cloudflare dns over tls

Choose IPv4 tab, then in DNS settings, change Automated to OFF, which can forestall your Ubuntu system from getting DNS server tackle out of your router. Enter within the DNS area. Click on Apply button to save your modifications.

dns over tls port 853

Then restart NetworkManager for the modifications to take impact.

sudo systemctl restart NetworkManager

As soon as you’re reconnected, you possibly can see that your Ubuntu system is now utilizing because the DNS server within the Particulars tab.

stub resolver dns over tls

Unity Desktop

Beneficial studying: how to set up Unity desktop setting on Ubuntu 18.04.

Click on the Community Supervisor icon on the upper-right nook of your desktop, then click on edit connections.

network manager change DNS

Choose your connection identify and click on the gear icon.

stubby systemd-resolved

Choose IPv4 settings tab, change technique from Automated(DHCP) to Automated(DHCP) addresses solely, which can forestall your Ubuntu system from getting DNS server tackle out of your router. Then specify a DNS server ( Stubby listens on

ubuntu dns over tls

Save your modifications. Then restart NetworkManager for the modifications to take impact.

sudo systemctl restart NetworkManager

As soon as you’re reconnected, click on the Community Supervisor icon once more and choose connection info. You’ll be able to see that your Ubuntu system is now utilizing because the DNS server.

ubuntu 18.04 dns over tls

You may also verify your present DNS server by operating the next command:

systemd-resolve –status

Pattern output:

Hyperlink 2 (enp5s0)
Present Scopes: DNS
LLMNR setting: sure
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers:

How to Examine if Your DNS Visitors is Encrypted

We will use WireShark to monitor DNS visitors. Set up WireShark from Ubuntu 18.04 repository.

sudo apt set up wireshark

In case you are requested “Should non-superusers be able to capture packets?”, reply Sure. As soon as it’s put in, run the next command to add your consumer account to the wireshark group to be able to seize packets.

sudo adduser your-username wireshark

Sign off and log again in for the modifications to take impact. Then open WireShark out of your software menu, choose your community interface in WireShark. For instance, my Ethernet interface identify is enp5s0. Then enter port 853 because the seize filter. It will make WireShark solely seize visitors on port 853, which is the port utilized by DNS over TLS.

ubuntu 18.04 stubby

Click on the button on the upper-left nook to begin capturing. After that, in terminal window, run the next command to question area identify through the use of the dig utility. For example, I can question the A report of my area identify.

dig A

Now you possibly can see the captured DNS visitors in WireShark. As you possibly can see, my DNS question was despatched to, and, that are the three default DNS resolvers outlined in stubby configuration file. Connections have been made over TCP and encrypted with TLS, which is what I would like.

secure dns

If DNS queries are despatched with out encryption, then the pc would contact DNS server on port 53. You possibly can seize packets once more with port 53 because the seize filter, however you gained’t see any packets in WireShark, which suggests stubby is encrypting your DNS queries.

How to Add CloudFlare DNS to Stubby

I discovered that there’s excessive latency (over 200ms) between my pc and the three default DNS servers, whereas CloudFlare DNS servers (, give me very low latency (under 20ms). CloudFlare additionally helps DNS over TLS. So as to add CloudFlare DNS server, edit stubby configuration file.

sudo nano /and so on/stubby/stubby.yml

Scroll down to the upstream_recursive_servers: part and add the next textual content above different DNS servers.

#CloudFlare servers
– address_data:
tls_auth_name: “”
– address_data:
tls_auth_name: “”

Then discover the next line:

round_robin_upstreams: 1

Change 1 to zero. It will make stubby all the time use CloudFlare DNS server. If CloudFlare just isn’t out there, stubby will use different DNS servers. Save the file and restart stubby for the modifications to take impact.

sudo systemctl restart stubby

I hope this tutorial helped you shield your DNS privateness on Ubuntu 18.04 with DNS over TLS. As all the time, in case you discovered this publish helpful, then subscribe to our free publication to get extra ideas and tips. Take care.

Fee this tutorial

[Total: 34 Average: 4]

(perform(d, s, id)
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); = id;
js.src = “//”;
fjs.parentNode.insertBefore(js, fjs);
(doc, ‘script’, ‘facebook-jssdk’));