# DNS OVER TLS WITH GETDNS AND STUBBY PORTS INSTALL HELP NEEDED



## directnupe (May 2, 2018)

Dear Fellow FreeBSD Users,
I hope that all is well with all. I need some assistance with DNS over TLS, specifically using GetDns and Stubby from FreeBSD Ports. For those who wish to explore Stubby and GetDns, this method is the one recommended by DNSPRIVACY; see here:

https://getdnsapi.net/

https://dnsprivacy.org/wiki/display/DP/ … n+-+Stubby

https://dnsprivacy.org/wiki/display/DP/ … ts-Unbound

I am using FreeBSD Ports from GitHub. I have gotten as far as installing the /dns/getdns port with Stubby enabled via the make config option. However, that is where I get stuck.

I need a start up script:

A - it is the rc system. You need to put a file into /etc/rc.conf.d with the same name as the service file and add the config options.

and

B - you need an RC config file under /etc/rc.conf.d which includes your config options. This is usually. For an example you can look at the templates in the plugins


So, can someone who knows how to write up scripts for GetDns and Stubby help me with this; or at the least someone who knows how to do this generally offer me some ideas on how to get this up and running.

Here is the log after installing GetDns and Stubby:

```
/usr/bin/install -c -m 644 getdns_list_set_list.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_pretty_print_dict.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_root_trust_anchor.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_service.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_service_sync.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_validate_dnssec.3 /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/strip /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/lib/libgetdns*.so.*
/usr/bin/strip /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/bin/getdns_*
/usr/bin/strip /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/bin/stubby
/bin/mv /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/etc/stubby/stubby.yml  /usr/obj/usr/ports/dns/getdns/work/stage/usr/local/etc/stubby/stubby.yml.sample
====> Compressing man pages (compress-man)
===>  Installing for getdns-1.4.0
===>  Checking if getdns already installed
===>   Registering installation for getdns-1.4.0
Installing getdns-1.4.0...
***
***  !!! IMPORTANT !!!!  libgetdns needs a DNSSEC trust anchor!
***
***  For the library to be able to perform DNSSEC, the root
***  trust anchor needs to be present in presentation format
***  in the file:
***     /usr/local/etc/unbound/root.key
***
***  We recomend using unbound-anchor to retrieve and install
***  the root trust anchor like this:
***     su -m unbound -c /usr/local/sbin/unbound-anchor
***

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libgetdns.so.10.0.0

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
https://getdnsapi.net/
```


Files wind up in:

- /usr/local/man/man3
- /usr/local/lib/libgetdns*.so.*
- /usr/local/bin/getdns_*
- /usr/local/bin/stubby
- /usr/local/etc/stubby/stubby.yml
- /usr/local/etc/stubby/stubby.yml.sample

I guess that I need start up scripts and/or a method to integrate this port-installed package into my FreeBSD system where it will function as a native piece of software. So if you have experience with installing packages from ports, please help me.
Stubby is a daemon and its yml contents are in this format:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

dnssec_return_status: GETDNS_EXTENSION_TRUE

tls_query_padding_blocksize: 256

edns_client_subnet_private: 1

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@5453

round_robin_upstreams: 1

upstream_recursive_servers:
# IPV4 Servers
# Quad9 'secure'
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
# Cloudflare DNS TLS
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
```

I want to use this with Unbound. I already know that Unbound can use upstream DNS to forward over port 853, but please, I only want assistance with GetDns and Stubby from Ports.
Thank you in advance and God Bless Always In Peace,

directnupe / kappagus2
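The two files the post asks for (an rc.d service script and a matching /etc/rc.conf.d knob file) as an added example, not code from the thread or from the getdns port. It assumes stubby lives at /usr/local/bin/stubby with its config at /usr/local/etc/stubby/stubby.yml (the paths in the install log), uses stubby's -g (background) and -C (config file) flags, and the knob names stubby_enable/stubby_config are chosen here, not mandated by the port; the function writes both files under a staging root so they can be inspected before copying into place.

```shell
#!/bin/sh
# Added example: write a FreeBSD rc(8) script for stubby plus its
# /etc/rc.conf.d knob file under a staging root ("" for a live system).
# Assumed paths/flags: /usr/local/bin/stubby -g -C <config>; knob names
# stubby_enable and stubby_config are this example's choice.

write_stubby_rc_files() {
    root="$1"
    mkdir -p "${root}/usr/local/etc/rc.d" "${root}/etc/rc.conf.d"

    # The rc.d file name is the service name used by service(8) and must
    # match the name of the knob file in /etc/rc.conf.d.
    cat > "${root}/usr/local/etc/rc.d/stubby" <<'EOF'
#!/bin/sh
# PROVIDE: stubby
# REQUIRE: NETWORKING
# KEYWORD: shutdown
. /etc/rc.subr
name="stubby"
rcvar=stubby_enable
load_rc_config $name
: ${stubby_enable:="NO"}
: ${stubby_config:="/usr/local/etc/stubby/stubby.yml"}
command="/usr/local/bin/stubby"
command_args="-g -C ${stubby_config}"
start_precmd="stubby_prestart"
stubby_prestart() {
    # The posted stubby.yml sets dnssec_return_status, so libgetdns needs
    # the root trust anchor the port's install message points at.
    if [ ! -r /usr/local/etc/unbound/root.key ]; then
        warn "no DNSSEC trust anchor at /usr/local/etc/unbound/root.key;" \
             "run: su -m unbound -c /usr/local/sbin/unbound-anchor"
    fi
}
run_rc_command "$1"
EOF
    chmod 555 "${root}/usr/local/etc/rc.d/stubby"

    # Knob file: same name as the rc.d script, holds only the variables.
    cat > "${root}/etc/rc.conf.d/stubby" <<'EOF'
stubby_enable="YES"
stubby_config="/usr/local/etc/stubby/stubby.yml"
EOF
}
```

After `service stubby start`, a query such as `drill -p 5453 @127.0.0.1 example.com` confirms the listener from the posted config is answering before Unbound is pointed at it.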


----------



## SirDice (May 2, 2018)

directnupe said:


> I am using Opnsense Ports from GitHub. I run Opnsense on a VM behind a Pfsense Hardware Router.


PC-BSD, FreeNAS, NAS4Free, and all other FreeBSD Derivatives

Rule #7: FreeBSD Forums Rules


----------



## directnupe (May 2, 2018)

SirDice said:


> PC-BSD, FreeNAS, NAS4Free, and all other FreeBSD Derivatives
> 
> Rule #7: FreeBSD Forums Rules



I modified my post to FreeBSD as I use FreeBSD as well and need help with ports. Thanks


----------




