Using DNS over TLS (DoT) Resolvers in Windows

This tutorial will guide you through the steps to set up DoT resolvers on a Windows machine.

Steps

Step 1: Download Stubby

  1. Visit the Stubby releases page to download the latest version of Stubby for Windows.
  2. Download the installer executable (e.g., stubby-<version>-installer.exe).

Step 2: Install Stubby

  1. Run the Stubby installer executable you downloaded.
  2. Follow the installation prompts to complete the installation.

Step 3: Configure Stubby

  1. Open the stubby.yml configuration file located in the C:\Program Files\Stubby\ directory using a text editor (e.g., Notepad).
  2. Edit the file to specify the DoT resolvers you want to use. You can find them on our Public Resolvers page. Below is an example configuration:

    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    round_robin_upstreams: 1
    idle_timeout: 10000
    listen_addresses:
      - 127.0.0.1
      - 0::1
    dnssec_return_status: GETDNS_EXTENSION_TRUE
    upstream_recursive_servers:
      - address_data: 2a09:b280:fe01:35::a
        tls_auth_name: "dnscry.pt"
      - address_data: 2a03:94e0:271f::5b1
        tls_auth_name: "dnscry.pt"
      - address_data: 198.140.141.46
        tls_auth_name: "dnscry.pt"
    

Step 4: Start Stubby

  1. Open Command Prompt as Administrator:
    • Press Win + X and select "Command Prompt (Admin)" or "Windows PowerShell (Admin)".
  2. Navigate to the Stubby directory:

    cd "C:\Program Files\Stubby\"

  3. Start Stubby by running:

    stubby -v

Step 5: Configure Network Adapter

  1. Open the Control Panel and go to "Network and Sharing Center".
  2. Click on "Change adapter settings" on the left sidebar.
  3. Right-click your active network connection and select "Properties".
  4. Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
  5. Check "Use the following DNS server addresses" and enter 127.0.0.1 for both the preferred and alternate DNS server.
  6. Click "OK" to apply the changes.

Step 6: Verify DoT is Working

  1. Open Command Prompt and run:

    nslookup -type=txt debug.opendns.com
  2. You should see a response that includes information about the resolver, indicating that DoT is working correctly.

Troubleshooting

  • If you encounter issues, check the stubby.log file in the C:\Program Files\Stubby\ directory for error messages.
  • Ensure that no other DNS services are running on port 53, as this could interfere with Stubby.
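The checks from Step 5, Step 6 and the port 53 troubleshooting note can be combined into one PowerShell script. This is an added example, not part of the original tutorial or the Stubby project; it assumes the process is named stubby and uses example.com as a constructed test name. It goes beyond Step 5 by also inspecting IPv6 DNS settings, since the example configuration listens on 0::1 as well.

```powershell
# Added example (not from the Stubby project). Run in an elevated PowerShell session.
$loopback = '127.0.0.1', '::1'
$testName = 'example.com'   # constructed test name; any resolvable name works

# 1. Who is bound to port 53? Anything other than stubby conflicts with it.
$listeners = @(Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue) +
             @(Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue)
$owners = $listeners | ForEach-Object {
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
} | Sort-Object -Unique
$conflicts = @($owners | Where-Object { $_ -and $_ -ne 'stubby' })

# 2. DNS servers on adapters that are up, IPv4 and IPv6. Any non-loopback
#    entry lets queries bypass Stubby and leave the machine in cleartext.
$bypass = Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex
} | ForEach-Object {
    $alias = $_.InterfaceAlias
    $_.ServerAddresses | Where-Object { $_ -notin $loopback } |
        ForEach-Object { "$alias -> $_" }
}

# 3. Query through Stubby, then look for its TLS session on port 853.
#    idle_timeout is 10000 ms in the example config, so the session is
#    still open when the connection table is read right after the query.
$answer = Resolve-DnsName -Name $testName -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue
$stubbyIds = @((Get-Process -Name stubby -ErrorAction SilentlyContinue).Id)
$dot = @(Get-NetTCPConnection -RemotePort 853 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -in $stubbyIds })

# Summary: one object so the result can be read or piped onward.
[pscustomobject]@{
    StubbyListening   = $owners -contains 'stubby'
    Port53Conflicts   = $conflicts -join ', '
    NonLoopbackDns    = @($bypass) -join '; '
    ResolvedViaStubby = [bool]$answer
    DoTSessions       = ($dot | ForEach-Object { "$($_.RemoteAddress):853" }) -join ', '
} | Format-List
```

A working setup shows StubbyListening and ResolvedViaStubby as True, empty Port53Conflicts and NonLoopbackDns, and DoTSessions listing an address from upstream_recursive_servers in stubby.yml.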