From d5b0c46ece4bc494843ff99758704122684b8641 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:03:08 -0700 Subject: [PATCH 1/7] stubby: rearrange Makefile for clarity Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 3f3df9c12..6ff93162d 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -29,12 +29,6 @@ define Package/stubby/Default URL:=https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby endef -define Package/stubby/description - This package contains the Stubby daemon (which utilizes the getdns library). - - See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details. -endef - define Package/stubby $(call Package/stubby/Default) SECTION:=net @@ -45,6 +39,16 @@ define Package/stubby DEPENDS:= +libyaml +getdns +ca-certificates endef +define Package/stubby/description + This package contains the Stubby daemon (which utilizes the getdns library). + + See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details. +endef + +define Package/stubby/conffiles + /etc/stubby/stubby.yml +endef + define Package/stubby/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stubby $(1)/usr/sbin/stubby @@ -55,9 +59,4 @@ define Package/stubby/install $(INSTALL_DATA) ./files/stubby.yml $(1)/etc/stubby/stubby.yml endef - -define Package/stubby/conffiles - /etc/stubby/stubby.yml -endef - $(eval $(call BuildPackage,stubby)) From 4819fc5e6e63551444af479054deb1556353b915 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:04:42 -0700 Subject: [PATCH 2/7] stubby: fix config file definition The config file /etc/stubby/stubby.yml is not registered properly and any local changes are being overwritten on upgrade or reinstall. 
Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 6ff93162d..f855a1e37 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -46,7 +46,7 @@ define Package/stubby/description endef define Package/stubby/conffiles - /etc/stubby/stubby.yml +/etc/stubby/stubby.yml endef define Package/stubby/install From 0425d9198a41c8c774e599195b59b3b931b2f9b4 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:23:34 -0700 Subject: [PATCH 3/7] stubby: use EDNS client-subnet privacy by default Retain the upstream value since privacy is usually the key user motivation for using DNS-over-TLS, and simply note that those encountering sub-optimal routing may consider disabling the setting. Signed-off-by: Tony Ambardar --- net/stubby/files/README.md | 6 +++--- net/stubby/files/stubby.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 14b7bbf92..38e05071f 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md 
@@ -20,10 +20,10 @@ This package has some modifications that makes it differ from the default upstre ### General Cleanup Comments are removed, etc. -### EDNS Client-Subnet Option Changed to 0 +### EDNS Client-Subnet Option The value of "edns_client_subnet_private" is '1' in the upstream default config. This informs the upstream resolver to NOT forward your connection's IP to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc. -To give a more "comparable" DNS experience similar to google/opendns, this package disables this option. +We retain the upstream value since privacy is a key user motivation for using DNS-over-TLS, but note users encountering poor routing may consider changing it. ### Default Listening Ports Changed The value of "listen_addresses" in the default config does not list port numbers, which will cause stubby to default to port 53. However, Openwrt defaults to dnsmasq as the main name server daemon, which runs on port 53. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby. @@ -43,4 +43,4 @@ Cloudflare is an Anycast DNS service. This should take care of any needed "failo Most of the default resolvers for stubby are in Europe. To provide a better experience for a larger number of users, this package defaults to using Cloudflare's DNS service. Cloudflare's DNS service has been ranked number one in speed against many other top resolvers. https://developers.Cloudflare.com/1.1.1.1/commitment-to-privacy/ -https://www.dnsperf.com/dns-resolver/1-1-1-1 \ No newline at end of file +https://www.dnsperf.com/dns-resolver/1-1-1-1 diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 278fa2ee3..7db041966 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml 
@@ -9,7 +9,7 @@ tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 -edns_client_subnet_private : 0 +edns_client_subnet_private : 1 round_robin_upstreams: 0 From 8b2de594de0219681ba9630b8390738a1afb7e4e Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:35:31 -0700 Subject: [PATCH 4/7] stubby: add Cloudflare 1.0.0.1 and ::1001 servers Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 7db041966..71af185b2 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -24,6 +24,8 @@ upstream_recursive_servers: # # Cloudflare IPv6 - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" + - address_data: 2606:4700:4700::1001 + tls_auth_name: "cloudflare-dns.com" # # Quad 9 IPv6 # - address_data: 2620:fe::10 @@ -33,6 +35,8 @@ upstream_recursive_servers: # # Cloudflare servers - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" + - address_data: 1.0.0.1 + tls_auth_name: "cloudflare-dns.com" # Quad 9 service # - address_data: 9.9.9.10 From 1170686cbab9a017d49cb532918a4e4c4a9c490d Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 03:11:19 -0700 Subject: [PATCH 5/7] stubby: add SPKI pin set for Cloudflare cert Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks, as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific SHA256 certificate hash are taken from Cloudflare's DoT configuration guide published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/. Note that the certificate is valid to March 25th 2020, 13:00 CET, which provides ample time for issuance of a backup pin to support future key rollover. Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
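Review bot: The two added Cloudflare entries (this hunk and the @@ -33,6 +35,8 hunk of the same patch) are not reflected in files/README.md, whose Cloudflare section (context at the @@ -43,4 hunk of patch 3) only discusses the anycast service and failover in general; a sentence stating that 1.0.0.1 and 2606:4700:4700::1001 are listed as secondary upstreams would keep the README accurate. Since the config keeps `round_robin_upstreams: 0` (context in the @@ -9,7 hunk above), the new addresses presumably only come into play when the first upstream fails rather than sharing load, which is worth a one-line comment above each added entry, e.g. `# secondary Cloudflare address, used when the first upstream fails`.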
diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 71af185b2..012b1d6fb 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -24,8 +24,14 @@ upstream_recursive_servers: # # Cloudflare IPv6 - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 2606:4700:4700::1001 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= # # Quad 9 IPv6 # - address_data: 2620:fe::10 @@ -35,8 +41,14 @@ upstream_recursive_servers: # # Cloudflare servers - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 1.0.0.1 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= # Quad 9 service # - address_data: 9.9.9.10 From 7a1cfd43e956235010e321aa4c2cbcf0d12a56aa Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 04:08:29 -0700 Subject: [PATCH 6/7] stubby: remove unnecessary core limit Remove the limit setting core="unlimited", since this shouldn't be needed in production use (i.e. non-debug) and on an embedded platform, which is why it's rarely used by any existing packages. Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.init | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 1f2ce16e2..19743f15d 100644 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -13,8 +13,6 @@ start_service() { procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} - procd_set_param limits core="unlimited" - procd_set_param file /etc/stubby/stubby.yml procd_set_param stdout 1 
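Review bot: Each of the four Cloudflare entries receives exactly one SPKI pin and no backup pin, and with `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` (context in the earlier @@ -9,7 hunk) a pin that no longer matches after Cloudflare's key rollover leaves stubby unable to authenticate any of its upstreams; the same applies to the second hunk (@@ -35,8 +41,14) of this patch. The commit message notes the certificate is valid to 25 March 2020, but because stubby.yml is now registered as a conffile (patch 2), a later package update will not replace an existing user's copy, so a stale pin persists on upgraded systems unless the user edits it. Suggest adding a backup pin as soon as Cloudflare publishes one and, in the meantime, a comment above each pinset such as `# single SPKI pin from Cloudflare's DoT guide; pinned key expires 2020-03-25 - add a backup pin (or drop the pinset) before then, since a mismatch fails closed` so the expiry is visible to anyone editing the file. The value is also repeated four times; keeping it in one place (if stubby's YAML loader supports anchors) would reduce the chance of the copies drifting apart when the pin is rotated.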
From 8f241854ed89d9fb70c2a10955af7041900e83f2 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 18 Sep 2018 01:06:32 -0700 Subject: [PATCH 7/7] stubby: bump PKG_RELEASE Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index f855a1e37..f3b33e0e7 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby PKG_VERSION:=0.2.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING