Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
packages/net/stubby/files/stubby.yml
Tony Ambardar 1170686cba stubby: add SPKI pin set for Cloudflare cert 
Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks,
as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific
SHA256 certificate hash are taken from Cloudflare's DoT configuration guide
published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/.

Note that the certificate is valid to March 25th 2020, 13:00 CET, which
provides ample time for issuance of a backup pin to support future key
rollover.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2018-09-23 21:55:03 -07:00

55 lines
1.4 KiB
YAML
Raw Blame History

#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 0
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5453
- 0::1@5453
upstream_recursive_servers:
# IPv6 addresses
# # Cloudflare IPv6
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
# # Quad 9 IPv6
# - address_data: 2620:fe::10
# tls_auth_name: "dns.quad9.net"
# IPv4 addresses
# # Cloudflare servers
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
# Quad 9 service
# - address_data: 9.9.9.10
# tls_auth_name: "dns.quad9.net"
Reference in a new issue View git blame Copy permalink