/etc/stubby/stubby.yml
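# Stubby as a local stub resolver: queries received on loopback are forwarded
# to the upstream recursive servers listed at the bottom.
# Indentation restored: the nested list entries were flattened to column 0, which
# made tls_auth_name read as a top-level key instead of part of each upstream.
resolution_type: GETDNS_RESOLUTION_STUB
# TLS is the only transport listed, so there is no cleartext UDP/TCP fallback.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Strict profile: the upstream must authenticate, otherwise the query fails
# instead of being sent to an unverified server.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to a multiple of 256 bytes so message size reveals less to an observer.
tls_query_padding_blocksize: 256
# Set the EDNS Client Subnet privacy option so upstreams do not pass on the client's subnet.
edns_client_subnet_private: 1
# Keep idle upstream connections open for 10000 ms so TLS sessions are reused.
idle_timeout: 10000
# Loopback only (IPv4 and IPv6), on port 8053; a local forwarder is expected in front.
# NOTE(review): 8053 is an unprivileged port, so any local process can bind it while
# stubby is not running. Make sure whatever forwards here depends on stubby being up.
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
# Spread queries across all upstreams rather than always using the first one.
round_robin_upstreams: 1
# tls_auth_name is the name the upstream's certificate must match. No
# tls_pubkey_pinset is configured, so authentication rests on that name check
# against the trusted CA store.
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"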
/etc/systemd/resolved.conf
# Global systemd-resolved settings: send lookups to Quad9 over DNS-over-TLS.
[Resolve]
# The "#dns.quad9.net" suffix is the server name expected in the TLS certificate.
# NOTE(review): confirm the installed systemd version accepts the "#name" suffix;
# without it the certificate cannot be checked against the hostname.
# NOTE(review): DNS servers learned per link (e.g. via DHCP) may still be used
# alongside this one. "Domains=~." is the usual way to route all lookups to the
# global servers; confirm for your setup.
DNS=9.9.9.9#dns.quad9.net
# NOTE(review): FallbackDNS is consulted only when no other DNS server is known,
# so with DNS= set above it does not act as a failover target. To use both Quad9
# addresses, list both in DNS=:
#   DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=149.112.112.112#dns.quad9.net
# Local DNSSEC validation is switched off. Answers are not verified on this host,
# so integrity depends on the upstream resolver and the TLS channel to it.
DNSSEC=no
# Strict mode: lookups go over TLS only, and fail rather than fall back to cleartext.
DNSOverTLS=yes
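Domains that do not support DNSSEC fail to resolve even with `DNSSEC=allow-downgrade`, so DNSSEC is explicitly disabled here until the systemd bug is resolved. With `DNSSEC=no`, systemd-resolved performs no local validation, so the authenticity of answers rests on the upstream resolver and on the authenticated TLS channel to it.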
/etc/dnsmasq.d/stubby.conf
# dnsmasq front end for stubby: answers clients on wg0 and forwards to the local stubby listener.
# Ignore /etc/resolv.conf so the only upstreams are the server= lines below;
# this keeps lookups from drifting to a DHCP-supplied cleartext resolver.
no-resolv
# Forward to stubby on loopback port 8053 (in dnsmasq, "#" separates address and port).
server=::1#8053
server=127.0.0.1#8053
# Serve DNS only on wg0 (presumably the WireGuard tunnel interface; confirm).
# NOTE(review): the hop from tunnel clients to dnsmasq is plain DNS, protected only
# by the tunnel itself; TLS starts at stubby.
interface=wg0
# Do not listen on loopback.
except-interface=lo
# Bind per-interface addresses and start listening on interfaces that appear later,
# so dnsmasq still serves wg0 if the interface comes up after it starts.
bind-dynamic
/etc/dnsmasq.d/systemd-resolved.conf
# dnsmasq front end for systemd-resolved: answers clients on wg0 and forwards to the local stub.
# NOTE(review): this looks like an alternative to a stubby-based forwarder. If both
# files sit in /etc/dnsmasq.d/, dnsmasq would use both sets of upstreams; confirm
# only one is installed.
# Ignore /etc/resolv.conf so the only upstream is the server= line below.
no-resolv
# Forward to the systemd-resolved stub listener on 127.0.0.53.
server=127.0.0.53
# Serve DNS only on wg0 (presumably the WireGuard tunnel interface; confirm).
interface=wg0
# Do not listen on loopback.
except-interface=lo
# Bind per-interface addresses and start listening on interfaces that appear later.
bind-dynamic
# Enable the resolver services at boot. "enable" does not start them in the
# current session; start them separately (or use "enable --now") and verify that
# lookups actually leave the host over TLS before relying on the setup.
# NOTE(review): stubby and systemd-resolved look like alternative upstreams for
# dnsmasq; presumably only the one matching the installed dnsmasq.d file is needed.
systemctl enable stubby
systemctl enable systemd-resolved
systemctl enable dnsmasq