Setting up Stubby/systemd-resolved & dnsmasq

Stubby

/etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"

systemd-resolved

/etc/systemd/resolved.conf

[Resolve]
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=149.112.112.112#dns.quad9.net
DNSSEC=no
DNSOverTLS=yes

Domains that do not support DNSSEC fail to resolve even with the allow-downgrade option. Explicitly disable DNSSEC until the systemd bug is resolved.

https://github.com/systemd/systemd/issues/10579

dnsmasq

/etc/dnsmasq.d/stubby.conf

no-resolv
server=::1#8053
server=127.0.0.1#8053
interface=wg0
except-interface=lo
bind-dynamic

/etc/dnsmasq.d/systemd-resolved.conf

no-resolv
server=127.0.0.53
interface=wg0
except-interface=lo
bind-dynamic

Enable Services

systemctl enable stubby
systemctl enable systemd-resolved
systemctl enable dnsmasq