################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
# This format does not fully support all yaml features - the restrictions are:
#   - the outer-most data structure must be a yaml mapping
#   - mapping keys must be yaml scalars
#   - plain scalars will be converted to json unchanged
#   - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
#     as json strings, i.e. double quoted.
#   - yaml tags are not supported
#   - IPv6 addresses ending in :: are not yet supported (use ::0)
#
# Also beware that yaml is sensitive to the indentation at the start of each
# line so if you encounter errors when parsing the config file then please check
# that. We will add better checking but a useful online tool to check yaml
# format is here (it also converts yaml to json)
# https://yaml-online-parser.appspot.com/
#
# Note that we plan to introduce a more compact format for defining upstreams
# in future: https://github.com/getdnsapi/stubby/issues/79

################################### LOGGING ####################################
# Define at which level messages will be logged to stdout. Can be one of:
# GETDNS_LOG_EMERG, GETDNS_LOG_ALERT, GETDNS_LOG_CRIT, GETDNS_LOG_ERR,
# GETDNS_LOG_WARNING, GETDNS_LOG_NOTICE, GETDNS_LOG_INFO or GETDNS_LOG_DEBUG
# where GETDNS_LOG_EMERG is the least and GETDNS_LOG_DEBUG the most verbose.
log_level: GETDNS_LOG_NOTICE


########################## BASIC & PRIVACY SETTINGS ############################
# Specifies whether to run as a recursive or stub resolver
# For stubby this MUST be set to GETDNS_RESOLUTION_STUB
resolution_type: GETDNS_RESOLUTION_STUB

# Ordered list composed of one or more transport protocols:
# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
# If only one transport value is specified it will be the only transport used.
# Should it not be available basic resolution will fail.
# Fallback transport options are specified by including multiple values in the
# list.  Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Selects Strict or Opportunistic Usage profile as described in
# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
# ONLY for the case when TLS is the one and only transport specified above.
# Strict mode requires that authentication information for the upstreams is
# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
# is included in the transport list above.
# For Strict use        GETDNS_AUTHENTICATION_REQUIRED
# For Opportunistic use GETDNS_AUTHENTICATION_NONE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# EDNS0 option to pad the size of the DNS query to the given blocksize
# 128 is currently recommended by
# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
tls_query_padding_blocksize: 128

# EDNS0 option for ECS client privacy as described in Section 7.1.2 of
# https://tools.ietf.org/html/rfc7871
# If you really want to use a resolver that sends ECS (such as Google or one of
# the Quad9 ones) in order to gain better geo-location of content, then be aware
# that this will expose a portion of your IP address in queries to some 
# authoritative servers. You will need to configure that server and also set this
# parameter to 0 to fully enable ECS.
edns_client_subnet_private : 1

############################# CONNECTION SETTINGS ##############################
# Set to 1 to instruct stubby to distribute queries across all available name
# servers - this will use multiple simultaneous connections which can give
# better performance in most (but not all) cases.
# Set to 0 to treat the upstreams below as an ordered list and use a single
# upstream until it becomes unavailable, then use the next one.
round_robin_upstreams: 1

# EDNS0 option for keepalive idle timeout in milliseconds as specified in
# https://tools.ietf.org/html/rfc7828
# This keeps idle TLS connections open to avoid the overhead of opening a new
# connection for every query. Note that if a given server doesn't implement 
# EDNS0 keepalive and uses an idle timeout shorter than this stubby will backoff
# from using that server because the server is always closing the connection.
# This can degrade performance for certain configurations so reducing the
# idle_timeout to below that of that lowest server value is recommended.
idle_timeout: 10000

# Control the maximum number of connection failures that will be permitted
# before Stubby backs-off from using an individual upstream (default 2)
# tls_connection_retries: 2

# Control the maximum time in seconds Stubby will back-off from using an
# individual upstream after failures under normal circumstances (default 3600)
# tls_backoff_time: 3600

# Specify the location for CA certificates used for verification purposes are
# located - this overrides the OS specific default location.
# tls_ca_path: "/etc/ssl/certs/"

# Limit the total number of outstanding queries permitted on one TCP/TLS
# connection (default is 0, no limit)
# limit_outstanding_queries: 0

# Specify the timeout in milliseconds on getting a response to an individual
# request (default 5000)
# timeout: 5000

# Set the acceptable ciphers for DNS over TLS.  With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream. 
# (default as shown)
# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"

# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
# (default as shown)
# tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream. (default is 1.2)
# tls_min_version: GETDNS_TLS1_2

# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream. (default is 1.3)
# tls_max_version: GETDNS_TLS1_3

################################ LISTEN ADDRESS ################################
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
# specify a different port. (Note that due to restrictions within the config
# file parser, IPv6 address cannot start with `::` )
listen_addresses:
  - 127.0.0.1
  - 0::1

############################### DNSSEC SETTINGS ################################
# Require DNSSEC validation. This will withhold answers with BOGUS DNSSEC
# status and answers that could not be validated (i.e. with DNSSEC status
# INDETERMINATE). Beware that if no DNSSEC trust-anchor is provided, or if
# stubby is not able to fetch and validate the DNSSEC trust-anchor itself,
# (using Zero configuration DNSSEC) stubby will not return answers at all.
# If DNSSEC validation is required, a trust-anchor is also required.
# (default is no DNSSEC validation)
# dnssec: GETDNS_EXTENSION_TRUE

# Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly
# when needed (Zero configuration DNSSEC), but only if it can store then
# somewhere.  The default location to store these files is the ".getdns"
# subdirectory in the user's home directory on Unixes, and the %appdata%\getdns
# directory on Windows. If there is no home directory, or
# the required subdirectory could not be created (or is not present), Stubby
# will fall back to the current working directory to try to store the
# trust-anchor files.
#
# When stubby runs as a special system-level user without a home directory
# however (such as in setups using systemd), it is recommended that an explicit
# location for storing the trust-anchor files is provided that is writable (and
# readable) by that special system user.
# appdata_dir: "/var/cache/stubby"

# When Zero configuration DNSSEC failed, because of network unavailability or
# failure to write to the appdata directory, stubby will backoff trying to
# refetch the DNSSEC trust-anchor for a specified amount of time  expressed
# in milliseconds (which defaults to two and a half seconds).
# trust_anchors_backoff_time: 2500

# Specify the location of the installed trust anchor files to override the
# default location (see above)
# dnssec_trust_anchors:
#   - "/etc/unbound/getdns-root.key"


##################################  UPSTREAMS  ################################
# Specify the list of upstream recursive name servers to send queries to
# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
# so the upstream can be authenticated.
# The list below includes various public resolvers and some of the available test
# servers but only has the getdns developer operated upstream enabled by default. 
###############################################################################
####  Users are recommended to use more than one upstream for robustness  #####
###############################################################################
# You can enable other resolvers by uncommenting the relevant 
# section below or adding their information directly. Also see this list for
# other test servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
# If you don't have IPv6 then comment then out those upstreams.
# In Opportunistic mode they only require an IP address in address_data.
# The information for an upstream can include the following:
# - address_data: IPv4 or IPv6 address of the upstream
#   port: Port for UDP/TCP (default is 53)
#   tls_auth_name: Authentication domain name checked against the server
#                  certificate
#   tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
#                      certificate
#     - digest: Only "sha256" is currently supported
#       value: Base64 encoded value of the sha256 fingerprint of the public
#              key
#   tls_port: Port for TLS (default is 853)

# To always use the DHCP resolvers provided by the local network in Opportunistic
# mode then
# 1) In the dns_transport_list after TLS add UDP then TCP
# 2) Change to tls_authentication: GETDNS_AUTHENTICATION_NONE
# 3) Remove all the upstream_recursive_servers listed below

upstream_recursive_servers:
############################ DEFAULT UPSTREAM  ################################
####### IPv4 addresses ######
### Test servers ###
# The getdnsapi.net server
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
####### IPv6 addresses ######
### Test servers ###
# The getdnsapi.net server
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=


############################ OPTIONAL UPSTREAMS  ###############################
####### IPv4 addresses ######
### Anycast services ###
## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
#  - address_data: 9.9.9.9
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 149.112.112.112
#    tls_auth_name: "dns.quad9.net"
## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
## See the entry for `edns_client_subnet_private` for more details on ECS
#  - address_data: 9.9.9.11
#    tls_auth_name: "dns11.quad9.net"
#  - address_data: 149.112.112.11
#    tls_auth_name: "dns11.quad9.net"
## Quad 9 'insecure' service - No filtering, no DNSSEC, doesn't send ECS
#  - address_data: 9.9.9.10
#    tls_auth_name: "dns10.quad9.net"
#  - address_data: 149.112.112.10
#    tls_auth_name: "dns10.quad9.net"
## Cloudflare 1.1.1.1 and 1.0.0.1
## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
#  - address_data: 1.1.1.1
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 1.0.0.1
#    tls_auth_name: "cloudflare-dns.com"
## The Uncensored DNS servers
#  - address_data: 91.239.100.100
#    tls_auth_name: "anycast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "deic-ore.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
#######  pin for "deic-ore.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
#######  pin for "deic-lgb.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
#######  pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
#######  pin for "kracon.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
#######  pin for "kracon.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
#######  pin for "rgnet-iad.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
#######  pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
## Google
#  - address_data: 8.8.8.8
#    tls_auth_name: "dns.google"
#  - address_data: 8.8.4.4
#    tls_auth_name: "dns.google"
## Adguard Default servers
#  - address_data: 94.140.14.14
#    tls_auth_name: "dns.adguard-dns.com"
#  - address_data: 94.140.15.15
#    tls_auth_name: ""dns.adguard-dns.com"
## Adguard Family Protection servers
#  - address_data: 94.140.14.15
#    tls_auth_name: "family.adguard-dns.com"
#  - address_data: 94.140.15.16
#    tls_auth_name: "family.adguard-dns.com"
## Comcast
#  - address_data: 96.113.151.145
#    tls_auth_name: "dot.xfinity.com"
### A few unicast test servers ###
## The Uncensored DNS servers
#  - address_data: 89.233.43.71
#    tls_auth_name: "unicast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "unicast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
#######  pin for  "unicast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
## dns.neutopia.org
#  - address_data: 89.234.186.112
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## Fondation RESTENA (NREN for Luxembourg)
#  - address_data: 158.64.1.29
#    tls_auth_name: "dnspub.restena.lu"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: aC/vKm0neSr3uDucVsYO62RPZ4ETWjoI0Gw8uWjGdLg=
## NIC Chile
#  - address_data: 200.1.123.46
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## Foundation for Applied Privacy 
#  - address_data: 146.255.56.98
#    tls_auth_name: "dot1.applied-privacy.net"


####### IPv6 addresses #######
### Anycast services ###
## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
#  - address_data: 2620:fe::fe
#    tls_auth_name: "dns.quad9.net"
#  - address_data: 2620:fe::9
#    tls_auth_name: "dns.quad9.net"
## Quad 9 'secure w/ECS' service - Filters, does DNSSEC, DOES send ECS
## See the entry for `edns_client_subnet_private` for more details on ECS
#  - address_data: 2620:fe::11
#    tls_auth_name: "dns11.quad9.net"
#  - address_data: 2620:fe::fe:11
#    tls_auth_name: "dns11.quad9.net"
## Quad 9 'insecure' service - No filtering, does DNSSEC, doesn't send ECS 
#  - address_data: 2620:fe::10
#    tls_auth_name: "dns10.quad9.net"
#  - address_data: 2620:fe::fe:10
#    tls_auth_name: "dns10.quad9.net"
## Cloudflare servers
## (NOTE: recommend reducing idle_timeout to 9000 if using Cloudflare)
#  - address_data: 2606:4700:4700::1111
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1001
#    tls_auth_name: "cloudflare-dns.com"
## The Uncensored DNS servers
#  - address_data: 2001:67c:28a4::0
#    tls_auth_name: "anycast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for "deic-ore.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=
#######  pin for "deic-ore.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=
#######  pin for "deic-lgb.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=
#######  pin for "deic-lgb.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=
#######  pin for "kracon.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=
#######  pin for "kracon.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
#######  pin for "rgnet-iad.anycast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=
#######  pin for "rgnet-iad.anycast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=
## Google
#  - address_data: 2001:4860:4860::8888
#    tls_auth_name: "dns.google"
#  - address_data: 2001:4860:4860::8844
#    tls_auth_name: "dns.google"
## Adguard Default servers
#  - address_data: 2a10:50c0::ad1:ff
#    tls_auth_name: "dns.adguard-dns.com"
#  - address_data: 2a10:50c0::ad2:ff
#    tls_auth_name: "dns.adguard-dns.com"
## Adguard Family Protection servers
#  - address_data: 2a10:50c0::bad1:ff
#    tls_auth_name: "family.adguard-dns.com"
#  - address_data: 2a10:50c0::bad2:ff
#    tls_auth_name: "family.adguard-dns.com"
## Comcast
#  - address_data: 2001:558:fe21:6b:96:113:151:145
#    tls_auth_name: "dot.xfinity.com"
### A few unicast test servers ###
## The Uncensored DNS server
#  - address_data: 2a01:3a0:53:53::0
#    tls_auth_name: "unicast.censurfridns.dk"
#    tls_pubkey_pinset:
#######  pin for  "unicast.censurfridns.dk RSA"
#      - digest: "sha256"
#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
#######  pin for "unicast.censurfridns.dk ECDSA"
#      - digest: "sha256"
#        value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
## Fondation RESTENA (NREN for Luxembourg)
#  - address_data: 2001:a18:1::29
#    tls_auth_name: "dnspub.restena.lu"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: aC/vKm0neSr3uDucVsYO62RPZ4ETWjoI0Gw8uWjGdLg=
## dns.neutopia.org
#  - address_data: 2a00:5884:8209::2
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## NIC Chile
#  - address_data: 2001:1398:1:0:200:1:123:46
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
## Foundation for Applied Privacy 
#  - address_data: 2a02:1b8:10:234::2
#    tls_auth_name: "dot1.applied-privacy.net"

####### Servers that listen on port 443 (IPv4 and IPv6) #######
### Test servers ###
## The getdnsapi.net server
#  - address_data: 185.49.141.37
#    tls_port: 443
#    tls_auth_name: "getdnsapi.net"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## The getdnsapi.net server (IPv6 address)
#  - address_data: 2a04:b900:0:100::38
#    tls_port: 443
#    tls_auth_name: "getdnsapi.net"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## dns.neutopia.org
#  - address_data: 89.234.186.112
#    tls_port: 443
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## dns.neutopia.org
#  - address_data: 2a00:5884:8209::2
#    tls_port: 443
#    tls_auth_name: "dns.neutopia.org"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### A few unicast test servers ###
## Foundation for Applied Privacy 
#  - address_data: 146.255.56.98
#    tls_port: 443
#    tls_auth_name: "dot1.applied-privacy.net"
#  - address_data: 2a02:1b8:10:234::2
#    tls_port: 443
#    tls_auth_name: "dot1.applied-privacy.net"