RSHARM
January 13, 2026, 4:49pm
1
/etc/config/stubby
config stubby 'global'
option manual '0'
option trigger 'wan'
list dns_transport 'GETDNS_TRANSPORT_TLS'
option tls_authentication '1'
option tls_query_padding_blocksize '128'
option edns_client_subnet_private '1'
option idle_timeout '10000'
option round_robin_upstreams '1'
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
option appdata_dir '/tmp/stubby'
dnssec_return_status 'GETDNS_EXTENSION_TRUE'
Should I add dnssec_return_status '0'?
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '127.0.0.1#5453'
list server '0::1#5453'
list rebind_domain 'time.android.com'
option stripmac '1'
option proxydnssec '1'
That is wrong there.
You should add option dnssec_return_status '1'
Then when you check your dynamically created configuration file (/var/etc/stubby/stubby.yml) you should see there
dnssec_return_status: GETDNS_EXTENSION_TRUE
See https://dnsprivacy.org/dns_privacy_daemon_-_stubby/configuring_stubby/#dnssec
1 Like
brada4
January 13, 2026, 8:16pm
3
The same Cloudflare page sends you to a help page to set up your browser to use ECH. That has very little to do with the router. The default is to trust DoH, not DNS, so you have to make your dnsmasq a trusted resolver...
Does the generated stubby.yml reference a valid DNSSEC trust root?
################################ LISTEN ADDRESS ################################
# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to
# specify a different port. (Note that due to restrictions within the config
# file parser, IPv6 address cannot start with `::` )
listen_addresses:
- 127.0.0.1
- 0::1
############################### DNSSEC SETTINGS ################################
# Require DNSSEC validation. This will withhold answers with BOGUS DNSSEC
# status and answers that could not be validated (i.e. with DNSSEC status
# INDETERMINATE). Beware that if no DNSSEC trust-anchor is provided, or if
# stubby is not able to fetch and validate the DNSSEC trust-anchor itself,
# (using Zero configuration DNSSEC) stubby will not return answers at all.
# If DNSSEC validation is required, a trust-anchor is also required.
# (default is no DNSSEC validation)
# dnssec: GETDNS_EXTENSION_TRUE
# Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly
1 Like
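The check behind the reply above (confirm that the generated /var/etc/stubby/stubby.yml carries dnssec_return_status: GETDNS_EXTENSION_TRUE) together with brada4's question about a valid trust root, as an added example that is not code from the thread or from the stubby or OpenWrt projects. It runs on constructed sample files standing in for the real stubby.yml; the key names are those of stubby.yml.example (dnssec_return_status and its alias dnssec, dnssec_trust_anchors, appdata_dir), and both conditions have to hold, because stubby's own config comment says it withholds every answer when validation is required without a usable trust anchor.

```shell
#!/bin/sh
# Added example, not code from the thread or from the stubby/OpenWrt projects.
# Checks a generated stubby.yml for the two conditions the thread raises:
# validation must be switched on, and a trust-anchor source must exist
# (otherwise stubby withholds every answer, as its own config comment warns).
# Key names follow stubby.yml.example: dnssec_return_status (or its alias
# dnssec), dnssec_trust_anchors, appdata_dir. Sample files are constructed below.

# 0 if the file enables DNSSEC validation on an uncommented line.
stubby_dnssec_enabled() {
    grep -Eq '^[[:space:]]*(dnssec_return_status|dnssec):[[:space:]]*GETDNS_EXTENSION_TRUE' "$1"
}

# 0 if the file names a trust-anchor source: an explicit anchor file, or an
# appdata_dir for Zero configuration DNSSEC (stubby fetches the root anchor
# itself at startup, which needs outbound access to data.iana.org).
stubby_has_trust_anchor() {
    grep -Eq '^[[:space:]]*(dnssec_trust_anchors|appdata_dir):' "$1"
}

# Prints findings for file $1; returns 0 only when both conditions hold.
check_stubby_yml() {
    rc=0
    if stubby_dnssec_enabled "$1"; then
        echo "$1: DNSSEC validation enabled"
    else
        echo "$1: DNSSEC validation NOT enabled (key missing or commented out)"
        rc=1
    fi
    if stubby_has_trust_anchor "$1"; then
        echo "$1: trust-anchor source present"
    else
        echo "$1: no dnssec_trust_anchors or appdata_dir; validation cannot work"
        rc=1
    fi
    return $rc
}

# Constructed samples standing in for /var/etc/stubby/stubby.yml.
WORKDIR=$(mktemp -d)
GOOD_YML="$WORKDIR/good.yml"
BAD_YML="$WORKDIR/bad.yml"

# Shape of what the init script writes for option dnssec_return_status '1'
# plus option appdata_dir (constructed, abbreviated).
cat >"$GOOD_YML" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
appdata_dir: "/tmp/stubby"
dnssec_return_status: GETDNS_EXTENSION_TRUE
EOF

# The stock example file: the dnssec line is only a comment, no anchor source.
cat >"$BAD_YML" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# dnssec: GETDNS_EXTENSION_TRUE
EOF

for f in "$GOOD_YML" "$BAD_YML"; do
    if check_stubby_yml "$f"; then
        echo "$f: OK"
    else
        echo "$f: FIX NEEDED"
    fi
done
```

On the router, call check_stubby_yml /var/etc/stubby/stubby.yml after restarting stubby. A pass that rests only on appdata_dir still depends on the anchor fetch succeeding at startup, so confirm a fetched anchor file actually appears in that directory; with appdata_dir under /tmp, as in the original config, the fetch is repeated on every boot because /tmp is cleared.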
efahl
January 13, 2026, 8:27pm
4
Or use quad9 and let them handle it:
You're administrating DNS for a building, office, business, ISP, etc, and you want to use Quad 9. Great choice!
1 Like
otnert
January 14, 2026, 3:00am
5
Or you could just configure dnsmasq to require DNSSEC validation.
More info here.
2 Likes
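The dnsmasq route suggested above, as an added example that is not config from the thread: the original /etc/config/dhcp settings that only proxy the upstream's DNSSEC status, beside the settings that make dnsmasq validate answers itself. It assumes OpenWrt's dnsmasq-full package (the default dnsmasq build is compiled without DNSSEC support and carries no trust anchor), and only one config dnsmasq section should exist in the file; the two are shown side by side for comparison.

```text
# /etc/config/dhcp, dnsmasq section. Added example, not the thread's own config.

# Before (as posted): proxydnssec only copies the AD bit from stubby's answers.
# dnsmasq trusts whatever the upstream reports and validates nothing itself.
config dnsmasq
	option proxydnssec '1'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

# After: dnsmasq validates every answer against the root trust anchor bundled
# with dnsmasq-full, serves SERVFAIL for BOGUS data, and (dnsseccheckunsigned)
# also proves that zones claiming to be unsigned really are unsigned.
# proxydnssec is dropped because dnsmasq no longer relies on the upstream's flag.
config dnsmasq
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#5453'
	list server '0::1#5453'
```

Validation in dnsmasq needs a roughly correct system clock to check signature validity periods, so on a router without an RTC make sure time is synced before trusting the result of a test query such as dig +dnssec against the router.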