├── README.md
├── cert
    └── dns.sb.crt
└── example
    ├── stubby.yml
    └── unbound.conf

/README.md:
--------------------------------------------------------------------------------
## DNS Over TLS

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. ([Wikipedia](https://en.wikipedia.org/wiki/DNS_over_TLS))

## Our DoT Servers

### Hostname for TLS Authentication

`dot.sb` or `dns.sb`

### TLS Port

`853`

### IPv4

```
185.222.222.222
45.11.45.11
```

### IPv6

```
2a09::
2a11::
```

### IPv6 with Full Address

```
2a09:0000:0000:0000:0000:0000:0000:0000
2a11:0000:0000:0000:0000:0000:0000:0000
```

### PEM / CRT File

[dns.sb.crt](cert/dns.sb.crt)

### SPKI Pin

```
amEjS6OJ74LvhMNJBxN3HXxOMSWAriaFoyMQn/Nb5FU=
```

You can generate and verify the SPKI pin with the following command:

```bash
echo | openssl s_client -connect 185.222.222.222:853 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

## Example Configurations

### Unbound

[unbound.conf](example/unbound.conf)

### Nebulo (Android App)

The server is included in this app.
[Download it](https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen), open the server list at the bottom right and select DNS.SB

--------------------------------------------------------------------------------
/cert/dns.sb.crt:
--------------------------------------------------------------------------------
[PEM-encoded certificate chain]

--------------------------------------------------------------------------------
/example/stubby.yml:
--------------------------------------------------------------------------------
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 185.222.222.222
    tls_auth_name: "dot.sb"
  - address_data: 45.11.45.11
    tls_auth_name: "dot.sb"
  - address_data: 2a09::
    tls_auth_name: "dot.sb"
  - address_data: 2a11::
    tls_auth_name: "dot.sb"

--------------------------------------------------------------------------------
/example/unbound.conf:
--------------------------------------------------------------------------------
server:
  pidfile: "/etc/unbound/unbound.pid"
  interface: 127.0.0.1@53
  interface: ::1@53
  prefetch: yes
  hide-identity: yes
  hide-version: yes
  do-not-query-localhost: no
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 185.222.222.222@853
  forward-addr: 45.11.45.11@853
  forward-addr: 2a09::@853
  forward-addr: 2a11::@853

--------------------------------------------------------------------------------
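
Unbound checks the upstream certificate's name only when a `forward-addr` carries a `#auth-name` suffix; without it, any certificate that validates against `tls-cert-bundle` is accepted, whereas the stubby example sets `tls_auth_name` on every upstream. The following is an added example, not part of this repository: it flags DoT forwarders that lack an auth name (also honouring a server-wide `tls-upstream: yes`) and appends the README's TLS authentication hostname `dot.sb`. The function names are hypothetical and the sample config is constructed from `example/unbound.conf`.

```python
import re

OPTION = re.compile(r'^\s*([a-z0-9-]+):\s*(.*?)\s*$')

# Constructed sample: the TLS-relevant lines of example/unbound.conf above.
SAMPLE = '''\
server:
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 185.222.222.222@853
  forward-addr: 45.11.45.11@853
  forward-addr: 2a09::@853
  forward-addr: 2a11::@853
'''

def unauthenticated(conf):
    """Return [(line_no, value)] for DoT forward-addr entries lacking '#auth-name'."""
    zones, zone, global_tls = [], None, False
    for n, raw in enumerate(conf.splitlines(), 1):
        # Strip comments: '#' counts only at line start or after whitespace, not in "ip@port#name".
        m = OPTION.match(re.sub(r'(^|\s)#.*', '', raw))
        if not m:
            continue
        key, val = m.groups()
        if not val:                      # clause header, e.g. "server:"
            zone = None
            if key == 'forward-zone':
                zone = {'tls': False, 'addrs': []}
                zones.append(zone)
        elif key == 'tls-upstream':      # server-wide switch
            global_tls = val == 'yes'
        elif zone is not None and key == 'forward-tls-upstream':
            zone['tls'] = val == 'yes'
        elif zone is not None and key == 'forward-addr':
            zone['addrs'].append((n, val))
    return [(n, v) for z in zones if z['tls'] or global_tls
            for n, v in z['addrs'] if '#' not in v]

def add_auth_name(conf, name):
    """Append '#name' to every flagged forward-addr and return the new text."""
    lines = conf.splitlines()
    for n, val in unauthenticated(conf):
        lines[n - 1] = lines[n - 1].replace(val, f'{val}#{name}', 1)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(add_auth_name(SAMPLE, 'dot.sb'))
```

With the auth name in place, each forwarder line reads like `forward-addr: 185.222.222.222@853#dot.sb`.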