Well, it may not be much but here’s a copy of my stubby.yml when I was running DOT. I switched to DOH as it’s harder (if not near impossible) to block than DOT’s requirement of an open port 853 when it comes to hostile networks:

```yaml
#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 0
idle_timeout: 60000
listen_addresses:
  - 127.0.0.1@53535
  - 0::1@53535
upstream_recursive_servers:
## DeCloudUs Custom DNS Locked IPv4 (USA)
  - address_data: 173.234.30.187
    tls_port: 853
    tls_auth_name: "[redacted].decloudus.com"
# ## DeCloudUs Custom DNS Locked IPv4 (Germany)
#  - address_data: 78.47.212.211
#    tls_port: 853
#    tls_auth_name: "[redacted].decloudus.com"
## DeCloudUs Custom DNS Locked IPv6 (Germany)
#  - address_data: 2a01:4f8:13a:250b::187
#    tls_port: 853
#    tls_auth_name: "[redacted].decloudus.com"
```

Perhaps you should ping @beniamin ; he seems to state having some experience w/ OpenWrt & dockerizing AdGuardHome: