DNS name resolver with pre-configured DNS-over-TLS and DNSSEC validation. Note that DNS records without an accompanying RRSIG record will still be resolved successfully.
```bash
# run stubby
$ docker run \
    --rm \
    --publish 127.0.0.1:53:53/udp \
    --publish 127.0.0.1:53:53/tcp \
    --init \
    registry.staex.io/staex/stubby:latest
# check that everything works
$ dig @127.0.0.1 +dnssec +short staex.io
185.215.4.66
A 8 2 300 20240123160747 20240101160747 41949 staex.io. YGH2IxTz4svMOhuAx0QRzLQELfICxG5v/RUHn4MbUgWEYcQb/g+FfyHn Tj1guMMAKCkktIVzocxKmWNCra8q2xRxJ2G/PwJOqogB2Vmd6MZ1Hmua RpjDjt2qWkIzRTJyGw/nBGh+SDHmAsvA069IS1h/H3pW7K7bh5bSArNj rWY=
```
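Because unsigned answers still resolve, a client that needs to know whether a given answer was signed has to look for the RRSIG line itself. The following is an added example, not part of the image or its documentation: it reads `dig +dnssec +short` output and reports whether an RRSIG covering the requested type is present and inside its validity window. It does not verify the signature cryptographically; the function names are hypothetical, and the sample reuses the field values shown above with a placeholder signature.

```shell
#!/bin/sh
# rrsig_status TYPE [NOW]
# Reads `dig +dnssec +short` output on stdin.
# NOW is UTC in YYYYMMDDHHMMSS form and defaults to the current time.
# Prints one of: signed | expired | not-yet-valid | unsigned | empty
rrsig_status() {
    want=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -v want="$want" -v now="$now" '
        function is_ts(s) { return length(s) == 14 && s ~ /^[0-9]+$/ }
        NF == 0 { next }
        # RRSIG rdata in +short form:
        # covered alg labels ttl expiration inception keytag signer signature...
        NF >= 9 && $1 == want && is_ts($5) && is_ts($6) {
            sigs++
            if (now + 0 < $6 + 0)      early++   # before inception
            else if (now + 0 > $5 + 0) late++    # after expiration
            else                       ok++
            next
        }
        { answers++ }                            # any other line is answer data
        END {
            if (!answers && !sigs) print "empty"
            else if (!sigs)        print "unsigned"
            else if (ok)           print "signed"
            else if (late)         print "expired"
            else                   print "not-yet-valid"
        }'
}

# Constructed sample: field values from the dig output above,
# signature replaced by a placeholder.
sample_answer() {
    printf '%s\n' \
        '185.215.4.66' \
        'A 8 2 300 20240123160747 20240101160747 41949 staex.io. SIGNATURE-PLACEHOLDER'
}

# Offline demo with a fixed clock inside the validity window.
sample_answer | rrsig_status A 20240110000000

# Against the running container (requires network):
#   dig @127.0.0.1 +dnssec +short staex.io | rrsig_status A
```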
To override the default configuration, add `--volume /etc/stubby/stubby.conf:/etc/stubby/stubby.conf:ro` to the `docker run` command.
```yaml
---
log_level: GETDNS_LOG_NOTICE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 0.0.0.0
dnssec: GETDNS_EXTENSION_TRUE
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: dns11.quad9.net
  - address_data: 149.112.112.11
    tls_auth_name: dns11.quad9.net
```