Install the required packages. Enable DNS encryption.
# Install packages opkg update opkg install dnscrypt-proxy # Configure DNSCrypt provider uci set dnscrypt-proxy.@dnscrypt-proxy[0].resolver="adguard-dns" uci set dnscrypt-proxy.@dnscrypt-proxy[0].address="127.0.0.1" uci set dnscrypt-proxy.@dnscrypt-proxy[0].port="5253" uci commit dnscrypt-proxy service dnscrypt-proxy restart # Enable DNS encryption service dnsmasq stop uci set dhcp.@dnsmasq[0].noresolv="1" uci -q delete dhcp.@dnsmasq[0].server DNSCRYPT_ADDR="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].address)" DNSCRYPT_PORT="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].port)" DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}" uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}" uci commit dhcp service dnsmasq start
LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to dnscrypt-proxy which encrypts DNS traffic.
Verify domain name resolution with nslookup:
nslookup openwrt.org localhost
To check your DNS provider, you can use:
DNS Leak Test and DNSSEC Test:
Alternative test via CLI: * check connection to Quad9 DNS (it require to use Quad9 DNS servers):
dig +short txt proto.on.quad9.net. # should print: doh. or dot.
* check connection to NextDNS (it require to use NextDNS DNS servers):
curl -SL https://test.nextdns.io/
{
"status": "ok",
"protocol": "DOT",
"profile": "SOMEPROFILE",
"client": "80.XXX.XXX.XXX",
"srcIP": "80.XXX.XXX.XXX",
"destIP": "XX.XX.28.0",
"anycast": true,
"server": "zepto-ber-1",
"clientName": "unknown-dot"
}
Collect and analyze the following information.
# Restart services service log restart; service dnsmasq restart; service dnscrypt-proxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnscrypt-proxy; netstat -l -n -p | grep -e dnscrypt-proxy # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show dhcp; uci show dnscrypt-proxy
If you want to manage the settings using web interface. Install the necessary packages.
# Install packages opkg update opkg install luci-app-dnscrypt-proxy service rpcd restart
dnscrypt-proxy is configured with AdGuard DNS. You can change it to DNSCrypt.eu or any other DNSCrypt provider. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.
# Configure DNSCrypt provider while uci -q delete dnscrypt-proxy.@dnscrypt-proxy[0]; do :; done uci set dnscrypt-proxy.dns6a="dnscrypt-proxy" uci set dnscrypt-proxy.dns6a.resolver="dnscrypt.eu-dk-ipv6" uci set dnscrypt-proxy.dns6a.address="[::1]" uci set dnscrypt-proxy.dns6a.port="5253" uci set dnscrypt-proxy.dns6b="dnscrypt-proxy" uci set dnscrypt-proxy.dns6b.resolver="dnscrypt.eu-nl-ipv6" uci set dnscrypt-proxy.dns6b.address="[::1]" uci set dnscrypt-proxy.dns6b.port="5254" uci set dnscrypt-proxy.dnsa="dnscrypt-proxy" uci set dnscrypt-proxy.dnsa.resolver="dnscrypt.eu-dk" uci set dnscrypt-proxy.dnsa.address="127.0.0.1" uci set dnscrypt-proxy.dnsa.port="5255" uci set dnscrypt-proxy.dnsb="dnscrypt-proxy" uci set dnscrypt-proxy.dnsb.resolver="dnscrypt.eu-nl" uci set dnscrypt-proxy.dnsb.address="127.0.0.1" uci set dnscrypt-proxy.dnsb.port="5256" uci commit dnscrypt-proxy service dnscrypt-proxy restart uci -q delete dhcp.@dnsmasq[0].server while DNSCRYPT_ADDR="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].address)" DNSCRYPT_PORT="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].port)" DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}" uci -q delete dnscrypt-proxy.@dnscrypt-proxy[0] do uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}" done uci revert dnscrypt-proxy uci commit dhcp service dnsmasq restart