Install the packages and DNS encryption should be configured automatically.
# Install packages opkg update opkg install dnsmasq https-dns-proxy
LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
Collect and analyze the following information.
# Restart services /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e https-dns; netstat -l -n -p | grep -e https-dns # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a https-dns # Persistent configuration uci show dhcp; uci show https-dns-proxy
Install the necessary packages if you want to manage the settings using web interface.
# Install packages opkg update opkg install luci-app-https-dns-proxy
https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it Google DNS or any other DoH provider. Make sure the provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.
# Configure DoH provider while uci -q delete https-dns-proxy.@https-dns-proxy; do :; done uci set https-dns-proxy.dns="https-dns-proxy" uci set https-dns-proxy.dns.bootstrap_dns="22.214.171.124,126.96.36.199" uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query" uci set https-dns-proxy.dns.listen_addr="127.0.0.1" uci set https-dns-proxy.dns.listen_port="5053" uci commit https-dns-proxy /etc/init.d/https-dns-proxy restart