DNS over HTTPS with Dnsmasq and https-dns-proxy

• This how-to describes the method for setting up DNS over HTTPS on OpenWrt.
• It relies on Dnsmasq and https-dns-proxy for masking DNS traffic as HTTPS traffic.
• Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.

Install the packages and DNS encryption should be configured automatically.

# Install packages
opkg update
opkg install dnsmasq https-dns-proxy

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e https-dns; netstat -l -n -p | grep -e https-dns
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a https-dns
 
# Persistent configuration
uci show dhcp; uci show https-dns-proxy

Install the necessary packages if you want to manage the settings using web interface.

# Install packages
opkg update
opkg install luci-app-https-dns-proxy
/etc/init.d/rpcd restart

• Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.
• Navigate to LuCI → Services → HTTPS DNS Proxy to configure https-dns-proxy.

https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it Google DNS or any other DoH provider. Make sure the provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.

# Configure DoH provider
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4"
uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query"
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart