Show pagesourceOld revisionsBacklinksBack to top × Table of Contents DoH with Dnsmasq and https-dns-proxy Introduction Goals Command-line instructions Testing Troubleshooting Extras Web interface DoH provider Issues DoH with Dnsmasq and https-dns-proxy This article relies on the following: Accessing web interface / command-line interface Managing configs / packages / services / logs Introduction This how-to describes the method for setting up DNS over HTTPS on OpenWrt. It relies on Dnsmasq and https-dns-proxy for masking DNS traffic as HTTPS traffic. Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic. Goals Encrypt your DNS traffic improving security and privacy. Prevent DNS leaks and DNS hijacking. Bypass regional restrictions using public DNS providers. Escape DNS-based content filters and internet censorship. Command-line instructions Install the required packages. DNS encryption should be enabled automatically. # Install packages opkg update opkg install https-dns-proxy LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic. Testing Verify domain name resolution with nslookup. nslookup openwrt.org localhost Check your DNS provider and test DNSSEC validation. https://dnsleaktest.com/ https://dnssec-tools.org/test/ Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e https-dns; netstat -l -n -p | grep -e https-dns # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a https-dns head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show dhcp; uci show https-dns-proxy Extras Web interface If you want to manage the settings using web interface. Install the necessary packages. # Install packages opkg update opkg install luci-app-https-dns-proxy /etc/init.d/rpcd restart Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq. Navigate to LuCI → Services → HTTPS DNS Proxy to configure https-dns-proxy. DoH provider https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it to Google DNS or any other DoH provider. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance. # Configure DoH provider while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done uci set https-dns-proxy.dns="https-dns-proxy" uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4" uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query" uci set https-dns-proxy.dns.listen_addr="127.0.0.1" uci set https-dns-proxy.dns.listen_port="5053" uci commit https-dns-proxy /etc/init.d/https-dns-proxy restart Issues If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI. Put your private DNS-over-HTTPS resolver endpoint (found in “Setup” in your NextDNS configuration page) into option resolver_url which is in /etc/config/https-dns-proxy. LuCI will now erroneously show the wrong resolver in Instances because it doesn't recognize your private resolver. If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again. This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2023/01/16 23:30by vgaetera