OpenWrt Project

User Tools

Site Tools

You are here: Welcome to the OpenWrt Project » Documentation » User guide » Additional Services » DNS (aka Domain Name System) » DNS over HTTPS with Dnsmasq and https-dns-proxy
en
 ?

Sidebar

docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy

Table of Contents

DNS over HTTPS with Dnsmasq and https-dns-proxy

This article relies on the following:

Introduction

Goals

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Instructions

Install the packages and DNS encryption should be configured automatically. 

# Install packages
opkg update
opkg install dnsmasq https-dns-proxy

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.

Testing

Verify that domain name resolution works. 

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Troubleshooting

Collect and analyze the following information. 

# Restart the services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e https-dns-proxy; netstat -l -n -p | grep -e https-dns
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a https-dns-proxy
 
# Persistent configuration
uci show dhcp; uci show https-dns-proxy

Extras

Web interface

Install the necessary packages if you want to manage the settings via web interface. 

# Install packages
opkg update
opkg install luci-app-https-dns-proxy
  • Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.
  • Navigate to LuCI → Services → HTTPS DNS Proxy to configure https-dns-proxy.

DoH provider

https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it Google DNS or any other DoH provider. Make sure the provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance. 

# Configure DoH provider
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4"
uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query"
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

Local system

Configure Dnsmasq as a primary resolver for local system. Bypass DNS encryption for NTP provider to avoid deadlock state when system time is not synchronized. Beware of race condition with Adblock service. 

# Enforce DNS encryption for local system
uci set dhcp.@dnsmasq[0].localuse="1"
 
# Fetch DNS provider
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
network_get_dnsserver NET_DNS "${NET_IF}"
network_get_dnsserver NET_DNS6 "${NET_IF6}"
 
# Bypass DNS encryption for NTP provider
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read -r NTP_DOMAIN
do
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS%% *}"
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS6%% *}"
done
uci commit dhcp
/etc/init.d/dnsmasq restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy.txt · Last modified: 2020/06/16 07:02 by vgaetera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki