DoH with Dnsmasq and https-dns-proxy
Introduction
- This how-to describes the method for setting up DNS over HTTPS on OpenWrt.
- It relies on Dnsmasq and https-dns-proxy for masking DNS traffic as HTTPS traffic.
- Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.
Goals
- Encrypt your DNS traffic improving security and privacy.
- Prevent DNS leaks and DNS hijacking.
- Bypass regional restrictions using public DNS providers.
- Escape DNS-based content filters and internet censorship.
Command-line instructions
Install the required packages. DNS encryption should be enabled automatically.
# Install packages opkg update opkg install https-dns-proxy
LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
Testing
Verify domain name resolution with nslookup:
nslookup openwrt.org localhost
To check your DNS provider, you can use:
DNS Leak Test and DNSSEC Test:
Alternative test via CLI: * check connection to Quad9 DNS (it require to use Quad9 DNS servers):
dig +short txt proto.on.quad9.net. # should print: doh. or dot.
* check connection to NextDNS (it require to use NextDNS DNS servers):
curl -SL https://test.nextdns.io/ { "status": "ok", "protocol": "DOT", "profile": "SOMEPROFILE", "client": "80.XXX.XXX.XXX", "srcIP": "80.XXX.XXX.XXX", "destIP": "XX.XX.28.0", "anycast": true, "server": "zepto-ber-1", "clientName": "unknown-dot" }
Troubleshooting
Collect and analyze the following information.
# Restart services service log restart; service dnsmasq restart; service https-dns-proxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e https-dns; netstat -l -n -p | grep -e https-dns # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a https-dns head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show dhcp; uci show https-dns-proxy
"Private DNS server cannot be accessed" on Android
When using a custom DNS server on your Android device in combination with https-dns-proxy on your router, you may be unable to connect to the Internet, resulting in an error message that reads: “Private DNS server cannot be accessed”. This is due to DNS forcing being enabled by default.
In order to fix this, run the following commands in an SSH session:
uci delete https-dns-proxy.config.force_dns uci set https-dns-proxy.config.force_dns='0' uci commit https-dns-proxy service https-dns-proxy restart
Or, if you have the web interface installed, you can go to LuCI → Services → HTTPS DNS Proxy and change the “Force Router DNS” value to “Let local devices use their own DNS servers if set”. Then press “Save & Apply”.
Extras
Web interface
If you want to manage the settings using web interface. Install the necessary packages.
# Install packages opkg update opkg install luci-app-https-dns-proxy service rpcd restart
- Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.
- Navigate to LuCI → Services → HTTPS DNS Proxy to configure https-dns-proxy.
DoH provider
https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it to Google DNS or any other DoH provider. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.
# Configure DoH provider while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done uci set https-dns-proxy.dns="https-dns-proxy" uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4" uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query" uci set https-dns-proxy.dns.listen_addr="127.0.0.1" uci set https-dns-proxy.dns.listen_port="5053" uci commit https-dns-proxy service https-dns-proxy restart