DoH/DoH3, DoT, DoQ and DNSCrypt with Dnsmasq and dnsproxy
Introduction
- This how-to describes the method for setting up DNS over HTTPS, DNS over HTTP/3, DNS over TLS, DNS over QUIC and DNSCrypt on OpenWrt.
- Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.
Goals
- Encrypt your DNS traffic improving security and privacy.
- Prevent DNS leaks and DNS hijacking.
- Bypass regional restrictions using public DNS providers.
- Escape DNS-based content filters and internet censorship.
Command-line instructions
1. Install the required packages:
opkg update
opkg install dnsproxy
2. Enable DNS encryption:
# Configure dnsmasq service dnsmasq stop uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].cachesize="10000" uci set dhcp.@dnsmasq[0].min_cache_ttl="3600" uci set dhcp.@dnsmasq[0].max_cache_ttl="86400" uci -q del dhcp.@dnsmasq[0].server uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5354" uci add_list dhcp.@dnsmasq[0].server="::1#5354" uci commit dhcp service dnsmasq start # Configure dnsproxy uci set dnsproxy.global.enabled="1" uci del dnsproxy.global.listen_port uci add_list dnsproxy.global.listen_port="5354" uci set dnsproxy.cache.enabled="0" # "1" to enable (Enable this ONLY if you want to test "cache_optimistic" option) uci set dnsproxy.cache.cache_optimistic="1" uci set dnsproxy.cache.size="2097152" # Equal to 2 MB (in binary) uci del dnsproxy.servers.bootstrap uci add_list dnsproxy.servers.bootstrap="8.8.8.8" uci add_list dnsproxy.servers.bootstrap="tcp://8.8.8.8" uci commit dnsproxy service dnsproxy restart
3. It is recommended to increase the maximum buffer size: UDP Buffer Sizes
cat << "EOF" > /etc/sysctl.d/12-buffer-size.conf net.core.rmem_max=7500000 net.core.wmem_max=7500000 EOF sysctl -p /etc/sysctl.d/12-buffer-size.conf
4. Ensure NTP (Network Time Protocol) can work without DNS:
uci del system.ntp.server uci add_list system.ntp.server="216.239.35.0" # time.google.com uci add_list system.ntp.server="216.239.35.4" # time.google.com uci add_list system.ntp.server="216.239.35.8" # time.google.com uci add_list system.ntp.server="216.239.35.12" # time.google.com uci add_list system.ntp.server="162.159.200.123" # time.cloudflare.com uci add_list system.ntp.server="162.159.200.1" # time.cloudflare.com uci commit system service system restart
5. Optional: DNS hijacking: Configure firewall to intercept DNS traffic:
# Intercept DNS traffic uci -q del firewall.dns_int uci set firewall.dns_int="redirect" uci set firewall.dns_int.name="Intercept-DNS" uci set firewall.dns_int.family="any" uci set firewall.dns_int.proto="tcp udp" uci set firewall.dns_int.src="lan" uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.target="DNAT" uci commit firewall service firewall restart
LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to dnsproxy which encrypts DNS traffic.
For documents, please see:
Testing
Verify domain name resolution with nslookup:
nslookup openwrt.org localhost
To check your DNS provider, you can use:
DNS Leak Test and DNSSEC Test:
Alternative test via CLI: * check connection to Quad9 DNS (it require to use Quad9 DNS servers):
dig +short txt proto.on.quad9.net. # should print: doh. or dot.
* check connection to NextDNS (it require to use NextDNS DNS servers):
curl -SL https://test.nextdns.io/
{
"status": "ok",
"protocol": "DOT",
"profile": "SOMEPROFILE",
"client": "80.XXX.XXX.XXX",
"srcIP": "80.XXX.XXX.XXX",
"destIP": "XX.XX.28.0",
"anycast": true,
"server": "zepto-ber-1",
"clientName": "unknown-dot"
}
Troubleshooting
Collect and analyze the following information.
# Set verbose mode uci set dnsproxy.global.verbose="1"; uci commit dnsproxy # Restart services service log restart; service dnsmasq restart; service dnsproxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsproxy; netstat -l -n -p | grep -e dnsproxy # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a dnsproxy head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show dhcp; uci show dnsproxy
Extras
Configure DNS provider
dnsproxy is configured with Cloudflare DNS by default. You can change it to Google DNS or any other Known DNS Providers or DNS Stamp used for DNSCrypt. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.
Example with "AdGuard DNS (Default)" # DNS over HTTPS (DoH) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="https://dns.adguard-dns.com/dns-query" uci commit dnsproxy service dnsproxy restart # DNS over HTTP/3 (DoH3) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="h3://dns.adguard-dns.com/dns-query" uci commit dnsproxy service dnsproxy restart # DNS over TLS (DoT) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="tls://dns.adguard-dns.com" uci commit dnsproxy service dnsproxy restart # DNS over QUIC (DoQ) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="quic://dns.adguard-dns.com" uci commit dnsproxy service dnsproxy restart # DNSCrypt ("DNS Stamp" of AdGuard DNS) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20" uci commit dnsproxy service dnsproxy restart # DNS over HTTPS ("DNS Stamp" of AdGuard DNS) uci del dnsproxy.servers.upstream uci add_list dnsproxy.servers.upstream="sdns://AgMAAAAAAAAADDk0LjE0MC4xNS4xNSCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQw5NC4xNDAuMTUuMTUKL2Rucy1xdWVyeQ" uci commit dnsproxy service dnsproxy restart
Web interface
If you want to manage the settings using web interface. Install the necessary packages. The package is not officially in OpenWrt, you need to download the package, upload and install it through the Luci interface (System → Software → Upload Package...):
Navigate to LuCI → Services → DNS Proxy to configure.
Note: I hope someone wants to become the maintainer of “luci-app-dnsproxy” package and make it an official OpenWrt package.