• This guide describes how to configure OpenWrt to protect your DNS traffic.
• It utilizes DNS over TLS to provide DNS encryption.
• DNS encryption is limited to DNS traffic, use VPN to protect all traffic.

This method utilizes DoT via Unbound and focuses on performance and fault tolerance.

Encrypt both LAN client and local system DNS traffic. Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.

Use Unbound to encrypt DNS traffic. Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized.

# Install packages
opkg update
opkg install unbound ca-bundle
 
# Enable DNS encryption
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
forward-zone:
    name: "openwrt.pool.ntp.org."
    forward-addr: 2001:4860:4860::8888
    forward-addr: 2001:4860:4860::8844
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
EOF
service unbound restart

See also: DNS hijacking, Random generator

Collect and analyze the following information.

# Restart the services
service log restart; service unbound restart
 
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
 
# Runtime configuration
pgrep -f -a unbound
 
# Persistent configuration
uci show unbound
grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf