DoT with Unbound

• This how-to describes the method for setting up DNS over TLS on OpenWrt.
• It relies on Unbound for performance and fault tolerance.
• Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.

Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.

Install the required packages. Enable DNS encryption.

# Install packages
opkg update
opkg install unbound-daemon
 
# Enable DNS encryption
uci set unbound.fwd_google.enabled="1"
uci set unbound.fwd_google.fallback="0"
uci commit unbound
/etc/init.d/unbound restart

LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/unbound restart
 
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
 
# Runtime configuration
pgrep -f -a unbound
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show unbound

If you want to manage the settings using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-app-unbound
/etc/init.d/rpcd restart

Navigate to LuCI → Services → Recursive DNS to configure Unbound.

Unbound is configured with Google DNS. You can change it to Cloudflare DNS or any other DoT provider including your own DoT server with Nginx. Make sure the resolvers support DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.

# Configure DoT provider
uci set unbound.fwd_google.enabled="0"
uci set unbound.fwd_cloudflare.enabled="1"
uci set unbound.fwd_cloudflare.fallback="0"
uci commit unbound
/etc/init.d/unbound restart

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues.

# Enforce DNSSEC validation
uci set unbound.@unbound[0].validator="1"
uci commit unbound
/etc/init.d/unbound restart