DNS over TLS is fully supported with UCI and LuCI starting with OpenWrt 19.07. You can manage zone recursion, zone forward, and zone transfer preferences in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers for example “youtube.com.” to “8.8.8.8” with or without TLS.

• README for Unbound 1.9.3 @ OpenWrt 19.07
• README for Unbound @ OpenWrt Snapshot

• This how-to describes the method for setting up DNS over TLS on OpenWrt.
• It relies on Unbound for performance and fault tolerance.
• Follow DNS encryption for alternative methods or use VPN to protect all traffic.

Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.

Use Unbound to encrypt both LAN client and local system DNS traffic.

# Install packages
opkg update
opkg install unbound ca-bundle

In 19.07 and later, configuring TLS via UCI in /etc/config/unbound is supported:

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option tls_upstream '1'
	option tls_index 'dns.google'
	list zone_name '.'
	list server '8.8.8.8'
	list server '8.8.4.4'
	list server '2001:4860:4860::8888'
	list server '2001:4860:4860::8844'

In 18.06 and earlier:

# Enable DNS encryption
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
EOF

/etc/init.d/unbound restart

Collect and analyze the following information.

# Restart the services
/etc/init.d/log restart; /etc/init.d/unbound restart
 
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
 
# Runtime configuration
pgrep -f -a unbound
 
# Persistent configuration
uci show unbound
grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf

Install the necessary packages if you want to manage the settings via web interface.

# Install packages
opkg update
opkg install luci-app-unbound

Navigate to LuCI → Services → Recursive DNS to configure Unbound.

Unbound was configured with Google DNS above. You can change it to CloudFlare, another DoT provider. Make sure selected provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.

In 19.07 and later, edit /etc/config/unbound:

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option tls_upstream '1'
	option tls_index 'cloudflare-dns.com'
	list zone_name '.'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'

In 18.06 and earlier:

# Configure DoT provider
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF

Then:

/etc/init.d/unbound restart

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of performance issues.

# Enforce DNSSEC validation
uci set unbound.@unbound[0].validator="1"
uci commit unbound
/etc/init.d/unbound restart

Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. No additional action is required by default.