DoH with Dnsmasq and https-dns-proxy

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Install the required packages. DNS encryption should be enabled automatically.

# Install packages
opkg update
opkg install https-dns-proxy

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.

Use nslookup to verify that domain name resolution works.

nslookup openwrt.ifw.cn localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e https-dns; netstat -l -n -p | grep -e https-dns
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a https-dns
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show dhcp; uci show https-dns-proxy

If you want to manage the settings using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-app-https-dns-proxy
/etc/init.d/rpcd restart
  • Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.
  • Navigate to LuCI → Services → HTTPS DNS Proxy to configure https-dns-proxy.

https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. You can change it to Google DNS or any other DoH provider. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.

# Configure DoH provider
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4"
uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query"
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI.

Put your private DNS-over-HTTPS resolver endpoint (found in “Setup” in your NextDNS configuration page) into option resolver_url which is in /etc/config/https-dns-proxy.

LuCI will now erroneously show the wrong resolver in Instances because it doesn't recognize your private resolver.

If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/09/15 14:01
  • by account4538