Encrypted dns queries

DNS query encryption for OpenWRT

While we are on the DNS topic, I couldn’t help noticing that those queries can be encrypted today as well. The DNS over HTTPS (DoH) standard was accepted just a few days ago, DNS over TLS (DoT) a bit earlier. Both standards encrypt DNS queries so that their content cannot be seen from outside, but in addition DoH also makes DNS queries look like any other HTTPS traffic. There is a Wikipedia page listing public providers that already support those standards. Cloudflare is among them, so now I just need to check whether there is an easy way to add it to OpenWRT.

I found this, this and this. Combining them, I did the following:

opkg install stubby
opkg install ca-certificates

Edit /etc/config/dhcp. In the ‘config dnsmasq’ section, make sure the (DNS) server points at stubby (i.e. localhost):

list server '127.0.0.1#5453'
# resolve the NTP pool directly (in plaintext) so the clock can be set before any TLS certificate can be validated
list server '/pool.ntp.org/1.1.1.1'

There were instructions to modify /etc/stubby/stubby.yml, but mine was fine without any changes.

Then start and enable the services

killall dnsmasq
/etc/init.d/dnsmasq start
/etc/init.d/stubby start
/etc/init.d/stubby enable
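What stubby is doing on the router's behalf, as an added example that is not the post's own code: a minimal DNS-over-TLS client (RFC 7858) that builds a query, frames it for TLS on port 853, validates the resolver's certificate and parses the answer. The server address and certificate hostname are the Cloudflare values this post points at; the example is standalone and not tied to the OpenWRT packages.

```python
# Added example (not the post's own code): a minimal DNS-over-TLS client (RFC 7858) that
# does by hand what stubby does for dnsmasq. Server/hostname are the Cloudflare values.
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query in RFC 1035 wire format: one question, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_dot(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(message)) + message

def parse_a_records(response, txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    def skip_name(pos):  # a compression pointer (0xC0..) is 2 bytes, else walk the labels
        if response[pos] & 0xC0 == 0xC0:
            return pos + 2
        while response[pos]:
            pos += response[pos] + 1
        return pos + 1
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name, server="1.1.1.1", port=853, hostname="cloudflare-dns.com"):
    """One query over TLS on port 853. create_default_context() verifies the certificate
    chain and hostname, which is why the router needs ca-certificates and a correct clock."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        tls.sendall(frame_dot(build_query(name, txid=0x1234)))
        f = tls.makefile("rb")  # buffered reader: read(n) blocks until n bytes or EOF
        (length,) = struct.unpack("!H", f.read(2))
        return parse_a_records(f.read(length), 0x1234)
```

Running resolve_over_tls("example.com") on a host with a CA bundle and a correct clock returns the A records; on a router whose clock is still at the epoch the handshake fails with a certificate error, which is the bootstrap problem the plaintext pool.ntp.org entry in the dnsmasq config works around.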

Optionally, set your router to work as an NTP server for the LAN.
Edit /etc/config/system and set

config timeserver 'ntp'
option enabled '1'
option enable_server '1'
list server 'pool.ntp.org'

and add the following rule to the firewall through LuCI (Network | Firewall | Custom Rules), which redirects LAN clients' NTP requests (UDP port 123) to the router itself:
iptables -t nat -A PREROUTING -p udp --dport 123 -j REDIRECT --to-ports 123

The next thing would be to add DNSSEC to ensure that the DNS replies are authentic.

Update 2018-11-12: Related to the above, Cloudflare has also just released a mobile app that masks DNS queries.