
DNS Over TLS on OpenWrt 18.06

DNS over TLS encrypts DNS queries so that no one between you and the DNS server you’re using (which, by default using these steps, will be Cloudflare’s) can tell what DNS queries and responses are being exchanged.

DNS over TLS provides confidentiality but not integrity or authenticity. For those, you need to set up DNSSEC, which I’ve described how to do on OpenWrt in another post.

By setting up DNS over TLS on your OpenWrt router, you protect your entire network as all clients will perform DNS requests using your OpenWrt router’s DNS server which in turn will use DNS over TLS to perform the actual resolution.

Setting up DNS over TLS using Stubby on OpenWrt 18.06 is remarkably easy. You can use the LuCI web interface to perform these steps or shell commands over ssh; I’m providing the commands here.

  1. Refresh the package list: opkg update
  2. Install the ca-certificates package (necessary for stubby to verify the certificate of the DNS server): opkg install ca-certificates (this step shouldn’t be necessary; ca-certificates should be a dependency of stubby. See this issue in OpenWrt.)
  3. Install the stubby package: opkg install stubby
  4. Start stubby: /etc/init.d/stubby start
  5. Set stubby to start automatically at boot: /etc/init.d/stubby enable
  6. Use stubby as the DNS server by editing /etc/config/dhcp
    In the config dnsmasq section, add (or change the values of, if these settings already exist) these settings:

    • option noresolv '1'
    • list server ''
  7. Restart dnsmasq so the changes take effect: /etc/init.d/dnsmasq restart

If you'd rather use a different DNS over TLS server than Cloudflare's, edit /etc/stubby/stubby.yml.
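The seven steps above and the stubby.yml edit for a non-default server, collected into one script as an added example (this is not code from the original post or from the stubby or OpenWrt projects). It uses uci rather than a text editor for /etc/config/dhcp and adds the checks a practitioner would run afterwards. One assumption is labelled in the code: the OpenWrt stubby package listens on 127.0.0.1 port 5453 by default, so that is the address handed to dnsmasq; the hostnames and addresses in the upstream stanza are placeholders for you to fill in.

```shell
#!/bin/sh
# Added example, not code from the original post: the seven steps above as one
# script (using uci instead of editing /etc/config/dhcp by hand), a stubby.yml
# upstream stanza for a non-default DoT server, and a check of the result.
# Assumption: the OpenWrt stubby package listens on 127.0.0.1, port 5453 (its
# packaged default); if /etc/stubby/stubby.yml lists another listen_addresses
# entry, change STUBBY_ADDR to match.

STUBBY_ADDR="127.0.0.1#5453"     # dnsmasq 'server' syntax: address#port

# Steps 1-5: packages and service.  ca-certificates is what lets stubby
# verify the DoT server's certificate; without it the TLS session is
# unauthenticated.
install_stubby() {
    opkg update
    opkg install ca-certificates stubby
    /etc/init.d/stubby start
    /etc/init.d/stubby enable
}

# Steps 6-7: make stubby the only upstream of dnsmasq.  noresolv='1' stops
# dnsmasq from also using the ISP resolvers in /etc/resolv.conf over plain
# DNS, which would silently bypass DoT.
configure_dnsmasq() {
    uci set dhcp.@dnsmasq[0].noresolv='1'
    uci -q delete dhcp.@dnsmasq[0].server
    uci add_list dhcp.@dnsmasq[0].server="$STUBBY_ADDR"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Optional: a different DoT server in /etc/stubby/stubby.yml.  Angle-bracket
# values are placeholders.  Keep tls_authentication REQUIRED and give the
# server's tls_auth_name; otherwise stubby does not verify who it talks to.
write_upstream_stanza() {
    cat <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  - address_data: <resolver IPv4 address>
    tls_auth_name: "<hostname on the resolver's certificate>"
EOF
}

# Check a dhcp config file (default /etc/config/dhcp): returns 0 only if the
# 'config dnsmasq' section carries both settings.  Text-only, so it also runs
# off the router against a copied file.
dot_config_ok() {
    cfg="${1:-/etc/config/dhcp}"
    # keep only the lines of the dnsmasq section
    section=$(awk '/^config dnsmasq/{f=1;next} /^config /{f=0} f' "$cfg")
    printf '%s\n' "$section" | grep -qF "option noresolv '1'" || return 1
    printf '%s\n' "$section" | grep -qF "list server '$STUBBY_ADDR'" || return 1
    return 0
}

# Live check on the router: stubby listening, and dnsmasq answering.
dot_live_ok() {
    netstat -ln 2>/dev/null | grep -q "127.0.0.1:5453" || return 1
    nslookup example.com 127.0.0.1 >/dev/null 2>&1 || return 1
    return 0
}

if [ "${1:-}" = "apply" ]; then
    install_stubby
    configure_dnsmasq
    dot_config_ok && dot_live_ok && echo "DNS over TLS via stubby is active"
fi
```

Run it on the router as `sh dot-setup.sh apply`. To confirm that no plaintext DNS leaves the WAN afterwards, `tcpdump -ni <wan interface> port 53` (the tcpdump package) should stay quiet while port 853 carries the traffic.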

Now you can rest assured that your DNS queries can't be seen by third parties.

CC BY-SA 4.0 DNS Over TLS on OpenWrt 18.06 by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

  1. September 25th, 2018 at 04:47 | #1
    In OpenWRT 18.06.1, the default configuration file is /etc/stubby/stubby.yml
  2. October 26th, 2018 at 16:21 | #3
    When using openwrt-adblock with “DNS Backend”: dnsmasq, does it (adblock) remain functional?
    • October 30th, 2018 at 14:30 | #4
      I believe so – I don’t see why it wouldn’t. However, I don’t use that approach so I can’t say for sure. If you do, can you report back with the results?
  3. October 31st, 2018 at 14:05 | #5
    Thanks for the very useful info, Craig.

    I’m not a networking genius, but I’ve successfully installed stubby on several standalone workstations, but when I try to (follow all the instructions here, and) restart dnsmasq, I get:

    udhcpc: started, v1.28.3
    udhcpc: sending discover
    udhcpc: no lease, failing

    … and the router fails to offer any working connections to hosts. Any hints on where I might have gone wrong?

    Thanks again.
