DNS over TLS encrypts DNS queries so that no one between you and the DNS server you’re using (which, by default using these steps, will be Cloudflare’s 220.127.116.11) can tell what DNS queries and responses are being exchanged.
DNS over TLS provides confidentiality but not integrity or authenticity. For those, you need to set up DNSSEC, which I’ve described how to do on OpenWrt in another post.
By setting up DNS over TLS on your OpenWrt router, you protect your entire network: all clients will send DNS requests to your OpenWrt router’s DNS server, which in turn will use DNS over TLS to perform the actual resolution.
Setting up DNS over TLS using Stubby on OpenWrt 18.06 and 19.07 is remarkably easy. You can use the LuCI web interface to perform these steps or shell commands over SSH; I’m providing the commands here.
- Refresh the package list:
- Install the stubby package:

  ```sh
  opkg install stubby
  ```

- Start stubby:
- Set stubby to start automatically at boot:
- Use stubby as the DNS server by editing the dnsmasq configuration: in the `config dnsmasq` section, add (or change the values of, if these settings already exist) these settings:

  ```
  option noresolv '1'
  list server '127.0.0.1#5453'
  ```

- Restart dnsmasq so the changes take effect:
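Once the steps above are done, it is worth confirming that dnsmasq forwards every query to stubby and nothing else, since a single leftover `list server` entry pointing at another resolver would send those queries out in plaintext. The script below is an added example, not part of the original post or of the Stubby project; it assumes OpenWrt’s default dnsmasq settings file at /etc/config/dhcp, BusyBox netstat, and the 127.0.0.1#5453 listener configured above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that dnsmasq really
# forwards every query to stubby, so no plaintext DNS leaves the router.
# Assumes OpenWrt defaults: dnsmasq settings in /etc/config/dhcp, stubby
# listening on 127.0.0.1#5453 as configured above.

# Read a UCI dhcp config on stdin; succeed only if the 'config dnsmasq'
# section has noresolv '1' and every 'list server' entry is stubby.
# Any other server line means some queries would bypass DNS over TLS.
check_dnsmasq_forwarding() {
    section=$(awk '/^config dnsmasq/{f=1;next} /^config /{f=0} f')
    echo "$section" | grep -q "option noresolv '1'" || return 1
    servers=$(echo "$section" | grep 'list server' \
        | sed "s/.*list server '\([^']*\)'.*/\1/")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        [ "$s" = "127.0.0.1#5453" ] || return 1
    done
    return 0
}

# Constructed sample configs for offline testing of the check above:
# 'good' mirrors the post's settings, 'leaky' adds a plaintext upstream
# (192.0.2.53 is a documentation address, not a real resolver).
sample_config() {
    printf "config dnsmasq\n"
    printf "\toption domainneeded '1'\n"
    printf "\toption noresolv '1'\n"
    printf "\tlist server '127.0.0.1#5453'\n"
    if [ "$1" = "leaky" ]; then printf "\tlist server '192.0.2.53'\n"; fi
    printf "\nconfig dhcp 'lan'\n\toption interface 'lan'\n"
}

# Live checks; run on the router itself with: sh verify_dot.sh --live
verify_on_router() {
    if check_dnsmasq_forwarding < /etc/config/dhcp; then
        echo "OK: dnsmasq forwards only to stubby"
    else
        echo "WARNING: dnsmasq has an upstream other than stubby (plaintext DNS leak)"
    fi
    # forwarding to 127.0.0.1#5453 is useless if nothing listens there
    if netstat -ln 2>/dev/null | grep -q '127.0.0.1:5453'; then
        echo "OK: stubby is listening on 127.0.0.1:5453"
    else
        echo "WARNING: nothing is listening on 127.0.0.1:5453"
    fi
}

if [ "${1:-}" = "--live" ]; then verify_on_router; fi
```

Run without arguments the script only defines the functions; with `--live` on the router it reports each check as OK or WARNING.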
If you’d rather use a different DNS over TLS server than Cloudflare’s 18.104.22.168, edit
Now you can rest assured that your DNS queries can’t be seen by third parties.