Best way to configure quad9 in OpenWrt

Hi
I wanted to configure DNS encryption with quad9, but since I generally have little idea about router settings, I ran into unexpected options. I did read some recommendations on how to configure quad9 using unbound, but also found somewhere that OpenWrt actually doesn't seem to need unbound for that. At the same time, unbound for OpenWrt is available (and I currently have it installed). So what is the best/correct method? It would be ideal if someone could add a step-by-step guide so I won't screw it up.
Thanks

How about using DNS HTTPS Proxy? Install it from LuCI and you can configure it there to have Quad9 resolve your encrypted DNS queries.


Is it somehow better or easier than unbound?
Quad9's official setup guide for LuCI https://www.quad9.com/support/set-up-guides/setup-openwrt-luci/ suggests that you just put 9.9.9.9 and 149.112.112.112 into the DNS forwardings field. The problem is: this does not work!
When I then test quad9 in my browser it says clearly "You are NOT using quad9"
Has anyone succeeded in using Quad9 in OpenWrt?

I would guess that you also still need to tell dnsmasq to ignore the DNS servers your ISP offers?

Have you disabled DoH in your browser, and DoT (or DoH) on your OS?

I did test it with Chrome's secure DNS setting off, with the same result.

Have a look here:

# Configure DNS provider
uci -q delete network.wan.dns
uci add_list network.wan.dns="8.8.8.8"
uci add_list network.wan.dns="8.8.4.4"
 
# Configure IPv6 DNS provider
uci -q delete network.wan6.dns
uci add_list network.wan6.dns="2001:4860:4860::8888"
uci add_list network.wan6.dns="2001:4860:4860::8844"
 
# Disable peer DNS
uci set network.wan.peerdns="0"
uci set network.wan6.peerdns="0"
 
# Save and apply
uci commit network
/etc/init.d/network restart

Peer DNS options

  • Keep peer DNS enabled to improve your DNS fault tolerance.

  • Disable peer DNS to prevent DNS leaks if you have configured a VPN connection on OpenWrt.

  • Disable peer DNS to actually change your DNS provider and receive more predictable DNS replies.


That's only half of things you were supposed to check/disable.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns might need to be implemented, too.


At this point, as I understand (if not, somebody can correct me) the only way to implement DNScrypt in OpenWrt is to use unbound. So even if I eventually succeed in pointing luci to quad9 DNS it is still just half of the solution.

If somebody can point me to how to properly set up unbound in OpenWrt to quad9 would be great!
Thanks

What is the actual goal of... whatever you're trying to do?

All I wanted to note is that unless you set peerdns to 0 in dnsmasq you will get both your self-added DNS servers as well as the ones your ISP supplies. But even if you switch dnsmasq to only ever query 9.9.9.9, I am not sure whether a DNS test would notice that, as the browser will likely use your router as its DNS source, so it will not use 9.9.9.9 as the address.

That said, I am out of my league here, as I use knot/kres as a non-forwarding resolver (I like my ISP, but I prefer not having to rely on their DNS servers), so I have little information.

?
If you're just trying to force all devices to use your router for DNS,
You can take a look at the following tutorial: DNS hijacking

Well... obviously the goal is maximum security. DNS is the only thing that is not yet encrypted on today's internet. Quad9 is, to my knowledge, the only secure option yet to prevent data collection and man-in-the-middle attacks. Modern browsers do use DoH, but this is not DNSCrypt. In reality, it would also be easier if all the devices on my network automatically used a secure DNS query.
I am very reluctant to make security changes unless I am absolutely sure of what I am doing. The result can very easily be like a monkey with a microscope. So I need someone who actually knows how to set up unbound in OpenWrt.

Since you're ok with HTTPS in general, perhaps https-dns-proxy would be good enough for you?
It's a lot easier to set up, too.

DNScrypt is clearly the best solution, and I'm at least trying to find ways to achieve it. I don't know why the OpenWrt Wiki doesn't have an unbound setup guide. The last option is DNSCrypt with Dnsmasq and dnscrypt-proxy, but unbound should actually be easier if done right.
Thanks

Why? How is it better than DNS-over-HTTPS (or more precisely, why/how do you think it is better)?


Then I guess you've enabled it for all your web traffic too?

Hi, have you checked this guide?

DNS can be a complex topic; just be aware of the following:

  • It was already mentioned, but let me emphasize: modern browsers, mobile devices and apps may use their own DNS provider, so configuring a secure DNS solution on your OpenWrt router is not enough. You should force your clients to use your secure OpenWrt resolver -> see DNS hijacking.
  • Secure DNS requires an accurate system time, hence access to an NTP server is a must. If you set up secure DNS you have a chicken-and-egg problem, so NTP should be an exception to your secure DNS config and should use a traditional DNS solution.
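The posts above add up to a checklist (ISP servers out of dnsmasq's upstream set, only Quad9 left, LAN port 53 redirected to the router, NTP not depending on the encrypted resolver). The script below is an added example, not code from this thread or from the OpenWrt wiki: it audits a `uci export` dump offline against that checklist. It assumes the https-dns-proxy option names `resolver_url`, `bootstrap_dns`, `listen_addr` and `listen_port`, that Quad9's DoH endpoints live under `dns*.quad9.net`, and that the port-53 intercept has the shape of the intercept_dns wiki rule (src lan, src_dport 53, target DNAT). The two dumps it checks are constructed for the example; `192.0.2.123` is a placeholder NTP address, not a real server.

```shell
#!/bin/sh
# Offline audit of a `uci export` dump for the points raised in this thread:
# no ISP servers in dnsmasq's upstream set (peerdns=0 on wan/wan6, or noresolv=1),
# Quad9 as the only remaining upstream (9.9.9.9 / 149.112.112.112 directly, or a
# local https-dns-proxy whose resolver_url is Quad9's), LAN port 53 redirected to
# the router, and a warning for NTP servers that need DNS before the clock is set.
# Both dumps below are constructed for this example, not taken from a real router.

# audit_dump FILE: prints LEAK:/MISSING:/WARN: lines; returns 0 only when clean.
audit_dump() {
    awk -v q="'" -v want='9.9.9.9 149.112.112.112' '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1
            cnt["redirect"] = 0; cnt["https-dns-proxy"] = 0; bad = 0 }
    { gsub(q, "") }                                  # drop the quotes uci export adds
    $1 == "config" { type = $2; name = $3
                     if (type == "interface") iface[name] = 1
                     if (type in cnt) cnt[type]++
                     next }
    type == "interface" && $2 == "peerdns"  { peer[name] = $3 }
    type == "interface" && $2 == "dns"      { idns[name] = idns[name] " " $3 }
    type == "dnsmasq"   && $2 == "noresolv" { noresolv = $3 }
    type == "dnsmasq"   && $2 == "server"   { up[$3] = 1 }   # explicit forwardings
    type == "redirect"  && $1 == "option"   { redir[cnt[type], $2] = $3 }
    type == "https-dns-proxy" && $1 == "option" { doh[cnt[type], $2] = $3 }
    type == "timeserver" && $2 == "server"  { ntp[$3] = 1 }
    END {
        # a local https-dns-proxy instance pointed at Quad9 is an acceptable upstream
        # (listen_addr/listen_port are assumed to be set explicitly, as the shipped config does)
        for (p = 1; p <= cnt["https-dns-proxy"]; p++)
            if (doh[p, "resolver_url"] ~ /^https:\/\/dns[0-9]*\.quad9\.net\//)
                ok[doh[p, "listen_addr"] "#" doh[p, "listen_port"]] = 1
        if (noresolv != "1")                 # dnsmasq also reads resolv.conf.auto ...
            for (i in iface) if (i == "wan" || i == "wan6") {
                if (peer[i] != "0") {        # ... which holds whatever the ISP handed out
                    print "LEAK: ISP servers learned on " i " are used (peerdns not 0, noresolv not 1)"; bad = 1 }
                k = split(idns[i], d, " "); for (j = 1; j <= k; j++) up[d[j]] = 1
            }
        for (s in up) { if (s in ok) any = 1; else { print "LEAK: unexpected upstream " s; bad = 1 } }
        if (!any) { print "MISSING: no Quad9 upstream at all"; bad = 1 }
        for (r = 1; r <= cnt["redirect"]; r++)
            if (redir[r, "src"] == "lan" && redir[r, "src_dport"] == "53" && redir[r, "target"] == "DNAT") hijack = 1
        if (!hijack) { print "LEAK: LAN port 53 is not redirected to the router, clients can bypass it"; bad = 1 }
        for (s in ntp) if (s !~ /^[0-9.]+$/ && s !~ /^[0-9a-fA-F:]+$/)
            print "WARN: NTP server " s " needs DNS before the clock can be set"
        exit bad
    }' "$1"
}

TMP=$(mktemp -d)
# Constructed: the LuCI guide followed literally, peerdns left at its default.
cat > "$TMP/leaky.txt" <<'EOF'
package network
config interface 'wan'
config interface 'wan6'
package dhcp
config dnsmasq
  list server '9.9.9.9'
  list server '149.112.112.112'
package system
config timeserver 'ntp'
  list server '0.openwrt.pool.ntp.org'
EOF
# Constructed: https-dns-proxy to Quad9, ISP DNS ignored, LAN port 53 intercepted
# (rule shape from the intercept_dns wiki page), NTP by IP (192.0.2.123 is a placeholder).
cat > "$TMP/hardened.txt" <<'EOF'
package network
config interface 'wan'
  option peerdns '0'
config interface 'wan6'
  option peerdns '0'
package dhcp
config dnsmasq
  option noresolv '1'
  list server '127.0.0.1#5053'
package https-dns-proxy
config https-dns-proxy
  option bootstrap_dns '9.9.9.9,149.112.112.112'
  option resolver_url 'https://dns.quad9.net/dns-query'
  option listen_addr '127.0.0.1'
  option listen_port '5053'
package firewall
config redirect 'dns_int'
  option proto 'tcp udp'
  option src 'lan'
  option src_dport '53'
  option target 'DNAT'
package system
config timeserver 'ntp'
  list server '192.0.2.123'
EOF

for f in leaky hardened; do
    echo "== $f =="; if audit_dump "$TMP/$f.txt"; then echo "=> clean"; else echo "=> needs work"; fi
done
```

On a router, `uci export > /tmp/uci.txt` and then `audit_dump /tmp/uci.txt` checks the real configuration. The wiki-style setup quoted earlier (peerdns 0 plus Quad9 in `list dns` on wan, no `noresolv`) passes as well, because dnsmasq then only sees Quad9 in resolv.conf.auto. The script reads configuration, not runtime state, so it cannot see a client that brings its own DoH, and it does not prove the path is encrypted: plain forwarding to 9.9.9.9 is still cleartext port 53 to Quad9, only the https-dns-proxy variant is encrypted. Finish with a lookup from a LAN client, as the thread already suggests.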

" Navigate to Resolv and Hosts Files sub-tab, and make sure Ignore resolv file is Enabled"

I've used this successfully.