DNS privacy: where are we today? 12 dec 2018

Hi There,

I would like to have DNS privacy. What I think I understand is that today DNS over TLS is the way to go because DNS over HTTPS isn’t standardised yet.

I found several howtos and, granted, I don’t hold an engineer’s title, but I can perform most tasks needed. In my younger years I compiled my own Linux kernel. A self-educated man, so to speak.

What I lack in most howtos is an explanation of why this or that path is chosen.

I started with dnscrypt more than a year ago, but then for some reason my router, a DIR-860B1, didn’t work anymore. The network failed. There was nothing wrong with the router, so I started a search on the internet and this time I stumbled over this article.

https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ I applied it at the beginning of this year and it was happily working.
Some days ago I upgraded to 18.06.1 and found that I didn’t have any internet. I can’t quite recall if it was immediately after applying unbound or not.

So I searched again and found the original website but also more, and now I’m lost.
I found solutions where they were using unbound, some using unbound and stubby, and other combinations. Directnupe seems to experiment and knows a lot about this, but when he writes a guide I find it hard to follow. He also seems to jump all over the place, which makes it hard to follow for me (why is he talking about expanding memory?).
I also find warnings about openssl not being 1.1, which is therefore a problem for unbound.

https://blog.cloudflare.com/dns-over-tls-for-openwrt/ 09 Apr 2018

https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ 24 jan 2018

https://forum.openwrt.org/t/adding-dns-over-tls-support-to-openwrt-lede-with-unbound/13765 23 apr 2018

[Tutorial] DNS-over-TLS with dnsmasq and stubby (no need for unbound) 9 aug 2018

What I found for me is that it is intimidating to read all these guides and pick the best one.
The best one for me is the one that:

  • Stays closest to the original OpenWrt installation

  • Has fewer components

  • Follows standard protocols

  • Doesn’t need regular intervention or as few as possible

  • Informs me that certificates or other components need attention

  • Has a simple failover way in case the DNS breaks

  • Performs reasonably well

  • How big is the cache of the resolver? Where is it? Can I alter it?

I would very much appreciate the community’s help in this quest and hope that the OpenWrt dev guys see this question as a point where more guidance is needed in their vast documentation.

Kind Regards
Guy F


Quite a few walk-throughs of various approaches can be found here through search



Hi Jeff
Is there any particular reason DNS over TLS is preferred to DNScrypt? I tried it on a Windows machine a long time ago. Now I discovered that some servers are managed by Cisco too (together with OpenDNS), which should guarantee long-term support? Or am I wrong? Just trying to understand the landscape, given that the expensive Norton Core secure router doesn’t mention anything about DNS traffic privacy security.


Hi Jeff, thanks for pointing that out, my question remains.
If I see how few steps I need in Torsten’s approach and how many steps I need in the 28 oct approach from directnupe, one can ask: why is this approach chosen over the other one?

My take on it is that there are many competing approaches in varying states of deployment and standardization for encrypted channels for DNS. The suppliers of "secure" DNS, "transport-secure" DNS, and "privacy-enhanced" DNS (three different things) may select one or more of the transports.

Each user should pick one that meets their own needs, desires, and technical skills (which includes the option of "none, just use plain DNS over UDP"). There is no "best" that I know of, and what is "better" today is likely to be different in a few months or years.

One good source of information is

Okay, let's say I want to be sure there's no middleman. Then I need a solution with DNSSEC. If I want to encrypt my DNS requests I would use DNS over TLS or over HTTPS. I think I fall in your first category, right? Is there a preferred OpenWrt way?
I found a comparison list https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software where Stubby isn't even mentioned.
On the site they mention using Stubby together with unbound to have the best of both worlds.
Thanks again for clarifying, though it's still difficult to see which of the 2 will mature the fastest.

I don't expect that whatever I implement today will be a "forever" solution.

Many times, Wikipedia lags behind what is happening on the ground, especially when technology and practice is evolving quickly. The DNS Privacy link, above, is probably more current.

With the caveat that I run DNS services under FreeBSD and not OpenWrt, and that I have used unbound for many years in a non-trivial configuration, my personal preference would be stubby and unbound -- this week :wink:

Dear Forssux,
Hello and Season's Greetings - I hope that all is well with you. I am directnupe the gentleman that has posted many of the tutorials you refer to.
I will try to help you out as much as I can. If I were you - I would start out with this tutorial as it is fairly simple and straightforward. Hopefully you are fairly comfortable and proficient with command line SSH. The guide I suggest is this one entitled: OPENWRT STUBBY DNS OVER TLS USING DNSMASQ-FULL FOR DNSSEC & CACHING found here:
It is also posted in this forum; however, for whatever reason I cannot seem to get all the entries to be listed clearly. Editing errors appear which may lead to your not being able to understand and / or copy and paste the commands.
You may not have UNBOUND; however, you get DNSSEC and a cache using DNSMASQ-FULL in place of native DNSMASQ. The tutorial is well documented and should be easy enough for you to get up and running.
The reason STUBBY and GETDNS are preferred over UNBOUND alone is explained in my tutorials. I will repeat here from DNSPRIVACY DEVELOPERS - UNBOUND has limitations which are described here:
Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
However, STUBBY and GETDNS overcome these shortcomings - read here:
Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy. Stubby is developed by the getdns project. Stubby is essential - please read the following:
So - you really do not need UNBOUND - so check out the tutorial I suggested and let me know how it works out for you.
May God Bless You and Yours Always In Peace,


Guide for secured DNS for the next OpenWrt release:

  1. Install stubby;
  2. Set up dnsmasq to use stubby as the upstream DNS server;
  3. Set it as the system (OpenWrt) DNS server in network settings.

Done. Matches all your requirements.

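The three steps above as an OpenWrt configuration, added here as an example that is not taken from the thread or any linked tutorial. It assumes stubby's listen address 127.0.0.1@5453 (the OpenWrt package default) and Cloudflare's resolvers, TLS authentication name cloudflare-dns.com, as upstreams; the functions only print the configuration so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread or any linked tutorial. Renders the
# OpenWrt configuration behind steps 1-3 as text for review before it is
# applied. Assumed: stubby listens on 127.0.0.1@5453 (the OpenWrt package
# default) and the upstreams are Cloudflare's resolvers, TLS name cloudflare-dns.com.

# stubby.yml: TLS only, upstream certificate checked against its name,
# query padding, no client-subnet leak, and DNSSEC validation in the stub.
render_stubby_yml() {
  cat <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
dnssec_return_status: GETDNS_EXTENSION_TRUE
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
EOF
}

# uci commands: dnsmasq forwards only to stubby (ignores /etc/resolv.conf
# and the ISP resolvers learnt on wan) and keeps a cache of $1 entries.
render_dnsmasq_uci() {
  size="${1:-1000}"
  case "$size" in
    ''|*[!0-9]*) echo "cache size must be a whole number" >&2; return 1 ;;
  esac
  cat <<EOF
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].cachesize='$size'
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
uci set network.wan.peerdns='0'
uci commit dhcp
uci commit network
EOF
}
```

On the router, write the first function's output to the file the stubby package reads (/etc/stubby/stubby.yml on 18.06), pipe the second to sh, then restart stubby and dnsmasq with their /etc/init.d scripts.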

@AmbientSummer Thanks. If in the next release everything gets easier, I believe a lot of people will implement this approach.

@directnupe thanks for clarifying I think I will try this Stubby and dnsmasq-full approach today.
I still have some questions though...
I have a Dir-860L-B1 router and there's some 10MB free memory to install.

  • How can I monitor the size of the dns cache?
  • How can I see the health of the installed certificates?
  • If there's no internet after applying all these steps, how can one revert to a working situation without flashing the stock again?

Kind regards

@Forssux Please open a new topic for new questions.

As a slight alternative, I'm also using Stubby and DNSMASQ on an x86 install of OpenWrt. However, I'm using the built-in DNSMASQ and haven't updated it. Stubby can be configured to use DNSSEC for the external queries via TLS. I'm less concerned with DNSSEC on an internal DNSMASQ server; I just want the external WAN-bound DNS requests to go out via TLS and use DNSSEC.

My understanding is that Stubby will do this without needing to install DNSMASQ-FULL. So you may be able to get this setup working with minimal effort, unless for some reason you need DNSMASQ to also pass through DNSSEC to your local LAN.

I think this guide is suitable for the current version. But you need to install 'ca-certificates'.

Dear Forssux,
Look - you need to either have a little faith or let this project go. I am not trying to be nasty but if you check - there are thousands ( tens of thousands ) of people who have followed these tutorials and successfully deployed these setups.
Q - How can I monitor the size of the DNS cache? Answer: By using DNSMASQ-FULL - the cache is limited to and by the number of entries you enter in the configuration file. The default size of the cache is 150 - you can set it up to 15000, so 1000 should be safe. You read the cache by reading the DNSMASQ-FULL cache log - you can research how to do that. I use UNBOUND so that is a different solution. But 1000 cache entries is easily handled by your router.

Q - How can I see the health of the installed certificates? Answer - I do not know exactly what you mean. However, you should try reading the entire guide BEFORE asking these questions. This matter of certificates and root keys is well documented in the tutorial. Let's stop the hand holding - please. Please realize that you need to take some initiative on your own behalf.

Q - If there's no internet after applying all these steps how can one revert to a working situation without flashing the stock again
Answer - There will be internet and DNS OVER TLS if you follow the directions in the tutorial correctly. As far as RESETTING YOUR ROUTER TO DEFAULTS - you should check the specifics for your router using RESET BUTTON or read here: https://medium.com/openwrt-iot/lede-openwrt-factory-resetting-48b77417a950
That's it - and I must say - stop being uber needy and either take the dive or leave it alone. Once again - nothing personal - but I have tried to help you and you seem to be taking few to no steps to do any research or reading on your own - including the guide I first pointed you to - https://forums.torguard.net/index.php?/topic/1455-openwrt-stubby-dns-over-tls-using-dnsmasq-full-for-dnssec-caching/

Once Again Peace,
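For the cache-size question answered above, an added example that is not part of directnupe's reply or his tutorial: dnsmasq writes its cache statistics to syslog when it receives SIGUSR1, and this script parses those lines (the sample log is constructed in that format) to show whether the configured cache is being overrun and how often queries are answered locally.

```shell
#!/bin/sh
# Added example, not from the thread or its tutorials. dnsmasq logs its
# cache statistics when it receives SIGUSR1; on OpenWrt:
#   kill -USR1 "$(pidof dnsmasq)"; logread | grep 'dnsmasq\['
# dnsmasq_stats parses those lines. SAMPLE_LOG is constructed data in
# that format, so the script runs without a router.

SAMPLE_LOG='Thu Dec 13 10:00:01 2018 daemon.info dnsmasq[1234]: time 1544695201
Thu Dec 13 10:00:01 2018 daemon.info dnsmasq[1234]: cache size 1000, 37/812 cache insertions re-used unexpired cache entries.
Thu Dec 13 10:00:01 2018 daemon.info dnsmasq[1234]: queries forwarded 640, queries answered locally 2210
Thu Dec 13 10:00:01 2018 daemon.info dnsmasq[1234]: queries for authoritative zones 0
Thu Dec 13 10:00:01 2018 daemon.info dnsmasq[1234]: server 127.0.0.1#5453: queries sent 640, retried or failed 3'

# stdin: dnsmasq log lines. Prints one line of key=value pairs:
# size (configured cache-size), evicted (still-valid entries overwritten
# to make room), inserted, forwarded (sent upstream), local (answered
# from cache or hosts), failed (upstream retries/failures, all servers).
dnsmasq_stats() {
  awk '
    /cache size/ {
      gsub("[,/]", " ")
      for (i = 1; i <= NF; i++) if ($i == "size") { size = $(i+1); ev = $(i+2); ins = $(i+3) }
    }
    /queries forwarded/ {
      gsub(",", " ")
      for (i = 1; i <= NF; i++) { if ($i == "forwarded") fwd = $(i+1); if ($i == "locally") loc = $(i+1) }
    }
    /retried or failed/ { failed += $NF }
    END { printf "size=%d evicted=%d inserted=%d forwarded=%d local=%d failed=%d\n", size, ev, ins, fwd, loc, failed }'
}

# Evictions of unexpired entries mean the cache filled up while its
# contents were still useful: the signal to raise option cachesize.
cache_verdict() {
  stats=$(dnsmasq_stats)
  ev=${stats#*evicted=}; ev=${ev%% *}
  [ "$ev" -gt 0 ] && echo "too-small" || echo "ok"
}

# Percentage of queries answered without going upstream (integer).
cache_hit_percent() {
  dnsmasq_stats | awk '{ for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
    tot = v["forwarded"] + v["local"]; print (tot ? int(100 * v["local"] / tot) : 0) }'
}

printf '%s\n' "$SAMPLE_LOG" | dnsmasq_stats
printf '%s\n' "$SAMPLE_LOG" | cache_verdict
printf '%s\n' "$SAMPLE_LOG" | cache_hit_percent
```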


Hi Jeff, more on where we are with DNS privacy!

Played a little with bind9 on VBox, using it as a caching forwarder server (not sure that is the right definition). My OpenWrt box used it as DNS server and it was forwarding requests to a public nameserver like or a random root server.
How DNSSEC works is still a mystery to me! The question is how I force my OpenWrt box to drop DNS replies that are not DNSSEC validated? I know the pool of DNSSEC-compliant nameservers is small, but assume I live in Sweden :lying_face: ? Or should my PC force the drop of such replies? I stumbled upon

Is it any good?
Last but not least, I know people should be able to master command line config, but given how difficult it is to interpret some of them, do you know any well supported frontend GUI for bind9 or unbound that could clarify both how a DNS server and DNSSEC work? Sorry for being so long

Happy Xmas

Not sure you really want to do that, as "the whole Internet" isn't DNSSEC validated, even in Sweden.

Run unbound and read the unbound documentation (as in the upstream doc, in addition to the OpenWrt configuration information).

DNSSEC "signs" the DNS result so that you know who it comes from. It is a different thing than DNS "privacy".

Does stubby support DNSSEC?

From the links posted above, from dnsprivacy.org:

Does Stubby support DNSSEC?
ANSWER: Yes, stubby can be configured to be a local validating stub. Note that this can currently add an overhead to DNS resolution because a greater number of queries are required (this will be mitigated in a future release when a small cache will be added to stubby).



Guess these statistics show kind of different data than a John Doe like me would expect...
any peculiar reason?