DNS resolver options

I am learning about OpenWrt and eventually LEDE by playing around with an older TP-Link I have that is running Chaos Calmer 15.05.1, and having fun so far.

I would like to make this router a local dns resolver to learn a little more about installing my own packages and other things.

I have been reading information I can find on the Internet but some things are not clear.
My hope is to install a dns resolver that could replace my isp dns services with my own.

I might also want to forward some requests in a secure way but have to learn more about that and if I will even need that.

My questions are:

Which package is the most current and still being updated at least now and then?

Do I have to update the resolvers that my local dns server will be using? I am not wanting to use it as a dns server, only as a resolver.

When my dns server makes requests of root servers, how is that any safer than using my own isp dns services since they could also log everything an IP is wanting to look up. Again, this is my basic understanding so far, I also have to learn more about dns resolver services.

I'm not sure what else to ask or if I am even asking in the right place, so I hope for replies and can provide more info if needed.

For security reasons you really want to upgrade to at least 17.01.5 or 18.06-rc2.

I will buy another device eventually but for now, just learning so it's fine.
I guess maradns and even BIND are out, as the packages are not found for Chaos Calmer.

Even if BIND was available in CC, it's old with security flaws.

The device won't accept an upgrade?

None (or very few) packages are updated in 15.05.1, as it is an old version out-of-development.

This is not clear, as a resolver acts as a server for whatever LAN client it forwards requests for. The firewall is closed on WAN by default, so this service is not open to the Internet.

The OpenWrt makes requests to whatever DNS server you programmed (or the ones received via DHCP). It doesn't use root hints by default. The DNS request is still sent on WAN in the clear. You would have to use DNS-over-HTTPS or some other mechanism to prevent the ISP from seeing clear requests.

Your DNS security questions may be better answered on a security forum. I also think you may want to brush up on DNS understanding and/or the Dnsmasq software (used in OpenWrt) first (not all DNS software is identical).

My question is not a dns security question, it is just a general question asking what packages I might have as options since I have yet to find any.

I don't understand why the replies are telling me I need to learn this and that. I already said I am new to playing around with these things and learning one small thing at a time. I will read up on the things I must learn about. I read a lot about dns which is why I want to play with it. Everyone starts by reading then playing, it's the hands on experience that leads to searching for more answers and learning as you try.

I am not ready to build firmware just yet, just playing around with the os at the moment.

I mainly just wanted to see if I could use the mini router as my dns server rather than my isp. When I mentioned forwarding, it is because I have read that you can forward some requests to an upstream server.

I just want to start with something very basic, like my own dns server.

@TomGG, I just provided you that information:

Concerns about the ISP seeing the packets, I thought were security, you asked where to inquire about them.

If the packages are not available; and you choose not to compile, then you must upgrade to a version where that software is offered. I wasn't forcing you to code or compile, simply answering your question.

Yes; but what you describe as a resolver and server were not accurate; then you said you were concerned the ISP could still see the requests, which is true. So I suggested:

In order to use that device with Chaos Calmer, it uses the software dnsmasq by default, NOT BIND. Therefore, dnsmasq is a resolver, not a full DNS server. Since Chaos Calmer does not offer BIND (per your post); then you will have to upgrade, or settle with configuring dnsmasq to use non-ISP DNS servers.
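The two replies above (the one noting that dnsmasq forwards to whatever servers it was given, in the clear, and this one saying the Chaos Calmer fallback is to configure dnsmasq with non-ISP upstreams) describe a procedure without showing it. The following is an added example, not code from the thread or from the OpenWrt project: it emits the UCI commands that make dnsmasq ignore the ISP servers learned over DHCP/PPP and use a chosen list instead. It assumes the stock OpenWrt `/etc/config/dhcp` layout with a single `dnsmasq` section; the addresses used in the test are RFC 5737 documentation addresses, not real resolvers.

```shell
# Added example: point OpenWrt's dnsmasq at non-ISP upstream resolvers.
# Not from the thread; assumes the stock /etc/config/dhcp with one
# "config dnsmasq" section (addressed as dhcp.@dnsmasq[0]).

dnsmasq_upstream_cmds() {
    # Print the UCI commands; does not run them, so it works anywhere.
    # noresolv=1: stop reading the ISP-provided /tmp/resolv.conf.auto.
    printf '%s\n' "uci set dhcp.@dnsmasq[0].noresolv='1'"
    # Drop any previously configured upstream list before adding ours.
    printf '%s\n' "uci -q delete dhcp.@dnsmasq[0].server"
    for s in "$@"; do
        printf '%s\n' "uci add_list dhcp.@dnsmasq[0].server='$s'"
    done
    printf '%s\n' "uci commit dhcp"
    printf '%s\n' "/etc/init.d/dnsmasq restart"
}

dnsmasq_upstream_apply() {
    # Apply the commands, but only on a system that actually has uci.
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found: not an OpenWrt system, nothing applied" >&2
        return 1
    fi
    dnsmasq_upstream_cmds "$@" | sh -e
}

# Usage on the router (addresses are placeholders, pick your own):
#   dnsmasq_upstream_apply 192.0.2.53 198.51.100.53
# Review first with:
#   dnsmasq_upstream_cmds 192.0.2.53 198.51.100.53
```

Note the caveat the thread itself makes: this only changes *who* answers the queries. They still leave the WAN port as plain UDP/TCP port 53, so the ISP (and any hop in between) can still read them; only an encrypted transport such as DNS-over-HTTPS changes that.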

Concerns about the ISP seeing the packets, I thought were security, you asked where to inquire about them

My question is not a security one but a privacy one. Again, new to this and taking things one step at a time.

In terms of compiling, as I said, I am completely new to this and can only learn things a little at a time.

Since Chaos Calmer does not offer BIND (per your post); then you will have to upgrade, or settle with configuring dnsmasq to use non-ISP DNS servers.

Fine, that is the answer. Thank you for your help.


Since it sounds like you're new to the workings of DNS, it would be worthwhile to understand if you need a resolver or an authoritative server. The first is to provide DNS for your clients, the second is to provide DNS about your domain to the rest of the world. BIND and NSD are the two most common applications used for the latter. They are not easy to configure and require "glue" to be in place to identify them as the "right" servers to be used for your domain.

If what you need is a resolver to serve your own clients, dnsmasq is the "standard" approach for OpenWRT. unbound is another approach that users with more sophisticated needs may use. While, years ago, BIND was used by many of the *nix distributions, it has fallen out of favor due to its complexity and "vulnerability surface" relative to unbound and other approaches.

There are several approaches to "secure" DNS, including verifying the identity of upstream servers and encryption of the connections. There are many threads and references on those here and elsewhere.

I'd definitely recommend upgrading to preferably 18.X, at least to 17.X


I only need a resolver for local DNS queries so that I am not using my provider's DNS services.
I am not looking to create records for local domain or any others, only to resolve DNS queries from devices on my LAN.

There is one thing I don't understand about running my own DNS resolver to gain privacy from the ISP (to some extent) and that is about querying root servers directly.

Even if the ISP DNS is not being used and queries are going directly to root servers, those servers could also be involved in logging and selling profiling data no?

I'm sure the answer is yes, it's possible that queries could still be logged and yes, the ISP could still be logging your traffic as well if they were asked to by police or something.

My question is specifically, does anyone know if root server administrators are/would/have been known to be involved in such activities?

At some point you need to take off the tinfoil hat if you're going to use the Internet. Yes, every single packet can be tracked, even over the backbone. Just the type, size, and sequence of packets can reveal, or at least strongly suggest, what you're doing.

In my opinion, If you're worried about the root servers, then you have to place pretty much the entire Internet off limits. Personally, I'd worry more about the CAs that issue "identity" for the TLS/SSL certificates much more than the root servers. There have been several already "de-trusted" due to inappropriate actions.


Now running LEDE 17.01.4 on another router, so have both kinds now.

# opkg update
# opkg install maradns
Unknown package 'maradns'.
Collected errors:
 * opkg_install_cmd: Cannot install package maradns.
# opkg install unbound
Unknown package 'unbound'.
Collected errors:
 * opkg_install_cmd: Cannot install package unbound.

No tinfoil hat friend, just asking questions to learn but keep getting chastised kind of replies. Not very friendly around here. You help while insulting over and over again.

https://www.iana.org/domains/root/servers provides a list of the organizations responsible for running the root servers.


But, you're getting answers! I noted these inquiries were security-related, you disagreed. I also noted that you weren't quite up-to-speed on DNS, you also disagreed.

Please don't blame us for the lack of understanding. Despite this, we're helping you anyway. Please respect that. Still, your understanding of DNS is flawed... I offered that you study on DNS; because I assumed that a security forum would be more harsh, actually.

Any device along the way that can see the clear traffic can log you, not just the ISP. Also, it's important to note that Root Servers do not receive the query, they only get a query for the first domain in the chain. So, given your question, due to the design of a Root Hint query, I highly doubt that Root Servers are collecting this data.

For example: a root hint query for forum.openwrt.org

When you query a recursive DNS server:

  • you ask for A Record of FORUM.LEDE-PROJECT.ORG
  • the server does all the above for you or has a cached record to provide
  • an A Record is provided

I'm so sorry you feel chastised...but again this sentence is somewhat confusing...as DNS resolvers do not query root servers, FULL DNS SERVERS do.

Hope this helps.

As a specific example:

$ drill -T www.openwrt.org
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
org.	172800	IN	NS	a0.org.afilias-nst.info.
org.	172800	IN	NS	a2.org.afilias-nst.info.
org.	172800	IN	NS	b0.org.afilias-nst.org.
org.	172800	IN	NS	b2.org.afilias-nst.org.
org.	172800	IN	NS	c0.org.afilias-nst.info.
org.	172800	IN	NS	d0.org.afilias-nst.org.
openwrt.org.	86400	IN	NS	ns1.digitalocean.com.
openwrt.org.	86400	IN	NS	ns2.digitalocean.com.
openwrt.org.	86400	IN	NS	ns3.digitalocean.com.
www.openwrt.org.	43200	IN	CNAME	wiki-01.infra.openwrt.org.
wiki-01.infra.openwrt.org.	3600	IN	A

So, in this case, one of the root servers, one of the NIST servers, and one of the Digital Ocean servers "saw" the query (or at least portions of it), as well as every router and link between you and those servers.
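The root-hint walk described two posts up and the `drill -T` trace above are the same thing seen twice: one NS record set per zone, and the resolver asks one server from each set in turn. The following is an added example, not from the thread, that turns a trace in that format into the delegation chain, so you can count exactly how many organisations' servers handled a lookup. The sample is abridged from the thread's own trace (two name servers per zone kept); it runs on a stock busybox awk, so it also works on the router itself.

```shell
# Added example: summarise a `drill -T` style trace into the delegation
# chain (which zone's servers were asked, in order). Not from the thread.
# TRACE is abridged from the drill output in the post above.

TRACE='.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
org.	172800	IN	NS	a0.org.afilias-nst.info.
org.	172800	IN	NS	b0.org.afilias-nst.org.
openwrt.org.	86400	IN	NS	ns1.digitalocean.com.
openwrt.org.	86400	IN	NS	ns2.digitalocean.com.
www.openwrt.org.	43200	IN	CNAME	wiki-01.infra.openwrt.org.'

delegation_chain() {
    # Reads a trace on stdin. Groups NS records by owner zone, keeping
    # first-seen order (root, TLD, domain), then prints one line per
    # zone plus the final CNAME, if any. Default awk FS handles tabs or spaces.
    awk '
        $4 == "NS" {
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
            ns[$1] = ns[$1] (ns[$1] ? "," : "") $5
        }
        $4 == "CNAME" { alias = $1 " -> " $5 }
        END {
            for (i = 1; i <= n; i++)
                printf "%d %s %s\n", i, order[i], ns[order[i]]
            if (alias) printf "alias %s\n", alias
        }'
}

delegation_hops() {
    # Number of distinct zones (hence distinct operators) consulted.
    delegation_chain | grep -c '^[0-9]'
}

# Usage: pipe a real trace in, e.g.  drill -T www.openwrt.org | delegation_chain
# With the constructed sample:
#   printf '%s\n' "$TRACE" | delegation_chain
#   printf '%s\n' "$TRACE" | delegation_hops
```

Each numbered line is one set of servers the resolver had to contact, which is the concrete answer to the "who saw it" question: three hops here, and the plain-DNS packets to each are readable by every router on the path. One caveat worth knowing when reading the "only the first label" explanation above: a resolver only sends the root a query for the TLD alone if it implements QNAME minimisation (RFC 7816); a classic resolver sends the full name to every hop.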


@TomGG Privacy of DNS queries is well addressed at


That, coupled with a better understanding of how DNS works in general, would be a good reference that will directly answer many of your questions, as well as what current approaches there are to achieve various levels of DNS privacy.

Once you understand the options and their relative merits, there are several good "how-to" threads here on the specifics of an OpenWRT-based implementation.

Also per: https://openwrt.org/packages/table/start

Maradns is not available. Unbound should exist (may be in 18.06, I did not browse the downloads.openwrt.org package folders).

LOL, some of you simply have no clue or don't care how you come across.

It doesn't matter what I say or don't say, you'll have something else to come down on me for, it's just obvious in the thread :).

Yes I'm getting answered but often with chastisement for not knowing this or that. I've said throughout this thread that I'm new to openwrt, never played around with it but I've done some things using linux. No expert but I can learn from reading and especially by asking questions when reading becomes a blur after a while.

I don't have any flawed understanding of DNS... I have only a very basic understanding as I've said all along but you keep pointing out how I don't have the knowledge. Yes, that's a fact, we all know this now, good of you to point that out and I've also pointed out I'm just starting out, have a lot to read, will be reading etc.

Ok, don't feel that you are being anything but helpful but as a new user on this site, I can only share how I am sensing the 'attitude' from some of you. If I feel that, I'm sure many others might too. Just a little feedback from someone new, nothing else.

And again, thank you for the leads too.


Everyone who has replied to you in this thread earlier is among the most helpful forum users and has never been anything but nice to everyone they've helped.

If you're feeling an attitude, maybe it's just you.

To the point -- if you're concerned about keeping your DNS requests private from your ISP, you need to have them encrypted (look up dnscrypt-proxy or https_dns_proxy, latter is IMHO more reliable and easier to set up). Even if you don't use your ISP servers, unless your DNS requests are encrypted, they can still intercept/modify them.

If you're concerned about keeping your traffic secure from authorities and/or DNS servers other than your ISP's, you need to look into encrypting all your traffic and sending it inside an (OpenVPN/WireGuard) tunnel to a location outside of the sphere of influence of your government.
