Does https-dns-proxy protect against DNS hijacking?

I followed this guide and installed https-dns-proxy:
https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

My understanding is that it protects against DNS leak but I am not sure about DNS hijacking. Do I have to set up DNS interception as well for that? Like this for example:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

The 1st link is for setting up secure DNS lookups from your router (and indirectly your clients).
The 2nd is for intercepting rogue DNS calls from your network devices that do not honor the
DNS servers provided by your DHCP.

I think this is why DNSSEC is a thing: to make sure this does not happen. You can use unbound to get this feature, but you would also need the full dnsmasq to use it.

I would not recommend removing it and installing the full version; there is a proper method for switching from one to the other.

I think this is the guide I used to set up such a service:

https://candrews.integralblue.com/2018/08/dnssec-on-openwrt-18-06/

Thank you for your help, I think I get it now. I found this option in LuCI meanwhile:

And I did a quick test with one of my clients where I set it to use my ISP's DNS. I went to https://dnsleaktest.com/ and saw Google and Cloudflare DNS servers only, so I think I can conclude such rogue DNS calls cannot happen.

The built-in hijacking method provided by https-dns-proxy has some limitations:

  • Hardcoded for LAN network only.
  • Cannot block DoH.

The DNS hijacking in the wiki article can solve the above problems.
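To make the two limitations concrete, here is an added example (not from the original thread or the OpenWrt wiki) of the kind of firewall redirect the linked article describes, written as /etc/config/firewall UCI sections. The `guest` zone is an assumed second zone; it shows that, unlike the proxy's built-in option, a firewall rule can be added per zone, and the `Filter-DoT` rule shows the same mechanism used to reject a bypass channel the proxy cannot block.

```text
# /etc/config/firewall (added illustration; zone names 'lan' and 'guest' are assumptions)

# Redirect any plain DNS (UDP/TCP 53) leaving the lan zone to the router itself,
# so clients that ignore the DHCP-provided resolver still end up at https-dns-proxy.
config redirect
	option name 'Intercept-DNS-lan'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# The same rule for a second zone; the proxy's own hijack option only covers lan.
config redirect
	option name 'Intercept-DNS-guest'
	option src 'guest'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# DNS-over-TLS (port 853) cannot be redirected to a plain resolver, so reject it
# outright; clients then fall back to the intercepted port 53 path.
config rule
	option name 'Filter-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
```

After a `/etc/init.d/firewall restart`, a client pointed at an external resolver should still receive answers from the router; if the answer arrives from the external address instead, the redirect is not matching that zone.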
