DoH with dnsmasq

I am exploring DoH. It seems the recommended way on OpenWrt is to use https-dns-proxy.

From a cursory look at the code, I see:

# pending (uncommitted) changes to the dhcp config?
if [ -n "$(uci -q changes dhcp)" ]; then
    # write them to /etc/config/dhcp and restart dnsmasq to pick them up
    uci -q commit dhcp
    [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
fi

Given that this code does not check for the update_dnsmasq_config setting, it seems that https-dns-proxy is modifying /etc/config/dhcp config even when option update_dnsmasq_config '-' is used.

That makes me a little hesitant to use it, because it is easier for my simple mind to know that no process is modifying configuration files for other processes.

Is it correct to say that the https-dns-proxy does the following, and only the following:

  • modify /etc/config/dhcp
  • start a proxy server to decrypt DoH queries and relay them to dnsmasq (effectively operating as a dns server for dnsmasq)

Is it a reasonable endeavour to attempt to do DoH with only dnsmasq? If so, any pointer is much appreciated.

Maybe I could use https-dns-proxy only as the proxy server, and not the part that modifies /etc/config/dhcp?

https-dns-proxy is mostly recommended for casual users.
Dnsmasq doesn't support DNS encryption by itself.
You can use Unbound to combine the crypto/resolver/cache roles.

4 Likes
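As an added example (not from the thread or the https-dns-proxy project), this is what the split proposed in the first post looks like on disk: https-dns-proxy told to leave dhcp alone, and the forwarding written into /etc/config/dhcp by hand so dnsmasq only ever talks plaintext to the loopback proxy. The loopback address, port 5053, the resolver URL and the bootstrap servers are assumed values, not anything the thread states.

```uci
# /etc/config/https-dns-proxy (relevant parts only; assumed values)
config main 'config'
	# '-' tells the package not to rewrite the dnsmasq section of /etc/config/dhcp
	option update_dnsmasq_config '-'

config https-dns-proxy
	# any DoH endpoint; bootstrap_dns is only used to resolve the endpoint's name
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	# listen on loopback only, so nothing outside the router can use the plaintext side
	option listen_addr '127.0.0.1'
	option listen_port '5053'

# /etc/config/dhcp, dnsmasq section, edited by hand instead of by https-dns-proxy
config dnsmasq
	# do not pick up plaintext upstreams from /etc/resolv.conf (WAN DHCP/PPP)
	option noresolv '1'
	# the only upstream: the proxy on loopback, which adds TLS toward the resolver
	list server '127.0.0.1#5053'
```

After restarting both services, `uci -q changes dhcp` should print nothing, which is the check for the concern raised above; the only plaintext DNS leaving the router should then be the bootstrap lookups for the resolver's hostname.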

Ok, fair enough, I'll use https-dns-proxy. Thanks a lot for your help.

1 Like