Implementing DNS-Over-TLS for novices - Which guide to follow?

Hi all,

I am using a Netgear Nighthawk R8000 router running the vanilla version of LEDE - 17.01.04. This router is facing my residential ISP on its WAN port and has 14 dhcp clients including IOT devices.

So far I have managed to setup a few static IP addresses, WiFi, Adblock, stealth ports, and changed the DNS settings to point to Google DNS instead of our ISP. I have not modified anything else.

I am now wanting to switch over to using DNS-Over-TLS but in my attempts at locating an appropriate guide to follow, I found it difficult to determine which one to use due to the differences in the following tutorials.

Option 1 - Replacing DNSMasq with Unbound and odhcpd:

Option 2 - Similar to option 1 without any mention of odhcpd:

Option 3 - Using a combination of GetDNS and Stubby with Unbound Dns and DNSMasq for local DNS:

I am therefore seeking some advice from the LEDE community to help me identify the best approach based on my own and those with similar needs.

Thanks in advance.
~ Tala ~

1 Like

I choose 1, it is very simple and requires few steps. But there is a missing step, you need to disable dnsmasq services.

1 Like

If your goal is to encrypt DNS traffic so that your ISP can't see and or sell to 3rd parties, then dnscrypt-proxy is an effective and easy way to do it.

@ leeandy - thanks for the reply. For simplicity, and the fact that I am a novice user, I was kind of hoping that someone would suggest option 1! In this tutorial, the author actually uninstalls DNSMasq using;

opkg update
opkg install unbound odhcpd unbound-control
opkg remove dnsmasq

Is this what you did?

1 Like

@ davidc502 - thanks for your reply. I am actually running your build on another upstream router (WRT1900AC v1) and DNS-Crypt is running great although resolving speed can be rather slow sometimes here in the pacific!

fyi - I am wanting to switch to DNS-Over-TLS due to the abandonment of DNS-Crypt. Correct me if I am wrong but isn't DNS-Over-TLS supposed to be the new best practice implementation?

Yep, same ways. If you don't want to remove dnsmasq, u can disable it.

There is dnscrypt-proxy2 which some have installed an configured to support DNS-Over-TLS. From what I remember, they are able to download the binary and configuration files, and are able to run it without too much trouble. I'd point you to the post on the openwrt forum, but as everyone knows is down.

Thanks @davidc502.

As a side note, when using your custom build on my WRT1900AC samba, I have full access to the luci-app-dnscrypt-proxy in LUCI web gui.

In the standard build (17.01.04) that I am using on my R8000 gateway, I am only able to install dnscrypt-proxy and dnscrypt-proxy-resolvers. Is there any reason why I cannot find and install the luci-app-dnscrypt-proxy package?

~ Tala ~

There are some good links on the various encrypted and authenticated DNS schemes presently implemented and under development in Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound

There are at least seven "competing" schemes outlined at which leads off with

This site is mainly focussed on following the development and deployment of DNS-over-TLS (DOT) and DNS-over-HTTPS (DOH) as the leading solutions for DNS Privacy because DOT is the only protocol currently standardized by the IETF and DOH is expected to be a standard shortly (as of May 2018).

DNS-Crypt is apparently widely deployed, though not an IETF standard or standard-track. That, at some time in the future, it may wane in popularity as a result, does not mean that it is "abandoned". shows commits as of hours ago right now.

This is not intended to be an endorsement of any particular approach, just to provide references so that an informed decision can be made.

instructions on how to install dnscrypt-proxy version 2.
Installation OpenWRT/LEDE

David, will u include dnscrypt-proxy2 in ur future builds ?

No plans to do so at the moment. However, if dnscrypt-proxy2 is approved for lede/openwrt, it will eventually be added to all builds.

Who knows, maybe it is already in the works... unknown to me.

Ok, thanks for letting us know.
Ur builds are working very well, i'd like to stay on ur builds as long as possible... :ok_hand:
Hopefully i can try dnscrypt-proxy2 soon, im allready using dnscrypt-proxy and i cant complain.
Ill try to combine it with adblock soon... Pls keep it up david.

Cool -- thanks :smile:

There is also the alternative dns over https.

Is quite small, lightweight and fast.
It only opens 1 https connection and pipes all dns request through it.

The http2 feature is bugged atm. Resolution stops after sometime. But you can work around
that by using the -x start parameter or compile libcurl without http2 support.

Downside only supports Google and cloudflare.

Dnscryptproxy2 is nice.
The auto server list with the filter options good stuff.
Also the load balancer feature.
But its size is one problem. Very bad choice to use go here, makes adaption to (for?) smaller embedded devices with limited space quite hard.

I also don't like that it opens many connections.
(One downside of the load balancer feature.

i was able to compress the dnscrypt-proxy (v2) size down to 1.67mb with upx may still pose a challenge to smaller embedded devices though.

Just install stubby and configure dnsmasq to use it.

You can also follow this guide:

if one is using dnsmasq, can one simply utilize luci by navigating to network -> dhcp & dns -> advanced settings -> dns server port to 5053?

or use cli, uci set 'dhcp.@dnsmasq[0].port=5053'

it's better to edit the file directly or use the CLI.

I can't remember what works for me. Try one and if it doesn't work, try the other.
If you've used my repo, you can also view /var/logs/dnscrypt-proxy-query.log by using tail -f to see if it's working for you, as you can immediately see any DNS queries coming in.