Quad9 DNS encryption

So Quad9 DNS is out and it is performing better than all previous options for me while including DNSSEC.

Currently, it has limited encryption options of DNS-over-TLS, but I'm told that DNSCrypt and other options are on the way. I was thinking that this thread maybe could serve as a forum for discussing these encryption options and their configuration, performance, what works best on LEDE, etc.

Presently, is there a way to get Quad9 DNS-over-TLS working on LEDE? Is it complicated?

No, just use unbound as dns backend.
I'm using unbound plus odhcpd without dnsmasq without any problems (dnssec & dns/tls enabled). Here you'll find the excellent package description.

So to get started with unbound, simply install and uninstall before configuring per your link?

opkg update
opkg install unbound odhcpd unbound-control
opkg remove dnsmasq

Please simply follow https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#unbound-and-odhcpd ... you need 'unbound-control' as well.

Thanks. I edited my previous post to include unbound-control

Might it be also useful to install "luci-app-unbound" or is that not necessary?

Found this blog post comparing DNS-over-TLS & DNSCrypt. The author argues that DNS-over-TLS is the better choice.

DNS-over-TLS vs DNSCrypt

Can anyone confirm these steps for getting DNS-over-TLS working? Is there a step-by-step walkthrough posted anywhere? (Is luci-app-unbound needed?)

opkg update
opkg install unbound odhcpd unbound-control
opkg remove dnsmasq

I tried this and did not end up with DNS over TLS.

I believe the main issue is the lack of a UCI setting such that a forwarder can be set in Unbound to 9.9.9.9@853.

After following the instructions above, instead of all DNS queries going to 9.9.9.9 I was connected to DNS servers all over the planet! Easy to see on the real-time connections page: http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections ; look for connections to port 53.

Well, let's start with DNSSEC which is pretty much standard in unbound, e.g. config for unbound+odhcpd:

cat /etc/config/unbound 

config unbound
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '1'
	option dhcp4_slaac6 '1'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1280'
	option hide_binddata '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option resource 'small'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '1'
	option enabled '1'
	option protocol 'ip4_only'
	option luci_expanded '1'
	option extended_luci '1'
	option extended_stats '0'
	option query_minimize '1'
	option query_min_strict '0'
	option dhcp_link 'odhcpd'
	option recursion 'default'
	option rebind_localhost '0'
	option validator '1' # DNSSEC validator module
	option validator_ntp '1'
	option rebind_protection '1'
	list trigger 'lan'
	list trigger 'trm_wwan'

For DNS over TLS edit the unbound extended conf (/etc/unbound/unbound_ext.conf) and add at least one forward-zone, e.g.:

forward-zone:
  name: "."
  forward-addr: 9.9.9.9@853        # quad9.net 
  forward-addr: 146.185.167.43@853 # securedns.eu Europe
  forward-addr: 89.233.43.71@853   # unicast.censurfridns.dk Europe
  forward-ssl-upstream: yes

All unbound uci options and the config file change are available via unbound LuCI addon, too.
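
The forward-zone block above is the whole difference between forwarding in the clear and DNS-over-TLS. The following added example (not from this thread or the unbound project) parses such a block from unbound_ext.conf and flags the two mistakes that leave queries on port 53: a missing forward-ssl-upstream and forward-addr entries without @853; the sample configs inside it are constructed.

```python
TLS_PORT = "853"

def parse_forward_zones(text):
    """Parse forward-zone: blocks from unbound.conf-style text into dicts."""
    zones, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop trailing comments
        if line == "forward-zone:":
            cur = {"name": "", "addrs": [], "ssl": False}
            zones.append(cur)
        elif line and cur is not None:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip().strip('"')
            if key == "name":
                cur["name"] = val
            elif key == "forward-addr":
                cur["addrs"].append(val)
            elif key == "forward-ssl-upstream":
                cur["ssl"] = val.lower() in ("yes", "true")
    return zones

def lint_zone(zone):
    """Return the problems that would make queries leave the router in the clear."""
    problems = []
    if not zone["ssl"]:
        problems.append(f'zone "{zone["name"]}": forward-ssl-upstream is not yes')
    for addr in zone["addrs"]:
        if addr.partition("@")[2] != TLS_PORT:
            problems.append(f'zone "{zone["name"]}": {addr} is not on port {TLS_PORT}')
    return problems

def lint_config(text):
    """Lint every forward-zone; an empty list means DoT forwarding looks right."""
    zones = parse_forward_zones(text)
    if not zones:
        return ["no forward-zone: unbound recurses to the root servers on port 53"]
    return [p for z in zones for p in lint_zone(z)]

# Constructed samples: the block from the thread, and a common misconfiguration.
GOOD = """forward-zone:
  name: "."
  forward-addr: 9.9.9.9@853        # quad9.net
  forward-ssl-upstream: yes
"""
BAD = """forward-zone:
  name: "."
  forward-addr: 9.9.9.9
"""
if __name__ == "__main__":
    print(lint_config(GOOD) or "ok", lint_config(BAD))
```

Run it against the real file with `lint_config(open("/etc/unbound/unbound_ext.conf").read())`; any non-empty result explains connections to port 53 showing up on the realtime connections page.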


Thanks. I'll try again this weekend, I missed the unbound_ext.conf file. I didn't see those settings in the LuCI addon.

BTW, installing odhcpd doesn't seem to be necessary, my system already had it.

J

Here's a list of some more TLS DNS servers
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

To see the enhanced manual unbound capabilities (e.g. config editor window) you have to check "Advanced LuCI" on the basic tab.

So will running these commands properly prepare for DNSSEC & DNS-over-TLS configuration?

opkg update
opkg install unbound odhcpd unbound-control luci-app-unbound
opkg remove dnsmasq

odhcpd is probably already installed.

Okay, I'm waiting until somebody writes up a step-by-step guide on how to get DNS-over-TLS working before I give this another try.

I just gave it a shot and dang near frightened myself that I bricked my router. Big thanks to anomeome for saving me.

New TLS flaw just announced...

https://www.us-cert.gov/ncas/current-activity/2017/12/13/Transport-Layer-Security-TLS-Vulnerability

This is a variant of a 20-year-old RSA vulnerability and only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie-Hellman key exchange and need RSA only for signatures.

DNS over TLS is still work in progress, nevertheless RFC 7858 specifies:

[...]
There are known attacks on TLS, such as person-in-the-middle and
protocol downgrade. These are general attacks on TLS and not
specific to DNS over TLS; please refer to the TLS RFCs for
discussion of these security issues. Clients and servers MUST
adhere to the TLS implementation recommendations and security
considerations of [BCP195].
[...]

edit: removed wrong quotation, sort of alternative fact ...:wink:


I doubt that. Probably you haven't configured unbound/odhcpd correctly and your client didn't receive a DHCP address from your router - in this case simply configure a static address on your PC and re-connect to your router.

Sure, I was dramatizing it. I edited my previous post for more accuracy. I'll try searching around for a step-by-step to try to learn more.

Hi Guys,
I'm using unbound/odhcpd and quad9 with TLS, and everything works fine.
Now I have a question: it seems that name resolution takes more time using this setup. If I use the non-TLS setup, name resolution is almost instantaneous, but with TLS enabled it takes about 1 second to resolve the name; you can notice this delay using any browser (I can hear a voice in my head saying "why is it taking so long!").
Any experience with this? Is there a way to minimize this delay?
My router is an Archer C7 v2

Thanks.