Support for DoH and DoT

New DNS provider called it was built using the same NextDNS founder and technology, so it is a really good option.


There was a failed attempt at a PR to have these included in luci-app-https-dns-proxy; if someone wants to address the issues with those PRs and resubmit, I'd gladly accept the PR.

What is the status? Will this merge so we can have this in the next release?

Why should OpenWrt funnel traffic to a for-profit DNS provider by default? And why do people mistrust the DNS servers of their for-profit ISP only to voluntarily funnel all their queries to a for-profit DNS provider?

claim to be a not-for-profit organisation and to not log any personally identifiable info. Is this wrong?

Well, it's running on top of NextDNS infrastructure, which likely will not supply the required resources out of sheer kindness.

And it was developed by the same team, even.

You probably know there are countries where your Internet activity is monitored by the government and can affect your social credit or make them send you to forced re-education, if not jail, so this kind of mistrust is understandable.

Although many people are unaware that loopholes in SNI, unreliable ECH, and other tracking methods make DNS encryption barely useful by itself as a privacy measure.

However, there seem to be many cases where ISPs perform content filtering by DNS hijacking, and encrypted DNS can solve the issue.

But I perfectly understand that OpenWrt needs to be small to fit as many devices as possible, and for this we need to sacrifice non-essential features.

It totally is, but in such an environment I personally would not trust any DoX provider either. There are things like lawful interception or mandatory data sharing with authorities. Also, the sole act of using (non-standard) DoX/OpenWrt/etc. might already raise red flags.

Fortunately, in most cases the situation is not so severe, assuming you don't plan to intentionally break the so-called "law", but you also clearly don't want to assist the authorities in collecting the data.

Tor can be mostly banned except for some slow bridges with uncertain level of trust, and VPS/VPN is about at the same level of trust as those DoX providers.

If lawful interception and data sharing is a possibility for remote services, then it is a certainty for local ones, so you are basically caught between a rock and a hard place with bad and worse options.

I respectfully disagree with you and would encourage you to read up on NextDNS and They do offer a level of "free" services. Yes, their business model is also a tiered pricing where you subscribe if you need to increase your monthly query limit and/or you wish to tap into some of their more feature-rich capabilities. But if you don't need that, you can remain at the free level.

But what you're failing to recognize is that there are classes of internet consumers, such as parents, who desire help in keeping their kids safer online from domains of questionable quality and virtue. An ISP isn't going to provide that capability, generally, as it would be limiting to their customer base and they're in the business of making money.

Providers such as OpenDNS, Cloudflare, Cleanbrowsing, NextDNS, etc. offer domain-level help for parents, schools, religious institutions, and so forth to get a leg up on filtering of domains with undesirable content. This is a big reason that many consumers will look to non-ISP DNS.

So, I would ask that you broaden your lens here to not assume that privacy (and the trust/mistrust/distrust thereof) is the only factor in choice of DNS.

To be fair, custom DNS providers typically do not require mandatory encryption, so the mentioned use case should not be affected whether DoX is preinstalled or not. This shifts the problem to whether DNS encryption is considered essential enough to occupy the limited firmware space, possibly sacrificing support for some low-end devices.

Agreed as to the point about custom DNS providers not necessarily requiring mandatory encryption. But, by the same token, should one choose to use a custom DNS provider (for filtering purposes or otherwise), I certainly would hope they wouldn't have to sacrifice also having encrypted queries, if they desire that as well.

Fair point, but frankly, I'm not exactly sure what the OP was asking for in this case. Was the request to include DoX support OOB or just allow the DoX addresses to be included in luci-app-https-dns-proxy?

I'm not personally familiar with that luci app, so I can't speak with confidence around the request.
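As an added illustration of what "including a DoX address" in luci-app-https-dns-proxy comes down to (this is an editor's example, not from the thread or from the package's own documentation): the LuCI app is a front end for the https-dns-proxy package, which reads one `config https-dns-proxy` section per upstream from /etc/config/https-dns-proxy. A provider that is missing from the preset list can therefore still be used by pointing an instance at its DoH endpoint by hand. The option names below are the package's as I know them; the resolver URL and bootstrap addresses are placeholders and not any real provider's.

```uci
# /etc/config/https-dns-proxy  (added example, not from the thread)
# One section per upstream. The proxy answers plain DNS on the listen
# address/port and forwards upstream over DoH; dnsmasq is then pointed at
# 127.0.0.1#5053 so LAN clients never speak plaintext DNS to the ISP.
config https-dns-proxy
	# Placeholder plain-DNS addresses. They are only used to resolve the
	# hostname in resolver_url, so this one lookup is visible on the wire.
	option bootstrap_dns '192.0.2.53,192.0.2.54'
	# Placeholder DoH endpoint of whichever provider you choose to trust.
	option resolver_url 'https://doh.example.net/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
```

The trade-off discussed earlier in the thread is visible in the file itself: the query contents are protected from the path to the resolver, but the bootstrap lookup and the TLS SNI to the DoH host still reveal which resolver is being used, and the resolver operator sees everything. Whether that is an improvement is exactly the trust question being argued above.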
