This is what I do
On "/etc/config/dhcp"
# option resolvfile '/tmp/resolv.conf.auto' ## --- Make sure you disable this line (put "#" in front of it) so the ISP-supplied DNS servers are ignored
# option cachesize '1024' ## --- If your router has plenty of RAM, you can enable this option (with dnsmasq-full installed)
option noresolv '1' ## --- This stops dnsmasq from reading any resolv file, so the ISP's DNS is never used
list server '/pool.ntp.org/1.1.1.1' ## --- Sends lookups for pool.ntp.org to 1.1.1.1 as plain DNS so NTP can sync first; your router's date and time must be correct for the TLS handshake to succeed
list server '127.0.0.1#5453' ## --- Everything else goes to stubby on its default port 5453
(The "## ---" parts are explanatory notes only. UCI accepts comments only on lines that start with "#", so don't paste the notes after the options.)
On "/etc/config/network"
config interface 'wan'
option ifname 'eth1'
option proto 'pppoe'
option username 'username'
option password 'password'
option peerdns '0' ## --- Don't accept the DNS servers the ISP pushes over PPPoE
option dns '127.0.0.1' ## --- Makes the router itself resolve through dnsmasq, so "ping google.com" works on the router
(Same here: the "## ---" notes are not valid inside the UCI file; UCI only accepts comments on their own line starting with "#".)
If you have spare flash and RAM, you can give some of the RAM to the DNS cache (the cachesize option above).
Bonus: How to install dnsmasq-full
cd /tmp
opkg update
opkg download dnsmasq-full ## --- 1st we need to download dnsmasq-full locally, because the remove step below takes the internet away
opkg install dnsmasq-full ## --- Installation will fail because the dnsmasq-full files conflict with the existing dnsmasq
opkg remove dnsmasq ## --- You will have no internet access (no DNS) after this
opkg install /tmp/dnsmasq-full*.ipk ## --- Install from the downloaded file (tab-complete the name); internet access is restored after this
Bonus: You don't have to install ca-bundle/ca-certificates if you don't use Cloudflare's resolver (1.1.1.1).
Just copy "/etc/stubby/stubby.yml.default", enable the resolver you want in the copy, and save it as "/etc/stubby/stubby.yml".
To test:
- Go to https://www.dnsleaktest.com/, or
- On your router, go to Status > Realtime Graphs > Connections and make sure ALL DNS requests to port 53 from clients go ONLY to the router (NOT directly to the internet), and that DNS-over-TLS connections on port 853 go ONLY to the configured resolver, or
- Capture your WAN's outgoing port 53 traffic with Wireshark: the only plain DNS you should see leaving the router is the pool.ntp.org lookup from the dhcp config above.
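To do the Connections check above without clicking through LuCI, here is a script added as an example (it is not part of the original post). It reads conntrack entries in /proc/net/nf_conntrack format and flags every DNS flow that bypasses the setup: plain port-53 queries that don't go to the router, and port-853 connections that are not the router talking to the configured resolver. The LAN address 192.168.1.1, the WAN address 203.0.113.7 and the resolver 1.1.1.1 are assumptions, and the sample entries are constructed, not captured:

```sh
#!/bin/sh
# Audit conntrack for DNS flows that bypass the router/stubby setup.
# Reads conntrack entries on stdin (e.g. /proc/net/nf_conntrack on OpenWrt)
# and prints one LEAK line per offending flow; exit status 1 if any were found.
#
# Arguments (assumed addresses, adjust to your network):
#   $1 router LAN address that clients must send their port-53 queries to
#   $2 router WAN address (source of the router's own upstream flows)
#   $3 DNS-over-TLS resolver address configured in stubby
#   $4 plaintext bootstrap server from "list server '/pool.ntp.org/<ip>'"
audit_dns_flows() {
    awk -v lan="$1" -v wan="$2" -v dot="$3" -v boot="$4" '
    {
        # The first src=/dst=/dport= tokens on a conntrack line describe the
        # original direction of the flow; the later ones are the reply tuple.
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/)          src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == "53") {
            # Only two plain-DNS flows are legitimate: client -> dnsmasq on the
            # router, and the router itself resolving the NTP bootstrap name.
            if (dst != lan && !(src == wan && dst == boot)) {
                print "LEAK plain DNS bypasses router: " src " -> " dst ":53"; bad++
            }
        } else if (dport == "853") {
            # DoT must come from the router and go to the configured resolver;
            # a client doing DoT itself (e.g. Android "Private DNS") bypasses dnsmasq.
            if (src != wan || dst != dot) {
                print "LEAK DoT outside stubby: " src " -> " dst ":853"; bad++
            }
        }
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed sample entries (not real captures) in /proc/net/nf_conntrack format:
# a clean client query, the router's DoT session, the router's plain bootstrap
# lookup, a client with hardcoded 8.8.8.8, a client doing its own DoT, and HTTPS.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 udp      17 25 src=192.168.1.20 dst=192.168.1.1 sport=50123 dport=53 packets=1 bytes=61 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=50123 packets=1 bytes=93 mark=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=203.0.113.7 dst=1.1.1.1 sport=41522 dport=853 packets=12 bytes=2310 src=1.1.1.1 dst=203.0.113.7 sport=853 dport=41522 packets=11 bytes=4021 [ASSURED] mark=0 use=2
ipv4     2 udp      17 18 src=203.0.113.7 dst=1.1.1.1 sport=38810 dport=53 packets=1 bytes=57 src=1.1.1.1 dst=203.0.113.7 sport=53 dport=38810 packets=1 bytes=121 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.30 dst=8.8.8.8 sport=51077 dport=53 packets=1 bytes=64 src=8.8.8.8 dst=192.168.1.30 sport=53 dport=51077 packets=1 bytes=80 mark=0 use=2
ipv4     2 tcp      6 86399 ESTABLISHED src=192.168.1.40 dst=9.9.9.9 sport=45210 dport=853 packets=8 bytes=1540 src=9.9.9.9 dst=192.168.1.40 sport=853 dport=45210 packets=7 bytes=2980 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.20 dst=104.16.132.229 sport=55001 dport=443 packets=20 bytes=3200 src=104.16.132.229 dst=192.168.1.20 sport=443 dport=55001 packets=22 bytes=18000 [ASSURED] mark=0 use=2
EOF
}

# On the router (addresses are assumptions, adjust them):
#   audit_dns_flows 192.168.1.1 "$WAN_IP" 1.1.1.1 1.1.1.1 < /proc/net/nf_conntrack
# Offline demo on the constructed sample, which reports the 8.8.8.8 and 9.9.9.9 flows:
if [ "${1:-}" = "--demo" ]; then
    sample_conntrack | audit_dns_flows 192.168.1.1 203.0.113.7 1.1.1.1 1.1.1.1
fi
```

Run it with `--demo` to see the two expected leaks, or feed it the real conntrack table on the router. Two caveats: it matches by port only, so a client using DNS-over-HTTPS on port 443 is invisible to it (and to the Connections page), and it takes a single LAN address, so if clients also query the router over IPv6 you need to pass that address too or those flows will be flagged.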