I recently decided to implement DNS over TLS and found that many tutorials were not oriented to those who are less tech savvy. This is a simple approach which allows you to do all configuration in LuCI without any CLI commands. I have to give credit to https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/, as that is where I got my setup instructions from; I just figured out how to do them in LuCI.
- This setup expects you to use Cloudflare's DNS resolvers. If you want to use an alternative such as Google DNS, you will have to use some CLI.
- This tutorial is based on the latest master branch commit as of 2018-01-10. The steps may be similar for different versions or setups, but are not guaranteed. Most likely these steps are going to be the same for 18.06.1, but I don't quite remember the differences in LuCI.
- Log into LuCI at http://192.168.1.1/cgi-bin/luci/, go to System -> Software, and hit the Update Lists button.
- Filter down to find the package called "stubby", and click the Install button. For OpenWrt 18.06.1 users, also install "ca-certificates" and "ca-bundle". This is needed due to a missed dependency on the stubby package. Newer versions of OpenWrt corrected this.
- Go to System -> Startup, find stubby, and click the Start button. Also set stubby to "Enabled" on this same screen.
- Go to Network -> Interfaces. Click the edit button for WAN, go to Advanced Settings, uncheck "Use DNS servers advertised by peer", and set "Use custom DNS servers" to 127.0.0.1. Then press Save & Apply. Repeat this same step for the WAN6 interface, using 0::1 instead of 127.0.0.1.
- Under Network -> DHCP and DNS, click the "Resolv and Hosts Files" tab, and put a check mark next to "Ignore resolve file". Press Save & Apply.
- Under Network -> DHCP and DNS, click the "General Settings" tab, set the "DNS forwardings" list to
- Go to System -> Startup, find "dnsmasq" and click "Restart".
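For readers who do want to double-check the result from the command line, here is a small added script (not part of the original post or of OpenWrt) that reads `uci show` output and confirms the settings made in the interface steps above. The uci option names (`peerdns`, `dns`, `noresolv`) are my mapping of the LuCI labels, and the sample output is constructed inline so the script runs anywhere; the dnsmasq forwarding entry is not checked because the post does not show its value.

```shell
#!/bin/sh
# check_dot_config: read uci "key='value'" lines on stdin and report whether every
# setting from the LuCI steps (custom DNS on WAN/WAN6, ignore resolv file) is present.
# Returns 0 when all are found, 1 otherwise.
check_dot_config() {
    input=$(cat)
    rc=0
    for want in \
        "network.wan.peerdns='0'" \
        "network.wan.dns='127.0.0.1'" \
        "network.wan6.peerdns='0'" \
        "network.wan6.dns='0::1'" \
        "dhcp.@dnsmasq[0].noresolv='1'"
    do
        # -x: whole-line match, -F: treat the key as a fixed string ('@' and '[' are literal)
        if printf '%s\n' "$input" | grep -qxF "$want"; then
            echo "ok      $want"
        else
            echo "MISSING $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `uci show network; uci show dhcp` after following the steps.
# On a real router, pipe the live output instead:
#   (uci show network; uci show dhcp) | check_dot_config
sample_uci_output() {
    cat <<'EOF'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='127.0.0.1'
network.wan6.proto='dhcpv6'
network.wan6.peerdns='0'
network.wan6.dns='0::1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].domainneeded='1'
EOF
}

sample_uci_output | check_dot_config
```

A "MISSING" line means the corresponding LuCI change did not get applied (usually a forgotten Save & Apply), so go back to that step.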
You're done! To verify everything is working, open a new tab in your browser and try going to some websites you don't normally visit. You can also go to https://www.cloudflare.com/ssl/encrypted-sni/ and press "Check My Browser". You should see green check marks for "Secure DNS" and "DNSSEC".