What is the most secure way todo DNS encryption?

i setup openwrt on my belkin RT3200 and i want to have qaud9 encrypted dns with dnssec and Secure SNI but i could not figure out how to setup DNScrypt correctly on my router and im not sure if thats the best method, id like to avoid my dns info going to google and cloudflare even if encrypted, id also like to force all dns to use this encryption so there is no leaks when i use a vpn on one of my devices, can someone help me with a step by step guide or point me in the right direction i am a fast learner :slight_smile: thank you all for this awesome community

some kind of dot proxy or program then enforce dns redirection / blocking via firewall rules.

personally I use AdGuard Home with blocking rules as it also provides adblocking/tracking filtering. My thread uses Cloudflare as upstream provider but nothing stopping you using other DNS providers.

1 Like

You could install the package luci-app-https-dns-proxy (it will install also needed dependencies) to encrypt DNS with https (DoH). The package includes pre-configured setup for Quad9 and many other providers from a drop down menu. It's working well for me on 22.03.2 stable currently, along with adblock.


thanks for replies, i was thinking about trying that, but DNSCrypt v2 supports anonymized dns and Oblivious DoH it seems like a better choice but i was unable to figure it out so far

please check https://openwrt.org/docs/guide-user/services/dns/start
most likely you'll find a guide you need.


yes that is where i started, i have not been able to find a conversation or debate as to what method is most secure or most private, and there are so many dns settings and options on openwrt it is very overwhelming to a newbie, for example if i choose one of these methods will i have to adjust dns setting on another page or app such as dnsmasq or dhcp

The List :

Paranoid mode : Run your own DNS server that pulls data from the root hosts directly. Technical skills required? Advanced Linux. Bind DNS servers are not simple. Enforced client settings. all other DoH/DoT providers blocked.

Private/Encrypted mode: Use AGH, Https dns proxy, stubby or variant of. Then pick any of multiple upstream encrypted DNS servers. Ensure your firewall only lets your router get dns queries and thus stop DoH/T from behind your router and only private queries out.

Regular user: ISP upstream dns. unencrypted.

Some further reading:




Like most things, it depends, but I thought Cloudflare put together a good overview.


Free cloud host with pihole installed, use dns hijacking for everything that isn't going to your box, at your home LAN.

The hardest part is to figure out the cloud infrastructure, not the Linux, and the Pi.


my understanding is that cloudflare and google are the ones pushing DoT and DoH because they own most of the servs used for these methods, im trying to avoid cloudflare and google if possible, dnscrypt also has more feature and less cons if i can figure out how to use it on openwrt, there are so many variables i think i got lost along the way

as @eginnc said, cloud flare is very open about their policies.

A simple method is to use their dns services using their service or WARP servers.


The old way was to use stubby or similar to encrypt your DNS queries and them look them up via TLS connections. Since then there has been multiple ways to do this. DoT, DoH and the newer but still not widespread QUIC method. That required some complex configuring and knowing linux and ssh commands.

Now there are plugins like https dns and AGH which are far simpler to setup.

Just to get you encrypted DNS simply use their warp plugin on your phones/pcs/laptops. A better way is to do it on your router and thus provide full protection behind your router.

Furthering that protection is adding in something like simple Adblock, AdGuard Home or a PiHole to do content/adblocking.

thank for reply but i am still confused lol, i dont need the full paranoid option but i would like to ensure that my firewall is handling the dns security correctly and that all other providers are blocked, the guide on DNSCrypt proxy 2 seems straight forward but i was not able to figure it out on my last few attempts and the amount of DNS options on openwrt is overwhelming for me as of now

"most secure" it depends on your paranoia level. @mercygroundabyss summed up your options.


this part i don't understand how could be achieved: DoH/T both based on legit protocol used for other purpose. thus deny port 443 which is used by DoH and HTTPS would mean to stop any legit https traffic too. the only way to restrict DoH/T in my opinion is to block known DoH DNS servers, not the "queries" as you cannot do that.

1 Like

Google should be avoided. However Cloudflare have had an audit and they Do NOT save your queries and are privacy focused. Their only aim is decent DNS in a secure manner for the world. However if you really don't want to use them there are multiple secure DNS services all over the world. Quad9 being one of them.

Go read the https://dnsprivacy.org site. It explains the problem, background and solutions available.

Mullvad and Quad9 are among dozens of pre-configured https-dns-proxy pull down menu options - not trying to convince you one way or the other, just letting you know Google and Cloudflare are not your only options with that package.

FWIW, I kept the Cloudflare default, replaced Google with Quad9, and called it a day. After a bit of research and response time testing I decided Cloudflare and Quad9 were decent options for my needs.

1 Like

Correct. There is also a DoT dns block you can use as well.

yes i prefer quad9, and the concerns with cloudflare go beyond dns

thank you, for ease of use i might go with that option, im still trying to figure out dnscrypt proxy 2

you have three aspects to consider:

  • how secure the protocol in use, i.e. in transit how secure it is
  • how trustworthy the DNS reply you receive, i.e. can middle man tamper dns reply, is source of answer trustworthy
  • how much upstream provider respects privacy, i.e. communication is logged, tracked, data is sold for sales etc by upstream

adguard home was already suggested, it supports many DNS providers: https://adguard-dns.io/kb/general/dns-providers/ which is a good starting point to find a comfortable upstream provider. as said google/cloudflare are not the only providers.

1 Like


I certainly understand skepticism but they were publicly audited. They also have multiple dns servers world wide and are usually the fastest to query.

There also filtered DNS services like AdGuard DNS and Cisco Umbrella where hostile servers are filtered and removed. As well as ad servers and family filtering options.

A better question to ask is what are you trying to achieve. Privacy? Filtering? Adblocking?

If its just encrypted dns then a plug-in with upstream private encrypted connection is fine.

If you want filtering / ad-blockign as well then you need other plugins or pihole or AdGuard Home.