Home » Networking » OpenWrt » Secure Dns Tls Openwrt Luci

OpenWRT: Secure DNS over TLS with LuCI [No Command Line]

This article will show you a quick and clean way of getting secure DNS over TLS running on OpenWRT – without resorting to the command line.

If follows on from our other OpenWrt Articles.

We’ll be using stubby – a local DNS resolver that will encrypt local DNS queries and forward them to an external secure DNS resolver Provided by Cloudflare.

Why Cloudflare?

Because it’s the default secure DNS resolver in the default stubby configuration, that means we don’t have to edit the config files, and Cloudflare’s servers are fine for general use.

Install Stubby

Log in to your OpenWrt router and navigate to:

System -> Software

… then, press the Update Lists button to get the list of installable packages. When it’s done, dismiss the box with the details of the downloaded lists.

In the Filter text box, enter the text ‘stubby’ to find the package we need.

openwrt secure dns 00002

Click the Install button next to the stubby package. Confirm by pressing Install again in the popup that appears.

When it’s done, dismiss the popup with the installation summary.

Set Stubby to Start Automatically

Navigate to:

System -> Startup

… scroll down to the stubby entry and ensure it is set to Enabled. Then, press Start next to the stubby entry to make sure it’s running.

openwrt secure dns 00003

Update Network Configuration to use Stubby/Secure DNS

Navigate to:

Network -> DHCP and DNS

…and go to the Resolve and Hosts Files tab. Check Ignore resolve file. This tells OpenWrt to ignore its own DNS configuration as it will be using stubby instead.

Hit Save and Apply to confirm the change.

Next, go to the General Settings tab. Scroll down to the DNS Forwardings setting – we will need to add two entries here:

openwrt secure dns 00001

This tells OpenWrt to use the newly installed stubby software package to resolve DNS – it runs on port 5453. The first entry is for IPv4, the second for IPv6.

Scroll down and hit Save and Apply to confirm the change. Make sure the change is applied by going to

System -> Startup

And restarting the dnsmasq service. You could also reboot OpenWrt to make sure all configuration is reloaded.

All done!

Test Secure DNS

Head over to:


…and press Check My Browser.

If everything’s working, you’ll see green checkmarks for Secure DNS and DNSSEC.

Photo of author
I'm Brad, and I'm nearing 20 years of experience with Linux. I've worked in just about every IT role there is before taking the leap into software development. Currently, I'm building desktop and web-based solutions with NodeJS and PHP hosted on Linux infrastructure. Visit my blog or find me on Twitter to see what I'm up to.

Leave a Comment