This article will show you a quick and clean way of getting secure DNS over TLS running on OpenWRT – without resorting to the command line.
We’ll be using stubby – a local DNS resolver that will encrypt local DNS queries and forward them to an external secure DNS resolver Provided by Cloudflare.
Because it’s the default secure DNS resolver in the default stubby configuration, that means we don’t have to edit the config files, and Cloudflare’s servers are fine for general use.
Log in to your OpenWrt router and navigate to:
System -> Software
… then, press the Update Lists button to get the list of installable packages. When it’s done, dismiss the box with the details of the downloaded lists.
In the Filter text box, enter the text ‘stubby’ to find the package we need.
Click the Install button next to the stubby package. Confirm by pressing Install again in the popup that appears.
When it’s done, dismiss the popup with the installation summary.
Set Stubby to Start Automatically
System -> Startup
… scroll down to the stubby entry and ensure it is set to Enabled. Then, press Start next to the stubby entry to make sure it’s running.
Update Network Configuration to use Stubby/Secure DNS
Network -> DHCP and DNS
…and go to the Resolve and Hosts Files tab. Check Ignore resolve file. This tells OpenWrt to ignore its own DNS configuration as it will be using stubby instead.
Hit Save and Apply to confirm the change.
Next, go to the General Settings tab. Scroll down to the DNS Forwardings setting – we will need to add two entries here:
This tells OpenWrt to use the newly installed stubby software package to resolve DNS – it runs on port 5453. The first entry is for IPv4, the second for IPv6.
Scroll down and hit Save and Apply to confirm the change. Make sure the change is applied by going to
System -> Startup
And restarting the dnsmasq service. You could also reboot OpenWrt to make sure all configuration is reloaded.
Test Secure DNS
Head over to:
…and press Check My Browser.
If everything’s working, you’ll see green checkmarks for Secure DNS and DNSSEC.