@Juul
Created May 13, 2024 16:11
DNS over TLS on OpenWRT using stubby and Quad9 9.9.9.9

This configures dnsmasq to forward all upstream queries to a stubby instance listening on 127.0.0.1 port 5453; stubby then makes the DNS over TLS requests to Quad9. Only the router-to-Quad9 leg is encrypted; LAN clients still talk plain DNS to dnsmasq on the router.

opkg update
opkg install stubby

Edit /etc/config/dhcp, adding the following to the config dnsmasq section:

# use stubby only: noresolv keeps dnsmasq from also using the upstreams in /etc/resolv.conf,
# so every query goes through the DoT forwarder
option noresolv '1'
list server '127.0.0.1#5453'

Comment out all of the existing config resolver sections in /etc/config/stubby and instead add the following. The spki values pin Quad9's TLS public key; if Quad9 rotates that key the pin has to be updated, so verify it against Quad9's published value before deploying:

config resolver
        option address '9.9.9.9'
        option tls_auth_name 'dns.quad9.net'
        list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='

config resolver
        option address '149.112.112.112'
        option tls_auth_name 'dns.quad9.net'
        list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='

config resolver
        option address '2620:fe::9'
        option tls_auth_name 'dns.quad9.net'
        list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='

config resolver
        option address '2620:fe::fe'
        option tls_auth_name 'dns.quad9.net'
        list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='

Add the following to the config stubby 'global' section. tls_cipher_list applies to TLS 1.2 and tls_ciphersuites to TLS 1.3; together they restrict stubby to ECDHE key exchange with ChaCha20-Poly1305 and refuse anything below TLS 1.2:

        # ECDHE + ChaCha20-Poly1305 only, TLS 1.2 or 1.3
        option tls_cipher_list 'EECDH+CHACHA20'
        option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256'
        option tls_min_version '1.2'
        option tls_max_version '1.3'

Enable stubby and restart:

/etc/init.d/stubby enable
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart
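A sanity check for the two config edits above, added here as an example and not part of the gist or of the OpenWrt/stubby projects. It parses UCI-style text with awk and reports any config resolver block that lacks a tls_auth_name or an spki pin (a resolver left without authentication is the easy mistake when hand-editing /etc/config/stubby), and confirms that the dnsmasq section of /etc/config/dhcp has noresolv set and points at 127.0.0.1#5453. The sample files it writes are constructed for the demo; on a router you would point the functions at the real /etc/config/stubby and /etc/config/dhcp.

```shell
#!/bin/sh
# Added example: offline checks for the stubby/dnsmasq UCI edits.
# Assumes the UCI layout shown in the gist (config <type>, option/list lines).

# check_resolvers FILE
#   exit 0 if every 'config resolver' block has tls_auth_name and at least
#   one spki pin; exit 1 (and print what is missing) otherwise.
#   Commented-out lines (# ...) are ignored, as UCI ignores them.
check_resolvers() {
    awk '
        function flush() {
            if (inblock) {
                n++
                if (!have_auth || !have_pin) {
                    printf("resolver block %d: missing %s%s\n", n,
                           have_auth ? "" : "tls_auth_name ",
                           have_pin ? "" : "spki")
                    bad++
                }
            }
            inblock = 0; have_auth = 0; have_pin = 0
        }
        /^[ \t]*config[ \t]+/ { flush(); if ($2 == "resolver") inblock = 1; next }
        inblock && $1 == "option" && $2 == "tls_auth_name" { have_auth = 1 }
        inblock && $1 == "list" && $2 == "spki" { have_pin = 1 }
        END {
            flush()
            if (n == 0) { print "no resolver blocks found"; exit 1 }
            exit (bad > 0)
        }
    ' "$1"
}

# check_dnsmasq_forward FILE
#   exit 0 if the 'config dnsmasq' block has option noresolv 1 and
#   list server 127.0.0.1#5453; exit 1 otherwise.
check_dnsmasq_forward() {
    awk -v q="'" '
        /^[ \t]*config[ \t]+/ { inblock = ($2 == "dnsmasq"); next }
        inblock {
            v = $3; gsub(q, "", v)          # strip the UCI single quotes
            if ($1 == "option" && $2 == "noresolv" && v == "1") noresolv = 1
            if ($1 == "list" && $2 == "server" && v == "127.0.0.1#5453") stubby = 1
        }
        END {
            if (!noresolv) print "dnsmasq: option noresolv 1 missing (resolv.conf upstreams still used)"
            if (!stubby) print "dnsmasq: list server 127.0.0.1#5453 missing"
            exit !(noresolv && stubby)
        }
    ' "$1"
}

# Constructed sample files: one correct set and one with typical mistakes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stubby.good" <<'EOF'
config stubby 'global'
        option tls_min_version '1.2'

config resolver
        option address '9.9.9.9'
        option tls_auth_name 'dns.quad9.net'
        list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
EOF
cat > "$SAMPLE_DIR/stubby.bad" <<'EOF'
# config resolver
#        option address '203.0.113.1'
config resolver
        option address '149.112.112.112'
        option tls_auth_name 'dns.quad9.net'
EOF
cat > "$SAMPLE_DIR/dhcp.good" <<'EOF'
config dnsmasq
        option domainneeded '1'
        option noresolv '1'
        list server '127.0.0.1#5453'

config dhcp 'lan'
        option interface 'lan'
EOF
cat > "$SAMPLE_DIR/dhcp.bad" <<'EOF'
config dnsmasq
        list server '127.0.0.1#5453'
EOF

for f in stubby.good stubby.bad; do
    if check_resolvers "$SAMPLE_DIR/$f"; then echo "$f: every resolver authenticated and pinned"; fi
done
for f in dhcp.good dhcp.bad; do
    if check_dnsmasq_forward "$SAMPLE_DIR/$f"; then echo "$f: dnsmasq forwards only to stubby"; fi
done
```

Run it on the router after editing (or copy the two files off the device and run it elsewhere); a non-zero exit from either function means the corresponding edit is incomplete and stubby or dnsmasq will not behave as the gist intends.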