This configures dnsmasq to forward all of its queries to a stubby instance running on the router itself; stubby then makes the upstream queries over DNS over TLS (TCP port 853), so only encrypted, authenticated DNS leaves the router.
opkg update
opkg install stubby
Edit /etc/config/dhcp, adding the following to the existing config dnsmasq section (127.0.0.1#5453 is the address and port stubby's OpenWrt package listens on by default; noresolv makes dnsmasq ignore the resolvers learned from the WAN interface so that nothing bypasses stubby):
# use stubby
option noresolv '1'
list server '127.0.0.1#5453'
Comment out all of the existing config resolver sections in /etc/config/stubby and instead add the following:
config resolver
option address '9.9.9.9'
option tls_auth_name 'dns.quad9.net'
list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
config resolver
option address '149.112.112.112'
option tls_auth_name 'dns.quad9.net'
list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
config resolver
option address '2620:fe::9'
option tls_auth_name 'dns.quad9.net'
list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
config resolver
option address '2620:fe::fe'
option tls_auth_name 'dns.quad9.net'
list spki 'sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
Each resolver is authenticated in two ways: tls_auth_name checks the certificate's name against dns.quad9.net, and the spki line additionally pins the server's public key. With stubby's default strict authentication an upstream whose key no longer matches the pin is refused, so a key rotation on Quad9's side makes resolution fail until the pin is updated; compare the value against Quad9's currently published pin before relying on it, or leave only the tls_auth_name lines if pinning is not wanted.
Add the following to the config stubby 'global' section:
option tls_cipher_list 'EECDH+CHACHA20'
option tls_ciphersuites 'TLS_CHACHA20_POLY1305_SHA256'
option tls_min_version '1.2'
option tls_max_version '1.3'
These four lines limit stubby to ChaCha20-Poly1305 with ephemeral ECDH on TLS 1.2 (tls_cipher_list) and TLS 1.3 (tls_ciphersuites) and refuse anything older than TLS 1.2; an upstream that does not offer those suites will be unusable, so only keep them for upstreams that do. Enable stubby and restart both services:
/etc/init.d/stubby enable
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart
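The same procedure as a single script driven by uci, OpenWrt's configuration tool, instead of hand edits, followed by a check that the chain works. This is an added example and not part of the original page or the stubby package. It assumes the package's default listener 127.0.0.1#5453 used above, that dnsmasq is the first dnsmasq section in /etc/config/dhcp (dhcp.@dnsmasq[0]) and that the global stubby section is named 'global' as above; the resolver section names quad9_1 to quad9_4 are chosen here for idempotency and are not names the package uses.

```shell
#!/bin/sh
# Added example, not from the original page: the dnsmasq + stubby procedure
# above as uci commands instead of hand edits, plus a check of the result.
# Assumed: stubby's package default listener 127.0.0.1#5453 (as above),
# dnsmasq is the first section in /etc/config/dhcp (dhcp.@dnsmasq[0]), and
# the global stubby section is named 'global' (as above). The resolver
# section names quad9_1..quad9_4 are chosen here, not by the package.

STUBBY_LISTEN='127.0.0.1#5453'
QUAD9_AUTH='dns.quad9.net'
QUAD9_SPKI='sha256//SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg='
QUAD9_ADDRS='9.9.9.9 149.112.112.112 2620:fe::9 2620:fe::fe'

# Emit the uci commands (one per line, in `uci batch` syntax) so they can be
# reviewed before being applied; these two functions touch nothing.
dnsmasq_uci_commands() {
    # noresolv: ignore the WAN-learned resolvers and use only the server list
    printf 'set dhcp.@dnsmasq[0].noresolv=1\n'
    printf 'add_list dhcp.@dnsmasq[0].server=%s\n' "$STUBBY_LISTEN"
}

stubby_uci_commands() {
    i=0
    for addr in $QUAD9_ADDRS; do
        i=$((i + 1))
        # named sections so re-running the script does not duplicate them;
        # each one authenticates by certificate name and pins the SPKI
        printf 'set stubby.quad9_%d=resolver\n' "$i"
        printf 'set stubby.quad9_%d.address=%s\n' "$i" "$addr"
        printf 'set stubby.quad9_%d.tls_auth_name=%s\n' "$i" "$QUAD9_AUTH"
        printf 'add_list stubby.quad9_%d.spki=%s\n' "$i" "$QUAD9_SPKI"
    done
    printf 'set stubby.global.tls_cipher_list=EECDH+CHACHA20\n'
    printf 'set stubby.global.tls_ciphersuites=TLS_CHACHA20_POLY1305_SHA256\n'
    printf 'set stubby.global.tls_min_version=1.2\n'
    printf 'set stubby.global.tls_max_version=1.3\n'
}

apply() {
    # drop the shipped anonymous resolver sections (the "comment out" step)
    while uci -q delete stubby.@resolver[0]; do :; done
    uci -q delete dhcp.@dnsmasq[0].server || true   # no stale upstreams
    stubby_uci_commands | uci batch
    dnsmasq_uci_commands | uci batch
    uci commit stubby
    uci commit dhcp
    /etc/init.d/stubby enable
    /etc/init.d/stubby restart
    /etc/init.d/dnsmasq restart
}

verify() {
    # stubby must be listening where dnsmasq points, and a query through
    # dnsmasq (port 53) must succeed; stubby's own errors show up in logread
    port="${STUBBY_LISTEN#*#}"
    netstat -ln 2>/dev/null | grep -q ":$port " \
        || { echo "stubby is not listening on $STUBBY_LISTEN"; return 1; }
    nslookup openwrt.org 127.0.0.1 >/dev/null 2>&1 \
        || { echo "query via dnsmasq failed; check: logread -e stubby"; return 1; }
    echo "OK: dnsmasq -> stubby -> DNS over TLS"
}

case "${1:-print}" in
    apply)  apply ;;
    verify) verify ;;
    *)      dnsmasq_uci_commands; stubby_uci_commands ;;
esac
```

Run it with no argument to see the uci commands it would issue, with `apply` to make the changes and restart the services, and with `verify` afterwards. One failure mode worth knowing when verify fails right after a reboot: certificate validation in stubby needs a roughly correct clock, and a router without a battery-backed clock that fetches time from NTP servers given by hostname cannot resolve those hostnames until stubby is already working; pointing the NTP client at IP addresses breaks that loop.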