
@davidwu111
Last active May 13, 2023 12:21
Enable Openwrt using DoH with dnscrypt-proxy2

OpenWrt with DoH

This article describes how to use DoH (DNS over HTTPS) on OpenWrt: dnscrypt-proxy 2 acts as the upstream DNS server and dnsmasq forwards all DNS queries to it.


Installation

I prefer to compile packages directly into OpenWrt. If you would rather install with opkg, use OpenWrt's official package feeds; see the opkg installation notes here: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#package-installation

Do NOT use the dnscrypt-proxy found under LuCI --> Applications (the older dnscrypt-proxy 1.x package with its LuCI app). When I tried it, it supported only a very limited set of options and left little room for custom configuration.

Install dnscrypt-proxy 2 instead; in menuconfig it is under Network --> dnscrypt-proxy2. Here is a quick link to the project's GitHub page: https://github.com/DNSCrypt/dnscrypt-proxy

OpenWrt Configuration

These follow the official recommended tweaks at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks

  • Ignore ISP's default DNS.

    Edit file /etc/config/dhcp

    config dnsmasq
      # Ignore ISP's DNS by not reading upstream servers from /etc/resolv.conf
      option noresolv '1'
      # Ensures that /etc/resolv.conf directs local system processes to use dnsmasq and hence dnscrypt-proxy
      option localuse '1'
      # Disable dnsmasq cache because we don't want to cache twice and the dnscrypt-proxy cache is superior
      option cachesize '0'
    
  • Set up NTP to work without DNS.

    dnscrypt-proxy needs a correct clock to validate the DoH servers' TLS certificates, but OpenWrt's default NTP servers are hostnames that cannot be resolved until dnscrypt-proxy works. Break the loop by adding NTP servers by IP address. Edit /etc/config/system and, under the section config timeserver 'ntp', add (these two are in China, as the author is; pick servers near you otherwise):

    # Aliyun, by IP
    list server '203.107.6.88'
    # USTC, by IP
    list server '202.38.64.7'

  • Force LAN clients through dnscrypt-proxy by intercepting plain DNS.

    Add the following rules to /etc/config/firewall. The redirect rewrites every LAN packet to port 53, whatever its destination, so the router's dnsmasq (and hence dnscrypt-proxy) answers it; the rule after it closes the DoT port. Two limits worth knowing: the reject covers TCP only, so DNS-over-QUIC (UDP 853) would need a second rule with proto 'udp', and neither rule can stop a client that does DoH itself (a browser with its own DoH setting, for instance), because that is ordinary HTTPS on port 443.

    # Redirect unencrypted DNS queries to dnscrypt-proxy
    # This will thwart manual DNS client settings and hardcoded DNS servers like in Google devices
    config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option dest 'lan'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

    # Block DNS-over-TLS over port 853
    # Assuming you're not actually running a DoT stub resolver
    config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp'
        option target 'REJECT'

    # Optional: Redirect queries for DNS servers running on non-standard ports. Can repeat for 9953, 1512, 54. Check https://github.com/parrotgeek1/ProxyDNS for examples.
    # Warning: can break stuff, don't use this one if you run an mDNS server
    config redirect
        option name 'Divert-DNS, port 5353'
        option src 'lan'
        option dest 'lan'
        option src_dport '5353'
        option dest_port '53'
        option target 'DNAT'
    
  • Reload services:

    /etc/init.d/firewall reload

    /etc/init.d/sysntpd restart

    /etc/init.d/dnsmasq restart
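The same edits, scripted with uci so they can be applied in one go and re-run without duplicating sections. This is an added example, not part of the original gist: it assumes dnscrypt-proxy will listen on 127.0.0.1:5335 (the port used later on this page, written 127.0.0.1#5335 in dnsmasq syntax), the default zone names lan and wan, and that the section names divert_dns and reject_dot are not already used in /etc/config/firewall. Run it on the router as sh apply-dns-divert.sh apply; without the argument it only defines the functions.

```sh
#!/bin/sh
# apply-dns-divert.sh: the /etc/config edits above, scripted with uci.
# Added example, not part of the original gist. Assumptions (adjust as needed):
#   - dnscrypt-proxy listens on 127.0.0.1:5335 (dnsmasq writes it as 127.0.0.1#5335)
#   - the firewall zones are the default 'lan' and 'wan'
#   - the section names divert_dns and reject_dot are free in /etc/config/firewall
set -e
DNSCRYPT_LISTEN="${DNSCRYPT_LISTEN:-127.0.0.1#5335}"

# Add a value to a UCI list exactly once: del_list first so re-runs do not
# append duplicates (-q and || true swallow the "not found" of the first run).
list_once() {
    uci -q del_list "$1" || true
    uci add_list "$1"
}

apply_dnsmasq() {
    uci set 'dhcp.@dnsmasq[0].noresolv=1'    # ignore the ISP's resolvers
    uci set 'dhcp.@dnsmasq[0].localuse=1'    # the router itself resolves via dnsmasq
    uci set 'dhcp.@dnsmasq[0].cachesize=0'   # dnscrypt-proxy caches instead
    list_once "dhcp.@dnsmasq[0].server=$DNSCRYPT_LISTEN"
}

apply_ntp() {
    # NTP servers by IP so the clock can be set before DNS works
    list_once 'system.ntp.server=203.107.6.88'
    list_once 'system.ntp.server=202.38.64.7'
}

# Named sections: 'uci set firewall.divert_dns=redirect' creates the section
# on the first run and merely updates it afterwards, unlike
# 'uci add firewall redirect', which appends an anonymous section every time.
apply_firewall() {
    uci set 'firewall.divert_dns=redirect'
    uci set 'firewall.divert_dns.name=Divert-DNS, port 53'
    uci set 'firewall.divert_dns.src=lan'
    uci set 'firewall.divert_dns.dest=lan'
    uci set 'firewall.divert_dns.src_dport=53'
    uci set 'firewall.divert_dns.dest_port=53'
    uci set 'firewall.divert_dns.target=DNAT'

    uci set 'firewall.reject_dot=rule'
    uci set 'firewall.reject_dot.name=Reject-DoT, port 853'
    uci set 'firewall.reject_dot.src=lan'
    uci set 'firewall.reject_dot.dest=wan'
    uci set 'firewall.reject_dot.dest_port=853'
    uci set 'firewall.reject_dot.proto=tcp'
    uci set 'firewall.reject_dot.target=REJECT'
}

# Stage everything, then commit each config file once.
apply_all() {
    apply_dnsmasq
    apply_ntp
    apply_firewall
    uci commit dhcp
    uci commit system
    uci commit firewall
}

# Only touch the router when explicitly asked: sh apply-dns-divert.sh apply
case "${1:-}" in
apply)
    apply_all
    /etc/init.d/firewall reload
    /etc/init.d/sysntpd restart
    /etc/init.d/dnsmasq restart
    ;;
esac
```

Named sections are what make the script safe to re-run: uci set firewall.divert_dns=redirect creates the section once and later runs only update its options, whereas uci add firewall redirect would append another anonymous section each time. The uci -q del_list before add_list likewise keeps list options from accumulating duplicates. Check the staged result with uci show firewall.divert_dns before reloading.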

dnscrypt-proxy Configuration

The default configuration file is well commented, and the common DoH services are already pre-defined, which is enough in most cases.
The config file is located at /etc/dnscrypt-proxy2/dnscrypt-proxy.toml

The pre-defined public resolvers are listed at: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md Pick the ones you want by name, for example:

server_names = ['alidns-doh', 'dnspod']

If the DoH server you want is not in the pre-defined list, add it as a static server following this guide: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration#an-example-static-server-entry

Set the address and port dnscrypt-proxy listens on (listen_addresses in the toml). Port 53 is already taken by dnsmasq, and 5353 is used by mDNS (and is redirected to port 53 if you added the optional firewall rule above), so use another one, such as 127.0.0.1:5335, which is the port assumed in the rest of this page. If the service fails to start, check the system log with logread.

  • Restart the service: /etc/init.d/dnscrypt-proxy restart

Optional: set up a domain blacklist and an IP blacklist.

Add below to your configuration file:

 [blocked_names]
   ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
   blocked_names_file = 'dnscrypt-blacklist-domains.txt'
   log_file = 'dnscrypt-blacklist-domains.log'
   log_format = 'tsv'

 [blocked_ips]
   blocked_ips_file = 'dnscrypt-blacklist-ips.txt'
   log_file = 'dnscrypt-blacklist-ips.log'
   log_format = 'tsv'

Set up a simple script to update these two lists. Bear in mind that this hands control of what your resolver blocks to whoever maintains that repository: a bad list cannot redirect you anywhere, but it can make names unresolvable. Pin the URLs to a specific commit instead of master, or review the diff before installing, if that matters to you.

nano /etc/dnscrypt-proxy2/update-dnscrypt-blacklist.sh

Here is the content of the script:

#!/bin/sh
# Download each list to a temp file and only replace the live copy if curl
# succeeded (-f fails on HTTP errors) and the file is non-empty, so a timeout
# or a 404 page never leaves dnscrypt-proxy with an empty or broken blocklist.
set -e
DIR=/etc/dnscrypt-proxy2
BASE=https://raw.githubusercontent.com/CNMan/dnscrypt-proxy-config/master
for f in dnscrypt-blacklist-domains.txt dnscrypt-blacklist-ips.txt; do
    curl -fsS -m 10 -o "$DIR/$f.tmp" "$BASE/$f" && [ -s "$DIR/$f.tmp" ] \
        || { rm -f "$DIR/$f.tmp"; echo "update of $f failed, keeping old list" >&2; exit 1; }
    mv "$DIR/$f.tmp" "$DIR/$f"
done
# Restart dnscrypt-proxy so the new lists are loaded
/etc/init.d/dnscrypt-proxy restart

Make the script executable with chmod +x:

chmod +x /etc/dnscrypt-proxy2/update-dnscrypt-blacklist.sh

Test the script by running it.

/etc/dnscrypt-proxy2/update-dnscrypt-blacklist.sh

Create a cron job to run the script weekly, for example with crontab -e (and make sure crond is enabled and running: /etc/init.d/cron enable; /etc/init.d/cron start):

0 16 * * 5 /etc/dnscrypt-proxy2/update-dnscrypt-blacklist.sh

This runs the script at 4 PM every Friday to update the two lists.

Verify that the configuration works

Try:

dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve google.com

The "Resolver IP" it reports should not belong to your ISP; if it does, queries are not going out through the DoH servers you configured.

Let dnsmasq forward all DNS queries to dnscrypt-proxy.

With noresolv set above, dnsmasq has no upstream at all until you point it at dnscrypt-proxy. In LuCI, set the DNS forwarding to "127.0.0.1#5335" if dnscrypt-proxy listens on port 5335. Or edit /etc/config/dhcp and add, under config dnsmasq:

list server '127.0.0.1#5335'

then restart dnsmasq with /etc/init.d/dnsmasq restart.
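A client-side check that the divert actually bites, added here and not part of the original gist. Run from a LAN client, it asks the router and then a public resolver directly for a name only the router's dnsmasq knows, and probes TCP/853. If the port-53 redirect is in place, the query addressed to 8.8.8.8 never leaves the LAN and comes back with the same answer the router gave; if it is not, 8.8.8.8 answers for real (no such record), which the script reports as a failure. ROUTER, LAN_NAME, PUBLIC_DNS and DOT_TARGET are placeholder values to adjust (LAN_NAME must be a hostname your dnsmasq serves, such as a DHCP client's name under the lan domain); the client needs dig (bind-tools/dnsutils) and a netcat that supports -z.

```sh
#!/bin/sh
# check-dns-divert.sh: run on a LAN client to confirm the router really
# intercepts DNS. Added example, not part of the original gist.
# Placeholder values, adjust for your LAN:
ROUTER="${ROUTER:-192.168.1.1}"          # the OpenWrt box running dnsmasq
LAN_NAME="${LAN_NAME:-openwrt.lan}"      # a name only the router's dnsmasq can answer
PUBLIC_DNS="${PUBLIC_DNS:-8.8.8.8}"      # a resolver a client might hard-code to bypass you
DOT_TARGET="${DOT_TARGET:-1.1.1.1}"      # a DoT server, to confirm TCP/853 is rejected

# Interpret the observations. Arguments:
#   $1  answer for LAN_NAME when asking ROUTER directly ("" if none)
#   $2  answer for LAN_NAME when asking PUBLIC_DNS directly ("" if none)
#   $3  "open" or "closed": whether TCP/853 to DOT_TARGET accepted a connection
# Prints one line per finding; returns 0 only if every check passed.
verdict() {
    via_router=$1; via_public=$2; dot=$3; rc=0
    if [ -z "$via_router" ]; then
        echo "FAIL: $ROUTER gave no answer for $LAN_NAME; dnsmasq is not serving the LAN (or LAN_NAME is wrong)"
        rc=1
    elif [ "$via_public" = "$via_router" ]; then
        echo "OK:   the query sent to $PUBLIC_DNS came back with the router's answer; port-53 divert works"
    elif [ -z "$via_public" ]; then
        echo "FAIL: $PUBLIC_DNS answered for real (no record for $LAN_NAME); port-53 divert is NOT in effect"
        rc=1
    else
        echo "FAIL: $PUBLIC_DNS returned $via_public, not the router's $via_router; something else is answering"
        rc=1
    fi
    if [ "$dot" = "closed" ]; then
        echo "OK:   TCP/853 to $DOT_TARGET is blocked"
    else
        echo "FAIL: TCP/853 to $DOT_TARGET is reachable; DoT is not rejected"
        rc=1
    fi
    return $rc
}

# First A record from dig, or "" on NXDOMAIN / timeout (dig's ";;" status lines dropped).
lookup() {
    dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | grep -v '^;' | head -n 1
}

# Live probes run only when invoked as: sh check-dns-divert.sh check
case "${1:-}" in
check)
    r=$(lookup "$ROUTER" "$LAN_NAME")
    p=$(lookup "$PUBLIC_DNS" "$LAN_NAME")
    if nc -z -w 3 "$DOT_TARGET" 853 2>/dev/null; then d=open; else d=closed; fi
    verdict "$r" "$p" "$d"
    ;;
esac
```

Do not rely on dig's own ";; SERVER:" line for this: the DNAT un-rewrites the reply's source address on the way back, so it still shows 8.8.8.8 even when the router answered. Comparing the answer itself is what tells the two cases apart. A client that speaks DoH on its own is outside what this script (or the firewall rules) can detect.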
