A lean RFC8484-compatible (no JSON API support) DNS-over-HTTPS (DoH) proxy service which supports DoH servers ran by AdGuard, CleanBrowsing, Cloudflare, Google, ODVR (nic.cz) and Quad9. Based on @aarond10’s https-dns-proxy.
This proxy requires the following packages to be installed on your router:
ca-bundle. They will be automatically installed when you’re installing
If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the requirements you get errors), please flash either current OpenWrt release image or current development/snapshot image.
luci-app-https-dns-proxy packages from Web UI or run the following in the command line:
opkg update; opkg install https-dns-proxy luci-app-https-dns-proxy;
Default configuration has service enabled and starts the service with Google and Cloudflare DoH servers. In most configurations, you will keep the default
DNSMASQ service installed to handle requests from devices in your local network and point
DNSMASQ to use
https-dns-proxy for name resolution.
By default, the service will intelligently override existing
DNSMASQ servers settings on start to use the DoH servers and restores original
DNSMASQ servers on stop. See the Configuration Settings section below for more information and how to disable this behavior.
Configuration contains the (named) “main” config section where you can configure which
DNSMASQ settings the service will automatically affect and the typed (unnamed) https-dns-proxy instance settings. The original config file is included below:
config main 'config' option update_dnsmasq_config '*' config https-dns-proxy option bootstrap_dns '220.127.116.11,18.104.22.168' option resolver_url 'https://dns.google/dns-query' option listen_addr '127.0.0.1' option listen_port '5053' option user 'nobody' option group 'nogroup' config https-dns-proxy option bootstrap_dns '22.214.171.124,126.96.36.199' option resolver_url 'https://cloudflare-dns.com/dns-query' option listen_addr '127.0.0.1' option listen_port '5054' option user 'nobody' option group 'nogroup'
update_dnsmasq_config option can be set to dash (set to
'-' to not change
DNSMASQ server settings on start/stop), can be set to
'*' to affect all
DNSMASQ instance server settings or have a space-separated list of
DNSMASQ instances or named sections to affect (like
'0 4 5' or
'0 backup_dns 5'). If this option is omitted, the default setting is
'*'. When the service is set to update the DNSMASQ servers setting on start/stop, it does not override entries which contain either
/, so the entries like listed below will be kept in use:
list server '/onion/127.0.0.1#65453' list server '/openwrt.org/188.8.131.52' list server '/pool.ntp.org/184.108.40.206' list server '127.0.0.1#15353' list server '127.0.0.1#55353' list server '127.0.0.1#65353'
The https-dns-proxy instance settings are:
|bootstrap_dns||IP Address||The non-encrypted DNS servers to be used to resolve the DoH server name on start.|
|dscp_codepoint||Integer [0-63]||Optional DSCP codepoint [0-63] to set on upstream DNS server connections.|
|listen_addr||IP Address||127.0.0.1||The local IP address to listen to requests.|
|listen_port||Port||5053 and up||If this setting is omitted, the service will start the first https-dns-proxy instance on port 5053, second on 5054 and so on.|
|logfile||Filepath||Full filepath to the file to log the instance events to.|
|polling_interval||Integer [5-3600]||120||Optional polling interval of DNS servers.|
|resolver_url||URL||The https URL to the RFC8484-compatible resolver.|
|proxy_server||URL||Local proxy server to use when accessing resolvers.|
|user||String||nobody||Local user to run instance under.|
|group||String||nogroup||Local group to run instance under.|
|use_http1||Boolean||0||If set to 1, use HTTP/1 on installations with broken/outdated
|verbosity||Integer||0||Logging verbosity level. Fatal = 0, error = 1, warning = 2, info = 3, debug = 4.|
|use_ipv6_resolvers_only||Boolean||0||If set to 1, forces IPv6 DNS resolvers instead of IPv4.|
This OpenWrt package wouldn’t have been possible without @aarond10’s https-dns-proxy and his active participation in the OpenWrt package itself. Thanks to @oldium and @curtdept for their contributions to this package. Special thanks to @jow- for general package/luci guidance.