Welcome to docs.openwrt.melmac.net!

DNS Over HTTPS Proxy (https-dns-proxy)


A lean RFC8484-compatible (no JSON API support) DNS-over-HTTPS (DoH) proxy service which supports DoH servers ran by AdGuard, CleanBrowsing, Cloudflare, Google, ODVR (nic.cz) and Quad9. Based on @aarond10’s https-dns-proxy.


Screenshots (luci-app-https-dns-proxy)



This proxy requires the following packages to be installed on your router: libc, libcares, libcurl, libev, ca-bundle. They will be automatically installed when you’re installing https-dns-proxy.

Unmet Dependencies

If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the requirements you get errors), please flash either current OpenWrt release image or current development/snapshot image.

How To Install

Install https-dns-proxy and luci-app-https-dns-proxy packages from Web UI or run the following in the command line:

opkg update; opkg install https-dns-proxy luci-app-https-dns-proxy;

Default Settings

Default configuration has service enabled and starts the service with Google and Cloudflare DoH servers. In most configurations, you will keep the default DNSMASQ service installed to handle requests from devices in your local network and point DNSMASQ to use https-dns-proxy for name resolution.

By default, the service will intelligently override existing DNSMASQ servers settings on start to use the DoH servers and restores original DNSMASQ servers on stop. See the Configuration Settings section below for more information and how to disable this behavior.

Configuration Settings

Configuration contains the general (named) “main” config section where you can configure which DNSMASQ settings the service will automatically affect and the typed (unnamed) https-dns-proxy instance settings. The original config file is included below:

config main 'config'
  option update_dnsmasq_config '*'
  option force_dns '1'
  list force_dns_port '53'
  list force_dns_port '853'

config https-dns-proxy
  option bootstrap_dns ','
  option resolver_url 'https://dns.google/dns-query'
  option listen_addr ''
  option listen_port '5053'
  option user 'nobody'
  option group 'nogroup'

config https-dns-proxy
  option bootstrap_dns ','
  option resolver_url 'https://cloudflare-dns.com/dns-query'
  option listen_addr ''
  option listen_port '5054'
  option user 'nobody'
  option group 'nogroup'

General Settings


The update_dnsmasq_config option can be set to dash (set to '-' to not change DNSMASQ server settings on start/stop), can be set to '*' to affect all DNSMASQ instance server settings or have a space-separated list of DNSMASQ instances or named sections to affect (like '0 4 5' or '0 backup_dns 5'). If this option is omitted, the default setting is '*'. When the service is set to update the DNSMASQ servers setting on start/stop, it does not override entries which contain either # or /, so the entries like listed below will be kept in use:

  list server '/onion/'
  list server '/openwrt.org/'
  list server '/pool.ntp.org/'
  list server ''
  list server ''
  list server ''


The force_dns setting is used to force the router’s default resolver to all connected devices even if they are set to use other DNS resolvers or if other DNS resolvers are hardcoded in connected devices’ settings. You can additionally control which ports the force_dns setting should be actvive on, the default values are 53 (regular DNS) and 853 (DNS over TLS). If the listed port is open/active on OpenWrt router, the service will create a redirect to the indicated port number, otherwise the service will create a REJECT rule.

Instance Settings

The https-dns-proxy instance settings are:

Parameter Type Default Description
bootstrap_dns IP Address   The non-encrypted DNS servers to be used to resolve the DoH server name on start.
dscp_codepoint Integer [0-63]   Optional DSCP codepoint [0-63] to set on upstream DNS server connections.
listen_addr IP Address The local IP address to listen to requests.
listen_port Port 5053 and up If this setting is omitted, the service will start the first https-dns-proxy instance on port 5053, second on 5054 and so on.
logfile Filepath   Full filepath to the file to log the instance events to.
polling_interval Integer [5-3600] 120 Optional polling interval of DNS servers.
resolver_url URL   The https URL to the RFC8484-compatible resolver.
proxy_server URL   Optional HTTP proxy. e.g. socks5:// Remote name resolution will be used if the protocol supports it (http, https, socks4a, socks5h), otherwise initial DNS resolution will still be done via the bootstrap DNS servers.
user String nobody Local user to run instance under.
group String nogroup Local group to run instance under.
use_http1 Boolean 0 If set to 1, use HTTP/1 on installations with broken/outdated curl package. Included for posterity reasons, you will most likely not ever need it on OpenWrt.
verbosity Integer 0 Logging verbosity level. Fatal = 0, error = 1, warning = 2, info = 3, debug = 4.
use_ipv6_resolvers_only Boolean 0 If set to 1, forces IPv6 DNS resolvers instead of IPv4.

Please also refer to the Usage section at upstream README which may contain additional/more details on some parameters.


This OpenWrt package wouldn’t have been possible without @aarond10’s https-dns-proxy and his active participation in the OpenWrt package itself. Thanks to @oldium and @curtdept for their contributions to this package. Special thanks to @jow- for general package/luci guidance.