DoH and custom DNS servers with OpenWrt

Last updated on 2022-09-17 Tagged under  #network   #openwrt 

DNS-over-HTTPS (DoH) encrypts DNS traffic for greater privacy and security, and is enabled by default for Canadian users of Firefox.

Its configured in Firefox under Edit->Settings->General->Network Settings, where Enable DNS over HTTPS is checked.

DNS Use Provider for Canadians is CIRA Canadian Shield (Default).

Canadian Shield is a free DNS service offered in three levels:

Good stuff for web browsing on my own laptop!

How about extending the Canadian Shield service to include all devices on my home network?

I do this by configuring my router/gateway to use the custom DNS servers provided by CIRA. All DNS lookups will flow through the router and be passed on to these servers for resolution.

My setup

Current DNS

Login to the web console on router.

On Status->Overview under Network make note of the current DNS servers and their IP addresses of the DNS servers for IPv4 Upstream and IPv6 Upstream (these are most likely provided by the ISP).

Keep this information handy in case you need to revert the changes.

WAN interfaces

By default, OpenWrt itself acts as nameserver for the home network. Client devices receive the router's IP (default: 191.168.1.1). The WAN interfaces tell OpenWrt which external DNS servers it should actually use for IP address lookups.

Navigate to Network->Interfaces. I have a WAN interface for IPv4 and a WAN6 interface for IPv6.

Click on Edit for WAN.

Under the Advanced Settings tab:

Click Save.

Back on Interfaces there is a notice that Interface has X pending changes.

Pending changes

Click on the notice and Save & Apply the changes.

Repeat the procedure for WAN6 and add the custom DNS servers for IPv6.

Navigate back to Status->Overview and confirm the change in DNS addresses has been made.

Thanks for reading! Read other posts?

» Later: A backup you don't have to think about is a backup that gets done

« Earlier: Minimal Debian Bullseye