DoH and custom DNS servers with OpenWrt

Last edited on 2022-09-17. Tagged under #network #openwrt

DNS-over-HTTPS (DoH) encrypts DNS traffic for greater privacy and security, and is enabled by default for Canadian users of Firefox.

It's configured in Firefox under Edit->Settings->General->Network Settings, where Enable DNS over HTTPS is checked.

For Canadian users, Use Provider is set to CIRA Canadian Shield (Default).

Canadian Shield is a free DNS service offered in three levels:

  • Private offers encrypted DNS resolution but no cybersecurity or filtering (this is what is enabled in Firefox)
  • Protected adds security to the private service by blocking requests to domains known to contain malware or engage in phishing
  • Family adds to the protected service to include blocking pornographic content

Good stuff for web browsing on my own laptop!

How about extending the Canadian Shield service to include all devices on my home network?

I do this by configuring my router/gateway to use the custom DNS servers provided by CIRA. All DNS lookups will flow through the router and be passed on to these servers for resolution.

My setup

  • Internet service provider is Rogers
  • ISP-provided cable modem operates in bridge mode
  • OpenWrt installed on router
  • Dnsmasq (pre-installed) on router handles both DNS and DHCP for home network

Current DNS

Log in to the router's web console.

On Status->Overview, under Network, make note of the current DNS server IP addresses listed for IPv4 Upstream and IPv6 Upstream (these are most likely provided by the ISP).

Keep this information handy in case you need to revert the changes.

WAN interfaces

By default, OpenWrt itself acts as nameserver for the home network. Client devices receive the router's IP (default: The WAN interfaces tell OpenWrt which external DNS servers it should actually use for IP address lookups.

Navigate to Network->Interfaces. I have a WAN interface for IPv4 and a WAN6 interface for IPv6.

Click on Edit for WAN.

Under the Advanced Settings tab:

  • Uncheck Use DNS servers advertised by peers
  • A Use custom DNS servers field appears
  • Click the + to add the DNS addresses for the desired level of protection, taken from CIRA's list of DNS resolver addresses

Click Save.

Back on Interfaces there is a notice that the interface has X pending changes.

Pending changes

Click on the notice and Save & Apply the changes.

Repeat the procedure for WAN6 and add the custom DNS servers for IPv6.

Navigate back to Status->Overview and confirm the change in DNS addresses has been made.
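The same change can be made from the router's shell, which is handy for scripting it or for confirming what the web console did. The script below is an added example and is not part of the original post: it uses OpenWrt's UCI tool to turn off ISP-advertised DNS on an interface (the peerdns option) and set explicit upstream resolvers (the dns list), then checks that dnsmasq picked them up. The resolver addresses shown are documentation placeholders, not CIRA's; the file path dnsmasq reads its upstreams from is assumed to be /tmp/resolv.conf.d/resolv.conf.auto as on current OpenWrt releases.

```shell
#!/bin/sh
# Added example (not from the original post): UCI equivalent of the LuCI steps
# for WAN and WAN6 on OpenWrt, plus a check of the resulting upstream list.
# Addresses below are RFC 5737 / RFC 3849 documentation placeholders; put the
# CIRA resolver addresses for your chosen protection level in their place.

# Print a uci batch that disables peer-advertised DNS on an interface and
# replaces its dns list with the given resolvers.
# Usage: gen_uci_dns_batch <iface> <addr>...
gen_uci_dns_batch() {
    iface="$1"; shift
    printf 'set network.%s.peerdns=0\n' "$iface"
    printf 'delete network.%s.dns\n' "$iface"
    for addr in "$@"; do
        printf 'add_list network.%s.dns=%s\n' "$iface" "$addr"
    done
    printf 'commit network\n'
}

# Apply the batch on the router and reload networking so dnsmasq re-reads
# its upstream list (-q keeps uci quiet if the dns list did not exist yet).
# Usage: apply_dns <iface> <addr>...
apply_dns() {
    gen_uci_dns_batch "$@" | uci -q batch
    /etc/init.d/network reload
}

# Return 0 only if every expected resolver appears as a nameserver line in
# the resolv file dnsmasq uses for upstreams (assumed path on OpenWrt:
# /tmp/resolv.conf.d/resolv.conf.auto). Use after apply_dns to confirm the
# ISP servers are gone and only the chosen resolvers remain in use.
# Usage: check_upstreams <resolv-file> <addr>...
check_upstreams() {
    file="$1"; shift
    for addr in "$@"; do
        grep -qFx "nameserver $addr" "$file" || return 1
    done
    return 0
}

# Only touch the router when invoked as: ./dns.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_dns wan  192.0.2.10 192.0.2.20          # placeholder IPv4 resolvers
    apply_dns wan6 2001:db8::10 2001:db8::20      # placeholder IPv6 resolvers
    check_upstreams /tmp/resolv.conf.d/resolv.conf.auto \
        192.0.2.10 192.0.2.20 2001:db8::10 2001:db8::20 \
        && echo "upstream resolvers set" || echo "resolver check failed"
fi
```

Keeping the ISP addresses noted earlier on hand still matters here: if the check fails, running the same batch with those addresses restores the previous state.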

Thanks for reading!