This article describes how to set up a local caching DNS server on OpenWrt that forwards cache misses to public recursive resolvers over DNS-over-TLS, so that DNS queries cannot be read or altered while in transit on the network path.
First, adjust the network configuration. Because this OpenWrt device will act as a DNS server rather than as the router, its own DNS/DHCP services (dnsmasq and odhcpd) are not needed and are disabled; the router keeps serving DHCP and the LAN's host names. In this example the router is 192.168.1.1, the local domain is "lan", and the OpenWrt DNS server gets the static address 192.168.1.53. The device's own resolv.conf is pointed at the router so that local names still resolve before unbound is running.
# service dnsmasq stop
# service odhcpd stop
# service dnsmasq disable
# service odhcpd disable
# uci set network.lan.ipaddr="192.168.1.53"
# uci set network.lan.gateway="192.168.1.1"
# uci commit
# rm /etc/resolv.conf
# echo -e "search lan\nnameserver 192.168.1.1" > /etc/resolv.conf
# service network restart
Now install stubby and unbound:
# opkg update
# opkg install stubby ca-certificates unbound unbound-control
Edit /etc/stubby/stubby.yml so that its upstream_recursive_servers section lists only resolvers you trust and that support DNS-over-TLS. Keep tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED (strict mode) so that stubby refuses to use an upstream whose certificate does not validate for the given tls_auth_name against the installed CA bundle (this is why ca-certificates was installed above); without it a man-in-the-middle could downgrade or impersonate the upstream. For example, with Cloudflare's resolvers:
upstream_recursive_servers:
  # Cloudflare 1.1.1.1 and 1.0.0.1
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# service stubby restart
Configure unbound to send queries for the local zone "lan." and the reverse zone "1.168.192.in-addr.arpa." to the router as stub zones, and to forward everything else to stubby, which listens on 127.0.0.1 port 5453. Forwarding to localhost must be explicitly allowed (do-not-query-localhost), and unbound's built-in static RFC 1918 reverse zone must be overridden as transparent, otherwise unbound answers the reverse lookups itself instead of asking the router. The domain_type option is set on the first unbound UCI section (@unbound[0]):
# uci set unbound.@unbound[0].domain_type="transparent"
# uci commit
# echo 'do-not-query-localhost: no
local-zone: "1.168.192.in-addr.arpa." transparent' >> /etc/unbound/unbound_srv.conf
# echo 'stub-zone:
  name: "lan."
  stub-addr: 192.168.1.1
stub-zone:
  name: "1.168.192.in-addr.arpa."
  stub-addr: 192.168.1.1
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5453' >> /etc/unbound/unbound_ext.conf
# service unbound restart
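The following script is an added example and is not part of the original article or of the OpenWrt unbound package. It generates the same two unbound include files for any /24 LAN instead of hard-coding 192.168.1.1 and "lan", deriving the in-addr.arpa reverse zone from the router address, and overwrites the files so that re-running it stays idempotent (the commands above append). It assumes a /24 LAN, that stubby listens on 127.0.0.1@5453 (the OpenWrt stubby package default) and that the include files live under /etc/unbound; the script name gen-unbound.sh is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original OpenWrt article): generate
# unbound_srv.conf and unbound_ext.conf for an arbitrary /24 LAN.
# Assumptions: /24 LAN, stubby on 127.0.0.1@5453, files under /etc/unbound.
# Usage: sh gen-unbound.sh ROUTER_IP LOCAL_DOMAIN [STUBBY_ADDR] [CONF_DIR]
#   e.g. sh gen-unbound.sh 192.168.1.1 lan

# reverse_zone IPV4 -> in-addr.arpa name of the /24 containing IPV4,
# e.g. 192.168.1.1 -> 1.168.192.in-addr.arpa.
reverse_zone() {
    case "$1" in
        *.*.*.*) ;;
        *) echo "reverse_zone: not a dotted quad: $1" >&2; return 1 ;;
    esac
    # split on dots; $1..$4 become the four octets (the substitution is
    # expanded before "set" replaces the positional parameters)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# unbound_srv_conf ROUTER_IP
# Settings for the server: section. Permit forwarding to localhost (where
# stubby listens) and make the built-in static RFC 1918 reverse zone
# transparent, so the stub-zone below is consulted instead of unbound
# answering NXDOMAIN itself.
unbound_srv_conf() {
    rev=$(reverse_zone "$1") || return 1
    printf 'do-not-query-localhost: no\n'
    printf 'local-zone: "%s" transparent\n' "$rev"
}

# unbound_ext_conf ROUTER_IP LOCAL_DOMAIN [STUBBY_ADDR]
# Stub the forward and reverse local zones to the router; forward the root
# zone (everything else) to stubby, which carries it over DNS-over-TLS.
unbound_ext_conf() {
    router="$1"; domain="$2"; stubby="${3:-127.0.0.1@5453}"
    rev=$(reverse_zone "$router") || return 1
    cat <<EOF
stub-zone:
  name: "$domain."
  stub-addr: $router

stub-zone:
  name: "$rev"
  stub-addr: $router

forward-zone:
  name: "."
  forward-addr: $stubby
EOF
}

# install_unbound_conf ROUTER_IP LOCAL_DOMAIN [STUBBY_ADDR] [CONF_DIR]
# Overwrites the two include files the OpenWrt unbound package pulls in
# (unbound_srv.conf inside server:, unbound_ext.conf outside it).
install_unbound_conf() {
    dir="${4:-/etc/unbound}"
    unbound_srv_conf "$1" > "$dir/unbound_srv.conf" || return 1
    unbound_ext_conf "$1" "$2" "$3" > "$dir/unbound_ext.conf" || return 1
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    install_unbound_conf "$@" && service unbound restart
fi
```

The router address is validated only loosely (a dotted quad); the reverse zone is computed for a /24, which is what the article's 192.168.1.0 LAN uses, so a differently sized LAN needs its own local-zone and stub-zone names.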
Unbound now answers DNS queries at 192.168.1.53 for LAN clients. Clients still have to be told to use it, for example by having the router's DHCP hand out 192.168.1.53 as the DNS server; then verify from a client that a lookup of an Internet name and of a local name (and its reverse) both resolve via 192.168.1.53, and on the OpenWrt device check with unbound-control status that the daemon is running.