Setting up a DNS-over-TLS forwarding cache on OpenWrt Snapshot (r6693 or later)

This article describes how to set up a local DNS caching server on OpenWrt, which forwards unresolved DNS queries to recursive resolvers through DNS-over-TLS, to prevent eavesdropping and tampering of DNS queries on their network path.

OS: OpenWrt Snapshot (r6693 or later)
DNS Privacy stub resolver: Stubby
DNS resolver and cache: Unbound

First, do some network configuration. Since we're configuring OpenWrt as a DNS server rather than a router, we need to disable dnsmasq and odhcpd. In our example, the router IP address is and the local domain name is "lan", and we assign to OpenWrt.

# service dnsmasq stop
# service odhcpd stop
# service dnsmasq disable
# service odhcpd disable
# uci set network.lan.ipaddr="<OPENWRT-IP>"
# uci set network.lan.gateway="<ROUTER-IP>"
# uci commit
# rm /etc/resolv.conf
# echo -e "search lan\nnameserver <NAMESERVER-IP>" > /etc/resolv.conf
# service network restart

Now install stubby and unbound:

# opkg update
# opkg install stubby ca-certificates unbound unbound-control

Edit /etc/stubby/stubby.yml so that its upstream_recursive_servers section lists only trusted public resolvers that support DNS-over-TLS. The tls_auth_name is the hostname Stubby verifies the resolver's TLS certificate against, so set it for every entry, e.g.:

# Cloudflare and
  - address_data: <RESOLVER-IP>
    tls_auth_name: "<RESOLVER-HOSTNAME>"
  - address_data: <RESOLVER-IP>
    tls_auth_name: "<RESOLVER-HOSTNAME>"

Restart stubby:

# service stubby restart

Configure unbound to forward the local zone "lan." and the reverse zone "" to the router, and all other DNS queries to stubby:

# uci set unbound.@unbound[0].domain_type="transparent"
# uci commit

# echo 'do-not-query-localhost: no
local-zone: "<REVERSE-ZONE>" transparent' >> /etc/unbound/unbound_srv.conf

# echo 'stub-zone:
  name: "lan."
  stub-addr: <ROUTER-IP>

stub-zone:
  name: "<REVERSE-ZONE>"
  stub-addr: <ROUTER-IP>

forward-zone:
  name: "."
  forward-addr: <STUBBY-LISTEN-IP>@<STUBBY-PORT>' >> /etc/unbound/unbound_ext.conf

# service unbound restart

Unbound is now ready to answer DNS queries at for local LAN clients.
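As an added example (not code from the original article), the following Python helper derives the in-addr.arpa reverse zone from the LAN subnet and renders the two Unbound config fragments above, refusing a root forward-addr that is not on loopback so no plaintext query can slip past Stubby. The sample LAN, router address and Stubby listen address are constructed assumptions.

```python
import ipaddress


def reverse_zone(network: str) -> str:
    """in-addr.arpa zone for an IPv4 network on an octet boundary (/8, /16, /24),
    e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("need an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def unbound_srv_conf(lan_network: str) -> str:
    """Server-section lines: allow forwarding to loopback (Stubby) and override
    Unbound's built-in static RFC 1918 reverse zone so the LAN's reverse zone
    is actually forwarded to the router instead of answered NXDOMAIN locally."""
    return f'do-not-query-localhost: no\nlocal-zone: "{reverse_zone(lan_network)}" transparent\n'


def unbound_ext_conf(lan_domain: str, lan_network: str, router_ip: str, stubby_addr: str) -> str:
    """stub-zone/forward-zone section: forward and reverse LAN zones go to the
    router, everything else to Stubby (forward-addr uses Unbound's ip@port form)."""
    net = ipaddress.ip_network(lan_network, strict=True)
    if ipaddress.ip_address(router_ip) not in net:
        raise ValueError(f"{router_ip} is not inside {lan_network}")
    host, _, port = stubby_addr.partition("@")
    # The root forward is the only hop that leaves Unbound unencrypted; insist it
    # stays on loopback so no plaintext query can bypass the DoT tunnel.
    if not ipaddress.ip_address(host).is_loopback or not port.isdigit():
        raise ValueError("forward-addr for '.' must be a loopback ip@port")
    lines = []
    for name in (lan_domain.rstrip(".") + ".", reverse_zone(lan_network)):
        lines += ["stub-zone:", f'  name: "{name}"', f"  stub-addr: {router_ip}", ""]
    lines += ["forward-zone:", '  name: "."', f"  forward-addr: {stubby_addr}"]
    return "\n".join(lines) + "\n"


# Constructed sample values (not taken from the article): a 192.168.1.0/24 LAN,
# router at .1, Stubby listening on loopback port 5453.
SAMPLE = dict(lan_domain="lan", lan_network="192.168.1.0/24",
              router_ip="192.168.1.1", stubby_addr="127.0.0.1@5453")

if __name__ == "__main__":
    print(unbound_srv_conf(SAMPLE["lan_network"]), end="")
    print(unbound_ext_conf(**SAMPLE), end="")
```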
