As you may or may not know, when your router resolves a DNS name, it is actually forwarding the DNS request to an external DNS resolver, which by default is typically your ISP's. That request goes out in the clear (unencrypted), so anyone on the path can get a look at which websites you're visiting. And while it isn't guaranteed your ISP is keeping logs of everywhere you go, there's a pretty good chance they are.
But guess what?
It doesn’t have to be this way.
A VPN is one way to help hide your DNS lookups, but you can also use a different form of DNS resolution to encrypt your requests AND move your lookup data away from your ISP. Even better, it's actually REALLY EASY to set up.
To learn more about the two primary methods of securely sending DNS requests, head over to Cloudflare’s article here:
For our purposes, we’re going to set up DNS-over-HTTPS (DoH). Why? Since the DNS requests get mixed in with the rest of your port 443 data flow, they’re harder to separate. And that’s a Good Thing!
If you encounter any issues or need further assistance, please refer to the OpenWRT Forum or OpenVPN Documentation.
1. DNS Hijacking
This is pretty much taken from OpenWRT’s documentation on the subject here.
What we’re going to do in this step is make sure all outgoing DNS requests are caught by the router so they can be fed through a different package, which will encrypt them and send them via DoH to a resolver of our choice that isn’t your ISP.
First, navigate to Network->Firewall from the main menu of your Linksys OpenWRT router.
When you get there, click on the ‘Port Forwards’ tab. Then click on ‘Add’ to create a new port forwarding rule.
Finally, change your settings so they look just like the screenshot, click on ‘Save’ and then ‘Save & Apply’.
That’s all for that one.
2. HTTPS-DNS-PROXY
NOTE: These instructions assume you haven't swapped out dnsmasq (the default DNS daemon) for Unbound or similar.
First, we need to go over to System->Software to find and add the correct package.
Once you're there, filter for luci-app-https-dns-proxy. While my screenshot says 'Installed' because I already added it, you should see an 'Install' button. Go ahead and click it.
*For basic steps on software installation, click here.
Once it’s finished, go to Services->DNS HTTPS Proxy.
You should see this. Note that you can choose from a list of resolvers or add one of your own.
Recommendation: Read more about the different resolvers using the links provided in the package. Quad9 is generally rated as one of the most private and secure.
Note the option to Force Router DNS. This is a great option since it prevents other users from setting custom DNS in their web browser to get around any blocking you may have put in place (Adblock, for example).
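For readers who would rather work from the command line (or who want to know what the LuCI screens in steps 1 and 2 actually change), here is an added example, not part of the original post or of the OpenWrt docs: the DNS-hijack port forward from step 1 and the Quad9 plus 'Force Router DNS' settings from step 2, expressed as uci commands. It assumes the default OpenWrt zone name 'lan'; the rule label 'Intercept-DNS' is our own, and the https-dns-proxy option names are those of the package's /etc/config/https-dns-proxy file.

```shell
#!/bin/sh
# Added example (not the post's or OpenWrt's own code). Prints the uci
# commands behind the LuCI screens and applies them only on a real OpenWrt
# box (where `uci` exists); anywhere else it just prints them for review.

# Redirect every LAN client's port-53 query (TCP and UDP) to the router
# itself, so dnsmasq -> https-dns-proxy handles it instead of a client's
# hand-picked resolver. $1 = source zone (default 'lan').
dns_hijack_cmds() {
    zone="${1:-lan}"
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='Intercept-DNS'
uci set firewall.@redirect[-1].src='${zone}'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
EOF
}

# Point the first https-dns-proxy instance at Quad9 over DoH and turn on
# force_dns, which is the 'Force Router DNS' checkbox in LuCI. The
# bootstrap_dns addresses are Quad9's public resolvers, used only to look
# up dns.quad9.net before DoH is up.
doh_proxy_cmds() {
    cat <<EOF
uci set https-dns-proxy.config.force_dns='1'
uci set https-dns-proxy.@https-dns-proxy[0].resolver_url='https://dns.quad9.net/dns-query'
uci set https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='9.9.9.9,149.112.112.112'
uci commit https-dns-proxy
EOF
}

# Apply on OpenWrt; otherwise only print what would be run.
if command -v uci >/dev/null 2>&1; then
    dns_hijack_cmds lan | sh && doh_proxy_cmds | sh &&
    /etc/init.d/firewall restart && /etc/init.d/https-dns-proxy restart
else
    dns_hijack_cmds lan
    doh_proxy_cmds
fi
```

If you use a separate guest zone, run `dns_hijack_cmds guest | sh` as well, otherwise guest clients can still bypass the proxy.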
3. Make sure it’s working
Since we went through the trouble of setting this up, we should probably confirm it’s working. The easiest way to do that is to head over to DNS leak test. Click on ‘Standard test’ and wait. The results should show servers for one of the resolvers in your list.
Since Google is still in my list, I know it’s working.
And that’s all there is to it. Your DNS requests are now encrypted with the rest of your SSL Internet traffic, making them harder to spy on. Awesome!