adguard dnsproxy on openwrt
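#!/bin/sh
# Install AdGuard dnsproxy on OpenWrt and make it the router's only upstream
# resolver (dnsmasq -> dnsproxy -> DoH/DoT upstreams). Run as root on the
# router; each step commits its own UCI changes. OpenWrt's /bin/sh is ash, so
# everything below is plain POSIX sh.

# Abort early if the package cannot be fetched: every later step assumes
# /etc/config/dnsproxy and the dnsproxy init script exist.
opkg update || { printf 'opkg update failed\n' >&2; exit 1; }
opkg install dnsproxy || { printf 'opkg install dnsproxy failed\n' >&2; exit 1; }

# Give sysntpd servers by IP so the clock can sync before DNS works (the
# encrypted upstreams configured later cannot validate certificates with a
# badly wrong clock, and dnsmasq will only resolve through dnsproxy).
# CAVEAT: these are the pool.ntp.org addresses noted by the original author at
# the time of writing; pool members rotate, so re-check them if time sync
# stops working. NTP itself is unauthenticated.
uci -q delete system.ntp.server
uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
uci commit system
# The commit alone does not touch the running daemon; restart it to pick up
# the new server list.
service sysntpd restart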
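# Configure dnsproxy.
# /etc/config/dnsproxy is a UCI file (see the example at the bottom: sections
# 'global', 'cache', 'servers', ...), so it is edited through uci instead of
# sed on hard-coded line numbers. Line-number sed silently edits the wrong
# line (or nothing) as soon as the package ships a slightly different default
# file, and the original "option http3" sed was missing its file argument.
# Every edit below is idempotent, so the script can be re-run safely.

# Global options: enable the daemon and listen on a dedicated loopback address.
# 127.0.0.53 (port 5353, the packaged default) is loopback only, so dnsproxy is
# never reachable from LAN or WAN directly; clients go through dnsmasq.
uci set dnsproxy.global.enabled='1'
uci -q del_list dnsproxy.global.listen_addr='127.0.0.1'
uci -q del_list dnsproxy.global.listen_addr='127.0.0.53'
uci add_list dnsproxy.global.listen_addr='127.0.0.53'

# Enable dnsproxy's own cache (dnsmasq's cache is turned off further down).
uci set dnsproxy.cache.enabled='1'

# Upstreams.
# - upstream:  where client queries go (DoH/DoT only).
# - bootstrap: used to resolve the hostnames of the upstreams above.
# - fallback:  used only when every upstream fails.
# bootstrap and fallback are set to PLAIN TCP here (the original author's
# choice, presumably to avoid a TLS dependency before the clock is synced).
# SECURITY CAVEAT: the plaintext fallback is a downgrade path - if all
# encrypted upstreams are unreachable, or an on-path attacker blocks 443/853,
# queries go to 9.9.9.9 unencrypted instead of failing. Use
# fallback='tls://9.9.9.9' (or no fallback) to fail closed instead.
uci -q delete dnsproxy.servers.bootstrap
uci add_list dnsproxy.servers.bootstrap='tcp://8.8.8.8'
uci -q delete dnsproxy.servers.fallback
uci add_list dnsproxy.servers.fallback='tcp://9.9.9.9'
uci -q delete dnsproxy.servers.upstream
uci add_list dnsproxy.servers.upstream='https://dns.cloudflare.com/dns-query'
uci add_list dnsproxy.servers.upstream='tls://dns.adguard.com'
uci add_list dnsproxy.servers.upstream='https://dns.adguard.com/dns-query'

# Optional: DNS-over-QUIC / HTTP3. Opt in with ENABLE_QUIC=1 in the
# environment; off by default, matching the example config at the bottom.
if [ "${ENABLE_QUIC:-0}" = "1" ]; then
  uci set dnsproxy.global.http3='1'
  uci add_list dnsproxy.servers.upstream='quic://dns.adguard.com'
fi

uci commit dnsproxy
# Make sure dnsproxy comes back after a reboot (harmless if the package
# already enabled it); without it dnsmasq would have no upstream at all.
service dnsproxy enable
service dnsproxy restart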
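# Point dnsmasq at dnsproxy. LAN clients keep using dnsmasq on port 53; every
# query dnsmasq cannot answer locally is forwarded to dnsproxy on
# 127.0.0.53#5353 and nowhere else.
uci set dhcp.@dnsmasq[0].noresolv='1'   # don't pick up servers from resolv.conf (ISP)
uci set dhcp.@dnsmasq[0].localuse='1'   # the router itself resolves through dnsmasq
uci set dhcp.@dnsmasq[0].cachesize='0'  # caching is left to dnsproxy
# Replace (not append to) the server list so no other forwarder remains.
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='127.0.0.53#5353'
uci commit dhcp
# Restart after the commit rather than stop/edit/start: same result, shorter
# window with no resolver.
service dnsmasq restart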
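# Optional: stop using the ISP's DNS servers (peerdns=0 tells netifd not to
# use the resolvers handed out on the WAN interfaces). After this the router
# depends entirely on dnsproxy for name resolution.
uci set network.wan.peerdns='0'
# wan6 does not exist on every setup; 'uci set' on a missing section fails,
# so only touch it when it is there.
if uci -q get network.wan6 >/dev/null; then
  uci set network.wan6.peerdns='0'
fi
uci commit network
# Re-apply the WAN interfaces so the change takes effect now, not on the next
# reboot.
service network reload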
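# Optional: force LAN clients through the router's resolver (dnsmasq ->
# dnsproxy) even if they have a hard-coded DNS server. Run this section once:
# 'uci add' creates a new rule on every run.
## 1. Divert-DNS, port 53: intercept LAN clients' outbound plain DNS and DNAT
##    it to the router itself.
##    The source zone MUST be 'lan' (the clients' side). The original had
##    src='wan', which turns this into an inbound port-forward of WAN port 53
##    towards the LAN side - i.e. it would expose the router's resolver to the
##    internet instead of capturing LAN clients.
uci add firewall redirect
uci set firewall.@redirect[-1].name='Divert-DNS, port 53'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_port='53'
uci add_list firewall.@redirect[-1].proto='tcp'
uci add_list firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].target='DNAT'
## 2. Reject encrypted DNS on port 853 from LAN to WAN so clients cannot
##    bypass the router with their own DoT (tcp/853) or DoQ (udp/853)
##    resolver. The router's own dnsproxy upstreams should be unaffected: this
##    is a lan->wan forwarding rule, not a rule on router-originated traffic.
##    DoH (443) cannot be blocked by port; this does not stop DoH clients.
uci add firewall rule
uci set firewall.@rule[-1].name='Reject-DoT,port 853'
uci add_list firewall.@rule[-1].proto='tcp'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].dest_port='853'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
# Load the new rules now; a commit alone does not change the running ruleset.
service firewall reload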
## Example of the resulting /etc/config/dnsproxy after the edits above.
## Sections are UCI 'config dnsproxy <name>' blocks; the names ('global',
## 'cache', 'servers', 'tls', ...) are what the uci commands address.
#
## For documents, please see https://github.com/AdguardTeam/dnsproxy#usage
#
#config dnsproxy 'global'
#	option enabled '1'
#	list listen_addr '127.0.0.53'   # loopback only - not reachable from LAN/WAN
#	list listen_addr '::1'
#	list listen_port '5353'         # what dnsmasq forwards to (127.0.0.53#5353)
#	option log_file ''
#	option all_servers '0'
#	option fastest_addr '0'
#	option http3 '0'
#	option insecure '0'             # leave at 0 - the name suggests it disables TLS verification
#	option ipv6_disabled '0'
#	option timeout ''
#	option max_go_routines ''
#	option rate_limit ''
#	option refuse_any '0'
#	option udp_buf_size ''
#	option verbose '0'
#
#config dnsproxy 'bogus_nxdomain'
#	list ip_addr ''
#
#config dnsproxy 'cache'
#	option enabled '1'
#	option cache_optimistic '0'
#	option size '65535'
#	option min_ttl ''
#	option max_ttl ''
#
#config dnsproxy 'dns64'
#	option enabled '0'
#	option dns64_prefix '64:ff9b::'
#
#config dnsproxy 'edns'
#	option enabled '0'
#	option edns_addr ''
#
#config dnsproxy 'private_rdns'
#	option enabled '0'
#	list upstream '127.0.0.1:53'
#
#config dnsproxy 'servers'
#	list bootstrap 'tcp://8.8.8.8'   # plaintext: only resolves the upstream hostnames
#	list fallback 'tcp://9.9.9.9'    # plaintext: CAVEAT - used when all upstreams fail
#	list upstream 'https://dns.cloudflare.com/dns-query'
#	list upstream 'tls://dns.adguard.com'
#	list upstream 'https://dns.adguard.com/dns-query'
#
## Disabled here. Presumably the listener for dnsproxy serving DoT/DoH/DoQ to
## clients itself; tls_crt/tls_key would then be the certificate and key it
## presents - only needed if you enable this section (TODO confirm in docs).
#config dnsproxy 'tls'
#	option enabled '0'
#	option tls_crt ''
#	option tls_key ''
#	option https_port '8443'
#	option tls_port '853'
#	option quic_port '853'
config dnsproxy 'tls' option enabled '0' option tls_crt '' option tls_key '' option https_port '8443' option tls_port '853' option quic_port '853'
Where do I find the value for the option `tls_crt ''`?
Whole config looks like: