Privacy-Protecting Portable Router: Adding DNS-Over-TLS Support to OpenWRT with Unbound



Today, we present a comprehensive guide on configuring DNS-Over-TLS for the ZBT-AR750, authored by Junade Ali. For those unfamiliar with DNS-Over-TLS, here's a brief overview:

Your ISP can see which names you look up and can sell that data to advertisers. DNS-over-TLS (RFC 7858) wraps the DNS exchange between your resolver and its upstream in TLS, so someone on the path can neither read the queries nor tamper with the answers in a man-in-the-middle attack.

If you prefer to jump straight to the setup instructions, proceed to the next section. Otherwise, enjoy this introductory explanation.

Imagine you're at a restaurant needing to make a private call, but your phone's battery is dead. You borrow a friend's phone, step outside for privacy, and make the call. While the phone doesn't store the conversation, it logs the dialed number. Your friend can see who you called, which can reveal much about the conversation's nature.

Similarly, when browsing the internet, encryption protects the conversation: HTTPS secures what passes between your browser and the website. But before that connection exists, your browser sends a DNS query to learn the website's IP address. If that query travels in plaintext it reveals which sites you visit, even though the page content itself is protected by HTTPS. (DNS is not the only leak of this kind; the TLS handshake still carries the server name in the clear in the SNI field unless Encrypted Client Hello is in use, so encrypting DNS closes one channel, not every one.)

Encryption for HTTP has been in wide use for many years, but encrypted DNS was only standardized in 2016 (RFC 7858). Without it, anyone who can intercept your connection can both see and rewrite the DNS answers that decide which server you reach.

This weakness is routinely exploited by operators of free Wi-Fi hotspots who monetise browsing data, and by attackers who intercept traffic on the local network. Pointing your router at Cloudflare's 1.1.1.1 resolver improves lookup speed and privacy, since Cloudflare commits to not selling query data for targeted advertising; encrypting the path to it is what keeps the local network from reading the queries along the way.

This guide shows how to configure an OpenWRT router to encrypt all DNS traffic to the Cloudflare resolver, which also protects devices on your network that cannot speak encrypted DNS themselves, such as smart TVs or IoT devices.

Setting Up DNS-Over-TLS on OpenWRT (LEDE)

Over the weekend, I acquired the ZBT-AR750 router, known for its compact size and marketed as a "Travel Router." It functions as a Wi-Fi repeater and a traditional router, pre-installed with OpenWRT, an embedded Linux-based OS ideal for routers.

If your router did not come with LEDE pre-installed, you can follow along on any device that runs OpenWRT firmware (LEDE, whose name the ZBT-AR750's firmware still carried, merged back into the OpenWrt project in early 2018, so the two names refer to the same system here). Note that flashing third-party firmware carries risk: the wrong image can brick the device, and it may void the warranty.

Configuring DNS-Over-TLS Support

The ZBT-AR750 lets you set upstream DNS resolvers in its web UI, but the stock Dnsmasq forwarder sends every query to them in plaintext. Dnsmasq also serves DHCPv4 on a stock OpenWRT install, so replacing it means two things: Unbound takes over DNS (with TLS to the upstream), and odhcpd, which already handles DHCPv6 and router advertisements, takes over DHCPv4 as well.

First, SSH into your router, update the package list, and install the replacements before removing Dnsmasq, so the router is never left without a resolver:

```bash
opkg update
# install the replacements first, then drop dnsmasq
opkg install unbound odhcpd unbound-control
# dnsmasq provided both DNS forwarding and DHCPv4 on stock OpenWRT
opkg remove dnsmasq
```

On current OpenWrt releases the daemon package is named `unbound-daemon`, and the default image ships `odhcpd-ipv6only`, which the full `odhcpd` package replaces; if the names above are not found, check with `opkg list | grep -E 'unbound|odhcpd'`.

Optionally, install the Luci app for Unbound:

```bash
opkg install luci-app-unbound
```

Next, configure Unbound to forward everything to Cloudflare's resolvers over TLS on port 853 by editing `/etc/unbound/unbound_ext.conf` (OpenWRT's Unbound package includes this file at the end of the generated configuration, which is where a `forward-zone:` clause belongs):

```bash
forward-zone:
    name: "."                               # forward every zone
    forward-addr: 1.1.1.1@853               # Cloudflare, DNS-over-TLS port
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
    forward-ssl-upstream: yes               # Unbound >= 1.7 spells this forward-tls-upstream; the old name is still accepted
```

One caveat a practitioner should know: this configuration encrypts the session but does not authenticate the upstream. Unless `tls-cert-bundle` points Unbound at a CA bundle and each `forward-addr` carries an authentication name (`1.1.1.1@853#cloudflare-dns.com`), Unbound accepts whatever certificate the far end presents, which leaves an on-path attacker free to terminate the TLS session themselves.

Update `/etc/config/unbound` with the following options. The important ones are `dhcp_link 'odhcpd'`, which makes Unbound learn hostnames from odhcpd's leases so LAN names keep resolving; `rebind_protection`, which drops upstream answers that point into private address ranges; and `unbound_control`, which enables the local control socket used by `unbound-control`:

```bash
config unbound
    option add_local_fqdn '1'       # publish the router's LAN name in the local zone
    option add_wan_fqdn '1'
    option dhcp_link 'odhcpd'       # learn DHCP leases from odhcpd
    option dhcp4_slaac6 '1'         # infer SLAAC IPv6 addresses from DHCPv4 leases
    option domain 'lan'
    option domain_type 'static'
    option listen_port '53'
    option rebind_protection '1'    # reject upstream answers in private ranges
    option unbound_control '1'      # enable the local unbound-control socket
```

Merge the following into `/etc/config/dhcp`. With Dnsmasq gone, `maindhcp '1'` makes odhcpd the DHCPv4 server as well, and `leasetrigger` runs the Unbound package's hook whenever a lease changes so the new host is added to the local zone:

```bash
config dhcp 'lan'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option interface 'lan'
    option leasetime '12h'
    option ra 'server'
    option ra_management '1'

config odhcpd 'odhcpd'
    option maindhcp '1'                                  # odhcpd now serves DHCPv4 too
    option leasefile '/var/lib/odhcpd/dhcp.leases'
    option leasetrigger '/usr/lib/unbound/odhcpd.sh'     # hand new leases to Unbound
```

Enable and start Unbound, and restart odhcpd so it picks up its new DHCPv4 role:

```bash
service unbound enable
service unbound start
service odhcpd restart   # apply the maindhcp/leasetrigger changes
```

If you now capture on the WAN interface, the only DNS-related traffic you should see is TCP sessions to port 853 carrying TLS (TLS 1.2 when this was written; current Unbound and OpenSSL builds negotiate TLS 1.3 with Cloudflare), and no plaintext queries to port 53. Any UDP to port 53 on the WAN side means a client is bypassing the router's resolver or the forward zone is not in effect.
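The steps above leave two things for the practitioner to do by hand: authenticate the upstream certificate, and actually verify that nothing leaves port 53 in the clear. The script below is an added example, not code from the original post or from the OpenWrt project. It generates the forward zone with certificate validation (the `#authname` form), applies the same uci settings the post lists, and includes a small audit that reads `tcpdump` output and fails if any plaintext DNS left the WAN. It assumes (none of this is stated on the page) that OpenWrt's Unbound package includes `/etc/unbound/unbound_srv.conf` inside its `server:` clause and `/etc/unbound/unbound_ext.conf` at top level, that the `ca-bundle` package provides `/etc/ssl/certs/ca-certificates.crt`, and that Unbound is 1.7.3 or newer for the `ip@port#authname` syntax. The sample captures are constructed, not recorded traffic.

```sh
#!/bin/sh
# Added example (not from the original post or OpenWrt): authenticated
# DNS-over-TLS forwarding for Unbound on OpenWrt, plus a WAN-capture audit.
# Assumptions: unbound_srv.conf is included inside server:, unbound_ext.conf
# at top level; ca-bundle provides the CA file below; Unbound >= 1.7.3.

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
AUTH_NAME="cloudflare-dns.com"   # hostname on the certificate served on 1.1.1.1:853

# server: additions -> unbound_srv.conf. tls-cert-bundle is what turns on
# certificate validation for forward-tls-upstream.
gen_unbound_srv_conf() {
    printf '    tls-cert-bundle: "%s"\n' "$CA_BUNDLE"
}

# forward-zone -> unbound_ext.conf. The "#authname" suffix makes Unbound
# check the server certificate against that name; without it an on-path
# attacker can terminate the TLS session with any certificate at all.
gen_unbound_ext_conf() {
    cat <<EOF
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#$AUTH_NAME
    forward-addr: 1.0.0.1@853#$AUTH_NAME
    forward-addr: 2606:4700:4700::1111@853#$AUTH_NAME
    forward-addr: 2606:4700:4700::1001@853#$AUTH_NAME
EOF
}

# Read "tcpdump -ni <wan> port 53 or port 853" text on stdin. Exit 1 if any
# packet was sent to port 53 (plaintext query leaving the WAN) or if no
# port-853 traffic was seen at all (the forwarder is not using DoT).
audit_wan_dns() {
    awk '
        / > [^ ]+\.53: /  { plain++ }
        / > [^ ]+\.853: / { tls++ }
        END {
            printf "plaintext_dns_packets=%d dot_packets=%d\n", plain, tls
            if (plain > 0 || tls == 0) exit 1
            exit 0
        }'
}

# Constructed sample captures (documentation addresses, not real traffic).
SAMPLE_DOT_ONLY='12:00:00.100 IP 192.0.2.2.40000 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:00.101 IP 1.1.1.1.853 > 192.0.2.2.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.120 IP 192.0.2.2.40000 > 1.1.1.1.853: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:00.130 IP6 2001:db8::2.40001 > 2606:4700:4700::1111.853: Flags [S], seq 7, win 64800, length 0'
SAMPLE_LEAK='12:00:01.000 IP 192.0.2.2.40002 > 1.0.0.1.853: Flags [P.], seq 1:300, ack 1, win 502, length 299
12:00:01.010 IP 192.0.2.2.51000 > 1.1.1.1.53: 4321+ A? example.com. (29)
12:00:01.015 IP 1.1.1.1.53 > 192.0.2.2.51000: 4321 1/0/0 A 192.0.2.10 (45)'

# Write both files, set the uci options the post lists, restart the daemons
# and confirm a lookup still works. Runs only as: sh dot-setup.sh apply
apply_settings() {
    gen_unbound_srv_conf > /etc/unbound/unbound_srv.conf
    gen_unbound_ext_conf > /etc/unbound/unbound_ext.conf
    uci set unbound.@unbound[0].dhcp_link='odhcpd'
    uci set unbound.@unbound[0].listen_port='53'
    uci set unbound.@unbound[0].rebind_protection='1'
    uci set unbound.@unbound[0].unbound_control='1'
    uci set dhcp.lan.dhcpv4='server'
    uci set dhcp.odhcpd.maindhcp='1'
    uci set dhcp.odhcpd.leasetrigger='/usr/lib/unbound/odhcpd.sh'
    uci commit
    /etc/init.d/odhcpd restart
    /etc/init.d/unbound restart
    # Resolution must still work through the router, and the control
    # socket should report the forwarders we just configured.
    nslookup cloudflare.com 127.0.0.1 >/dev/null && unbound-control forward
}

if [ "${1:-}" = "apply" ]; then
    apply_settings
fi
```

Copy the script to the router, run `sh dot-setup.sh apply`, then install `tcpdump` (`opkg install tcpdump`) and feed a short WAN capture into the audit, for example `tcpdump -nli eth0.2 'port 53 or port 853' -c 50 2>/dev/null | (. ./dot-setup.sh; audit_wan_dns)`, substituting your WAN interface name. A non-zero exit means either a client bypassed the router's resolver or Unbound is not forwarding over TLS; `logread -e unbound` will show a certificate-validation failure if the CA bundle path or authentication name is wrong.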

Conclusion

This post shows how encrypting DNS traffic improves online privacy. By replacing Dnsmasq with Unbound, an OpenWRT router can forward every lookup from the network over DNS-over-TLS, so the local network and the ISP no longer see which names are being resolved. Keep in mind what this does and does not change: the resolver operator, here Cloudflare, still sees the queries, so DNS-over-TLS moves trust from whoever runs the network to whoever runs the resolver; it does not hide the IP addresses your devices then connect to.

Thank you to Junade Ali for allowing us to share this article, originally published on Cloudflare's website on April 9th, 2018: [Cloudflare Blog](https://blog.cloudflare.com/dns-over-tls-for-openwrt/)

About ZBT

ZBT excels in developing and manufacturing network devices, with over a decade of OEM/ODM expertise. Our product range includes openWRT Wi-Fi routers, 4G/5G routers, vehicle-mounted routers, access points, outdoor CPE, LTE CPE, EPON/GPON devices, and more. Each product is meticulously designed and patented for both aesthetics and software. At ZBT, we are dedicated to providing secure and reliable network solutions, empowering connectivity for homes, businesses, and specialized sectors like smart buildings and IoT networks.