📌 24 November 2022

DD-WRT: Proper DNS With SmartDNS

IT · ISP · Linux

In this article I’ll show you how to properly set up SmartDNS in DD-WRT. You’ll get advanced DNS caching, faster resolution through multiple upstream resolvers and, most importantly, encrypted DNS with DoT (DNS over TLS) and DoH (DNS over HTTPS).

This article comes after months of collaboration with DD-WRT developers and users, a joint effort that led to a great, bug-free implementation of SmartDNS tightly integrated with DD-WRT. If you plan to follow along, make sure your router is running at least DD-WRT v3.0-r50927.

Traditionally DD-WRT uses dnsmasq for both DHCP and DNS, which means that when you want to open a website your computer gets its IP address from the dnsmasq instance running on your router. dnsmasq, in turn, usually gathers that information from your ISP’s recursive DNS servers.

Although this setup works, it has major drawbacks:

  • Poor performance;
  • No support for encrypted DNS over DoH or DoT – all your DNS requests travel unencrypted, leaving them exposed to government surveillance and/or censorship;
  • Limited configuration.

Enter the World of SmartDNS

SmartDNS accepts DNS query requests from local clients, obtains DNS query results from multiple upstream DNS servers, and returns the fastest access results to clients. It avoids DNS pollution, improves network access speed and supports high-performance ad filtering. Unlike dnsmasq’s all-servers, smartdns returns the fastest access resolution.

https://github.com/pymumu/smartdns/blob/master/ReadMe_en.md#faq

In short, SmartDNS is a modern daemon built to tackle the dnsmasq issues highlighted above.

1. Open Setup > Basic Setup and, under Network Setup, set the following options:

Set Local DNS to the IP of your own router; without it the router itself won’t be able to resolve names internally. You also need to disable the Use dnsmasq for DNS option so SmartDNS can take over and serve DNS directly to your devices.

2. Under Services > Services, configure SmartDNS and disable all the DNS-related dnsmasq options:

Under SmartDNS Resolver > Additional Options you set your encrypted upstream DNS servers, the servers that will actually answer your DNS requests. For instance, if you’re looking for high performance and reasonable privacy you may choose Cloudflare, as I did:

server-tls 1.1.1.1:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
server-tls 1.0.0.1:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
server-https https://1.1.1.1/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com -http-host cloudflare-dns.com
server-https https://1.0.0.1/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com -http-host cloudflare-dns.com

If you have IPv6, you may also add IPv6 DNS servers and enable Dualstack IP Selection:

server-tls [2606:4700:4700::1111]:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
server-tls [2606:4700:4700::1001]:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
server-https https://[2606:4700:4700::1001]/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com -http-host cloudflare-dns.com
server-https https://[2606:4700:4700::1111]/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com -http-host cloudflare-dns.com

I’ve included both DoT and DoH servers (server-tls and server-https). Both are encrypted, and SmartDNS will automatically pick the fastest server and protocol from the list. The -tls-host-verify option is what makes SmartDNS check that the upstream’s certificate actually belongs to cloudflare-dns.com, so keep it on every encrypted entry.

3. Save and Apply all settings. Enjoy!
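Before pasting an upstream list into Additional Options it is worth checking it for the mistakes that quietly weaken this setup. The linter below is an added example written for this article, not part of SmartDNS or DD-WRT: it parses server-tls / server-https lines, flags any plaintext server entry, any -no-check-certificate, any entry missing -tls-host-verify, and any option typed without its leading dash. The list of valueless flags is my own partial list from the smartdns README, and the 192.0.2.x addresses in the sample are constructed placeholders.

```python
import shlex
from urllib.parse import urlparse

# smartdns server options that take no value (partial list, from the smartdns README).
FLAG_OPTIONS = {"-no-check-certificate", "-exclude-default-group",
                "-blacklist-ip", "-whitelist-ip", "-check-edns"}

# Constructed sample: the Cloudflare lines from the article plus three weak ones.
# 192.0.2.x addresses are documentation placeholders, not real resolvers.
SAMPLE_CONFIG = """\
server-tls 1.1.1.1:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
server-https https://1.1.1.1/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com -http-host cloudflare-dns.com
server-https https://1.0.0.1/dns-query -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com http-host cloudflare-dns.com
server 192.0.2.53                      # plain port-53 upstream
server-tls 192.0.2.54:853 -no-check-certificate
cache-size 100
"""

def lint_upstreams(config_text):
    """Return (encrypted_upstreams, findings) for the server-* lines of a smartdns config."""
    encrypted, findings = 0, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = shlex.split(raw.split("#", 1)[0])   # drop comments, split like a shell
        if len(parts) < 2 or not parts[0].startswith("server"):
            continue
        keyword, target, opts = parts[0], parts[1], parts[2:]
        if keyword == "server":                     # plain UDP/TCP on port 53
            findings.append(f"line {lineno}: plaintext upstream {target}; queries are readable on the wire")
            continue
        if keyword not in ("server-tls", "server-https"):
            continue
        encrypted += 1
        if keyword == "server-https" and urlparse(target).scheme != "https":
            findings.append(f"line {lineno}: server-https target {target} is not an https:// URL")
        if "-no-check-certificate" in opts:
            findings.append(f"line {lineno}: -no-check-certificate disables TLS verification for {target}")
        elif "-tls-host-verify" not in opts:
            findings.append(f"line {lineno}: {target} has no -tls-host-verify; certificate name is not checked")
        i = 0
        while i < len(opts):                        # options are '-name value' or a bare flag
            if opts[i].startswith("-"):
                i += 1 if opts[i] in FLAG_OPTIONS else 2
            else:                                   # e.g. 'http-host' typed without its dash
                findings.append(f"line {lineno}: stray token '{opts[i]}'; options need a leading '-'")
                while i < len(opts) and not opts[i].startswith("-"):
                    i += 1
    return encrypted, findings
```

Run `lint_upstreams(SAMPLE_CONFIG)` on the sample and it reports 4 encrypted upstreams and 3 findings; a clean list such as the article's Cloudflare entries returns an empty findings list.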

Useful Tips

There are other configuration options for SmartDNS, for example:

cache-size 100 # Limits the number of cached DNS entries.
address /service.example.org/172.21.1.10 # Force service.example.org to resolve to 172.21.1.10.

I personally set cache-size to 100 on my R7000 to avoid filling the router’s RAM with cached DNS entries.