Integrate dnscrypt into local resolver

Submitted by -
Status: New Idea

Basically looking to have this functionality be available from the GUI:


I'd like to be able to have the following:

- Clients on LAN (including multiple VLANs) use the EdgeRouter for DNS

- EdgeRouter registers DHCP and other static entries in local DNS database (for split DNS)

- All other queries that would go to an external resolver instead go through DNSCrypt, which has its own config for what resolver(s) it will use

on 04-03-2018 11:52 AM

Additionally or alternatively, support DoH (DNS over HTTPS) for providers that offer it, such as Google DNS and Cloudflare's.

on 04-04-2018 05:01 PM
I would be interested in this, if it means I can configure Cloudflare or Quad9 DNS to replace my ISP's DNS, and use DNS over TLS, or over HTTPS if that works better, considering the current failures getting Cloudflare DNS to work from U-verse connections, among many ISPs where it also fails.
on 04-09-2018 05:57 PM
There was a comment suggesting I could already use DNSMasq for DNSSEC replies, but that wasn't what I was asking for. I was asking for DNS over TLS as well. I would also like to be able to completely override upstream DHCP-specified resolvers with my own list, instead of the scripts just slapping the DHCP servers onto resolv.conf automatically.
on 04-10-2018 08:15 AM
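For reference, this is what the setup asked for in the original request and in the post above (dnsmasq as the LAN resolver with DHCP entries registered locally, everything else forwarded to dnscrypt-proxy, ISP-supplied resolvers ignored) looks like as plain dnsmasq and dnscrypt-proxy 2.x configuration. This is an added illustration, not EdgeOS configuration or anything from the thread; interface names, addresses, the `lan` domain, port 5300 and the resolver name are assumed placeholders.

```ini
# --- /etc/dnsmasq.d/split-dns.conf (assumed path) ---
# Answer only on LAN/VLAN interfaces, never on the WAN side.
interface=eth1
interface=eth1.10
bind-interfaces
# Ignore /etc/resolv.conf, so resolvers pushed by the ISP's DHCP are never used.
no-resolv
# Forward anything not answered locally to dnscrypt-proxy on the loopback.
server=127.0.0.1#5300
# Split DNS: the local zone is answered here and never sent upstream.
domain=lan
local=/lan/
expand-hosts
# Leases dnsmasq hands out are registered in its DNS database automatically;
# static entries can be pinned as well.
dhcp-range=192.168.10.50,192.168.10.150,12h
dhcp-host=aa:bb:cc:dd:ee:ff,printer,192.168.10.20
address=/intranet.lan/192.168.10.5
# Keep unqualified names and private-range reverse lookups off the upstream.
domain-needed
bogus-priv

# --- /etc/dnscrypt-proxy/dnscrypt-proxy.toml (assumed path) ---
# Listen only where dnsmasq forwards to; LAN clients never talk to it directly.
listen_addresses = ['127.0.0.1:5300']
# Names must match entries in the public resolver list the proxy downloads;
# 'cloudflare' is used here as an example entry.
server_names = ['cloudflare']
ipv4_servers = true
dnscrypt_servers = true
doh_servers = true
# Only pick resolvers that validate DNSSEC and advertise no logging/filtering.
require_dnssec = true
require_nolog = true
require_nofilter = true
```

With this split, a lookup for `printer.lan` is answered from the DHCP lease table and never leaves the router, while `example.com` goes out encrypted through dnscrypt-proxy regardless of what the ISP's DHCP offered.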

+1 for built-in support for DNS over TLS and over HTTPS, with easy configuration for Quad9, Google and Cloudflare servers.

on 04-11-2018 04:24 PM
on 04-11-2018 04:34 PM

@rohta It doesn't have to be Unbound, any other option that works well without losing the current dnsmasq features is fine.

04-11-2018 04:54 PM - edited 04-11-2018 04:59 PM

@xwired I agree. I just mentioned it here because this is closely related. It could be Stubby, for example:

on 04-12-2018 12:17 AM
Can't be Stubby on Debian Wheezy, unless you also propose upgrading straight up to Sid.
on 04-12-2018 05:32 AM

@kode54 I wasn't aware of this limitation. Suggestions are welcome...

on 04-12-2018 02:45 PM
It's not so much a limitation of the software, as of the software being so new that it was only just added to recent versions of Debian. It also includes a lot of dependencies that are brand new as well. It could probably be backported, if someone were incredibly careful with that process.