openwrt guide

Enable DNSSEC & DoT with Stubby on OpenWrt

A step-by-step guide for encrypting and validating your DNS on OpenWrt using Stubby. Involves YAML, a directory that ghosts you on reboot, and the rare joy of failing successfully.
1
Install Stubby
on stable releases
sh
opkg update
opkg install stubby ca-bundle nano
💡 ca-bundle lets Stubby verify TLS certs from upstream servers. Skip it and enjoy mysterious failures at 1am.
2
Enable & Start Stubby
wake it up, watch it breathe
sh
/etc/init.d/stubby enable
/etc/init.d/stubby start
logread -e stubby
3
The Directory That Doesn't Exist
create stubby's home for DNSSEC state

On OpenWrt, DNSSEC validation lives inside Stubby/getdns — not in DoT itself. Stubby needs a writable directory. OpenWrt won't create it. Because of course it won't.

sh
mkdir -p /var/lib/stubby
chown -R stubby:stubby /var/lib/stubby
🫧 /var is RAM-backed on most OpenWrt devices — it vanishes on every reboot like your will to live. Add those two lines to /etc/rc.local before exit 0 if Stubby doesn't recreate it on boot.
4
Set Manual Mode
make stubby.yml the actual boss

OpenWrt manages Stubby via UCI by default. Switch to manual mode so stubby.yml is in charge. Or as I like to call it: the "let me drive" setting.

โœ๏ธ edit
sh
nano /etc/config/stubby
โš™๏ธ set this option
uci
option manual '1'
5
Enable DNSSEC in stubby.yml
the two lines you actually came here for
โœ๏ธ edit
sh
nano /etc/stubby/stubby.yml
➕ add / uncomment
yaml
# Writable dir from Step 3
appdata_dir: "/var/lib/stubby"

# Enable DNSSEC validation
dnssec_return_status: GETDNS_EXTENSION_TRUE
6
Restart & Check Logs
the moment of truth. act casual.
sh
/etc/init.d/stubby restart
logread -e stubby
🌸 If you see DNSSEC messages in the logs — congratulations. Something is happening. That's more than most setups can say.
7
Test DNSSEC Validation
failing on purpose has never felt so right
๐Ÿ” if you have dig installed
sh
# Normal domain — should resolve fine, with the ad (authenticated data) flag in the header
dig @127.0.0.1 -p 5453 example.com +dnssec
💥 test a broken domain
sh
# Intentionally broken DNSSEC — should SERVFAIL
dig @127.0.0.1 -p 5453 dnssec-failed.org
🎉 SERVFAIL on dnssec-failed.org = you win. DNSSEC validation is working. It's failing successfully. You did it. Go to sleep.
๐Ÿ›ก๏ธโœจ

Your DNS is encrypted & validated.

Your router is silently rejecting spoofed DNS responses while everyone else on the network has absolutely no idea. That's the dream.