HostuxDNS

HostuxDNS on OpenWrt

Overview

OpenWrt can use HostuxDNS system-wide by forwarding local DNS traffic through https-dns-proxy. This keeps client devices on your LAN unchanged while the router upgrades queries to DNS over HTTPS.

This guide uses the standard OpenWrt flow: dnsmasq for local clients and https-dns-proxy for encrypted upstream DNS.

Install the required packages

Update the package list, then install the proxy and the LuCI module:

opkg update
opkg install https-dns-proxy luci-app-https-dns-proxy

The package integrates with dnsmasq, which stays your LAN-facing resolver.

Create a HostuxDNS DoH instance

In LuCI, open Services > HTTPS DNS Proxy and add a new instance.

  • Name: hostuxdns
  • Resolver URL: https://dns.hostux.net/dns-query
  • Bootstrap DNS: 46.226.108.173,46.226.109.82

If you want ad and tracker blocking on the router, use https://dns.hostux.net/ads instead of the standard endpoint.

Attach the proxy to dnsmasq

Keep your LAN clients pointed at the router as usual. dnsmasq should forward queries to the local https-dns-proxy listener created by the package.

If multiple upstream resolvers are configured in OpenWrt, disable the ones you do not want to keep so HostuxDNS remains the active encrypted upstream.

The goal is simple: clients talk to the router, and the router talks to HostuxDNS over DoH.

Restart and test

Apply the LuCI changes or restart the services manually:

/etc/init.d/https-dns-proxy restart
/etc/init.d/dnsmasq restart

Then test name resolution from the router:

nslookup openwrt.org 127.0.0.1

If resolution works and HostuxDNS is the only upstream still enabled on the router, LAN clients using the router as their DNS server will also use the encrypted HostuxDNS upstream.
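A successful nslookup shows only that dnsmasq answered, not which upstream it used. The script below is an added example, not part of the original guide or of the https-dns-proxy package: it audits the output of uci show dhcp and reports any dnsmasq upstream that is not a loopback proxy listener. It assumes upstreams are stored in the dnsmasq "server" list and "noresolv" option of /etc/config/dhcp; the sample inputs and the port number are constructed.

```shell
#!/bin/sh
# Added example, not from the HostuxDNS guide. Run on the router as:
#   uci show dhcp | audit_dnsmasq_upstreams
# Assumption: upstreams live in the dnsmasq "server" list and the "noresolv"
# option of /etc/config/dhcp, as printed by `uci show dhcp`.

audit_dnsmasq_upstreams() {
    # Reads `uci show dhcp` text on stdin, prints findings, returns 0 if clean.
    tr -d "'" | awk '
    /^dhcp\.[^.]*\.noresolv=1$/ { noresolv = 1 }
    /^dhcp\.[^.]*\.server=/ {
        sub(/^[^=]*=/, "")                 # keep only the list values
        n = split($0, entry, " ")
        for (i = 1; i <= n; i++) {
            target = entry[i]
            # "/domain/target" form: the upstream is what follows the last slash
            if (target ~ /^\//) sub(/^.*\//, "", target)
            if (target == "") continue     # "/domain/" is answered locally
            upstreams++
            if (target !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|::1)(#[0-9]+)?$/) {
                print "non-loopback upstream: " entry[i]; bad++
            }
        }
    }
    END {
        if (!noresolv) { print "noresolv is not 1: resolv file upstreams also used"; bad++ }
        if (!upstreams) { print "no upstream server entries found"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample: only the local proxy listener (port is illustrative).
SAMPLE_GOOD="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '/use-application-dns.net/'"

# Constructed sample: a leftover plaintext upstream (documentation address).
SAMPLE_MIXED="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '192.0.2.53'"

printf '%s\n' "$SAMPLE_GOOD" | audit_dnsmasq_upstreams && echo "GOOD: clean"
printf '%s\n' "$SAMPLE_MIXED" | audit_dnsmasq_upstreams || echo "MIXED: review findings"
```

A non-zero exit status means at least one finding was printed; each finding names the entry to review in the dnsmasq configuration.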

Notes

  • DoH only in this guide: This walkthrough targets https-dns-proxy, so it uses DoH rather than DoT or DoQ.
  • Why bootstrap DNS matters: The router may need plain IP addresses to resolve dns.hostux.net before the encrypted proxy is fully available.
  • Official references: OpenWrt DoH with dnsmasq and https-dns-proxy