Possible to run CIRA in DOT mode with DNSFilter and dnsmasq?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


New Around Here
Running 386.1_2 (will go to 386.2 soon) on RT-AC1900P.

Current setup:
  • DNSFilter enabled in LAN -> DNSFIlter
    • Kids devices going to OpenDNS Family, e.g.:
  • WAN DNS as follows:
  • dnsmasq to resovle some domains:
    • Code:
      # cat /jffs/configs/dnsmasq.conf.add
      # Teksavvy DNS (ns.teksavvy.com, ns2.teksavvy.com)

Is it possible to have a future setup where:
  • I can keep using dnsmasq
  • Utilize DOT
    • default DNS goes to CIRA Protected
    • kids devices go to CIRA Family
Thanks for your responses and listening.


Part of the Furniture
DoT will not change your DNSMASQ add on settings.
In WAN Connect to DNS Server Automatically No
DNS Server 1
DNS Server 2
Enable DNSSEC and Rebind Protecton
Enable DNS ovet TLS and select the CIRA servers, two of them at least.

Set the kids to use the CIRA family. They will not have DoT protection, though. One way to work around this is to set up a Pi-Hole with Stubby added to connect to CIRA Family.
Might be better to set the whole router to CIRA Family and use other DNS servers for the Adult clients. Keep in mind that DNS filtering is not fool proof and kids can easily defeat it.

Can get complicated but can be made to work


Asuswrt-Merlin dev
You can only do a global DOT configuration, you cannot have different clients use different DOT servers.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!