Possible to run CIRA in DOT mode with DNSFilter and dnsmasq?


New Around Here
Running 386.1_2 (will go to 386.2 soon) on RT-AC1900P.

Current setup:
  • DNSFilter enabled in LAN -> DNSFilter
    • Kids devices going to OpenDNS Family, e.g.:
  • WAN DNS as follows:
  • dnsmasq to resolve some domains:
    • Code:
      # cat /jffs/configs/dnsmasq.conf.add
      # Teksavvy DNS (ns.teksavvy.com, ns2.teksavvy.com)

Is it possible to have a future setup where:
  • I can keep using dnsmasq
  • Utilize DOT
    • default DNS goes to CIRA Protected
    • kids devices go to CIRA Family
Thanks for your responses and listening.


Part of the Furniture
DoT will not change your DNSMASQ add on settings.
In WAN, set "Connect to DNS Server Automatically" to No
DNS Server 1
DNS Server 2
Enable DNSSEC and Rebind Protection
Enable DNS over TLS and select the CIRA servers, two of them at least.

Set the kids to use the CIRA family. They will not have DoT protection, though. One way to work around this is to set up a Pi-Hole with Stubby added to connect to CIRA Family.
Might be better to set the whole router to CIRA Family and use other DNS servers for the Adult clients. Keep in mind that DNS filtering is not foolproof and kids can easily defeat it.

Can get complicated but can be made to work.


Asuswrt-Merlin dev
You can only do a global DOT configuration, you cannot have different clients use different DOT servers.
