🍅 What is Tomato Firmware?
Tomato is an open-source alternative firmware for routers that offers advanced features, better performance, and enhanced control over your network. It's known for its clean interface and stability.
Why Configure Custom DNS?
Changing your router's DNS servers affects all devices on your network, providing:
- Enhanced Privacy: Avoid ISP tracking and data collection
- Better Performance: Faster domain name resolution
- Content Filtering: Block malware and adult content at DNS level
- Bypass Censorship: Access blocked domains in your region
- No Per-Device Setup: One configuration protects all devices
DNS Provider Options
🛡️ TorGuard DNS (Recommended)
Primary: 8.8.8.8
Secondary: 8.8.4.4
No-logs policy, optimized for VPN users, blocks malware
🔒 Cloudflare DNS
Primary: 1.1.1.1
Secondary: 1.0.0.1
Fast performance, privacy-focused, DNSSEC support
🌐 Quad9 DNS
Primary: 9.9.9.9
Secondary: 149.112.112.112
Blocks malicious domains, no-logs, non-profit
🚫 AdGuard DNS
Primary: 94.140.14.14
Secondary: 94.140.15.15
Blocks ads and trackers at DNS level
🔵 OpenDNS
Primary: 208.67.222.222
Secondary: 208.67.220.220
Content filtering options, owned by Cisco
⚠️ Google DNS
Primary: 8.8.8.8
Secondary: 8.8.4.4
Fast but collects data for advertising
Step-by-Step Configuration

- Access Tomato Admin Panel
  Open your web browser and navigate to your router's IP address: http://192.168.1.1
  Common alternatives: 192.168.0.1, 192.168.2.1, or 10.0.0.1
- Navigate to Network Settings
  Click on Basic → Network in the navigation menu.
- Configure Static DNS
  Under the "Static DNS" section:
  - Clear the "Use received DNS with user-entered DNS" checkbox
  - Enter your preferred DNS servers in the provided fields
  - For TorGuard DNS, enter: 8.8.8.8 and 8.8.4.4
- Save Settings
  Click the "Save" button at the bottom of the page.
- Apply Changes
  The router will apply changes immediately. No reboot required for DNS changes.
Advanced DNS Configuration
DNSSEC Configuration
To enable DNSSEC validation in Tomato (if supported by your build):
- Navigate to Advanced → DHCP/DNS
- Find the "DNSSEC" section
- Check "Enable DNSSEC"
- Select "Validate unsigned responses"
- Click "Save" to apply
⚠️ Note: DNSSEC requires compatible DNS servers. All providers listed above except Google DNS fully support DNSSEC.
DNS Feature Comparison
Provider | Privacy | Speed | Malware Blocking | Ad Blocking | DNSSEC | DoH/DoT |
---|---|---|---|---|---|---|
TorGuard DNS | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ✅ | ✅ | ✅ | ✅ |
Cloudflare | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | Optional | ❌ | ✅ | ✅ |
Quad9 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ✅ | ❌ | ✅ | ✅ |
AdGuard | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ✅ | ✅ | ✅ | ✅ |
OpenDNS | ⭐⭐⭐ | ⭐⭐⭐⭐ | Optional | Optional | ❌ | ❌ |
Google DNS | ⭐⭐ | ⭐⭐⭐⭐⭐ | ❌ | ❌ | ✅ | ✅ |
Testing Your DNS Configuration
Verify DNS Changes
After configuring DNS, test the changes:
- Check Current DNS Servers
  From a connected device, run:
  # Windows
  nslookup google.com
  # macOS/Linux
  dig google.com
- Test DNS Resolution
  Visit: DNS Leak Test
  This shows which DNS servers are actually being used.
- Verify DNSSEC
  Visit: DNSSEC Validator
  Should show green checkmarks if DNSSEC is working.
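The `dig` check above can be read mechanically. This added example (not part of the original guide) parses `dig` output to report which resolver answered and whether the answer carries the DNSSEC "ad" flag. The function names are illustrative, the router address is the guide's default, and the sample output is constructed.

```sh
# Added example: interpret `dig` output from a LAN client.
ROUTER_IP="192.168.1.1"   # assumption: the default address used in this guide

# Print the resolver address from dig's ";; SERVER: ip#port(...)" line.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Print the response code (NOERROR, SERVFAIL, ...) from the header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (Authenticated Data) flag appears in the flags line.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Classify one dig run: resolver path, response code, DNSSEC state.
check_dns() {
    out="$1"
    server=$(dig_server "$out")
    case "$server" in
        "$ROUTER_IP") path="via-router" ;;
        127.*|::1)    path="local-stub" ;;      # OS stub resolver; inspect its upstream
        "")           path="unknown" ;;
        *)            path="bypasses-router" ;; # device has its own DNS setting
    esac
    if dig_has_ad "$out"; then dnssec="validated"; else dnssec="not-validated"; fi
    printf '%s %s %s\n' "$path" "$(dig_status "$out")" "$dnssec"
}

# Constructed sample of `dig +dnssec example.com` output (not a real capture).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)'

# Live use on a client: check_dns "$(dig +dnssec example.com)"
check_dns "$SAMPLE_OK"
```

A "bypasses-router" result means the device is using a DNS server of its own rather than the one handed out by the router, so the router's DNS settings do not apply to it.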
Troubleshooting Common Issues
DNS changes not taking effect
- Clear DNS cache on your devices:
  - Windows: ipconfig /flushdns
  - macOS: sudo dscacheutil -flushcache
  - Linux: sudo systemd-resolve --flush-caches
- Restart network interface or reboot device
- Check if ISP is forcing their DNS (try DNS over HTTPS)
Websites not loading after DNS change
This might indicate the DNS servers are unreachable:
- Verify DNS server IPs are correct
- Try alternative DNS servers temporarily
- Check if firewall is blocking port 53
- Ensure WAN connection is active
Slow DNS resolution
To improve DNS performance:
- Choose geographically closer DNS servers
- Enable DNS caching in Tomato (Advanced → DHCP/DNS)
- Consider using DNS-over-HTTPS if available
- Test different providers to find fastest for your location
DNS for Different Use Cases
🎮 Gaming
Use Cloudflare (1.1.1.1) or Google DNS for lowest latency. Avoid filtering DNS services.
🔒 Maximum Privacy
Use TorGuard DNS or Quad9. Enable DNSSEC and consider DNS-over-HTTPS.
👨👩👧👦 Family Protection
Use OpenDNS Family Shield (208.67.222.123, 208.67.220.123) or CleanBrowsing Family.
Additional Tomato DNS Options
For advanced users, Tomato offers additional DNS configuration options:
- DNS Rebind Protection: Prevents DNS rebinding attacks
- Intercept DNS: Forces all DNS queries through router's DNS
- Use dnscrypt-proxy: Encrypts DNS queries (requires compatible build)
- Custom dnsmasq config: Add custom DNS rules and overrides
✅ Best Practices
- Use at least two DNS servers for redundancy
- Choose servers from different providers when possible
- Test DNS performance regularly
- Keep router firmware updated for security
- Consider VPN for complete privacy (DNS alone isn't enough)