DNS

This manual describes how DNS is implemented on Turris and covers the most common problems and settings.

DNS software on Turris

OpenWRT, the operating system Turris OS is based on, uses dnsmasq as both DNS and DHCP server in its default configuration. Dnsmasq stays on Turris, but only as the DHCP server; Turris and Omnia replace the DNS resolver with a different implementation:

  1. Turris uses the DNS resolver Unbound.
  2. Omnia uses the DNS resolver Knot Resolver (also known by the abbreviation kresd).

That is why changes made to the DNS settings in LuCI have no effect.

The reason for this change is simple: the Turris project aims to improve Internet security, and one of the technologies it supports is DNSSEC. The original dnsmasq could not validate DNSSEC records, so it had to be replaced. Dnsmasq remained as the DHCP server, since there was no reason to replace it in that role, and it can still be configured via the LuCI interface.

Even though the newest versions of dnsmasq support DNSSEC, we are not considering returning it to its role as DNS resolver just yet, because we are not yet satisfied with the quality of the implementation.

DNSSEC on Turris

DNSSEC ensures that, for domains that are cryptographically signed, a validating resolver can verify that the response was not forged on the way between client and server. This is a defense against the type of attack known as DNS spoofing.

DNSSEC support is required on Turris in order for the router to function correctly. Without DNSSEC, the router and the Turris switchboard would not communicate. A common cause of failures is a user adjustment to the DNS software, namely promoting the dnsmasq server to the role of the main resolver.

DNS and forwarding

Another common issue arises when "DNS forwarding" is enabled but the ISP doesn't support DNSSEC. In the default Turris configuration, DNS forwarding is enabled.

Let's have a look at what is going on:

  1. If forwarding is turned off, Turris asks the authoritative servers spread across the Internet directly. What this procedure looks like is described, for example, on Wikipedia.
  2. If forwarding is turned on, all queries are sent to your provider's DNS server. The provider either sends the query out to the Internet or answers it directly from its local cache. After the Turris resolver receives the answer, it only checks the validity of the signatures.

The advantage of forwarding is that Turris asks servers queried by a large number of clients (all clients of your ISP), so there is a greater chance that the answer is already in the cache and the server can deliver it incomparably faster.

Two common problems can be solved by turning off forwarding:

  1. The ISP doesn't support DNSSEC. In that case Turris receives answers without signatures, which the resolver detects as an error, because its configuration requires answers from the root DNS servers to be signed.
  2. Old versions of the BIND DNS server contain a bug that mishandles so-called wildcard DNS records (e.g. *.turris.cz, which matches all subdomains of the turris.cz domain). If your ISP uses one of these versions, Turris won't get the right signatures and validation will fail.

In both cases the problem is on the ISP's side, but the Turris software cannot tell it apart from an attempted DNS attack. DNSSEC validation therefore fails and the client in the network doesn't get an answer (so that it is not handed counterfeit data).
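A quick way to see what your ISP's resolver actually returns, added here as an example that is not part of the Turris manual: the script below classifies a captured `dig +dnssec` response by whether it carries RRSIG records and the AD flag. The resolver address `ISP_RESOLVER` is a placeholder, and the two embedded responses are constructed samples rather than real captures.

```shell
#!/bin/sh
# Added example, not from the Turris manual: classify a captured `dig +dnssec` response
# to see whether an upstream (ISP) resolver passes DNSSEC signatures through.
# Real-world use (ISP_RESOLVER is a placeholder for your ISP's resolver address):
#   dig +dnssec turris.cz @ISP_RESOLVER | classify_dnssec_response
# Prints one word:
#   validated - RRSIG records present and AD flag set: upstream validates and keeps signatures
#   signed    - RRSIG records present, no AD flag: Turris can still validate the answer itself
#   unsigned  - no RRSIG records: forwarding to this resolver will break DNSSEC validation
#   servfail  - no answer at all (what a validating resolver returns when validation fails)
classify_dnssec_response() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$resp" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail
    elif printf '%s\n' "$resp" | grep -qE '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        # The answer carries signatures; "ad" (Authenticated Data) means upstream validated them.
        case " $flags " in
            *" ad "*) echo validated ;;
            *)        echo signed ;;
        esac
    else
        echo unsigned
    fi
}

# Constructed sample responses (not real captures); 192.0.2.10 is a documentation address.
SAMPLE_VALIDATED='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
turris.cz.   300  IN  A      192.0.2.10
turris.cz.   300  IN  RRSIG  A 13 2 300 20380101000000 20370101000000 12345 turris.cz. U0lHTkFUVVJF
'
SAMPLE_STRIPPED='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
turris.cz.   300  IN  A      192.0.2.10
'

demo() {
    printf 'validating upstream:          %s\n' "$(printf '%s\n' "$SAMPLE_VALIDATED" | classify_dnssec_response)"
    printf 'signature-stripping upstream: %s\n' "$(printf '%s\n' "$SAMPLE_STRIPPED" | classify_dnssec_response)"
}
demo
```

An `unsigned` result is exactly the first situation described above: the ISP's resolver strips the signatures, so forwarding to it makes validation on Turris fail.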

In the Foris user interface, under the DNS tab, you will find a simple test that checks the current DNS setting of your router. On the same page you can turn forwarding on or off.