The Problem Here
The reForis interface only allows the selection of 1 DNS server for the router,
and checking the config files, I see in /etc/config/resolver
Could I add a 2nd option forward_ , and would it be recognised / ignored / crash?
The documentation in wiki.turris.cz/en/public/dns_knot_misc
provides no guidance, it just talks of adding one DNS service.
OR, as an alternative possibility,
what would happen if I added lines to /etc/config/network such as:
OK, I tried it.
Problem is while it allows 2 IPv4 + 2 IPv6 addresses, it only allows one hostname.
The result is that /tmp/kresd.config looks like this:
So it must be that the wrong certificate will be used for the 2nd entry.
The only way around this is to specify no TLS, which means we have unencrypted
and MITM-able DNS - seems like a bad idea.
I could edit the file by hand to put in the correct host name, but of course it is just a tmp file so will be recreated whenever a crow flies overhead.
You could add your own config file, put these forwarding instructions in there (even 4 should work) and in reForis uncheck forwarding so that it doesn’t clash.
EDIT: I don’t think I’ve seen that done, but I believe that the combined config should be OK.
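A custom kresd configuration file of the kind suggested above, as an added example that is not from the original thread or the Turris project. It assumes Knot Resolver's policy module API and the /etc/kresd/custom.conf path mentioned later in this thread; the upstream addresses are the public ones named in the thread, and the TLS hostnames are the operators' published DNS-over-TLS names.

```lua
-- /etc/kresd/custom.conf (path as used in this thread). The file has to be
-- referenced from /etc/config/resolver, e.g.
--   option include_config '/etc/kresd/custom.conf'
-- and forwarding should be unchecked in reForis so the generated
-- /tmp/kresd.config does not add a competing forwarding policy.
--
-- Added example: forward every query over TLS to several upstreams, each
-- with its own authentication hostname, so that no server is validated
-- against another server's certificate (the single-hostname limit of the
-- generated config is what breaks the second entry in the thread).

-- Addresses as discussed in the thread; hostnames are the operators'
-- published DoT names (assumption: the operator has not renamed them).
local upstreams = {
  { '9.9.9.9', hostname = 'dns.quad9.net' },
  { '8.8.8.8', hostname = 'dns.google' },
  { '1.1.1.1', hostname = 'cloudflare-dns.com' },
}

-- policy.TLS_FORWARD authenticates each upstream against its own hostname
-- using the system CA store. Queries are spread over and failed over among
-- the listed servers, so a single leak test run will not necessarily show
-- every one of them; a server that stays absent across many runs is the
-- thing worth investigating.
policy.add(policy.all(policy.TLS_FORWARD(upstreams)))
```

After restarting the resolver service (on Turris the init script is assumed to be `/etc/init.d/resolver restart`), the check already given in this thread applies: inspect the generated /tmp/kresd.config and confirm that the custom file is included and that no other forwarding policy precedes it, since the first matching policy wins.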
yes, I had to put on 2 pairs of glasses to write it.
Will try tomorrow.
Assuming it doesn’t crash / lock up, key problem will be how to work out if all 3 DNS servers are actually being used. I believe Leaktest is the standard way.
I tested today for about 8 hours over all possible configurations
and documented my test results.
No matter what I do, or what configuration I use, the router uses Cloudflare for DNS.
It seems to be either hard-coded somewhere
or there is another overriding config file somewhere.
To summarise the many tests into just two key results:
1. Even if I set to Google (or Quad 9) in the GUI
and don't include a config file, the router still uses Cloudflare.
I checked /etc/config/resolver has option forward_custom '99_google'
2. If I add a /etc/kresd/custom.conf,
with just Google and Quad9,
the same: uses Cloudflare.
I tested with both option forward_custom '99_quad9_filtered'
and no option forward_custom statement
in /etc/config/resolver.
Testing hygiene matters:
3. I confirmed that Leaktest was working correctly by setting
my laptop’s DNS to 1.1.1.1, 9.9.9.9, 8.8.8.8.
Leaktest correctly showed all the DNS servers being used.
But if I set the laptop’s DNS to the IP of the router,
only Cloudflare gets used.
4. Between every change I rebooted to ensure that everything relevant got restarted.
Every other device in the network was turned off,
so no chance of other random DNS requests interfering.
I would start from the fact that in general systems use secondary DNS only when the first doesn't respond in time. Dnsleak is doing some tricks to discover all of them configured.
OK, I did a FACTORY RESET,
made no other changes,
then in the GUI set the DNS server to Quad9-Filtered.
Then did a leaktest and got:
one unknown (possibly Quad9) response and the rest Cloudflare responses.
I then changed the DNS server to Google.
did another Leaktest, and all results were Cloudflare.
so, it seems that Cloudflare is hard-coded somewhere.
Is it possible that there is some error in Google or Quad9 setup
(eg the certificates are expired)
and the system falls back to Cloudflare?
On which machine/system are you testing with dnsleaktest? Maybe the problem doesn't lie in Omnia. If it's Android then there is a setting “Private DNS” somewhere in settings and it has hardcoded Cloudflare.
No, I managed that carefully.
I tested with all other machines/phones/devices off except the router and the testing laptop,
and the laptop was set to get its dns from the router
(easy to confirm with ‘resolvectl status’ or nmcli).
BUT
one funny thing happened today.
I had set the DNS server to Google
(in case there was a problem with Quad9) - but still got Cloudflare.
I then turned off DNSSEC in the reForis gui
and then the leaktest gave me Google!!!
However after turning DNSSEC on again, then off, and rebooting,
it went back to Cloudflare
and no turning on/off DNSSEC gave me back Google.
You can inspect /tmp/kresd.config (the generated configuration). There’s no hard-coding for forwarding anywhere in the code. Only fallback for root server addresses (non-forwarding mode).