DNS: does not resolve locally using DNS forwarding


The local resolver does not work (as needed). I need to use local company DNS servers and I tried to configure them in LuCI web on Network: DHCP and DNS: General settings: DNS forwardings and/or by configuring knot-resolver by policies in /etc/kresd/custom.conf (using option include_config ‘/etc/kresd/custom.conf’ in /etc/config/resolver section kresd), but the only result is that /tmp/resolv.conf.auto looks OK to me but /etc/resolv.conf has just “nameserver”. And it does not resolve anything, even if I specify the DNS server: “nslookup desired.address.com dns_server”. When I copy /tmp/resolv.conf.auto into /etc/resolv.conf everything starts to work like a charm.
Syslog is full of complaints about root servers reachability…

Hello. I see what you’ve tried, but I’m not sure what setup you actually want to achieve. Let me list a few general simple options I can see; all assume you start from a clean/default setup and just do a couple of clicks in the Foris web UI:

  1. vanilla DNS, i.e. “forwarding” disabled in Foris/DNS. Omnia will ask individual authoritative servers directly, and validate their answers (unless you disable DNSSEC).
  2. vanilla DNS through ISP’s servers, i.e. “forwarding” enabled in Foris/DNS and DNSSEC not disabled. Omnia will behave similarly to (1) but send all queries to your ISP’s servers instead of authoritative ones. If your ISP’s servers are from the stone age (or misconfigured) or if the ISP intentionally changes DNS data*, you will have problems with this.
  3. only caching your ISP’s DNS, i.e. “forwarding” enabled and DNSSEC validation disabled. This may be the fastest and easiest; you put your trust about good DNS data fully into your ISP (and obtain that data over unsecured link to the ISP).

Note: what “ISP’s servers” are depends on your WAN setup:

  1. with “automatic/DHCP”, they are whatever addresses Omnia gets over DHCP protocol on WAN;
  2. with “static/manual” they are the addresses you put in there :slight_smile:

* There may be various reasons to change DNS, ranging from protection against malware, through governmentally forced blocking and adding internal names in a company, up to serving ads instead of non-existing domains.

Thanks a lot. Foris was the key. Disabling “Use forwarding” and disabling DNSSEC did the trick.

Yeah :slight_smile: glad to help :slight_smile:
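
The symptom from the first post (an /etc/resolv.conf containing a bare "nameserver" line while /tmp/resolv.conf.auto looks fine) can be checked mechanically. The script below is an added example, not part of the thread or of Turris OS; the function names are hypothetical and the sample files are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Added diagnostic sketch: classify "nameserver" entries in a resolv.conf-style
# file as usable (followed by an IP literal) or incomplete (bare or malformed).

# Print "<usable> <incomplete>" for the file given as $1.
count_nameservers() {
    awk '
        $1 == "nameserver" {
            ipv4 = ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            ipv6 = ($2 ~ /:/ && $2 ~ /^[0-9A-Fa-f:.]+(%[A-Za-z0-9._-]+)?$/)
            if (ipv4 || ipv6) usable++; else incomplete++
        }
        END { printf "%d %d\n", usable, incomplete }
    ' "$1"
}

# Return 0 if the file has at least one usable nameserver, 1 if none,
# 2 if the file could not be read. Prints a one-line verdict.
check_resolv_conf() {
    counts=$(count_nameservers "$1" 2>/dev/null) || return 2
    usable=${counts% *}
    incomplete=${counts#* }
    if [ "$usable" -eq 0 ]; then
        echo "$1: no usable nameserver ($incomplete incomplete entries)"
        return 1
    fi
    [ "$incomplete" -eq 0 ] || echo "$1: $incomplete incomplete entries ignored"
    echo "$1: $usable usable nameserver(s)"
    return 0
}

# Demo on constructed sample files (not real router output).
demo_dir=$(mktemp -d)
printf 'nameserver\n' > "$demo_dir/resolv.conf"            # the broken case
printf '# constructed sample\nnameserver 192.0.2.53\nnameserver 2001:db8::53\n' \
    > "$demo_dir/resolv.conf.auto"                         # the working case
check_resolv_conf "$demo_dir/resolv.conf" || true
check_resolv_conf "$demo_dir/resolv.conf.auto" || true
rm -rf "$demo_dir"
```

On a router the same functions can be pointed at /etc/resolv.conf and /tmp/resolv.conf.auto directly.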

