DNS problems - can't resolve api.turris.cz

Dear experts, since a couple of days, I have problems with DNS forwarding.

Please note that I’m just a user (I can ssh to my Turris Omnia to follow instructions but they have to be pretty literal, step-by-step commands).

This is my version as reported by Foris:

Device Turris Omnia - RTROM01
Serial number 47244687325
Turris OS version 3.8
Kernel version 4.4.87-cb5e816fa6b1a6b5342df69755869d71-2

So here are my symptoms:

  • My Android device can connect to WiFi but says “Connected, no Internet”.
  • My laptop could connect, but couldn’t resolve any addresses - I had to manually enter Google’s in the connection settings to be able to post here.

So I saw this post which mentions to do this:

root@turris:~# cat /var/resolv.conf.auto
# Interface wan

But when I try ping, this happens:

root@turris:~# ping google.com
ping: bad address 'google.com'

Or this:

root@turris:~# nslookup google.com
Address 1:

nslookup: can't resolve 'google.com': Try again

On the Foris DNS connection test, these are the results:

Test type Status
IPv4 connectivity OK
IPv4 gateway connectivity Error
IPv6 connectivity Error
IPv6 gateway connectivity OK
DNS Error

I am not sure what is going on or how I can fix it. Any help would be appreciated.

1 Like

Please see Turris OS 3.8 is out! and my other post just below that for your options. I find it very likely that your situation is equivalent.

Thanks. Just reading your message I didn’t get simply what I should do, so for the benefit of others I’ll repeat the relevant information from the other thread here:

In Foris on the DNS page,

  • untick Use forwarding
  • tick Disable DNSSEC

This is currently working for me. The thread vcunat referred to mentions that the problem was caused by the update to version 3.8.

Two questions remain though:

  1. If my Turris is not forwarding DNS queries (since I disabled it), how is it possible for LAN clients to resolve any URLs? This seems not logical to me, especially since I used to have Use forwarding enabled previously.
  2. Similar with the DNSSEC setting: This used to be enabled and working fine, so what changed that I had to disable it?

You don’t need both changes in Foris. Either will suffice, most likely.

  1. “forwarding” means that kresd only asks a couple particular recursive servers (typically those provided by ISP but it’s configurable). Not forwarding means “iteration”: kresd will ask authoritative servers directly. (This is not a good place to explain how DNS works.)
  2. up to 3.8, the forwarding mode did not (try to) validate DNSSEC.