DNS problems - can't resolve api.turris.cz

Dear experts, for a couple of days now, I have had problems with DNS forwarding.

Please note that I’m just a user (I can ssh to my Turris Omnia to follow instructions but they have to be pretty literal, step-by-step commands).

This is my version as reported by Foris:

Device: Turris Omnia - RTROM01
Serial number: 47244687325
Turris OS version: 3.8
Kernel version: 4.4.87-cb5e816fa6b1a6b5342df69755869d71-2

So here are my symptoms:

  • My Android device can connect to WiFi but says “Connected, no Internet”.
  • My laptop could connect, but couldn’t resolve any addresses - I had to manually enter Google’s 8.8.8.8 in the connection settings to be able to post here.

So I saw this post, which mentions doing this:

root@turris:~# cat /var/resolv.conf.auto
# Interface wan
nameserver 192.168.0.1
nameserver 59.86.160.27
nameserver 125.213.172.129

But when I try ping, this happens:

root@turris:~# ping google.com
ping: bad address 'google.com'

Or this:

root@turris:~# nslookup google.com 59.86.160.27
Server:    59.86.160.27
Address 1: 59.86.160.27

nslookup: can't resolve 'google.com': Try again

On the Foris DNS connection test, these are the results:

Test type | Status
IPv4 connectivity | OK
IPv4 gateway connectivity | Error
IPv6 connectivity | Error
IPv6 gateway connectivity | OK
DNS | Error
DNSSEC | Error

I am not sure what is going on or how I can fix it. Any help would be appreciated.


Please see “Turris OS 3.8 is out!” and my other post just below that for your options. I find it very likely that your situation is equivalent.

Thanks. Just reading your message I didn’t get simply what I should do, so for the benefit of others I’ll repeat the relevant information from the other thread here:

In Foris on the DNS page,

  • untick Use forwarding
  • tick Disable DNSSEC

This is currently working for me. The thread vcunat referred to mentions that the problem was caused by the update to version 3.8.

Two questions remain though:

  1. If my Turris is not forwarding DNS queries (since I disabled it), how is it possible for LAN clients to resolve any URLs? This does not seem logical to me, especially since I used to have Use forwarding enabled previously.
  2. Similar with the DNSSEC setting: This used to be enabled and working fine, so what changed that I had to disable it?

You don’t need both changes in Foris. Either will suffice, most likely.

  1. “forwarding” means that kresd only asks a couple of particular recursive servers (typically those provided by ISP but it’s configurable). Not forwarding means “iteration”: kresd will ask authoritative servers directly. (This is not a good place to explain how DNS works.)
  2. Up to 3.8, the forwarding mode did not (try to) validate DNSSEC.
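
Once forwarding mode validates DNSSEC, the servers being forwarded to have to return RRSIG records when they are queried with the EDNS0 DO ("DNSSEC OK") bit set. The following Python is an added example, not part of the thread and not Turris or kresd code: it builds such a query and classifies a forwarder's reply. The sample replies are constructed (example.test, 192.0.2.1 and placeholder signature bytes), and whether missing signatures are the cause on any particular network is an assumption to be checked.

```python
import struct

TYPE_OPT, TYPE_RRSIG, DO_BIT = 41, 46, 0x8000  # DO = EDNS0 "DNSSEC OK" flag

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set and an EDNS0 OPT record carrying the DO bit."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Extract rcode, the AD flag and whether the answer section has an RRSIG."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "rrsig": TYPE_RRSIG in types}

def verdict(msg):
    """Classify a forwarder's reply to a DO query for a name in a signed zone."""
    r = inspect_response(msg)
    if r["rcode"] != 0:
        return "error"
    return "returns-signatures" if r["rrsig"] else "strips-signatures"

def sample_reply(signed):
    """Constructed reply for 'example.test A' (not captured traffic)."""
    question = build_query("example.test")[12:-11]   # drop header and OPT record
    rr = lambda t, rdata: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    answers = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(TYPE_RRSIG, b"\x00" * 20)] if signed else [])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

if __name__ == "__main__":
    print(verdict(sample_reply(True)), verdict(sample_reply(False)))
```

To use it against real forwarders, send `build_query(name)` for a name in a signed zone over UDP to port 53 of each nameserver listed in /var/resolv.conf.auto and pass the reply bytes to `verdict()`.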