DNS: which resolver to use?


For now, with Omnia Turris 3.8, I switched to dnsmasq-full.

However, it appears to me that the knot-resolver stack now has the main feature I was missing: putting DHCP names into DNS. At least Foris gives the option to enable this. I bet this is handled by the script /etc/resolver/dhcp_host_domain_ng.py.

However, according to Foris, DNSSEC does not work anymore. I think it didn't work before either, as I had moved knot-resolver to port 153 to avoid clashes, yet the Foris web GUI showed DNSSEC as working.

So which resolver to use… what are the advantages / disadvantages of each one?

So far I like that with dnsmasq I appear to have everything in one integrated package without glue scripts. I am also much more familiar with dnsmasq.

Well, prior to this new feature in 3.8, I used to apply some hacks from these forums to enable DHCP name resolution via DNS (by knot/kresd).

The problem was that this was prone to breaking after Turris updates. I decided to stop relying on this and realized that I only need it for a few known machines in my LAN. So I configured DHCP to assign them "Static leases" via luci/admin/network/dhcp. And then I defined hostnames for those same static IPs via luci/admin/network/hosts. This has been working well for me without breakages. I assume the /tmp/hosts/dhcp generated from the hostnames is somehow picked up by knot (kresd).

Now, after updating to 3.8+, I enabled their glue script and I can confirm this Foris setting works well with knot, and all DHCP names are resolvable through DNS as [name].lan. This does not interfere with my own fixed hostname settings, because they should provide the same name/IP pairs as the automatic list generated by /etc/resolver/dhcp_host_domain_ng.py. And if the automated script breaks in the future for some reason, my hostnames solution will still work for the names I care about.

Thanks, Darwin. Are you otherwise happy with knot/kresd? I bet they may have some advantages over using dnsmasq, like DNSSEC, but as I didn't dive deeply into it, I don't know what to choose here. Well, for now dnsmasq-full just works fine enough. But I'd like to review the decision at a later time.

Does the dnsmasq-full version provided by Turris support DNSSEC? I know the source version does, but it’s not clear to me that the version provided by Turris does.

I don't have strong feelings about DNS resolvers as long as they work for me :) From my perspective it would be better if everything was done by dnsmasq and configurable via LuCI. Right now it is quite confusing that Turris's LuCI offers DNS-related settings and tweaking them has no effect.

True. I keep hoping they'll either abandon the Foris interface or make the stuff only available in the Foris interface also available in the OpenWrt interface.

Even better, I think, would be to pour the resources going into Foris into something like JUCI or Gargoyle. I personally like the OpenWrt interface, but I would never want to give that to my parents. Honestly, Foris is just not feature complete.

Sorry for hijacking the thread.

I just switched to kresd as well and the dnssec resolver test at https://dnssec.vs.uni-due.de/ confirms that the resolver is validating DNSSEC signatures. I will see how that goes.