For now, with Omnia Turris 3.8, I switched to dnsmasq-full.
However, it appears to me that the knot-resolver stuff now has the main feature I was missing: putting DHCP names into DNS. At least Foris gives the option to enable this. I bet this is handled by the script /etc/resolver/dhcp_host_domain_ng.py.
However, according to Foris, DNSSEC does not work anymore. I think it didn't work before either, as I moved knot-resolver to use port 153 to avoid clashes, yet the Foris web GUI showed DNSSEC as working.
So which resolver to use… what are the advantages / disadvantages of each one?
So far I like that with dnsmasq I appear to have everything in one integrated package without glue scripts. I am also much more familiar with dnsmasq.
Well, prior to this new feature in 3.8, I used to apply some hacks from these forums to enable DHCP name resolution via DNS (by knot/kresd).
The problem was that this was prone to breaking after Turris updates. I decided to stop relying on this and realized that I need it only for a few known machines in my LAN. So I configured DHCP to assign them "Static leases" via luci/admin/network/dhcp. And then I defined hostnames for those same static IPs via luci/admin/network/hosts. This has been working well for me without breakages. I assume the /tmp/hosts/dhcp generated from the hostnames somehow gets recognized by knot (kresd).
Now, after updating to 3.8+, I enabled their glue script and I can confirm this Foris setting works well with knot and all DHCP names are resolvable through DNS as [name].lan. This does not interfere with my own fixed hostname settings, because they should provide the same name/IP pairs as the automatic list generated by /etc/resolver/dhcp_host_domain_ng.py. And if the automated script breaks in the future for some reason, my hostnames solution will still work for the names I care about.
Thanks, Darwin. Are you otherwise happy with knot/kresd? I bet they may have some advantages over using dnsmasq, like DNSSEC, but as I didn't dive deeply into it, I don't know what to choose here. Well, for now dnsmasq-full just works fine enough. But I'd like to review the decision at a later time.
Does the dnsmasq-full version provided by Turris support DNSSEC? I know the source version does, but it’s not clear to me that the version provided by Turris does.
I don't have strong feelings about DNS resolvers as long as they work for me. From my perspective it would be better if everything was done by dnsmasq and configurable via LuCI. Right now it is quite confusing that Turris's LuCI offers DNS-related settings and tweaking them has no effect.
True. I keep hoping they’ll either abandon the Foris interface or make stuff only available in the Foris interface also available in the OpenWRT interface.
Even better, I think, would be to pour the resources going into Foris into something like JUCI or Gargoyle. I personally like the OpenWRT interface, but I would never want to give that to my parents. Honestly, Foris is just not feature complete.
I just switched to kresd as well and the dnssec resolver test at https://dnssec.vs.uni-due.de/ confirms that the resolver is validating DNSSEC signatures. I will see how that goes.