Foris - add option for custom DNS servers

zemunonixo · July 1, 2019, 9:23am

Please update forris so that IP’s and DNSCRYPT hashes can be added instead of the dropdown ! Then wouldn’t have such issues.

vcunat · July 1, 2019, 10:33am

dnscrypt isn’t supported there, and that seems unlikely to change in future. (Perhaps you meant something else.)

zemunonixo · July 1, 2019, 11:01am

Thats the point. DNSCRYPT HASH should be there and is very important as are ability to add IP’s & domains.

DNSCRYPT v2 is available but only as a manual install.

Setting DNS in luci/admin/network/dhcp or on interfaces doesn’t work as expected

vcunat · July 1, 2019, 11:24am

The dnscrypt protocol is not supported, so the dnscrypt hash doesn’t make any sense there/

zemunonixo · July 1, 2019, 11:43am

Not supported? If you mean by knot resolver ok but that should be addressed very quickly as it really should be.

dnscrypt protocol is supported by OpenWRT but you have to manually install dnscrypt-proxy v2

The separate issue is that even setting DNS in luci/admin/network/dhcp or on interfaces doesn’t work as expected. Appears that Knot resolver is not respecting the settings. Can knot resolver be turned off completely ?

ssdnvv · July 1, 2019, 11:51am

There are very many threads concerning this topic existing in this forum. Just use search functionality.
But if you do so, be aware that dns will break with every update.

anon50890781 · July 1, 2019, 11:56am

How so? It is possible to disable/remove knot and deploy another scenario, which requires of course more manual effort (in depth knowledge) to set up, but that does not necessarily break anything, if set up correctly.

zemunonixo · July 1, 2019, 12:00pm

There doesnt seem to be much choice. My recently arrived Mox is an expensive brick otherwise. The current available settings in forris & luci or rather lack thereof means its a manual install anyway. DISAPPOINTED

Thanks - I will take a look at turning knot off.

vcunat · July 1, 2019, 12:07pm

No, that’s not planned and very unlikely to happen. (I’m Knot Resolver developer.) Basically everyone in the past few years has been shifting to IETF-standardized protocols, in particular DNS over TLS and lately over HTTPS, too. Both of these run on the well-maintained TLS protocol.

Probably, but I haven’t seen references here on the forum – I can only remember people wanting to switch from Knot Resolver or Unbound “back” to Dnsmasq.

ftmx · July 1, 2019, 12:35pm

This is a misleading statement. It has to be manually installed, configured, and maintained separately from all the other packages. The same can be done in the Turris OS, with the only exception that OpenWRT does not overwrite your settings during the upgrade.

ftmx · July 1, 2019, 1:30pm

Well, unless I am misinterpreting this, I am seeing a lot of support for dnscrypt as well; especially and including the big players.

vcunat · July 1, 2019, 1:42pm

That’s a wrong link (so I don’t know what you refer to).

ftmx · July 1, 2019, 1:53pm

Apologies. I fixed the link: https://dnscrypt.info/public-servers

ljelinek · July 1, 2019, 2:14pm

dnscrypt is defective by design in several ways and thus it shouldn’t be spreaded. DNS over TLS is a much better (and proposed as a standard) way how to ensure DNS security.

anon50890781 · July 1, 2019, 2:17pm

Unless TLS1.3 is deployed DoT has its own issues owed to the shortcomings of previous TLS versions.

It was however revealing when the dnscrypt-proxy long time maintainer vacated that spot end '17 / beg '18 that he was not convinced of dnscrypt going to make it into the major league or even to become a standard.

zemunonixo · July 1, 2019, 2:20pm

@ ftmx sorry I should have been more clear. v1 is available as a package hence no issue; v2 which is what’s really required would be a manual install currently but hopefully there will be a package soon.

vcunat Knot Resolver Team, ljelinek Turris Team

Thats very narrow minded. Nor does make any sense. DNSCRYPT v2 hash/stamp enables easily and secure connection with Doh or TLS ! So if not planned / not likely to happen I for one have no interest in using Knot.

I will try to take a look and see if anyone has successfully removed Knot and installed v2

Can you address why DNS settings in luci/admin/network/dhcp or on interfaces are being ignored in favour of the default settings?

Starting to think it maybe time to post a listing in marketplace for a couple of spanking new Mox. The only reason I bought Mox was for secure DNS & OpenVPN Client both of which are proving to be a pain in the ass. It’s taking way too much effort to setup and there is no documentation so go round in circles.

zemunonixo · July 1, 2019, 2:25pm

vcunat · July 1, 2019, 2:27pm

The dnscrypt hash is somehow related to DoH or DoT (DNS over HTTPS or TLS)? Sounds like you’re mixing the software with the protocol. Forwarding over TLS is supported and the other side is verified (in the usual way, typically “web CA”).

anon50890781 · July 1, 2019, 2:28pm

DoH is for client apps and not caching resolvers.

Search results for 'dnscrypt' - OpenWrt Forum order%3Alatest

https://twitter.com/jedisct1/status/928942292202860544?lang=de

zemunonixo · July 1, 2019, 2:32pm

Going back to the original point and title of the thread

Foris - add option for custom DNS servers

What is needed is the ability to add custom DNS by IP, domain and sdns:// stamp both upstream and downstream.