Please update Foris so that IPs and DNSCRYPT hashes can be added instead of the dropdown! Then we wouldn’t have such issues.
dnscrypt isn’t supported there, and that seems unlikely to change in future. (Perhaps you meant something else.)
That’s the point. DNSCRYPT HASH should be there and is very important, as is the ability to add IPs & domains.
DNSCRYPT v2 is available but only as a manual install.
Setting DNS in luci/admin/network/dhcp or on interfaces doesn’t work as expected.
The dnscrypt protocol is not supported, so the dnscrypt hash doesn’t make any sense there.
Not supported? If you mean by Knot Resolver, OK, but that should be addressed very quickly as it really should be.
dnscrypt protocol is supported by OpenWRT but you have to manually install dnscrypt-proxy v2.
The separate issue is that even setting DNS in luci/admin/network/dhcp or on interfaces doesn’t work as expected. It appears that Knot Resolver is not respecting the settings. Can Knot Resolver be turned off completely?
There are very many threads concerning this topic existing in this forum. Just use search functionality.
But if you do so, be aware that dns will break with every update.
How so? It is possible to disable/remove knot and deploy another scenario, which requires of course more manual effort (in depth knowledge) to set up, but that does not necessarily break anything, if set up correctly.
There doesn’t seem to be much choice. My recently arrived Mox is an expensive brick otherwise. The current available settings in Foris & luci, or rather lack thereof, means it’s a manual install anyway. DISAPPOINTED
Thanks - I will take a look at turning knot off.
No, that’s not planned and very unlikely to happen. (I’m Knot Resolver developer.) Basically everyone in the past few years has been shifting to IETF-standardized protocols, in particular DNS over TLS and lately over HTTPS, too. Both of these run on the well-maintained TLS protocol.
Probably, but I haven’t seen references here on the forum – I can only remember people wanting to switch from Knot Resolver or Unbound “back” to Dnsmasq.
This is a misleading statement. It has to be manually installed, configured, and maintained separately from all the other packages. The same can be done in the Turris OS, with the only exception that OpenWRT does not overwrite your settings during the upgrade.
Well, unless I am misinterpreting this, I am seeing a lot of support for dnscrypt as well; especially and including the big players.
That’s a wrong link (so I don’t know what you refer to).
Apologies. I fixed the link: https://dnscrypt.info/public-servers
dnscrypt is defective by design in several ways and thus it shouldn’t be spread. DNS over TLS is a much better (and proposed as a standard) way to ensure DNS security.
Unless TLS 1.3 is deployed, DoT has its own issues owing to the shortcomings of previous TLS versions.
It was however revealing when the dnscrypt-proxy long time maintainer vacated that spot end '17 / beg '18 that he was not convinced of dnscrypt going to make it into the major league or even to become a standard.
@ftmx sorry, I should have been more clear. v1 is available as a package, hence no issue; v2, which is what’s really required, would be a manual install currently, but hopefully there will be a package soon.
That’s very narrow-minded. Nor does it make any sense. DNSCRYPT v2 hash/stamp enables easy and secure connection with DoH or TLS! So if not planned / not likely to happen, I for one have no interest in using Knot.
I will try to take a look and see if anyone has successfully removed Knot and installed v2.
Can you address why DNS settings in luci/admin/network/dhcp or on interfaces are being ignored in favour of the default settings?
Starting to think it may be time to post a listing in marketplace for a couple of spanking new Mox. The only reason I bought Mox was for secure DNS & OpenVPN Client, both of which are proving to be a pain in the ass. It’s taking way too much effort to set up and there is no documentation, so I go round in circles.
The dnscrypt hash is somehow related to DoH or DoT (DNS over HTTPS or TLS)? Sounds like you’re mixing the software with the protocol. Forwarding over TLS is supported and the other side is verified (in the usual way, typically “web CA”).
DoH is for client apps and not caching resolvers.