Let’s say I want to change DNS on my Turris Omnia to this IP, 51.254.25.115, which is an OpenNIC DNS server.
I couldn’t find any option to do this in the basic user interface nor the advanced one (luci).
My understanding is that Turris Omnia contains the knot DNS resolver and /etc/resolv.conf is set to itself (nameserver 127.0.0.1).
I am aware that I could maybe change /etc/resolv.conf directly and replace 127.0.0.1 with 51.254.25.115 but I don’t want to do it this way. I would like to keep knot as my DNS resolver.
So should I somehow configure my local knot DNS server to not only work with ICANN controlled root servers but also to start making DNS lookups for OpenNIC alternative DNS tree? How do I do this?
I wouldn’t expect alternative DNS roots to have a place in the GUI, being quite niche stuff (no offense meant).
You could choose where to forward DNS in Foris in case you had a static WAN configuration; I don’t know of any other clickable options (I’m not too well informed on that), in particular I don’t think there’s any way to configure knot-resolver via luci.
Note: in any case, alternative DNS roots won’t validate via DNSSEC, at least not with the default trust anchor. I assume they provide their own, and it’s not difficult to change that in a custom knot-resolver configuration, but it’s still a question of whom you trust more.
Hi vcunat, thanks for your answer,
here are some followup questions:
Is there any way to set up knot-resolver via command line?
I could connect to turris with SSH.
But I need to know the sequence of commands to execute, so that I can add OpenNIC DNS servers to some list where knot-resolver is doing the domain lookups. If this can be done (can it?), then I should be able to ping grep.geek (a domain on the alternative DNS tree).
My other question is,
Could knot-resolver be configured in such a way that I could use both the default DNS and OpenNIC DNS, and knot-resolver would be smart enough to validate DNSSEC based on the default DNS?
EDIT:
maybe what I am looking for is called DNS zone forwarding. Because I want to use classical DNS, but for some specific domains like .coin or .geek I want to use an OpenNIC DNS server to resolve these.
but it won’t be 100%. (You also need to uncheck forwarding in Foris so your ISP’s servers don’t take precedence.) It will use standard servers and DNSSEC validation for everything – except for the list of suffixes you specify (and those won’t be validated at all).
Still, knot-resolver doesn’t count on the DNS tree being inconsistent, so e.g. if someone makes a query for geej., e.g. by an accidental typo, it will get this record from the official root into its cache:
gea. 86400 IN NSEC gent. NS DS RRSIG NSEC
proving that there’s nothing at all between those two names, and after that it will always immediately reply that *.geek. does not exist (without asking any servers). I see no way to disable that by configuration ATM, except giving up validation everywhere…
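As an added example (not part of the thread, and not vcunat’s or the Turris project’s code), here is what the per-suffix forwarding described in the question’s EDIT and in the answer above looks like as a knot-resolver (kresd) configuration snippet. It assumes a kresd version whose policy module provides policy.STUB and policy.suffix, that Foris forwarding has been unchecked as the answer says, and that you know where your Turris OS version includes custom kresd configuration from (that path is not given here). The server address 51.254.25.115 and the suffixes geek and coin are taken from the question; everything else is an assumption.

```lua
-- Added example: forward only selected suffixes to an OpenNIC server,
-- keep normal recursion plus DNSSEC validation for everything else.
-- Assumes the kresd policy module API (policy.add / policy.suffix /
-- policy.STUB / policy.todnames) is available in your knot-resolver build.

modules.load('policy')

-- Suffixes that exist only in the OpenNIC tree (from the question).
local opennic_suffixes = policy.todnames({ 'geek', 'coin' })

-- OpenNIC server from the question. STUB sends matching queries straight
-- to this server and does not DNSSEC-validate the answers, which is the
-- behaviour the answer describes: the ICANN root trust anchor could not
-- validate these names anyway, so for these suffixes validation is off.
local opennic_server = '51.254.25.115'

-- Anything under *.geek. or *.coin. goes to OpenNIC; all other names are
-- resolved recursively from the ICANN root servers with validation intact.
policy.add(policy.suffix(policy.STUB({ opennic_server }), opennic_suffixes))

-- Caveat from the answer: if a root NSEC such as
--   gea. 86400 IN NSEC gent. NS DS RRSIG NSEC
-- is already cached (e.g. after a typo query for geej.), kresd will keep
-- answering NXDOMAIN for *.geek. from cache until that record expires.
-- Flushing the cache after enabling this policy avoids waiting out the TTL.
-- (cache.clear() is the kresd control command for that; assumed available.)
cache.clear()
```

After restarting or reloading kresd with this configuration, a lookup such as grep.geek sent to 127.0.0.1 (with dig or kdig) should be answered from the OpenNIC server, while a DNSSEC-signed name outside those suffixes should still come back with the AD flag set; if a .geek name still returns NXDOMAIN immediately, a cached root NSEC as described above is the first thing to suspect.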