How to change DNS to some specific DNS server IP so that I can resolve OpenNIC domains?

Let’s say I want to change DNS on my Turris Omnia to this IP 51.254.25.115
which is an OpenNIC DNS server.

I couldn’t find any option to do this in the basic user interface nor the advanced one (luci).

My understanding is that Turris Omnia contains knot DNS resolver and /etc/resolv.conf is set to itself (nameserver 127.0.0.1)

I am aware that I could maybe change /etc/resolv.conf directly and replace 127.0.0.1 with 51.254.25.115 but I don’t want to do it this way. I would like to keep knot as my DNS resolver.

So should I somehow configure my local knot DNS server to not only work with ICANN controlled root servers but also to start making DNS lookups for OpenNIC alternative DNS tree? How do I do this?

Thank you

I wouldn’t expect alternative DNS roots to have a place in the GUI, being quite niche stuff (no offense meant).

You could choose where to forward DNS in Foris in case you had static WAN configuration; I don’t know of any other clickable options (I’m not too well informed on that), in particular I don’t think there’s any way to configure knot-resolver via luci.

Note: in any case, alternative DNS roots won’t validate via DNSSEC, at least not with the default trust anchor. I assume they provide their own, and it’s not difficult to change that in custom knot-resolver configuration, but it’s still a question whom you trust more :wink:

Hi vcunat, thanks for your answer,
here are some followup questions:

Is there any way to set up knot-resolver via command line?
I could connect to turris with SSH.
But I need to know the sequence of commands to execute, so that I can add OpenNIC DNS servers to some list where knot-resolver is doing the domain lookups. If this is possible to be done (is it?), then I should be able to ping grep.geek (a domain on the alternative DNS tree).

My other question is,
Could knot-resolver be configured in such a way, that I could use both - the default DNS and OpenNIC DNS and knot-resolver would be smart enough to validate DNSSEC based on the default DNS?

EDIT:
maybe what I am looking for is called DNS zone forwarding. Because I wanna use classical DNS, but for some specific domains like .coin or .geek I wanna use OpenNIC DNS server to resolve these.

That’s a possible approach, e.g. simply adding configuration

-- forward only these TLDs to the OpenNIC server; answers from it are not DNSSEC-validated
policy.add(policy.suffix(policy.STUB('51.254.25.115'),
  policy.todnames({ 'coin.', 'geek.', 'libre.' })))

but it won’t be 100%. (You also need to uncheck forwarding in Foris so your ISP’s servers don’t take precedence.) It will use standard servers and DNSSEC validation for everything – except for the list of suffixes you specify (and those won’t be validated at all).

Still, knot-resolver doesn’t count on the DNS tree being inconsistent, so e.g. if someone makes a query for geej., e.g. by accidental typo, it will get this record from the official root into its cache

gea.                    86400   IN      NSEC    gent. NS DS RRSIG NSEC

proving that there’s nothing at all between those two names, and after that it will always immediately reply that *.geek. does not exist (without asking any servers). I see no way how to disable that by configuration ATM, except give up validation everywhere…
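To see why that one cached NSEC record denies the whole .geek TLD, here is an added Python example (not from the thread and not knot-resolver’s code) implementing the canonical name ordering from RFC 4034 §6.1 and the covering check a validating resolver applies; the NSEC owner/next names and the suffix list are the ones quoted above.

```python
# Added example: which names does the cached root NSEC "gea. -> gent." prove absent?
from typing import List, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 §6.1 canonical ordering key: labels compared right to left,
    case-insensitively, as octet strings; a missing label sorts first.
    Names are expected in LDH/punycode form ("." is the root)."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if NSEC <owner> -> <next_name> proves that qname does not exist.
    Only meaningful for names in the zone that owns the NSEC; names below a
    delegation (NS bit set, e.g. x.gea.) belong to the child zone instead."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False          # owner itself exists; NSEC only lists its types
    if n <= o:                # last NSEC in the zone wraps around to the apex
        return q > o or q < n
    return o < q < n


def stubbed_suffixes_denied_by(owner: str, next_name: str,
                               suffixes: List[str]) -> List[str]:
    """Which of the STUB-forwarded suffixes a single cached NSEC would
    turn into instant NXDOMAIN answers, as described in the thread."""
    return sorted(s for s in suffixes if nsec_covers(owner, next_name, s))


if __name__ == "__main__":
    # Record quoted above: gea. 86400 IN NSEC gent. NS DS RRSIG NSEC
    for q in ("geej.", "geek.", "grep.geek.", "gea.", "gent.", "coin."):
        print(f"{q:12} covered: {nsec_covers('gea.', 'gent.', q)}")
    print(stubbed_suffixes_denied_by("gea.", "gent.", ["coin.", "geek.", "libre."]))
```

With the quoted record only geek. is affected; coin. and libre. stay resolvable until a query for a neighbouring non-existent name pulls in the NSEC records that surround them.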


I forgot – this is how you add custom configuration: https://doc.turris.cz/doc/en/public/dns_knot_misc#adding_custom_configuration

Thanks for your reply,

I have tried this but it still doesn’t want to resolve grep.geek

I have all these checkboxes unchecked
[screenshot omitted]

I got this in /etc/config/resolver
[screenshot omitted]

/etc/kresd/custom.conf
[screenshot omitted]

Then I restart the resolver with /etc/init.d/resolver restart

Then ping and nslookup fail.

Could this be a cache issue? If so, how do I clear my cache?

Yes, it’s answered in 0ms, so it’s fully from cache. The records with the proof have a very long TTL (24h).

You can:

  • ssh to the router
  • enter knot-resolver CLI via socat - /tmp/kresd/tty/*
  • cache.clear()
  • ctrl+d to exit the CLI

Awesome, it works now. Thank you very much for your assistance.

[screenshot omitted]