Hello,
Is there a way to force Knot Resolver not to use the DNS servers from my provider but some others like NIC.CZ, Google, OpenDNS etc.? To be honest, I am not even able to find the config file on the Omnia in the place mentioned in the Knot Resolver documentation.
First, you can disable DNS forwarding in the Foris interface, so your Omnia does the full DNS recursion itself.
Second, you can set up custom DNS servers in the wan interface setup. But be aware that using some broken-by-design upstream DNS servers like OpenDNS will not work properly, since the fake data returned by them would fail the DNSSEC validation.
Hey @Ondrej_Caletka, if you don’t mind, can you elaborate on them being broken-by-design? I admit I know little about DNS. Is it about plain text transfers?
It’s about faking answers. AFAIK, one of the features of services like OpenDNS is that they will not deliver you some answers, or they would even deliver you some fake answers, like an information page about a blocked website, etc.
This is something that DNSSEC technology prevents from happening. If somebody modifies the DNSSEC-signed data on their way, the validator will detect it and discard bogus answers. The same happens if the upstream resolver does not support DNSSEC and strips DNSSEC signatures out of the DNS messages passing through.
My ISP does not support DNSSEC, so I am forwarding DNS queries to DNS.WATCH.
/etc/config/network
[...]
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '84.200.69.80'
list dns '2001:1608:10:25::1c04:b12f'
list dns '84.200.70.40'
list dns '2001:1608:10:25::9249:d69b'
[...]
Hi,
I added dns using LuCi.
My /etc/config/network is like:
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option peerdns '0'
option dns '8.8.8.8 8.8.4.4'
When I test my DNS on https://www.perfect-privacy.com/dns-leaktest/ it shows my ISP DNS.
Did you test your DNS?
Did you modify the config file using command line or the LuCi interface?
Have you restarted the resolver service?
You can also look into /var/resolv.conf.auto to see which upstream DNS servers are configured.
Using DNS.WATCH, https://www.perfect-privacy.com/dns-leaktest/ shows the correct DNS: 84.200.69.80
I modified the config file using command line.
I tried other services, CZ.NIC ODVR and Google, and in both cases the result was good (using CZ.NIC ODVR I go to the US, too far; after reading the Google DNS privacy terms, I will use Google…).
I rebooted the Omnia, and the new DNS settings got applied.
Thank you.
Leonardo, thank you. I had a DNSSEC error on the connection test and adding your two lines to the /etc/config/network wan section fixed it. Rookie sweating bullets here until your answer.
I used https://www.dnssec.cz/ for confirmation after a good test on the router itself.
Either “dnsmasq” has support for DNSSEC or https://www.dnssec.cz/ doesn’t do the test well.
I am using “dnsmasq” as DNS resolver:
netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:www 0.0.0.0:* LISTEN 2519/lighttpd
tcp 0 0 0.0.0.0:domain 0.0.0.0:* LISTEN 2479/dnsmasq
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1819/sshd
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN 2519/lighttpd
tcp 0 0 :::www :::* LISTEN 2519/lighttpd
tcp 0 0 :::domain :::* LISTEN 2479/dnsmasq
tcp 0 0 :::ssh :::* LISTEN 1819/sshd
tcp 0 0 :::https :::* LISTEN 2519/lighttpd
udp 0 0 0.0.0.0:domain 0.0.0.0:* 2479/dnsmasq
udp 0 0 0.0.0.0:bootps 0.0.0.0:* 2479/dnsmasq
udp 0 0 :::dhcpv6-client :::* 2164/odhcp6c
udp 0 0 :::dhcpv6-server :::* 1273/odhcpd
udp 0 0 :::dhcpv6-server :::* 1273/odhcpd
udp 0 0 :::domain :::* 2479/dnsmasq
raw 0 0 :::58 ::%3069188752:* 58 2164/odhcp6c
raw 0 0 :::58 ::%3069188752:* 58 1273/odhcpd
raw 0 0 :::58 ::%3069188752:* 58 1273/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 3910 2825/lxc public @/srv/lxc/public/command
unix 2 [ ACC ] STREAM LISTENING 2884 2520/python /tmp/fastcgi.python.socket-0
unix 2 [ ACC ] STREAM LISTENING 1104 766/ubusd /var/run/ubus.sock
unix 2 [ ACC ] STREAM LISTENING 937 1823/syslog-ng /var/syslog-ng.ctl
unix 2 [ ACC ] STREAM LISTENING 4569 2785/lxc server @/srv/lxc/server/command
Test result of DNSSEC
DNSSEC SECURITY TEST
DNSSEC secured
Everything is allright, your computer is secured by DNSSEC when accessing internet resources. You are secured against domain name spoofing. Enjoy your internet surfing …
PS: I am forwarding DNS queries to Google:
cat /tmp/resolv.conf.auto
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
I tested it using “chromium”, but using “curl” I get the same result, I think… I don’t understand ČESKY:
curl https://www.dnssec.cz/ | grep -i "Vše je v pořádku"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16626 <p>Vše je v pořádku, Váš počítač je při přístupu k internetovým službám a zdrojům zabezpečen technologií DNSSEC, je tedy ochráněn proti podvržení doménových jmen v internetových adresách. Můžete v klidu dál surfovat ...</p> </div>
0 16626 0 0 31217 0 --:--:-- --:--:-- --:--:-- 31193
Yes, it says DNSSEC is OK. It makes sense, as Google PDNS validates everything, just as our public servers do, so invalid records won’t be returned and SERVFAIL comes instead. This approach can’t protect you from attacks on the path between you and those servers, but you probably know that…
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
seems not to be enough; kresd is still occasionally forwarding my requests to the ISP’s stupid DNS servers.
Update: OK, I added the v6 addresses to the wan6 interface and also added the peerdns option there. Now everything is fine.
config interface 'wan'
option proto 'pppoe'
option username '$USER'
option password '$PASSWORD'
option ipv6 '1'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option ifname 'eth1.7'
option mtu '1492'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
option peerdns '0'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
By the way, according to the OpenWrt documentation (https://wiki.openwrt.org/doc/uci/network, see the bottom) you might want to have the list order reversed.
option peerdns '0'
list dns '8.8.4.4'
list dns '8.8.8.8'
list dns '2001:4860:4860::8844'
list dns '2001:4860:4860::8888'
# the priority is: the last dns listed will be the first one
# to be chosen for the name resolution
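As an added example (not code from the thread or from the Turris project), a small Python check that parses the text of /etc/config/network and flags wan interfaces that still accept the ISP's resolvers because peerdns is not '0', which is the wan6 omission described above; it also lists the servers in the order the OpenWrt note above gives (last listed first). The sample config is constructed; `parse_uci` and `dns_leak_report` are names chosen here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the thread): wan is set up correctly,
# wan6 lists servers but forgot peerdns '0', so it still takes ISP resolvers.
SAMPLE_CONFIG = """\
config interface 'wan'
option proto 'pppoe'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'

config interface 'wan6'
option proto 'dhcpv6'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
"""

SECTION_RE = re.compile(r"^\s*config\s+(\S+)\s+'?([^'\s]+)'?\s*$")
ENTRY_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")

def parse_uci(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface: {key: [values]}}; 'option dns' with space-separated
    servers (LuCI style) and repeated 'list dns' both land in entries['dns']."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:  # new UCI section; only 'config interface' sections are kept
            current = sections.setdefault(sec.group(2), {}) if sec.group(1) == "interface" else None
            continue
        ent = ENTRY_RE.match(line)
        if ent and current is not None:
            key, value = ent.group(2), ent.group(3)
            current.setdefault(key, []).extend(value.split() if key == "dns" else [value])
    return sections

def dns_leak_report(text: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Map each wan* interface to (leaks_to_isp, resolver_order): it leaks unless
    peerdns is '0'; the order is reversed per the OpenWrt wiki note quoted in
    the thread (the last listed server is chosen first)."""
    report: Dict[str, Tuple[bool, List[str]]] = {}
    for name, entries in parse_uci(text).items():
        if name.startswith("wan"):
            peerdns_off = entries.get("peerdns", [""])[0] == "0"
            report[name] = (not peerdns_off, list(reversed(entries.get("dns", []))))
    return report
```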