How to configure Knot-resolver to use specific DNS servers


#1

Hello,
is there a way how to force Knot-resolver not to use DNS servers from my provider but some other like NIC.C|, Google, Opendns etc? To be honest I am not able to even found config file on Omnia on place mnetioned in Knot-resover documentation.


#2

First, you can disable DNS forwarding in the Foris interface, so your Omnia do the full DNS recursion itself.

Second, you can set up custom DNS servers in the wan interface setup. But be aware that using some broken-by-design upstream DNS servers like OpenDNS will not work properly since fake data returned by them would fail the DNSSEC validation.


Turris 3.3 DNS forwarding ignored
#3

Hey @Ondrej_Caletka, if you don’t mind, can you elaborate about them being broken-by-design, I admit knowing little about DNS. Is it about plain text transfers?


#4

It’s about faking answers. AFAIK, one of the features of services like OpenDNS is that they will not deliver you some answers, or they would even deliver you some fake answers - like an information page about blocked website, etc.

This is something that DNSSEC technology prevents from happening. If somebody modifies the DNSSEC-signed data on their way, the validator will detect it and discard bogus answers. The same happens if the upstream resolver does not support DNSSEC and strips DNSSEC signatures out of the DNS messages passing through.


#5

My ISP do not support DNSSEC, I am forwarding DNS queries to DNS.WATCH.

/etc/config/network

  [...]
  config interface 'wan'
          option ifname 'eth1'
          option proto 'dhcp'
          option peerdns '0'
          list dns '84.200.69.80'
          list dns '2001:1608:10:25::1c04:b12f'
          list dns '84.200.70.40'
          list dns '2001:1608:10:25::9249:d69b'
  [...]

#6

Hi,
I added dns using LuCi.
My /etc/config/network is like:

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

When I test my DNS on https://www.perfect-privacy.com/dns-leaktest/
It shows my ISP DNS.
Did you test your DNS?

Did you modify the config file using command line or the LuCi interface?


#7

Have you restarted the resolver service?
You can also look into /vat/resolv.conf.auto to see which DNS upsrream DNS servers are configured.


#8

Using DNS.WATCH https://www.perfect-privacy.com/dns-leaktest/ show the correct DNS: 84.200.69.80

I modified the config file using command line.

I tried other services CZ.NIC ODVR and Google, in both cases the result was good (Using CZ.NIC ODVR I go to US, too far. After read Google DNS privacy terms, I will to use Google…).


#9

I rebooted the Omnia, and the new DNS settings got applied.

Thank you.


#10

Leonardo, Thank You. I had DNSSEC error on connection test and addiing your two lines to /etc/config/network wan section fixed it. Rookie sweating bullets here until your answer.:slight_smile:
I used https://www.dnssec.cz/ for confirmation after a good test on the router itself.


#11

Or “dnsmasq” has support for DNSSEC or https://www.dnssec.cz/ don’t do the test well.

I am using “dnsmasq” as DNS resolver:

netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      2519/lighttpd
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      2479/dnsmasq
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      1819/sshd
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      2519/lighttpd
tcp        0      0 :::www                  :::*                    LISTEN      2519/lighttpd
tcp        0      0 :::domain               :::*                    LISTEN      2479/dnsmasq
tcp        0      0 :::ssh                  :::*                    LISTEN      1819/sshd
tcp        0      0 :::https                :::*                    LISTEN      2519/lighttpd
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           2479/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           2479/dnsmasq
udp        0      0 :::dhcpv6-client        :::*                                2164/odhcp6c
udp        0      0 :::dhcpv6-server        :::*                                1273/odhcpd
udp        0      0 :::dhcpv6-server        :::*                                1273/odhcpd
udp        0      0 :::domain               :::*                                2479/dnsmasq
raw        0      0 :::58                   ::%3069188752:*         58          2164/odhcp6c
raw        0      0 :::58                   ::%3069188752:*         58          1273/odhcpd
raw        0      0 :::58                   ::%3069188752:*         58          1273/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING       3910 2825/lxc public     @/srv/lxc/public/command
unix  2      [ ACC ]     STREAM     LISTENING       2884 2520/python         /tmp/fastcgi.python.socket-0
unix  2      [ ACC ]     STREAM     LISTENING       1104 766/ubusd           /var/run/ubus.sock
unix  2      [ ACC ]     STREAM     LISTENING        937 1823/syslog-ng      /var/syslog-ng.ctl
unix  2      [ ACC ]     STREAM     LISTENING       4569 2785/lxc server     @/srv/lxc/server/command

Test result of https://www.dnssec.cz/:

DNSSEC SECURITY TEST

DNSSEC secured
Everything is allright, your computer is secured by DNSSEC when accessing internet resources. You are secured against domain name spoofing. Enjoy your internet surfing …

PS: I am forwarding DNS queries to Google:

cat /tmp/resolv.conf.auto
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4

I am test it using “chromium” but using “curl” I get same result, I think… I don’t understand ČESKY:

curl https://www.dnssec.cz/ | grep -i "Vše je v pořádku"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16626    <p>Vše je v pořádku, Váš počítač je při přístupu k internetovým službám a zdrojům zabezpečen technologií DNSSEC, je tedy ochráněn proti podvržení doménových jmen v internetových adresách. Můžete v klidu dál surfovat ...</p> </div>
0 16626    0     0  31217      0 --:--:-- --:--:-- --:--:-- 31193

#12

Yes, it says DNSSEC is OK. It makes sense, as Google PDNS validates everything, just as our public servers do, so invalid records won’t be returned and SERVFAIL comes instead. This approach can’t protect you from attacks on the path between you and those servers, but you probably know that…


#13
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'

seems not to be enough, kresd is still occasionally forwarding my requests the ISP’s stupid DNS-servers.

Update: ok, added the v6 addresses to the wan6 interface and also added the peerdns option there. Now everything is fine.

config interface 'wan'
	option proto 'pppoe'
	option username '$USER'
	option password '$PASSWORD'
	option ipv6 '1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option ifname 'eth1.7'
	option mtu '1492'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

#14

By the way, according to the openwrt documentation (https://wiki.openwrt.org/doc/uci/network - see bottom) you might want to have the list order reversed.

option peerdns '0'
list dns '8.8.4.4'
list dns '8.8.8.8'
list dns '2001:4860:4860::8844'
list dns '2001:4860:4860::8888'
# the priority is: the last dns listed will be the first one
# to be chosen for the name resolution