With Turris, you can easily disable forwarding - that means all the DNS resolution is done on your own router, DNSSEC signatures are verified there as well, so you can trust those records more than what your ISP provides.
Does the phrase “all the DNS resolution is done on your own router” imply that there should be no queries sent to DNS instance(s) owned by my ISP? If this is expected can you please clarify how the resolution flow takes place?
Here are my configurations for both use cases.
The most likely cause is that your ISP intercepts unencrypted DNS. That seems not too rare. You can try – there’s also a non-encrypted Google option in the list.
That is, if your assessment is right about who is the last in the chain asking the authoritative DNS servers. When your router connects to the wider internet, it will be from some IP of your ISP and NAT may obscure the situation somewhat; there are various sites that will show your public/NAT address, at least when http(s) is used but protocol typically doesn’t make a difference.
Yes, with the non-encrypted Google option it shows Google DNS hosts.
So as I understand it’s some kind of obscurity.
By the way, when I changed the configuration manually I noticed that the pin is commented out for cloudflare (probably it’s become outdated).
I’m thinking of updating it to the correct one and starting to use it.
However, I’m pretty sure that the config changes will be lost with the update.
Found the article net/resolver-conf · test · Turris / Turris OS / Turris OS packages · GitLab with the recommendation:
create dns_server section /etc/config/resolver with same name as is defined in config file and change value of desired variable
Tried to set:
config resolver '99_cloudflare'
    option description 'test'
But this doesn’t override anything.
Tried a few other combinations also without luck.
Do you have by any chance a working snippet of the configuration?
For this I’ve been using the one-click way in Foris interface, and that always seemed to work fine on my Omnia. I actually know very little about the uci middle-config. (I know the kresd-end config format very well, too.)