ISP provided DNS resolver is used when forwarding is disabled

Hi,

I recently started using a Turris router, which I think is a great product.

Using typical DNS leak reporting sites, I noticed the following:

  1. If I set up custom forwarding to use CloudFlare (TLS), then the DNS server used is displayed as some host owned by the CloudFlare ISP, which is quite expected.

  2. If I set up no forwarding at all, then the DNS server used is displayed as some host owned by my ISP, which may or may not be expected.

According to the forum topic:

With Turris, you can easily disable forwarding - that means all the DNS resolution is done on your own router, DNSSEC signatures are verified there as well, so you can trust those records more than what your ISP provides.

Does the phrase “all the DNS resolution is done on your own router” imply that there should be no queries sent to DNS instance(s) owned by my ISP? If this is expected, can you please clarify how the resolution flow takes place?

Here are my configurations for both use cases.

  1. /etc/config/resolver:
    config resolver 'common'
    option forward_upstream '0'

  2. /etc/config/resolver:
    config resolver 'common'
    option forward_custom '99_cloudflare'
    option forward_upstream '1'

The most likely cause is that your ISP intercepts unencrypted DNS. That seems not too rare. You can try – there’s also a non-encrypted Google option in the list.

That is, if your assessment is right about who is the last in the chain asking the authoritative DNS servers. When your router connects to the wider internet, it will be from some IP of your ISP :wink: and NAT may obscure the situation somewhat; there are various sites that will show your public/NAT address, at least when http(s) is used, but the protocol typically doesn’t make a difference.
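The two configurations posted above and the question of who ends up asking the authoritative servers, worked through as an added example (not from this thread or the Turris project): a small parser for the UCI resolver file that reports where queries leave the router and whether that hop is encrypted. It assumes that `forward_upstream '1'` without `forward_custom` forwards to the DHCP-learned ISP resolvers and that the per-forwarder files carry an `enable_tls` field; the `SAMPLE_*` inputs are constructed.

```python
import re

# Constructed samples: the two /etc/config/resolver files posted above, plus a
# dns_server override section of the kind the resolver-conf README describes.
SAMPLE_NO_FORWARD = """
config resolver 'common'
    option forward_upstream '0'
"""
SAMPLE_CLOUDFLARE = """
config resolver 'common'
    option forward_custom '99_cloudflare'
    option forward_upstream '1'

config dns_server '99_cloudflare'
    option description 'test'
    option enable_tls '1'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)\s+'([^']*)'$")
OPTION_RE = re.compile(r"^option\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse 'config'/'option' lines into {(section_type, name): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif (m := OPTION_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def resolution_mode(text):
    """Return (mode, upstream, encrypted): where queries leave the router and how."""
    cfg = parse_uci(text)
    common = cfg.get(("resolver", "common"), {})
    if common.get("forward_upstream", "0") != "1":
        # Full recursion: kresd queries root, TLD and authoritative servers itself,
        # in clear text, so an ISP doing transparent DNS interception still sees them.
        return ("recursive", "authoritative servers", False)
    custom = common.get("forward_custom")
    if not custom:
        # Assumption: without a custom forwarder the DHCP-learned ISP resolvers are used.
        return ("forward", "ISP resolvers (DHCP)", False)
    # The forwarder itself is defined in /etc/resolver/dns_servers/<name>.conf; a
    # dns_server section with the same name here overrides individual fields.
    override = cfg.get(("dns_server", custom), {})
    tls = override.get("enable_tls")
    return ("forward", custom, None if tls is None else tls == "1")
```

A third value of `None` means the TLS setting is not overridden in this file and comes from the forwarder's own definition.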

Thanks for the quick response.

Yes, with the non-encrypted Google option it shows Google DNS hosts.
So, as I understand it, it’s some kind of obscurity.

By the way, when I changed the configuration manually, I noticed that the pin is commented out for CloudFlare (probably it has become outdated).
I’m thinking of updating it to the correct one and starting to use it.
However, I’m pretty sure that the config changes will be lost with the update.
I found the article net/resolver-conf · test · Turris / Turris OS / Turris OS packages · GitLab with the recommendation:

create a dns_server section in /etc/config/resolver with the same name as is defined in the config file and change the value of the desired variable

I tried to set:
    config resolver '99_cloudflare'
    option description 'test'

But this doesn’t override anything.
I tried a few other combinations, also without luck.
Do you have by any chance a working snippet of the configuration?

CloudFlare is authenticated via its domain name (as is common for https). AFAIK they don’t claim anything about pin stability.

For this I’ve been using the one-click way in the Foris interface, and that always seemed to work fine on my Omnia. I actually know very little about the uci middle-config. (I know the kresd-end config format very well, too.)