No name resolution for


I’m on TurrisOS 5.0.4.
For the second time this week kresd is not able to resolve www.lwn.nt.

root@turris:~# dig

; <<>> DiG 9.16.3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54699
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;			IN	A

;; Query time: 0 msec
;; WHEN: Wed Aug 26 10:30:40 CEST 2020
;; MSG SIZE  rcvd: 40

If I go to I see

id 64753 
opcode QUERY 
rcode NOERROR 
flags QR RD RA ;

If I’m directly connected to the router of my ISP I can also resolve the name.

The is part of /etc/config/resolve:

config resolver 'common'
	list interface ''
	list interface '::0'
	option port '53'
	option keyfile '/etc/root.keys'
	option verbose '0'
	option edns_buffer_size '4096'
	option msg_buffer_size '65552'
	option msg_cache_size '20M'
	option net_ipv6 '1'
	option net_ipv4 '1'
	option prefered_resolver 'kresd'
	option ignore_root_key '0'
	option prefetch 'yes'
	option static_domains '1'
	option dynamic_domains '1'
	option forward_upstream '1'

Yesterday I had the same problem but suddenly it was working again.

Any idea what the problem could be?
Any idea how I could debug the issue?



I’d personally avoid forwarding to ISP resolvers, at least in general. In comparison to non-forwarding mode it’s adding another layer where things can go wrong, especially if the ISP doesn’t care for DNSSEC – in that case they often break some necessary records in edge cases.

Thanks a lot. I disabled forwarding and now it is working.

I understood the respective text in Foris in that way that it was recommended to use forwarding.


I think the main reason for that (and for the mode being the default) was that in practice some ISPs offered services that depend on DNS records injected at their recursive servers, so without forwarding those services won’t work.

With “services” you mean the redirection to some ISP page you get if you make a typo in the domain?

Nooo, that’s a mis-service :slight_smile: I think it was things like IPTV boxes.

:slight_smile: I agree about the mis-service. This is why I put it in quotes.

I don’t have an IPTV box so I don’t have to worry about them.

As an example, my ISP (telefonica/o2 in germany) only resolves the names of his SIP servers on his own DNS-Servers, asking for the same name on any other DNS server yields nothing. I opted for configuring the ISP’s dns servers in my VoIP base-station and use no-forwarding and DNSSEC fon the router (omnia TOS v.5.0.4).