Not using DNS forwarding for greater privacy and security

DNS is a key part of the Internet as we know it. We rely on DNS information everyday. Every time you enter URL into your browser or send an e-mail, you rely on some DNS resolver. Typically, those DNS resolvers are provided to you by your ISP. But do you realise how much power he has over you that way? He can log every server you are visiting regardless of whether you use encrypted connection. But he can do even more - he can forge the entries and send you to a different server than you were asking for. In some countries he is even obliged to do so by law for some specific servers.

Luckily for our users, Turris routers come equipped with their own resolver, so you don’t have to trust and depend on your ISP. Turris routers use your ISPs DNS servers by default if they work good enough - there is a check for it in first run wizard. Reasoning behind that is that we found out that some ISPs are doing sometimes quite crazy stuff. Some are blocking DNS traffic that doesn’t go to their resolvers. Some of them are injecting entries to redirect you to their local mirrors. Some of them are using some weird tricks to propagate IP TV with broken DNS. So when deciding what should be the default mode, we were cautious and used forwarding if it worked to avoid various problems people could encounter.

With Turris, you can easily disable forwarding - that means all the DNS resolution is done on your own router, DNSSEC signatures are verified there as well, so you can trust those records more than what your ISP provides. He can still track you - dumping all DNS traffic is not that hard, but it is a bit harder then watching resolver logs. For signed domains, he can’t inject any malicious forwarding and he is probably not going to block just some selected servers just in case you run your own resolver. So you can avoid some censorship.
Now how to disable forwarding and gain some more privacy and security? With Turris routers, it is really easy. You just go to Foris web interface, to the DNS tab, uncheck ‘Use forwarding’ and hit ‘Save’ button. Done. But as mentioned earlier, you might encounter some issues depending on what your ISP does with DNS traffic. If you hit some issues, we would be happy to hear about what issues did you encounter and who is your ISP. If there would be some common pattern to what is not working, we might figure out some workaround and make it available or we can try to help you press your ISP to fix their network.


Great post, this is something I would like to see in docs. doesn’t exist yet. There is a czech page (not sure if it contains all the info from your post).

Lack of documentation or joint documentation for both routers where they differ (LED / setting intensity for example) is (after all those months) a little bit disappointment for me.

There is a link to the original article on the Turris website. It is available in both (Czech/English) languages and moreover there is a picture from Foris DNS section.

Great post, but it would be even better to post it after fixing issues in knot-resolver which make many people enable forwarding.

I know it’s fixed upstream, the fixed packages even seem to be in rc, but still this post would be more usable for people after the fix is actually there.

For example:

We will work on documentation intensively and gap between czech and english doc should be covered in near future. If anybody can help, please let me know, there is even small budget for that :slight_smile:

Fixed package is now in RC and will be distributed in stable next week (hopefully).

In case forwarding is turned off and there is request for DNS which local resolver do not know, which DNS is being contacted? Am I able to define servers which will be queried in case local resolver does not have record ion its own database?


I live in USA and am currently trying to purchase a router, but saw your post. My knowledge of Czech is zero, sadly, but could I help as an English reader, proofer, editor?

The (anycasted) addresses of root servers are built into kresd, and the rest is given by standard delegations (NS+glue records) over authoritative servers, just as any resolver should do it if it does no forwarding.