Setting own DNS server

dns
knot

#1

I have Omnia Turris with Turris OS 3.11 using kresd as resolver and dnsmasq as DHCP.

Now my provider’s DNS server seems to have serious faults recently, not resolving certain domains to an IP address like other DNS servers do. Also for privacy reasons I thought about setting my own DNS servers anyway.

How would I do that with Turris OS? In Foris I see an option to choose either provider DNS servers or one of CZ.NIC, CloudFlare, Google or Quad9. When I choose for example CZ.NIC I get option forward_custom '00_odvr-cznic' in config resolver 'common' in /etc/config/resolver.

How can I tell it to choose my own? kresd does not seem to take the ones I set in LuCI / Network / DHCP and DNS which are stored as list server entries in config dnsmasq in /etc/config/dhcp. I get that, as kresd is not dnsmasq. But for kresd how do I set my own?

PS: BTW the CZ.NIC option did not work. It returned answers like:

; <<>> DiG 9.11.5 <<>> startpage.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;startpage.com.                 IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 08 14:24:10 CET 2019
;; MSG SIZE  rcvd: 42

#2

Yes, unfortunately some minority of networks is unable to initiate TCP to the cz.nic resolvers. We still haven’t found out what’s happening in there.

I suppose you considered the iteration mode (i.e. working without any other resolver by simply unchecking “forwarding”) and want to avoid it due to privacy. For that you should know that ATM the names you connect to via https currently almost always leak to the ISP via SNI, until ESNI gets deployed (more widely; even the standard isn’t finished yet).

I believe it will be easiest for you to (1) uncheck “forwarding” in the Foris/DNS UI and (2) set up additional custom configuration file that does the TLS forwarding you like. Docs: (a) adding custom config, (b) TLS_FORWARD action.
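
A concrete form of step (2), as an added example that is neither from this thread nor the Turris or Knot Resolver documentation: a kresd custom configuration file (Lua) that forwards every query over TLS with certificate verification. Assumptions: Quad9's addresses 9.9.9.9 / 2620:fe::fe and TLS hostname dns.quad9.net (substitute your own trusted resolver), the CA bundle path /etc/ssl/certs/ca-certificates.crt, and that the file is referenced from the custom-config option described in the Turris docs.

```lua
-- Added example: kresd custom config for DNS-over-TLS forwarding.
-- Assumed resolver: Quad9 (9.9.9.9 / 2620:fe::fe, hostname dns.quad9.net).
-- Assumed CA bundle path on Turris OS: /etc/ssl/certs/ca-certificates.crt.
-- Load it via the custom-config mechanism from the Turris docs (path assumed),
-- with "forwarding" unchecked in Foris so no second forwarding policy is
-- generated alongside this one.

local ca_bundle = '/etc/ssl/certs/ca-certificates.crt'
local upstreams = {
    -- `hostname` + `ca_file` make kresd verify the server certificate;
    -- an unauthenticated TLS_FORWARD target is refused, and a bare IP
    -- without a hostname or pin would not protect against an on-path
    -- impostor. Alternative: replace hostname/ca_file with pin_sha256.
    { '9.9.9.9',     hostname = 'dns.quad9.net', ca_file = ca_bundle },
    { '2620:fe::fe', hostname = 'dns.quad9.net', ca_file = ca_bundle },
}

-- policy.all() matches every query; policy.TLS_FORWARD() sends it over
-- TLS (port 853) to the listed targets, trying the next one on failure.
policy.add(policy.all(policy.TLS_FORWARD(upstreams)))

-- Optional: keep the local cache so the upstream sees fewer queries,
-- which also limits what a failing upstream can take down at once.
cache.size = 20 * MB
```

After restarting kresd, a query such as `dig @127.0.0.1 startpage.com` should return NOERROR with answers; a persistent SERVFAIL like the one shown above usually means the TLS session to the upstream could not be established or verified.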


#3

Thanks for your answer.

Well I thought about not using forwarding at all, like I do with the unbound resolvers on my server virtual machines (where I do not use kresd, because it does not seem to come with an init script, and I use Devuan on those VMs).

I meanwhile read https://doc.turris.cz/doc/en/public/dns_knot_misc

I may just uncheck the forwarding option as the quad9.net TLS forwarding option also failed to answer some requests already and I am back to provider DNS at the moment. It is strange. I never had DNS issues in years.

As for privacy… I am not really sure what would be best.


#4

Ah, I completely missed that I can just disable the DNS forwarding in Foris. Now done that. I bet that would be the most robust setting as it does not rely on a forwarding DNS server.


#5

Yes, we (meaning upstream kresd) currently only do packaging for distributions that (incidentally) all have systemd. And there’s some macOS support via homebrew, but that’s a different story. So there’s been little reason to write init scripts for kresd; I find that rather error-prone. Oh, there are some kresd init scripts for Turris OS, actually :slight_smile: but those will be probably too specific to this use case.

If you really don’t trust your ISP privacy-wise even with DNS names you resolve, the only usable option seems to tunnel all traffic to someone whom you trust (more than that ISP)… or use some more elaborate way, e.g. Tor. In future, after ESNI gets widespread, I suppose it will be often enough to only “tunnel DNS” and leave the rest to https, but we’re not there yet.


#6

@helios21 Personally I am using Quad9 for the performance, but NIC.CZ should also be trusted (shouldn’t it?:smile:)


#7

Well as said, CZ.NIC did not appear to work here. Anyway, going without forwarding DNS for now.


#8

I get that. However… for several reasons I like to have my servers – and probably soon also my laptop – go without systemd. However, discussing that would be off-topic here.