Sketchy DNS resolution on Omnia

Hi everyone,

My Turris Omnia recently (around 6th October) started to fail when resolving some web pages. I did not change any setting; however, it seems that the problems are mostly with generally less frequently visited sites, e.g. is resolving fine, Synology pages are failing. Sometimes multiple reloads in the web browser do the trick and the web page resolves, sometimes it does not. When I bypass Omnia, everything works fine.

I am currently on Turris OS 3.10.7.

I have tried some tinkering with DNS settings, however those rendered Omnia not resolving at all, so I had to revert to the latest snapshot.

What can be causing this issue?

Which resolver are you using?

I am using unbound and have had similar resolution failures for a few weeks now. Restarting the resolver is enough to make things work again. I did not have time to investigate further, though.

I did not change anything in the configuration and also based on /etc/config/resolver preference

option prefered_resolver 'kresd'

I believe I am using Knot resolver…

Yes, that’s the default on Turris Omnia.

I know about some issues that appear the same way, also from a few forum users, but those started much earlier than this month and reverting seems not a good way for that one (it would need to go far back and thus bring security issues). Gathering verbose logs would confirm if it’s likely to be the same issue.

You may prefer to send the logs privately or provide just the relevant portion (shortly around the query time), as longer lists of resolved names themselves are often considered private.

I have exactly the same issue, using Knot and the latest Turris OS. I will try to send some logs to @vcunat next week when I'm home…

So you guys have confirmed the DNS resolve issue, and it has not been fixed, right?

At the moment, what is the best config to use? Because for the past couple of months I have just put the addresses of the repo and project manually in the hosts file, to at least get pkgupdate to resolve and, with it, newer Turris OS updates.

For reference, logs for the OP indicated it’s most likely caused by the ISP intercepting DNS packets. I haven’t noticed any message from protree yet.

There is one elusive unsolved issue. It only causes occasional problems for some domains AFAIK, so if your DNS doesn’t work at all (not clear from what you write), it’s probably something else. Forwarding should work around the linked issue, but that setup is sensitive to “quality” of the forwarded-to servers, and with ISPs it relatively often leads to problems on some names. (They tend to use BIND versions that are several years old and thus buggy around some edge cases.)

You may also like Using DNS over TLS or HTTPS, but there you give your data to yet another party, so it depends… I don’t think any of the options is always superior.
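A diagnostic for the interception finding above, added here as an example and not code from this thread or from the Turris project: it sends a plain UDP query to a decoy address where no resolver should exist (the RFC 5737 documentation address 192.0.2.1, chosen as an assumption), so any answer that comes back was produced by a middlebox on the path. The same parser can be pointed at a real resolver to compare the returned A records.

```python
import random
import socket
import struct

DECOY_SERVER = "192.0.2.1"  # RFC 5737 documentation address: nothing should answer here

def build_query(name, qid=None):
    """Minimal A/IN query with recursion desired; returns (id, wire bytes)."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    # Advance past a domain name: stop at the root label or a compression pointer.
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(pkt, expected_id):
    """Return rcode and A records; reject packets that are not a reply to our ID."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query (ID/QR mismatch)")
    off, records = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            records.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "a": records}

def probe(server, name, timeout=2.0):
    """Query one server over UDP; None means silence, the honest result for the decoy."""
    qid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _addr = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, qid)
```

Run `probe(DECOY_SERVER, "example.com")` from the LAN side of the router: a parsed answer instead of `None` means something in the path is answering DNS on behalf of an address that cannot be a resolver.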

Yes, I am waiting for a domain to not resolve… Currently all seems to run stable


Looks like the DNS over TLS/HTTPS solves the issue.

I'm still waiting for a domain to fail resolving… Still no forwarding enabled. Seems stable atm…