Slow DNS resolution - just me? [solved]

I also used OpenDNS on my old router, assigned to some devices (especially those used by children). However, if I’m not mistaken OpenDNS doesn’t support DNSSEC, so it would have effectively turned off the DNSSEC validation on the router. It was mentioned in https://www.turris.cz/forum/topic_show.pl?tid=388 (sorry, it’s in Czech).

So it’s on my todo list to investigate the best option to block certain sites for certain computers in the network.

OK - so I did a bit of reading and digging around; turns out the DNSSEC resolution is slower than I’d become used to. I eventually disabled DNSSEC + Knot and let dnsmasq pick up queries via port 53, and now everything works as I expected, including ipset (dnsmasq-full). I now just need to get VPN working…

Thanks for the tips!

Personally I would have just set up a local DNS cache, though it is preferable to use external storage for it, so on the default config your solution is sort of okay (minus security, of course).

I’m waiting for a Pci-e adapter to add a mini-SSD then will give that a go!
A more secure / cached combination would be preferable to just nuking security in the vain pursuit of speed.

Cheers!

How did you disable kresd, please? I have zero experience with OpenWRT; this is so much different from traditional Linux. Thanks!

@lzap I’m afraid I did it the worst way (probably) as I’m still setting up / working on my build.

You should be able to run the /etc/init.d/ scripts with the disable option to prevent it coming up on boot:

    /etc/init.d/kresd disable
    /etc/init.d/unbound disable
    opkg remove dnsmasq          (only if you need ipset support)
    opkg install dnsmasq-full    (only if you need ipset support)
    /etc/init.d/dnsmasq enable
    /etc/init.d/dnsmasq restart

Make sure you put something in /etc/resolv.conf, or set it via LuCI or the Foris admin pages, otherwise name resolution will probably fail.

Other people here mentioned that this means they will come back due to the automatic updates - so you could do what I did and just add an exit to the init script, but it’s probably not a great idea…

Cheers.


The services will stay in the same state, the installed packages, however, can be rolled back by the updater.

You also probably had to delete this line from /etc/config/dhcp:

config dnsmasq
    …
    option port '0'
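The two caveats above (dnsmasq silently does no DNS at all while `option port '0'` is still in the `config dnsmasq` section of /etc/config/dhcp, and forwarding fails if resolv.conf names no upstream) are easy to miss by hand. The script below is an added example, not something posted in this thread or shipped by Turris/OpenWrt: two small POSIX sh/awk checks that take the file paths as parameters, plus a demo run on constructed copies of the files so it can be run off-router. On a real device you would point it at /etc/config/dhcp and /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for the "let dnsmasq
# answer on port 53" change: verifies that the dnsmasq section of an
# OpenWrt-style dhcp config no longer carries "option port '0'" (which turns
# dnsmasq's DNS off) and that the resolver file names an upstream server.
# File paths are parameters so the checks can run against constructed copies.

# Return 0 when the "config dnsmasq" section of the given dhcp config sets
# "option port '0'", 1 otherwise. Only the dnsmasq section is examined;
# "option port" lines in other sections (e.g. a dhcp section) are ignored.
dnsmasq_dns_disabled() {
    awk -v q="'" '
        /^[ \t]*config[ \t]+/ { in_dnsmasq = ($2 == "dnsmasq") }
        in_dnsmasq && $1 == "option" && $2 == "port" {
            gsub(q, "", $3); gsub(/"/, "", $3)   # strip UCI quoting
            if ($3 == "0") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Return 0 when the resolver file names at least one upstream nameserver.
has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f:.]+' "$1"
}

# Combined check: 0 when dnsmasq will actually answer DNS and has an upstream
# to forward to, 1 otherwise, with a one-line reason on stderr per failure.
check_dnsmasq_takeover() {
    rc=0
    if dnsmasq_dns_disabled "$1"; then
        echo "dnsmasq section in $1 still has option port '0' (DNS disabled)" >&2
        rc=1
    fi
    if ! has_nameserver "$2"; then
        echo "$2 lists no nameserver; forwarding will fail" >&2
        rc=1
    fi
    return $rc
}

# Demo on constructed files (not copied from any real router).
demo_dir=$(mktemp -d)
cat > "$demo_dir/dhcp.before" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option port '0'

config dhcp 'lan'
    option interface 'lan'
EOF
cat > "$demo_dir/dhcp.after" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option port '53'
EOF
# 192.0.2.53 is a TEST-NET-1 placeholder, not a real resolver.
printf 'nameserver 192.0.2.53\n' > "$demo_dir/resolv.conf"
: > "$demo_dir/resolv.empty"

if check_dnsmasq_takeover "$demo_dir/dhcp.before" "$demo_dir/resolv.conf"; then
    echo "before: ok"
else
    echo "before: not ready"
fi
if check_dnsmasq_takeover "$demo_dir/dhcp.after" "$demo_dir/resolv.conf"; then
    echo "after: ok"
else
    echo "after: not ready"
fi
```

The awk check tracks which UCI section it is in, so an `option port` under a `config dhcp` section does not produce a false alarm; the quote stripping handles both `'0'` and `"0"` as UCI writes them.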

@Ondrej_Caletka Yes, you’re right - good point.
I changed it via LuCI to 53 but didn’t know setting the dnsmasq port to 0 disabled name resolution.

Cheers!

Also be wary of /etc/cron.d/watchdog, as it tries to start /etc/init.d/resolver, which can in turn start kresd on port 53 and screw everything up. I also found a bug in dnsmasq-full where it will give you a DHCPNAK if you reconnect too quickly (happens when you roam between dumb APs connected to the Omnia, for example). This doesn’t happen on non-full dnsmasq.


Thanks for this info; there is something wrong with the way the ‘out-of-the-box’ version of Turris is providing DNS which broke my Garmin Index Scales. With dnsmasq-full installed and running, it now works!

My DNS also seems extremely slow, but I think the Omnia is already using dnsmasq out of the box. Plus your comments are worrying me a bit. Is this a good solution if updates or the watchdog could mess up the DNS? I’m tempted to try but don’t know if I should touch the default DNS setup.

The default DNS setup is knot-resolver in forwarding mode. You can try to disable forwarding, as that’s just a simple checkbox, though for most people it should be faster with forwarding.

When I enable forwarding the Turris can’t connect to the internet for some reason. Any thoughts?

Probably open a new topic (and mention me), as it probably isn’t the same problem as discussed here. In there, start by describing how your DNS is configured. (e.g. just DHCP from your ISP?)

What I’m referring to is the initial setup wizard of the Turris Omnia: it asks about DNS forwarding, and when trying to connect to the internet it fails, so it turns it off and then successfully connects to the internet.

For me the Omnia takes ~24 ms for a request with forwarding on; when I turn it off the delay drops to 0 ms :slight_smile:
The Knot configuration is simply BAD, since it is undocumented and crazy useless…

Bypassing the ISP’s DNS servers or using your own is simply a no-go with Knot in place o.O

If you use the checkbox to disable forwarding, you do bypass the ISP’s DNS servers (unless they specifically intercept the packets). EDIT: it will just iterate over the authoritative servers directly.

How did you turn it off, if I may ask?

So far I have only turned forwarding off in the Turris web UI.

I find it a bit disconcerting that the setup makes it so hard to change the DNS server.

Using forwarding is a useful feature; not being able to influence it is bad.

I added the configuration to the normal OpenWrt places and went off, only now to discover that my router has used the ISP’s DNS servers all along. :hushed:
