Turris OS 3.11.11 is released!

Dear Turris users,

We released Turris OS version 3.11.11 from RC to everyone. This release is primarily a security one as there is updated Knot Resolver, which fixes CVE-2019-193318 in Knot Resolver, which is fixed in this release.


• Merry Christmas!
• knot-resolver: security update

Package, which is installed for everyone during limited time:
christmas - Shine the router like Christmas tree.
It’s written in Python. Source code is located here.

You can change colors, modify options as you want. More details can be found in community documentation: https://wiki.turris.cz/doc/en/public/christmas

We wish you a Merry Christmas!


What are the updates made in luci-samba-app?

anbody having issues with dns ? not sure if it is related or there is other cause

In this release, there were no updates for luci-samba-app. Did you update from Turris OS 3.11.10 or from earlier versions? In Turris OS 3.11.9, there were bug fixes regarding security in LuCI. Each change in LuCI changes the hash, which can be related to what you see.

Turris 1.x or Turris Omnia? Are you using forwarding, if yes to which server? Did you try to change it?

##### Update notifications #####
 • Installed version 4.3.0-1 of package knot-resolver
 • Installed version 0.3-3.6-1 of package christmas
 • Installed version 3.11.11 of package turris-version
 • Installed version git-19.348.72681-ab520f1-1 of package luci-app-samba4
 • Installed version git-19.348.72681-ab520f1-1 of package luci-i18n-samba4-cs
 • Installed version git-19.348.72681-ab520f1-1 of package luci-i18n-samba4-en

I see the update of luci-app-samba4. This router runs stable updates without approval.

A post was split to a new topic: Turris OS 3.11.11 kresd error (chybí port pro google)

1 Like

Yes, i use the dns forwarding to cloudflare. Turris omnia. I see there was a bug for google dns, is there the same problem for other providers ?

Nope. That was just for Google. Can you try to use different one to see if it is better?

Yes, none of the options for dns provider is working and further i have a lot of kresd errors in the log:

2019-12-19 20:12:17 err kresd[3899]: [priming] cannot resolve address ‘c.root-servers.net.’, type: 28
2019-12-19 20:12:17 err kresd[3899]: [priming] cannot resolve address ‘a.root-servers.net.’, type: 1
2019-12-19 20:12:17 err kresd[3899]: [priming] cannot resolve address ‘g.root-servers.net.’, type: 28
2019-12-19 20:12:17 err kresd[3899]: [priming] cannot resolve address ‘a.root-servers.net.’, type: 28
2019-12-19 20:12:17 err kresd[3899]:

Furthemore nslookup says:
;; connection timed out; no servers could be reached

I did rollback witxh schnapps rollback before the last update and dns is working again - disabled updates for now

I have the same DNS problem, I had to disable forwarding and also DNSSec. But it seems to be still quite unstable and really slow, so I’ll probably rollback which I’m not happy about.

1 Like

Guys, I’d like to hear more about your issues and for that, we will need more details. Unfortunately, what you included in your post it means that it cannot resolve those addresses. It can be possible that the internet connection does not work or there might be another issue.

Can you please send us diagnostics and as well with verbose logging from Knot Resolver for debugging DNS problems?

Currently i dont have logs as i did rollback. Connectivity worked, i could ping by ip address. None of the dns options in ui worked, so i did rollback just before the update. I even tried to add the missing google port but it did not do anything, dns servers were still not accessible. I tried all the dns options in ui and disabled dns sec, but the test you have in ui showed error for all combinations.

I’m sorry, if I will have some time I’ll provide more info but currently I need a working internet (and my second Turris Omnia which I could use for diagnostics of such problems is still with you in Prague).

What I can say is that I use DNSSec, forwarding and CZ.NIC TLS servers. Also “lan” as a suffix for local resolutions. Nothing special actually; but after the update the tests in Foris for DNS were failing. When I disabled DNSSec and forwarding it worked for some names but not for others, also it was really slow (ie. in the tests, normally they take 2s, with new version it’s around 15s).

Btw. when I rollback to pre-update snapshot then the updates are automatically installed after some time, even thought I use updates with approval. I would expect that after rollback I need to approve it. Now I just set 20 days of delayed updates as I don’t won’t this not working update to have automatically installed again.

I have just sent the requested verbose logs and diagnostics to your support e-mail. I hope it will help you to debug the problem. It’s really strange. Also I was frightened for a moment as my router couldn’t start properly after rollback, it restarted itself 4 or 5 times, it was really strange. Thanks in advance

1 Like

I’ve just a question about something I noticed recently, but maybe it’s not connected to the 3.11.11 update.

When I restart TO, it’s unable to resolve local machine names until they renew their DNS lease. Is that expected behavior? I haven’t noticed it before, but it’s possible that I just haven’t tried reaching other devices so shortly after restart… If it is expected, is there anything I can do to fix this? I have an external drive connected and I’m resolving using kresd (I think; maybe it’d be nice to add a line to Foris DNS page telling which resolver is being used).

That seems very unlikely to be related (to the DNS problems posted above).

Diagnostics sent, i temporarily let the router update, it went to 3.11.12 and i immediately lost all DNS again, while IP only traffic was not affected

1 Like

BTW a suggestion for improvement. What about running the connectivity tests after an update and rolling the update back if the test fails automatically ?

If you are using 6in4, IPv6 test fails.