This documentation applies only Turris OS 3.x that is no longer present in newly sold routers. The new documentation is located at https://docs.turris.cz/.
This manual will tell you how to implement DNS on Turris. The manual informs about the most common problems and settings.
The operating system OpenWRT, which Turris OS is based on, has in it‘s default configuration dnsmasq in the role of DNS and DHCP server. Dnsmasq stays on Turris, but only in the role of the DHCP server. Turris and Omnia substitute the DNS resolver with a different implementation:
That is the reason why changes made in the DNS settings in LuCI won‘t manifest.
This adjustment has a very simple reason: the Turris project aims at improving Internet security and one of the technologies, which it supports, is also DNSSEC. The original dnsmasq wasn‘t capable of validating DNSSEC entries which is why it had to be replaced. Dnsmasq remained in the role of the DHCP server – as there was no reason for it to be replaced here and the option to configure it via the LuCI interface also remained.
Even though the newest versions of dnsmasq support DNSSEC, we are not considering returning it to it‘s role of the DNS resolver just yet, because we are not yet satisfied with the quality of implementation.
The DNSSEC technology ensures that for those domains, which are signed electronically, it can be verified that on the way between client and server the response wasn‘t forged. This is a defense against a type of attack known as DNS spoofing.
DNSSEC support is required on Turris in order for the router to function correctly. Without DNSSEC the router and the Turris switchboard wouldn't communicate. A common case of failures is caused by a user adjustment in the DNS software – when the dnsmasq server is elevated to the role of the main resolver.
Another common issue arises when “DNS forwarding” is enabled, but the ISP doesn‘t support DNSSEC technology. In the default Turris configuration, DNS forwarding is enabled.
Let‘s have a look at what is going on:
The advantage of forwarding is the fact that Turris will ask those servers, which a large number of clients asks (all clients of your ISP) and there is a bigger chance that the answer will be in cache and hence the server will be able to give it incomparably faster.
Two common problems can be solved by turning off forwarding:
*.turris.cz, which would refer to all sub domains of the turris.cz domain) as it should. If your ISP uses one of these versions, then Turris won‘t get the right signatures and validation will fail.
In both cases, this is a problem on the side of the ISP, who cannot differentiate Turris software and an attempted attack using DNS. This is why DNSSEC validation fails and the client in the network doesn‘t get an answer (in order to prevent the client getting counterfeit data).
In the Foris user interface under the tab DNS, you will find a simple test, which checks the current DNS setting on your router. On the same page you can turn forwarding on or off.