DNS settings in reForis
What is DNS?
The Domain Name System (DNS) is a system which translates names (such as www.turris.cz) to IP addresses (e.g. 22.214.171.124 for IPv4 or 2001:1488:ac15:ff80::69 for IPv6) and vice versa. It is one of the key parts of the Internet.
For example, if you want to visit a web page in your browser, your computer sends a DNS request to the “nearest” DNS server. This server responds directly (if it already has the address cached) or it recursively queries other DNS servers (the ISP’s ones or the authoritative ones which maintain the DNS records) and then sends the address to your computer.
In most cases, your computer sends DNS queries to your router (i.e. Turris), which must therefore be configured properly. This documentation page explains how to set it up.
What is DNSSEC?
Plain DNS responses have a big problem: their data is transmitted without any integrity protection. If the data is changed in transit, you cannot detect it in any way. Some “bad guy” sitting on the wire can send you his own DNS record instead of the true one and you have no way of finding out. This attack is known as DNS spoofing.
For example, you request the IP address(es) for www.turris.cz and you should currently get that it is an alias for turris.cz and that it has the address 2001:1488:ac15:ff80::69. But somebody (e.g. a dissatisfied employee at your ISP) can change it to something else and your browser displays a different page than the one you wanted.
DNSSEC (DNS Security Extensions) adds digital signatures to DNS records, so a validating resolver can verify that the data in a response:
- is based on authoritative data, and
- is unchanged (has its original form).
DNSSEC works properly only if the whole DNS record chain (from the root zone to the records you are requesting) is consistently signed and all DNS servers are correctly configured. The root zone keys are signed by complex and secure procedures called Root KSK Ceremonies. The root zone signs the lower-level zones (for TLDs) and so on.
To make DNSSEC work properly, it is also necessary that all DNS servers/resolvers in the chain between you and the authoritative DNS servers support it. This usually includes your router and your ISP’s DNS servers (if used). Read below how to set up your Turris to work with DNSSEC.
DNS in reForis
Turris uses its own DNS resolver with DNSSEC support. It is capable of working independently, or it can forward your DNS queries to your ISP’s DNS resolver. Usually it is better to use the ISP’s resolver in networks where it works properly. If it does not work for some reason, it is necessary to use direct resolving without forwarding.
DNS forwarding is enabled by default. It means all DNS queries are sent to your ISP’s DNS forwarding servers (or other DNS forwarders if set so – see below). This is the strongly recommended setting and should be left unchanged unless there is a very good reason to change it.
What may be such a reason? For example, DNSSEC on your ISP’s DNS servers is broken and the DNS over TLS (DoT, see below) port is blocked.
Predefined DNS forwarders
There are multiple forwarders which can be used:
Forwarders other than your ISP’s are reached via a technology named DNS over TLS (DoT). Regular DNS queries and responses (including the DNSSEC ones) are transferred in plain text and can be intercepted by anybody who has access to the lines and nodes (including your ISP, of course). If you want to keep your DNS communication private you can use DoT/TLS instead.
DNS over TLS keeps DNS traffic private but is a bit slower than standard DNS communication.
- CZ.NIC is the Czech national domain registry operator (and the creator of your Turris).
- Cloudflare is a world-wide cloud service provider.
- Google is a well-known and ubiquitous Internet company.
- Quad9 Filtered is a forwarder which blocks domains with malicious content (like phishing or malware). It is provided by Quad9, a non-profit organization dedicated to secure DNS services.
- Quad9 Unfiltered is also a forwarder run by Quad9 but without blocking malicious domains. Use it if you encounter problems with legitimate content being blocked by the Quad9 Filtered forwarder.
If none of the predefined forwarders fits your needs, there is also a possibility to set a custom forwarder. Press the Add custom forwarder button (see the above picture) to specify it.
You can specify up to two IPv4 addresses and two IPv6 addresses. At least one address (of either version) must always be specified. There are the following types of TLS:
- No TLS – the standard DNS protocol is used (no encryption).
- Hostname – DoT is used and the DNS forwarders are validated using the hostname in the TLS certificates (all of the forwarders must have the same name).
- Pin – DoT is used and the DNS forwarders are validated using the public key pin of the certificate (which must be the same for all forwarder addresses).
If you use the third option, the pin must be a Base64-encoded SHA-256 hash of the forwarder’s DER-encoded SubjectPublicKeyInfo, as defined in RFC 7469.
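The following script shows how such an RFC 7469 pin is computed and what the Pin field expects. It is an added example, not code from the Turris project or from reForis: it pulls the SubjectPublicKeyInfo out of a DER/PEM X.509 certificate with a small ASN.1 walker (no third-party library), hashes it with SHA-256 and Base64-encodes the digest, and also checks that a pin string has the right shape (standard Base64 decoding to exactly 32 bytes). The embedded certificate is constructed filler with a dummy key, so its pin is only for demonstration; the file name and the openssl command in the comments are assumptions.

```python
import base64
import hashlib
import sys


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: Base64 of SHA-256 over the DER SubjectPublicKeyInfo (full TLV)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def is_valid_pin(pin: str) -> bool:
    """The Pin option needs standard Base64 that decodes to one 32-byte SHA-256 digest."""
    try:
        raw = base64.b64decode(pin, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, start, end) of the DER element at pos; short and long-form lengths."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], start, end


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, _, end = _read_tlv(tbs, pos)
    if tag == 0xA0:                       # explicit [0] version present: skip it
        pos = end
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(tbs, pos)
    tag, _, start, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[start:end]


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and decode the Base64 body."""
    body = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: structurally valid, unsigned, with a filler EC public key (id-ecPublicKey OID).
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _tlv(0x03, b"\x00\x04" + b"\xAB" * 64))
SAMPLE_CERT = _tlv(0x30,
                   _tlv(0x30,                                  # tbsCertificate
                        _tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] version v3
                        + _tlv(0x02, b"\x01")                  # serialNumber
                        + _tlv(0x30, b"") + _tlv(0x30, b"")    # signature, issuer (empty filler)
                        + _tlv(0x30, b"") + _tlv(0x30, b"")    # validity, subject (empty filler)
                        + SAMPLE_SPKI)
                   + _tlv(0x30, b"")                           # signatureAlgorithm
                   + _tlv(0x03, b"\x00" * 201))                # signatureValue (long-form length)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python3 spki_pin.py forwarder.pem   (PEM or DER; file name is an assumption)
    # The forwarder's certificate can be fetched e.g. with
    # `openssl s_client -connect <forwarder-ip>:853 -showcerts` (assumed to be installed).
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
        der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
    else:
        der = SAMPLE_CERT
    print(spki_pin(extract_spki(der)))
```

The pin is taken over the whole SubjectPublicKeyInfo element (tag and length bytes included), not over the raw key bits, which is the detail most often got wrong when a hand-computed pin is rejected by a resolver. Because it hashes only the key, the pin stays valid when the forwarder renews its certificate with the same key pair and breaks when the key changes, which is exactly when the setting has to be updated.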
Disabling DNSSEC is highly discouraged. It should be done only temporarily in these cases:
1. Your ISP’s DNS servers are broken and you can neither use any other forwarding option nor disable forwarding altogether (typically your ISP blocks the ports used for DNS and DoT communication with “foreign” servers). In such a case, ask your ISP to fix its DNS servers or consider migrating to another ISP.
2. You experience strange behavior when you browse the web or use other Internet services and you suspect it may be caused by broken DNSSEC. If disabling DNSSEC fixes these problems, the situation turns into (1). Otherwise you should re-enable DNSSEC and investigate elsewhere.
If you try to uncheck the Enable DNSSEC checkbox, you will have to confirm that you really want to do that.
DHCP clients in DNS
You can enable DHCP client names in the local DNS. This is disabled by default. If you enable it, you will be able to resolve IP addresses for local hostnames. It can be useful if computers provide various services to each other (e.g. file sharing, DLNA media services…).
When a computer requests its IP address via DHCP, it sends its hostname (this is the name you can see on the LAN page in the DHCP clients list). Remember that each computer in your LAN must have a unique name for this to work properly. Ambiguous names will lead to unpredictable results.
After you have set the DNS settings you can test the connectivity. Remember to press the Save button before you start the test. Note that sometimes it takes a while before the connection is fully initialized, so it might be useful to wait a moment before running this test.
What the particular results mean:
- DNS – your router can successfully execute DNS queries and get responses,
- DNSSEC – your router can successfully execute DNSSEC queries and get correct (properly signed and intact) responses.
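The two test results above correspond to two flags in the DNS wire protocol: a plain answer (rcode NOERROR) means DNS works, and the AD (Authenticated Data) flag in the same header is what a validating resolver sets when the whole signature chain described in the DNSSEC section checked out; a validation failure comes back as SERVFAIL. The script below, an added example that is not part of the Turris documentation or the reForis code, builds a query with the EDNS0 DO bit, classifies a reply the same way the reForis test reports it, and reads the A records out of it. The replies it classifies are constructed byte strings (not captured traffic); the `ask()` helper that sends a real query to a resolver address of your choice is an assumption about how you would use it and is not exercised offline.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, ident: int = 0x1234, qtype: int = 1) -> bytes:
    """Recursive query plus an EDNS0 OPT record with the DO bit, asking for DNSSEC data."""
    header = struct.pack("!HHHHHH", ident, RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    # OPT RR: root name, type 41, UDP payload 1232, TTL field = ext-rcode/version/flags (DO), no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a name, whether written out as labels or as a compression pointer."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:        # 2-byte pointer ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def interpret(response: bytes, expected_ident: int = 0x1234) -> str:
    """'dnssec' = answered and validated (AD set), 'dns' = answered but not validated,
    'servfail' = resolver failed (what a validating resolver returns for bogus data)."""
    if len(response) < 12:
        return "error: truncated header"
    ident, flags, _, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ident != expected_ident or not flags & QR:
        return "error: not a response to our query"
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"
    if rcode != 0:
        return f"error: rcode {rcode}"
    return "dnssec" if flags & AD else "dns"


def a_records(response: bytes) -> list:
    """Dotted-quad IPv4 addresses from the answer section (A records only)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(response, pos) + 4            # qtype + qclass
    found = []
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            found.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return found


def ask(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send one UDP query to a resolver (IPv4 or IPv6 address) and return the raw reply."""
    family, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), addr)
        return s.recv(4096)


# Constructed replies for the three outcomes; the address is the page's own example value.
QUESTION = encode_name("www.turris.cz") + struct.pack("!HH", 1, 1)
ANSWER = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([22, 214, 171, 124])
VALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0) + QUESTION + ANSWER
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION + ANSWER
BOGUS = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)):
        print(label, "->", interpret(reply), a_records(reply))
    # Live check against your router, e.g. interpret(ask("192.168.1.1", "www.turris.cz"))
```

A result of "dns" with AD clear for a zone you know is signed usually points at a forwarder that does not validate or a resolver with DNSSEC disabled; "servfail" for a signed zone is the symptom described under disabling DNSSEC, and the right reaction is to check the forwarder, not to switch validation off.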