Adguardhome: Bootstrapping DOH and DOT uses system resolver on Windows

Created on 20 May 2019 · 48 Comments · Source: AdguardTeam/AdGuardHome

Steps to reproduce

  1. Install as service
  2. Run ipconfig /flushdns
  3. Run AdGuardHome.exe -s start
  4. Run nslookup www.google.com

Expected behavior

Return something.

Actual behavior

If I get a timeout, it always times out.
When it times out, [Test upstreams] returns an error.
But if I set any DNS server (directly by IP) as the first upstream DNS, it works.

Config: AdGuardHome.zip

Your environment

| Description | Value |
| - | - |
| Version of AdGuard Home server: | v0.95-hotfix |
| How did you setup DNS configuration: | System |
| If it's a router or IoT, please write device model: | PC |
| Operating system and version: | Windows 10 x64/Windows 8.1 x64 |

Medium bug question

All 48 comments

Well, it seems that CloudFlare DNS is not reachable from your place. You should contact your internet service provider and report this issue.

When it happened, I could still query 1.1.1.1 with nslookup.
So I could reach Cloudflare DNS at that time.
I tried setting 8.8.8.8:53; the problem still happened.

@bestpika maybe the issue is with their DNS-over-HTTPS server only?

What does AGH print to the log?

Here is the log: log.zip
Flushing the system DNS cache before running the service reproduces this problem.
After setting a DNS server (directly by IP) and applying (at log line 326), the error is gone.

@bestpika could you please run AGH with the -v parameter so that it prints more information? I can't see what the root cause of the issue is from the log.

log.zip

Steps:

  1. Run ipconfig /flushdns
  2. Run AdGuardHome.exe -v

When the error occurs, I can query DNS using 1.1.1.1 or 8.8.8.8.

line 3124: add DNS tls://1.1.1.1

2019/05/20 17:01:23 17520#67 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for cloudflare-dns.com in 9999 milliseconds using 1.1.1.1:53: i/o timeout

Bootstrap DNS is set to 1.1.1.1 and it fails to resolve the IP addresses.
I have no clue why it works using nslookup, though:(

Try changing bootstrap DNS to 8.8.8.8 and see if there's any change

2019/05/20 17:01:23 17520#68 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for cloudflare-dns.com in 10000 milliseconds using 8.8.8.8:53: i/o timeout

In this log, 8.8.8.8 can't resolve either.

After line 4243, it can get the IP address.
And it uses tls://1.1.1.1, not the bootstrap DNS.

What happened after 4243?

I have no idea.
But I set tls://1.1.1.1 as an upstream DNS at line 1807.

@szolin plz take a look, maybe you can see what's wrong here

If my upstream DNS list has any IP-based DNS server (like 1.1.1.1:53 or tls://1.1.1.1), I don't get any error.

Does it work if you disable browsing security?

So there's possibly an issue when:

  1. Parallel resolution is enabled
  2. Browsing security is enabled
  3. All upstreams require bootstrapping

@szolin plz don't miss this

I disabled

  • protection_enabled
  • filtering_enabled
  • safebrowsing_enabled

and still get the error.

Please clear system DNS cache before the test.

I disabled all filters.
It gets no error.
So is the problem caused by updating filters?

Not really, it looks as if it randomly fails to resolve the upstream's domain name. I don't know why, though.

Oh, I tried again and got the error too.

All disabled, still error.

Try a different bootstrap DNS.

Try 176.103.130.130 and remove other addresses.

I tried

  • 101.101.101.101
  • 168.95.1.1
  • 1.1.1.1
  • 8.8.8.8
  • 176.103.130.130

(with only one bootstrap DNS set) and got the same error.

Only when the upstream DNS list has an IP-based DNS server do I not get the error.

Then I have no idea what's wrong, and I cannot reproduce this issue.

I'll reopen this issue, maybe @szolin will see something

By the way, my two computers are behind the wireless ap (different model).

It does not matter.

For some reason, for the first minute or so, AGH fails to bootstrap the addresses of the upstream servers. Maybe some firewall messes with it, maybe something else, I can only say what I see in the log.

This is clearly not a bug, but something specific to your computer configuration.

I used AdGuard desktop on the same computer.
Does it cause the problem?

I doubt it

I deleted my configuration, used the wizard to create a new one, and got the same problem.

This is the default configuration: AdGuardHome.zip

Again, it has little to do with AGH itself.

As I said, something is not okay with your computer configuration:
https://github.com/AdguardTeam/AdGuardHome/issues/770#issuecomment-493930324

I tried DNSPROXY and got the same problem.

Steps:

  1. ipconfig /flushdns
  2. dnsproxy -v -o ./log.txt -l 127.0.0.1 -b 80.80.80.80:53 -z -u tls://dns.google -s

Log: https://github.com/AdguardTeam/AdGuardHome/files/3214633/log.txt

Additional information

I only set 127.0.0.1 as the system DNS.

@ameshkov I have over 3 computers (including VMs) with the same problem.
Did you use Windows 7/8/8.1/10 to test this problem?

The problem consists of using domains in the "Upstream DNS servers".

The bootstrap servers I use are 8.8.8.8 and 1.1.1.1 - they work when the SYSTEM DNS (The one in the network card's IPv4 settings) is not changed to 127.0.0.1.

As soon as I change the SYSTEM DNS to 127.0.0.1, AdGuard is unable to resolve the upstream DNS hostnames and the whole system loses DNS. It's like there are no bootstrap DNS servers at all.

If I place a tls://1.1.1.1 in Upstream DNS, names resolve and AdGuard processes the system's DNS queries.

@Onepamopa just in case, what OS are you using?

Windows 10 64 bit

Interesting, two identical issues both on Windows. This might be a bug of golang, we'll take a look at it.

Still does not work, this issue should not be closed.

When the SYSTEM resolver is set to AGH (127.0.0.1), AGH will not resolve the host names of Upstream DNS servers. Bootstrap DNS servers are not working in this case.

Steps to reproduce:

  1. Set up AGH with the following Upstream DNS servers:
    https://dns.cloudflare.com/dns-query
    sdns://AgUAAAAAAAAAACAe9iTP_15r07rd8_3b_epWVGfjdymdx-5mdRZvMAzBuQ5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs
  2. Set your desired bootstrap DNS servers.
  3. Save settings.
  4. Open network card's properties, go to TCP/IP and set DNS servers to: 127.0.0.1
  5. System immediately loses DNS.
  6. Open DNS settings of AGH and click: "Test upstreams".
  7. You will see red popups showing "Unable to resolve xyz whatever".

This indicates the bootstrap DNS servers are NOT USED AT ALL to resolve hostnames for upstream DNS servers.

Reopened and assigned back to v0.97.

@szolin could you please take a look at this?

@Onepamopa Can you attach new logs with v0.96-hotfix?

@szolin I will do that tomorrow.

I see what is going on - it's related to IPv6. I have IPv6 disabled on my network card, but adguard tries to connect using IPv6:
2019/06/13 17:11:13 19420#256 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700::6810:f8f9]:443
2019/06/13 17:11:13 19420#178 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700::6810:f8f9]:443, in 10000 milliseconds, cause: dial tcp [2606:4700::6810:f8f9]:443: i/o timeout
2019/06/13 17:11:13 19420#178 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700::6810:f9f9]:443
2019/06/13 17:11:13 19420#58 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700:4700::1111]:853, in 10001 milliseconds, cause: dial tcp [2606:4700:4700::1111]:853: i/o timeout
2019/06/13 17:11:13 19420#58 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700:4700::1001]:853
2019/06/13 17:11:13 19420#43 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700:4700::1001]:853, in 10001 milliseconds, cause: dial tcp [2606:4700:4700::1001]:853: i/o timeout
2019/06/13 17:11:13 19420#43 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700:4700::1111]:853
2019/06/13 17:11:13 19420#49 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700:4700::1111]:853, in 10000 milliseconds, cause: dial tcp [2606:4700:4700::1111]:853: i/o timeout
2019/06/13 17:11:13 19420#49 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700:4700::1001]:853

I suggest an option to enable/disable IPv6.

@szolin @ameshkov

@Onepamopa thanks for the log, please wait till the next update.

Please attach the complete log, we need to see why there are no IPv4 addresses which AGH can use.

@Onepamopa
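
A log triage for the two failure modes seen in this thread, as an added example that is not part of the original discussion or of AdGuard Home's code: it separates failed bootstrap lookups (the `upstream.lookup()` lines) from failed upstream dials (the `createDialContext` lines) and splits the dials by address family. The name `Triage`, the stage labels and the regular expressions are assumptions written against the debug lines quoted above.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Debug lines copied from the two logs quoted in this thread.
const mayLog = `2019/05/20 17:01:23 17520#67 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for cloudflare-dns.com in 9999 milliseconds using 1.1.1.1:53: i/o timeout
2019/05/20 17:01:23 17520#68 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for cloudflare-dns.com in 10000 milliseconds using 8.8.8.8:53: i/o timeout`
const juneLog = `2019/06/13 17:11:13 19420#178 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700::6810:f8f9]:443, in 10000 milliseconds, cause: dial tcp [2606:4700::6810:f8f9]:443: i/o timeout
2019/06/13 17:11:13 19420#178 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): Dialing to [2606:4700::6810:f9f9]:443
2019/06/13 17:11:13 19420#58 [debug] github.com/AdguardTeam/dnsproxy/upstream.createDialContext.func1(): dialer failed to initialize connection to [2606:4700:4700::1111]:853, in 10001 milliseconds, cause: dial tcp [2606:4700:4700::1111]:853: i/o timeout`

var lookupRe = regexp.MustCompile(`failed to lookup for (\S+) in \d+ milliseconds using (\S+): `)
var dialRe = regexp.MustCompile(`dialer failed to initialize connection to (\S+), in \d+ milliseconds`)

// Triage counts failed bootstrap lookups per server and failed dials per address family.
func Triage(log string) (bootstrap map[string]int, dialV4, dialV6 int, stage string) {
	bootstrap = map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := lookupRe.FindStringSubmatch(line); m != nil {
			bootstrap[m[2]]++ // keyed by the bootstrap server that timed out
		} else if m := dialRe.FindStringSubmatch(line); m != nil {
			host, _, _ := net.SplitHostPort(m[1]) // host is "" on a parse error
			if ip := net.ParseIP(host); ip != nil && ip.To4() != nil {
				dialV4++
			} else if ip != nil {
				dialV6++
			}
		}
	}
	switch {
	case len(bootstrap) > 0:
		stage = "bootstrap" // the upstream hostname was never resolved
	case dialV6 > 0 && dialV4 == 0:
		stage = "dial-ipv6-only" // resolved, but every failed dial was IPv6
	case dialV4 > 0:
		stage = "dial"
	}
	return
}

func main() {
	fmt.Println(Triage(mayLog))
	fmt.Println(Triage(juneLog))
}
```

A `bootstrap` result matches the May report (no upstream address was ever obtained), while `dial-ipv6-only` matches the June report, where addresses were resolved but only IPv6 targets appear among the failures.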
