Adguardhome: Force DNS Redirection

Created on 23 Oct 2019 · 9 Comments · Source: AdguardTeam/AdGuardHome

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • [x] I am running the latest version
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed

Problem Description


I have an ISP-issued modem/router that provides the internet connection (Router 1). Behind it I have my Wi-Fi router providing the actual connectivity to all other devices (Router 2). I am forcing all DNS queries to my AdguardHome server (Raspberry Pi 3B+) by setting the IP address of the AdguardHome server as the sole static DNS address in Router 2 and ticking "Force DNS Redirect" (in DD-WRT firmware) to make sure everything runs via Adguard. So far so good.

The problem is that the ISP modem/router is apparently forcing any DNS request to whatever is set in that modem (Router 1), and it is not possible to enable DoH or DoT on that device. Whatever I set as upstream DNS servers in AdguardHome is completely ignored. Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguardHome, I can clearly detect that these aren't used. I checked with https://1.1.1.1/help and https://www.cloudflare.com/ssl/encrypted-sni/

Proposed Solution


I am not sure if this is at all possible, but an elegant solution to this problem would be if you could add a feature similar to DD-WRT firmware that forces any DNS requests that reach AdguardHome and are not filtered to be redirected exclusively to whatever is set in AdguardHome. Also, I am pretty sure that I am not the only one having a similar issue, as most of us don't own their internet connection, I would assume.

Alternatives Considered

Additional Information

question

All 9 comments

Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguardHome, I can clearly detect that these aren't used.

I don't understand how a router can mess with DoH/DoT.

Are you sure AdGuard Home is really used by the device you're using to test this?
Do you see these DNS queries in the AdGuard Home log?

I am sure that ALL DNS requests from my network are going to AdguardHome, as I can see them in the query log. I have checked different browsers on the same and on different machines; all give the same result: the AdguardHome settings are ignored.
As a proof that it is in principle working, I have the most recent version of Firefox, about:config network.trr.mode=2, using the preset Cloudflare DNS servers set to work in DoH mode. In that case I bypass AdguardHome, yet the aforementioned test URLs show that DoH is actually used. Switching this back to mode=0 returns that DNS is once again not using anything set in AdguardHome.

On 23.10.2019, at 10:29, Andrey Meshkov notifications@github.com wrote:

As a final test I was taking the AdguardHome server offline by pulling the ethernet cable…no DNS queries are possible and I get no website loaded in a browser.

On 23.10.2019, at 10:29, Andrey Meshkov notifications@github.com wrote:

Let's see what's in AG Home logs then.

  1. Configure AdGuard Home to collect logs:

    • Specify log_file

    • Set verbose to True

  2. Restart AdGuard Home and reproduce the issue
  3. Post the log file here.

OK:
Here is the log. Still no success on the diagnostic URLs mentioned above, but according to the log, as far as I understand it, Adguard connects just fine…mhhh.

https://gist.github.com/ameshkov/f5ff592e07adca7de3f221590f74b8c2

You can only redirect outbound DNS traffic on your router; no DNS resolver can handle that. You suspect your ISP is intercepting DNS on Router 1, so on Router 2 everything should be okay -> validate that with logs/tcpdump. Also validate your DNS redirect on Router 2 by manually setting a client's DNS to a random external one and doing some lookups; they should be redirected to AdGuard. Your redirect rules must not include AdGuard's addresses.

What's the output on adguard/client/router of:

  • curl -H 'accept: application/dns-message' -v 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump

  • nslookup -d2 google.com (windows client)

  • dig google.com (linux client)
  • https://1.1.1.1/help
  • your adguard config

Sample tcpdump for Router 2 validation, eth0 being the LAN-facing interface:
tcpdump -i eth0 -n udp port 53 or tcp port 53
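The curl command above sends an RFC 8484 DoH GET request whose dns= parameter is the base64url-encoded wire-format query for www.example.com. To make that check reproducible without relying on a browser or a test page, here is an added Python example (not code from the thread or from AdGuard Home) that builds the same wire-format query, derives the DoH URL from it, and parses a wire-format answer back into records. The resolver URL is the one from the curl command; the sample response bytes are constructed for the offline demonstration, and the hypothetical query_doh helper only runs when the script is executed directly.

```python
import base64
import struct
import urllib.request

# DoH endpoint from the curl example in the thread.
DOH_URL = "https://cloudflare-dns.com/dns-query"


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0xABCD, recursion_desired=True):
    """Build a wire-format DNS query: 12-byte header + one question (class IN)."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, base=DOH_URL, txid=0):
    """RFC 8484 GET form: base64url without padding in the dns= parameter.
    txid defaults to 0 (the RFC's cache-friendly recommendation)."""
    wire = build_query(name, txid=txid)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header + answer section; returns id, rcode and a list of answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            value = ".".join(str(b) for b in rdata)
        else:                                # anything else: raw hex
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed sample answer: the query above echoed back, one A record
# pointing at 192.0.2.1 (TEST-NET-1 documentation address), TTL 300.
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd 8180 0001 0001 0000 0000"
    "03777777 076578616d706c65 03636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 c0000201"
)


def query_doh(name):
    """Live check (hypothetical helper, network required): GET the DoH URL
    with the same Accept header curl used and parse the wire-format body."""
    req = urllib.request.Request(doh_get_url(name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url("www.example.com", txid=0xABCD))  # same dns= as the curl
    print(parse_response(SAMPLE_RESPONSE))
```

Running the live helper from AdGuard Home's host, from a LAN client and from Router 2 in turn, and comparing the answers with what the query log shows, is the same three-vantage-point comparison the comment asks for; a client whose plain UDP lookups return different answers than the DoH path is the symptom of on-path interception.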

Thank you very much for your response.
I was banging my head for a while after that initial message. However, due to other unrelated reasons, I was changing my VPN provider last week. And because I want to use AdguardHome, I needed to "outsource" the DNS lookups to AdguardHome, which is why I was so much into making it as secure as possible. Turns out, after my change to the new VPN setup on Router 2, everything is fine. I have no explanation for any of it. Now DNS queries run over DoH and are DNSSecure, as it should be. So, clearly no issue with AdguardHome.
What my initial VPN provider did to the DNS queries however is a mystery to me.

Thanks!

On 30.10.2019, at 23:02, Martin Spitz notifications@github.com wrote:

Glad it works. I'm not a fan of bloating issue trackers with opinions, but I'll play devil's advocate for a bit:

A few things to think about with using 3rd-party VPN and DoH upstreams: none of those magically give you "more security"; in fact you achieve the opposite (less security) by handing your traffic and/or name resolution to an additional party, which are most of the time profit-orientated businesses, and you entirely rely on their claims and security. Without ESNI at larger scale, DoH brings little to no benefit, as your ISP would still see you connect to the IP address. Well, you rule out _everyone listening on the wire_ at least, so there's something.

I guess in most cases running a local resolver and using your ISP's upstream DNS is probably faster (in numbers; I don't think a human can distinguish between, let's say, a 17ms and a 54ms DNS query) and leaves out other people entirely, which means no loss of security.

Without ESNI at larger scale, DoH brings little to no benefit, as your ISP would still see you connect to the IP address

ESNI by itself is quite a problematic standard (at least in its current state) pushed by a few CDNs.
