Adguardhome: Device Identifier - DNS-over-TLS and DNS-over-HTTPS

Created on 30 Jan 2020  ·  13 Comments  ·  Source: AdguardTeam/AdGuardHome

Just migrated to Adguard-Home after hopping from nextdns and pihole. Everything seems to work out of the box, including DNS-over-TLS (standard installation).

While I was with nextdns, I found their device identifier to be a really nifty option where the device could be identified by identifier-subdomain.domain.com

DNS-over-TLS
Prepend the name of your choice to the provided domain (the name should only contain a-z, A-Z, 0-9 and -).
Example: for "John-Home-Router", you would use John-Home-Router-5ff9b1.dns.nextdns.io as your DNS-over-TLS endpoint.

Was wondering if something similar could be implemented within Encryption Settings with the following possibility:

  • Ability to configure multiple sub-/domains with certificate and client name
    Example: Google-Pixel-subdomain.domain.com

This way, it would be easier to identify clients' queries that were configured to use that particular domain in the DNS-over-TLS section.

High enhancement

All 13 comments

Oh, interesting idea, I really like it!

We could use a different approach, though. We could extend the "settings -> clients -> add client" dialog and allow setting this "subdomain" identifier there. This way you don't just identify the device, but you can also have different per-client settings.

That sounds cool! You could sign me up for beta testing if required 😄

I would like to work on this feature, is it possible ?

@Jbbouille we're going to start working on it soon so I guess we may overlap here

I suggest that, building on this, different blocking modes could be configured for different domain names (clients).

@CalmLong

That makes sense, thanks.

I think that if the TLS certificate has some "SAN" (subject alternative name) entries, we could allow using several domain names.
But I don't think we should allow using several certificates; that is too complicated.

Proposed implementation:

  1. [ ] Allow wildcard certificates in the Encryption settings
  2. [ ] Improve wording in the "Server name" field: https://uploads.adguard.com/up04_AdGuard_Home_3s1g4.png We should explain that if "Server name" is not set, we should accept TLS connections for any domain.
  3. [ ] Allow setting custom strings as Client ID. These strings should be validated (i.e. they need to be usable as a domain name component): https://uploads.adguard.com/up04_AdGuard_Home_278y0.png
  4. [ ] Once this identifier is configured, you can use a special domain name while configuring your client.
     Example:
     1. AdGuard Home domain name is example.org.
     2. In AdGuard Home you add a client with identifier my-client.
     3. On the client device you can now configure:
        • DNS-over-TLS: tls://my-client.example.org
        • DNS-over-QUIC: quic://my-client.example.org
        • DNS-over-HTTPS: https://example.org/dns-query-my-client
  5. [ ] Don't forget to add this description to the "Identifier" field in the UI.
  6. [ ] If some client uses an address matching the above pattern, let's add it to "Clients (runtime)" automatically.
  7. [ ] TODO: Query log and Dashboard UI for this new identifier
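As an added example (not AdGuard Home's own code) of the identifier scheme proposed above, a small Go program that extracts the client ID from the DoT/DoQ server name and from the DoH path, applying the validation rule from step 3 so that a client-chosen name is accepted only when it is a single well-formed DNS label directly under the server domain. The base domain example.org and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed value: the AdGuard Home server domain from the proposal above.
const baseDomain = "example.org"
// validClientID enforces the proposal's rule: the identifier must be usable as
// one DNS label (a-z, A-Z, 0-9 and '-'), 1..63 bytes, not starting/ending in '-'.
func validClientID(id string) bool {
	if len(id) == 0 || len(id) > 63 || id[0] == '-' || id[len(id)-1] == '-' {
		return false
	}
	for i := 0; i < len(id); i++ {
		c := id[i]
		if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-') {
			return false
		}
	}
	return true
}

// clientIDFromSNI covers DoT/DoQ: "<id>.example.org" -> "<id>". The SNI is client-
// controlled: anything but one valid label directly under baseDomain yields "".
func clientIDFromSNI(sni string) string {
	sni = strings.TrimSuffix(strings.ToLower(sni), ".") // host names are case-insensitive
	suffix := "." + baseDomain
	if !strings.HasSuffix(sni, suffix) {
		return ""
	}
	if id := strings.TrimSuffix(sni, suffix); validClientID(id) {
		return id
	}
	return ""
}

// clientIDFromDoHPath covers DoH: "/dns-query-<id>" -> "<id>"; plain "/dns-query" -> "".
func clientIDFromDoHPath(path string) string {
	const prefix = "/dns-query-"
	if id := strings.TrimPrefix(path, prefix); id != path && validClientID(id) {
		return id
	}
	return ""
}

func main() {
	fmt.Println(clientIDFromSNI("my-client.example.org"), clientIDFromDoHPath("/dns-query-my-client"))
}
```

An extracted ID only identifies a device, not authenticates it, and the SNI form is only usable when the certificate actually covers <id>.example.org (wildcard or SAN).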

@ameshkov
I have a suggestion for the routes.

For the DNS-over-HTTPS currently NextDNS uses:
https://dns.nextdns.io/ACCOUNT_ID/DEVICE_ID

Maybe for AdGuardHome it could be
https://example.com/dns-query/DEVICE_ID/

This would make sense with the current routing of DoH.

@ameshkov I think for DoT and DoQ, instead of a subdomain it's better to use something like NextDNS does, device-id--domain.tld: the "--" lets us identify the client without having to create a wildcard certificate (not possible in some configurations with some domain providers) and/or can be messy to generate easily.

edit: in my case my DNS server is on a dns subdomain with a certificate that covers only the dns subdomain; that way, if my DNS is hacked, they can't use the certificate to redirect my other domains (it's my threat model).

@michaelb-ae "--" is just a part of the domain name; it does not mean you don't need a wildcard certificate. Or you can use a certificate with multiple subjectAltNames which include your device-id--domain.tld

@ameshkov, as I understand it, now we need to properly document it and close the issue?

@ainar-g well, it kinda is documented already: https://github.com/AdguardTeam/AdGuardHome/wiki/Clients

Ah, I see. Then the remaining bugs and improvements should probably become separate issues, like #2607.
