Force DNS Redirection

[ghost]

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Problem Description

I have an ISP-issued modem/router that provides the internet connection (Router 1). Behind it I have my Wifi router providing the actual connectivity to all other devices (Router 2). I am forcing all dns queries to my AdguardHome server (Raspberry Pi 3B+) by setting the IP address of the AdguardHome server as the sole static DNS address in Router 2 and tick "Force DNS Redirect" (in DD-WRT firmware) to make sure everything runs via Adguard. So far so good.

The problem is that the ISP modem/router is apparently forcing any DNS request to whatever is set in that modem (Router 1), and it is not possible to enable DoH or DoT on that device. Whatever I set as upstream DNS servers in AdguardHome is completely ignored. Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguatdHome I can clearly detect that these aren't used. I checked with https://1.1.1.1/help and https://www.cloudflare.com/ssl/encrypted-sni/

Proposed Solution

I am not sure if this is at all possible but an elegant solution to this problem would be if you could add a feature similar to DD-WRT firmware that forces any DNS requests that reach AdguardHome and are not filtered to exclusively be redirected to whatever is set in AdguardHome. Also, I am pretty sure that I am not the only one having a similar issue as most of us don't own there internet connection I would assume.

Alternatives Considered

Additional Information

[ameshkov]

Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguatdHome I can clearly detect that these aren't used.

I don't understand how a router can mess with DoH/DoT.

Are you sure AdGuard Home is really used by the device you're using to test this?
Do you see these DNS queries in the AdGuard Home log?

[ghost]

I am sure that ALL DNS request from my network are going to AdguardHome as I can see them in the query log. I have checked different browsers on the same and different machines all give the same reult: the AdguardHome settings are ignored. As a proof that it in principle is working I have the most recent version of Firefox, about:config <about:config> networktrr.mode=2 using the preset cloudflare dns servers set to work in DoH mode. In that case I bypass AdguardHome, yet aforementioned test urls show that DoH is actually used. Switching this back to mode=0 returns that DNS is neither not using anything set in AdguardHome.

…

On 23.10.2019, at 10:29, Andrey Meshkov ***@***.***> wrote: Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguatdHome I can clearly detect that these aren't used. I don't understand how a router can mess with DoH/DoT. Are you sure AdGuard Home is really used by the device you're using to test this? Do you see these DNS queries in the AdGuard Home log? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1111?email_source=notifications&email_token=ALXIFWD3JVWGYR6LIAJZQRDQQADNRA5CNFSM4JD5Q5JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECARRGA#issuecomment-545331352>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALXIFWAA24QSI6AOPMOETG3QQADNRANCNFSM4JD5Q5JA>.

[ghost]

As a final test I was taking the AdguardHome server offline by pulling the ethernet cable…no DNS queries are possible and I get no website loaded in a browser.

…

On 23.10.2019, at 10:29, Andrey Meshkov ***@***.***> wrote: Thus, although I have Cloudflare's DoH or DoT set as upstream DNS servers in AdguatdHome I can clearly detect that these aren't used. I don't understand how a router can mess with DoH/DoT. Are you sure AdGuard Home is really used by the device you're using to test this? Do you see these DNS queries in the AdGuard Home log? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1111?email_source=notifications&email_token=ALXIFWD3JVWGYR6LIAJZQRDQQADNRA5CNFSM4JD5Q5JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECARRGA#issuecomment-545331352>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALXIFWAA24QSI6AOPMOETG3QQADNRANCNFSM4JD5Q5JA>.

[ameshkov]

Let's see what's in AG Home logs then.

1. Configure AdGuard Home to collect logs:
   • Specify log_file
   • Set verbose to True
2. Restart AdGuard Home and reproduce the issue
3. Post the log file here.

[ghost]

OK: Here is the log, still no success on the diagnostic urls mentioned above but according to the log as far as I understand it, Adguard connects just fine…mhhh. https://gist.github.com/ameshkov/f5ff592e07adca7de3f221590f74b8c2

[phixion]

you can only redirect outbound dns traffic on your router, no dns resolver can handle that. You suspect your ISP intercepting DNS on router1 so on router2 everything should be okay -> validate that with logs/tcpdump also validate your dns redirect on router2 by manually setting a client's dns to a random external one and do some lookups they should be redirected to adguard. Your redirect rules must not include the adguard's addresses.

whats the output of on adguard/client/router of:

• curl -H 'accept: application/dns-message' -v 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump

• nslookup -d2 google.com (windows client)

• dig google.com (linux client)

• https://1.1.1.1/help

• your adguard config

sample tcpdump for router2 validation eth0 being the lan facing interface
tcpdump -i eth0 -n udp port 53 or tcp port 53

[ghost]

Thank you very much for your response. I was banging my head for a while after that initial message. However, due to other unrelated reasons I was changing my VPN provider last week. And because I want to use AdguardHome i needed to “outsource” the DNS lookups to AdguardHome, which is why I was so much into making it as secure as possible. Turns out after my change to the new VPN setup on Router 2, everything is fine. I have no explanation for any of it. Now DNS queries run over DoH and are DNSSecure as it should be. So, clearly no issue with AdguardHome. What my initial VPN provider did to the DNS queries however is a mystery to me. Thanks!

…

On 30.10.2019, at 23:02, Martin Spitz ***@***.*** ***@***.***>> wrote: you can only redirect outbound dns traffic on your router, no dns resolver can handle that. You suspect your ISP intercepting DNS on router1 so on router2 everything should be okay -> validate that with logs/tcpdump also validate your dns redirect on router2 by manually setting a client's dns to a random external one and do some lookups they should be redirected to adguard. Your redirect rules must not include the adguard's addresses. whats the output of on adguard/client/router of: curl -H 'accept: application/dns-message' -v 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB <https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB>' | hexdump nslookup -d2 google.com <http://google.com/> (windows client) dig google.com <http://google.com/> (linux client) https://1.1.1.1/help <https://1.1.1.1/help> your adguard config sample tcpdump for router2 validation eth0 being the lan facing interface tcpdump -i eth0 -n udp port 53 or tcp port 53 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1111?email_source=notifications&email_token=ALXIFWHWJVFH7XITARWZDTLQRH76ZA5CNFSM4JD5Q5JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECV5GOQ#issuecomment-548131642>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALXIFWC6TIXRQTC2B5KMEFTQRH76ZANCNFSM4JD5Q5JA>.

[phixion]

glad it works, I'm not a fan of bloating issuetrackers with opinions but I'll play devils advocate for a bit:

A few things to think about with using 3rd party vpn and DoH upstreams, none of of those magically give you "more security" in fact you achieve the opposite (less security) by handing your traffic and/or name resolution to an additional party, which are most of the time profit-orientated busineses and you entirely rely on their claims and security. without esni in larger scale DoH brings little to no benefit as your isp would still see your connect to the IP address. Well, you rule out everyone listening on the wire at least, so theres something.

i guess in most cases running a local resolver and using your isps upstream dns is probably faster (in numbers, I dont think a human can distinguish between a lets say 17ms and a 54ms dns query) and leaves out other people entirly, which means no loss of security.

[ameshkov]

without esni in larger scale DoH brings little to no benefit as your isp would still see your connect to the IP address

ESNI by itself is quite a problematic standard (at least in its current state) pushed by a few CDNs.