KingBravery
Senior Member
Now, I'm using v1.0.3. Do I need to update to latest version or just use that version?
Thank you for the great work on this, @SomeWhereOverTheRainBow! I got this installed last night on my AC86U, upgraded to the latest version this morning, and wanted to ask a few questions and pass along a few observations of before/after.
First off... I previously had my router set up to utilize Quad9's DoT service... and that seemed to be working quite well. After getting AGH installed, I noticed it made a few changes to my setup, and wanted to make sure that this is by design, and is configured this way so that AGH works properly.
First off, it seems it changed my DNS Privacy Protocol to "None"... Before, it had "DoT" selected. But now there's a new message underneath stating that the DNSFilter is now enabled.
So, under LAN->DNS Filter, it switched the DNSFilter to "ON", as it was previously off... and the only selection present is "Router".
Not being familiar with how these settings behave in conjunction with AGH, is this all correct to allow AGH to continue using DoT? This is what I currently have in my upstream settings, utilizing the "Parallel Requests" option:
Code:
[/router.asus.com/]192.168.1.1:553
[/www.asusnetwork.net/]192.168.1.1:553
[/www.asusrouter.com/]192.168.1.1:553
[/use-application-dns.net/]192.168.1.1:553
[/dns.resolver.arpa/]192.168.1.1:553
[/lan/]192.168.1.1:553
[//]192.168.1.1:553
tls://dns-family.adguard.com
tls://dns.quad9.net
tls://security.cloudflare-dns.com
https://doh.opendns.com/dns-query
The thing that worries me is that the [//]192.168.1.1:553 would seem to be able to bypass the requirement to use TLS and hit the plain DNS servers set up under the WAN DNS section? Isn't that a catch-all?
When looking at the log, all my entries say "Type A, Plain DNS"... which concerns me as well. Would it still say "Plain DNS" if TLS is working, or would it say "TLS DNS"? Just not sure what this means.
Also, is there any way to test or validate that outgoing DNS requests from AGH are going over TLS?
From a performance aspect, I noticed some strange entries under %VSZ... is 200.7% of virtual memory an expected figure?
From a load aspect, it runs pretty lean... but I did notice a loss of available RAM... probably between 50-75MB. I'll keep my eye on this to see if it settles more over time.
Appreciate your hard work, your lightning-fast support, fixes and updates for everyone using your AGH implementation! Thanks in advance for your feedback on this above!
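The post above asks whether the `[//]192.168.1.1:553` entry is a catch-all and whether the upstream list still forces TLS. The following is an added example, not code from the thread or from the AdGuardHome project: a small POSIX shell/awk classifier that takes the upstream list exactly as quoted above (one entry per line) and reports, for every entry, its transport (DoT, DoH, DoQ or plain) and its scope (the domain list inside `[/.../]`, the `[//]` form, which the maintainer's reply in this thread describes as covering unqualified names, or the bare default). A default-scope plain upstream is the thing to look for: it would carry every query AGH cannot answer from a scoped entry in clear text. The port-553 entries are the router's own dnsmasq, as in the quoted configuration; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or AdGuardHome): classify an AdGuardHome
# upstream list by transport and scope so that a clear-text upstream which is
# not confined to a local domain stands out.
#
# Constructed sample: the upstream list quoted in the post above, one entry per
# line, the way AdGuardHome expects it in the "Upstream DNS servers" box.
UPSTREAMS='[/router.asus.com/]192.168.1.1:553
[/www.asusnetwork.net/]192.168.1.1:553
[/www.asusrouter.com/]192.168.1.1:553
[/use-application-dns.net/]192.168.1.1:553
[/dns.resolver.arpa/]192.168.1.1:553
[/lan/]192.168.1.1:553
[//]192.168.1.1:553
tls://dns-family.adguard.com
tls://dns.quad9.net
tls://security.cloudflare-dns.com
https://doh.opendns.com/dns-query'

# Print one "transport<TAB>scope<TAB>server" line per upstream entry.
#   transport: dot (tls://), doh (https://), doq (quic://) or plain (no scheme,
#              udp:// or tcp://); plain means the query leaves in clear text.
#   scope:     the domain list inside [/.../], "unqualified" for the [//] form,
#              or "default" for a bare entry that receives everything else.
classify_upstreams() {
    printf '%s\n' "$1" | awk '
        NF == 0 || /^#/ { next }
        {
            entry = $1; scope = "default"
            if (entry ~ /^\[\/.*\/\]/) {
                scope = entry
                sub(/\].*$/, "", scope); sub(/^\[\//, "", scope); sub(/\/$/, "", scope)
                if (scope == "") scope = "unqualified"
                sub(/^\[[^]]*\]/, "", entry)
            }
            transport = "plain"
            if (entry ~ /^tls:\/\//)        transport = "dot"
            else if (entry ~ /^https:\/\//) transport = "doh"
            else if (entry ~ /^quic:\/\//)  transport = "doq"
            print transport "\t" scope "\t" entry
        }'
}

# Number of default-scope upstreams that speak plain DNS. Any value above zero
# means public names can be resolved in clear text from this router.
plain_default_count() {
    classify_upstreams "$1" | awk -F '\t' '$1 == "plain" && $2 == "default" { n++ } END { print n + 0 }'
}

# Number of default-scope upstreams that are encrypted (DoT, DoH or DoQ).
encrypted_default_count() {
    classify_upstreams "$1" | awk -F '\t' '$1 != "plain" && $2 == "default" { n++ } END { print n + 0 }'
}

classify_upstreams "$UPSTREAMS"
echo "plain default upstreams:     $(plain_default_count "$UPSTREAMS")"
echo "encrypted default upstreams: $(encrypted_default_count "$UPSTREAMS")"
```

For the quoted list the classifier reports no plain default upstream and four encrypted ones; the seven port-553 entries are all scoped, so they only ever see the listed local names. Appending a bare address such as `9.9.9.9` to the list is what would make `plain_default_count` go to 1.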
> Now, I'm using v1.0.3. Do I need to update to latest version or just use that version?

It is your choice on what you do, but if you do, please use the download link on the first forum post so you will be using the corrected installer during your update.
> Some basics:
> - Make sure you are using a swap of at least 2gb.

Got that covered.

> - Stubby is turned off by design because using adguardhome allows both DoT servers in the upstream, or may act as a Remote DoT server for users who enable it (truly to prevent any conflicts or misconfigurations).

In my case, I just want to use DoT servers for upstream purposes. Not running anything locally.

> - If you enable DNSfilter in the first DNSfilter question of the installer, it enforces AdGuardHome as DNS on your network by setting DNSfilter global to Router. The second DNSFilter question on the installer allows users to leave custom configurations. If you say don't leave custom configurations, you will lose any of your own defined rules; everything will be forced to Router.

I guess that was a little confusing... the question asked "do you want SOME DNS traffic to only go through AGH"... I selected "no" in this case, wanting all traffic to go through AGH.

> - The private reverse lookups used will only talk to dnsmasq, because local= rules are defined in dnsmasq.conf to define local traffic, preventing upstream leakage. In regards to the [//], look at this post: http://www.snbforums.com/threads/re...dguardhome-installer-amaghi.76506/post-735717 . It covers unqualified names.

Thanks for the link... I read through this whole thread, and didn't pick up on that. I will just comment it out for now and see if it has any adverse behaviors. I am not using any unqualified names locally.

> - To tell if you're using DoT or DoH, just plug in Cloudflare as your server for either, and run the Cloudflare help test: https://1.1.1.1/help

So I did have a DoT Cloudflare upstream server in my list... I gave it a try, and it did come back as DoT being enabled. Thanks!

> - The only other way to test you are using such is to use a TCP dump with Wireshark.

That's a lot of effort. LOL
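The "TCP dump with Wireshark" route above is the one check that does not depend on any single provider's test page, and it also settles the "Plain DNS" question from the earlier post: the protocol column in the AdGuardHome query log describes how the client reached AGH, not how AGH reached its upstream, so only traffic leaving the WAN side shows what the upstream really is. The following is an added example, not code from the thread: a POSIX shell/awk summary over a tcpdump text capture that counts packets by destination port and splits them into private (LAN) and WAN destinations. The capture lines are constructed in tcpdump's default `-n` text format; the suggested capture command and the WAN interface name `eth0` in the comment are assumptions to verify on your own router.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a tcpdump capture whether
# the router's upstream DNS traffic is actually encrypted. On the router the
# capture would look something like
#   tcpdump -ni eth0 'port 53 or port 853 or port 443' -c 200 > /tmp/dns.txt
# (eth0 as the WAN interface is an assumption; check with "ip route").
#
# Constructed sample in tcpdump's default text format: a LAN client asking
# AdGuardHome (local, port 53), two DoT sessions to public resolvers (port
# 853), one DoH connection (port 443, 198.51.100.5 is a made-up address) and
# one clear-text query to a public resolver on port 53, which is the leak.
CAPTURE='12:00:01.000100 IP 192.168.1.50.40001 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:01.000200 IP 203.0.113.10.50001 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 203.0.113.10.50002 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 203.0.113.10.50003 > 8.8.8.8.53: 4321+ A? example.com. (29)
12:00:01.000500 IP 203.0.113.10.50004 > 9.9.9.9.853: Flags [P.], seq 1:200, ack 1, length 199
12:00:01.000600 IP 203.0.113.10.50005 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0'

# Summarise packets as "<local|wan>:<dst port> <count>", sorted. A destination
# inside an RFC 1918 range is "local" (e.g. LAN clients talking to AGH);
# anything else is "wan". IPv6 lines ("IP6") are ignored in this example.
dns_port_summary() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, p, "."); port = p[n]
            host = p[1] "." p[2] "." p[3] "." p[4]
            priv = (host ~ /^10\./ || host ~ /^192\.168\./ || host ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            count[(priv ? "local" : "wan") ":" port]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Packets to a WAN address on port 53: clear-text DNS leaving the router.
# With every default upstream on DoT/DoH this should be 0.
plain_wan_dns_count() {
    dns_port_summary "$1" | awk '$1 == "wan:53" { n = $2 } END { print n + 0 }'
}

# Packets to a WAN address on port 853 (DNS over TLS). Port 443 is deliberately
# not counted as "encrypted DNS": it may be DoH, but it may equally be any
# HTTPS traffic, so the port alone proves nothing about DNS.
dot_wan_count() {
    dns_port_summary "$1" | awk '$1 == "wan:853" { n = $2 } END { print n + 0 }'
}

dns_port_summary "$CAPTURE"
echo "clear-text DNS packets to WAN: $(plain_wan_dns_count "$CAPTURE")"
echo "DoT packets to WAN:            $(dot_wan_count "$CAPTURE")"
```

On the sample the summary shows one local port-53 packet (expected: that is a client using AGH), three DoT packets and one clear-text query to 8.8.8.8, which is exactly the case the upstream list is meant to rule out; on a real capture, a non-zero `wan:53` line is the thing to chase down.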
> Which one is the private key and cert used from DDNS letsencrypt? domain.asuscomm.com?

This part here, I got set up reusing the certificate and private key from the Asus DDNS "Let's Encrypt". I don't want to have to generate a separate certificate just for Adguard Home.
I found detailed instructions on how Adguard, Unbound, and DoT/DoH/DoQ are configured, but it's a little over my head:
OpenWrt AdGuard Home 101 ( UNBOUND ) - forums.torguard.net
> Got that covered.
> In my case, I just want to use DoT servers for upstream purposes. Not running anything locally.
> I guess that was a little confusing... the question asked "do you want SOME DNS traffic to only go through AGH"... I selected "no" in this case, wanting all traffic to go through AGH.
> In doing so, was that normal behavior, that the installer turned off my DoT setting on my WAN DNS page, and enabled the DNS Filter setting, selecting Router?
> What happens if I change my WAN DNS back to DoT enabled for Quad9? Would that bork AGH? When I install an update, would it just disable it again?
> Thanks for the link... I read through this whole thread, and didn't pick up on that. I will just comment it out for now and see if it has any adverse behaviors. I am not using any unqualified names locally.
> So I did have a DoT Cloudflare upstream server in my list... I gave it a try, and it did come back as DoT being enabled. Thanks!
> That's a lot of effort. LOL
> So I take it that the "Plain DNS" mentioned in the log is just a normal message then, even if DoT is working?
> Thanks for your help!

Yes, all of what you experienced is normal behavior, and you will only experience it running the installer. Stubby is initially turned off when you launch into the main menu. This is by design, to prevent any listening address issues that might arise in the future. For example, try running DoT on AdGuardHome and Stubby at the same time. Let me know if it works. While you may have the intentions of using your setup your own way, I have to factor in the what-if during install time, lest everyone reports issues to me because they didn't realize they left Stubby on, or they didn't realize they forgot to clear DHCP 1, thus their DNS requests are going around adguardhome instead of using adguardhome.
> If you tell it No, that you do not want to redirect DNS (in the first question), the normal behavior is to turn off DNSFilter.
> If you tell it Yes, that you do want to redirect DNS (in the first question), the normal behavior is to turn on DNSFilter.
> If you answer No (in the second question), you are effectively telling it to clear all your custom DNS filter rules while setting DNSFilter global to Router.
> If you answer Yes (to the second question), you are effectively telling it to leave your custom settings alone, while only changing DNSFilter global to Router.
> I feel as though I am being as clear as I can be without reinventing the wheel on these matters.

Thanks so much for the further detail on this! I appreciate it very much, and it helps further my understanding of its behavior in relation to the DNSfilter and DoT.
> How have you guys solved the local NTP updating after a reboot when using AdGuard Home and Unbound with DoT enabled in AdGuard Home?
> After a reboot it takes ~6 minutes for AdGuard Home to start and Unbound does not follow, thanks to this NTP issue. Unbound wants NTP to start and NTP can't sync because Unbound does not start. It's a stupid loop.

What version of the installer are you using? Also, make sure you have your NTP servers in Unbound listed as insecure so it is not trying to run DNSSEC on them. Here is an example. Unbound could be waiting for NTP for DNSSEC, but unable to resolve because it needs accurate time to perform DNSSEC; it could be failing to resolve the domains associated with NTP servers because it is waiting for accurate time. Thus we have to tell it the time servers are insecure so it is not attempting to perform lookups with DNSSEC on them.
Code:
# Fix NTP (these lines go inside the server: clause of unbound.conf)
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"
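The bootstrap loop described above (DNSSEC needs correct time, time sync needs a DNS answer) is only broken if every NTP host the router actually uses is covered by a `domain-insecure:` line, and `domain-insecure:` switches off validation for exactly those names, so the list should stay limited to the time servers. The following is an added example, not part of the thread or the installer: a POSIX shell/awk check that compares the `domain-insecure:` entries in an Unbound configuration against a list of NTP hostnames and prints the hosts still missing, plus the lines to append. Both the configuration text and the NTP host list are constructed samples; the Unbound file path in the comment and the nvram variable name for the router's NTP setting are assumptions to verify on your own system.

```shell
#!/bin/sh
# Added example (not from the thread or the installer): check that every NTP
# server the router uses has a matching "domain-insecure:" line in Unbound's
# configuration, so validation cannot block the time sync that DNSSEC itself
# depends on.
#
# Both inputs are constructed. On a real router you would read the file (e.g.
# /opt/var/lib/unbound/unbound.conf on an Entware install, an assumption) and
# the configured time server from the firmware, on Asuswrt typically
# "nvram get ntp_server0" (variable name to verify on your firmware).
UNBOUND_CONF='server:
    verbosity: 1
    # Fix NTP
    domain-insecure: "time1.google.com"
    domain-insecure: "time2.google.com"
    domain-insecure: "time3.google.com"
    domain-insecure: "time4.google.com"'

# Constructed: one host that is covered and one that is not.
NTP_SERVERS='time1.google.com pool.ntp.org'

# Print the names already marked insecure, one per line, lower-cased and with
# the surrounding quotes removed.
insecure_domains() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*domain-insecure:/ {
            v = $2; gsub(/"/, "", v); print tolower(v)
        }'
}

# Print each NTP host (case-insensitive match) that has no domain-insecure
# entry; prints nothing when every host is covered.
missing_insecure() {
    conf="$1"; hosts="$2"
    for h in $hosts; do
        insecure_domains "$conf" | grep -qxF "$(printf '%s' "$h" | tr 'A-Z' 'a-z')" \
            || printf '%s\n' "$h"
    done
}

# Emit the lines to add to the server: clause for the uncovered hosts only,
# so that validation stays enabled for everything else.
suggested_lines() {
    missing_insecure "$1" "$2" | awk '{ printf "    domain-insecure: \"%s\"\n", $1 }'
}

echo "NTP hosts without a domain-insecure line:"
missing_insecure "$UNBOUND_CONF" "$NTP_SERVERS"
echo "lines to append to the server: clause:"
suggested_lines "$UNBOUND_CONF" "$NTP_SERVERS"
```

With the sample inputs the check reports `pool.ntp.org` as uncovered and suggests the single `domain-insecure: "pool.ntp.org"` line; a run on the real configuration that prints nothing means the NTP side of the loop is already handled and the remaining delay has another cause.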
> I wonder if anyone has had a chance to try and get Adguard to work with YazFi Guest?
> No matter what I point the DNS entry to, I get 'no internet'. Works fine when Adguard is uninstalled.
> I've tried using the router guest IP as the DNS, tried the router LAN IP, tried outside DNS servers. Nothing seems to work.

So say, for example, you're using 192.168.7.0/24 as your address subnet for guest clients. You need to put 192.168.7.1 in the DNS server slot and tell YazFi to enforce the DNS. For example:
> So say, for example, you're using 192.168.7.0/24 as your address subnet for guest clients. You need to put 192.168.7.1 in the DNS server slot and tell YazFi to enforce the DNS. For example:

You're too quick.
> You're too quick.
> It's a problem with my VPN setup (I was redirecting to VPN, which doesn't work).
> Once I disabled the redirect to VPN I got connected.

You probably need to establish a rule that says addresses specifically from 192.168.7.1 (if that is the address for DNS) travel via the WAN. Allow all other traffic after from that subnet to travel the VPN. Or you will have to specifically define the DNS server of your VPN inside AdguardHome, or you need to specify a route that establishes 192.168.7.1 must go via the VPN if you want it tunneled.
> You probably need to establish a rule that says addresses specifically from 192.168.7.1 (if that is the address for DNS) travel via the WAN. Allow all other traffic after from that subnet to travel the VPN.

I had that; my VPN Director rules seem to have broken. I'm testing right now to see if I can get the VPN rules back and then turn the redirection back on to see what happens.
> Refresh your browser and re-read the post because I added more possibilities to try.

Routing through VPN works, YazFi directing to VPN and using the router as DNS works, BUT, I'm getting ads.
> Routing through VPN works, YazFi directing to VPN and using the router as DNS works, BUT, I'm getting ads.
> I.E. I pick an app, open it, there are ads. I close the app, I switch to the LAN network, no ads.
> I'll do a reboot and do some more testing.

Can you screenshot the settings that allow you to use AdGuardHome, but no ads? Also, you probably have to tell the VPN server to Advertise No DNS, otherwise you could be using both the DNS of AdguardHome and the VPN server.
> Can you screenshot the settings that allow you to use AdGuardHome, but no ads?

The LAN network works consistently (it's the default rule in VPN Director).
> The LAN network works consistently (it's the default rule in VPN Director).
> The settings I screenshot above are unchanged.
> What I'm wondering is if I need to change any interface settings in AdGuard itself for the 192.168.6.0/24 network.

I am pretty sure what is happening is your VPN is using its DNS alongside AdGuardHome. So you are not seeing the blocks of AdGuardHome, because the lookups of clients are going to both AdGuardHome and the VPN. Tell the VPN to not advertise itself as DNS. Set Accept DNS configuration to disabled.
> That was it!

The VPN DNS server rules, I am pretty sure, were maybe even adding iptables rules which made your clients circumvent using AdGuardHome for DNS, especially if they came before the ones for the YazFi guest networks, but I am not too sure about this aspect. But at least I was correct that clients were using the VPN server's DNS instead of AdGuardHome.