Adguard Home - "disable" bootstrap DNS Servers for 100% encrypted DNS via 443 / 853

[breathless]

I have Adguard Home setup on my Asus RT-AX88U.

Here is my upstream server config:

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DoT
sdns://AwcAAAAAAAAABzEuMS4xLjEAFmNsb3VkZmxhcmUtZG5zLmNvbTo4NTM
sdns://AwcAAAAAAAAABzEuMC4wLjEAFmNsb3VkZmxhcmUtZG5zLmNvbTo4NTM
#DoH
sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5
#DoQ
quic://94.140.14.140

I read that if you use DNSCrypt dns stamps with the appropriate hostname / ip / port, you can negate the need to use the Bootstrap servers at all and thus eliminate the Plain DNS requests that occur outside the WAN. So I added cloudflare 1.1.1.1 and 1.0.0.1 to the DoT section as SDNS and 1.1.1.1 to the DoH section as SDNS and they seem to be working according to Adguard Home test, and cloudflare's https://1.1.1.1/help tool

Basically, I want all DNS requests outside my WAN to be encrypted, with no port 53 traffic. I want all DNS requests outside my wan to be encrypted through port 443 / 853, so that when I check my query log, I don't have a billion Plain DNS requests (I know requests within my LAN will still be plain).

When I remove the bootstrap servers and save, they automatically get added back to defaults. Any way to disable the bootstrap entirely, or is there an easier way to do what I'm trying to do?

Thanks!

 

[oOMrYairOo]

how much ram sucking adguard home on ax88u?

 

[breathless]

how much ram sucking adguard home on ax88u?

My Ram usage at idle is 97%, but it was also like that before Adguard. How can I parse the ram usage to see what is using what?

Idle CPU usage is basically nothing

 

[Tech9]

My Ram usage at idle is 97%

You have USB attached storage with Samba.

how much ram sucking adguard home on ax88u?

Last time I've tested it on similar hardware RT-AX86U the router had about 400MB RAM available (or about 60% usage) with AdGuard Home installed and TrendMicro components running. It jumps to 97% when you have Samba active - the RAM is used for buffers. What is using RAM info - top in ssh.

 

[breathless]

I've disabled the USB drive SAMBA and Media Server (FTP is also disabled) and the RAM usage remains exactly the same even after a reboot. The "top" command doesn't seem to show mem usage per process, unless thats what the VSZ is... in which case its Adguard Home causing the high mem usage.

I was able to add the following as my bootstrap servers and the setting stayed:

tls://1.1.1.1:853
tls://1.0.0.1:853


How can I test this to see if the only dns requests outside of my LAN are via HTTPS or TLS? Below is the result of a "DNS Leak Test" website. It seems that my requests are "processed" as TLS, but the request is going out as a mixture of Plain and HTTPS:

It would be nice to have a "strict" setting in the Adguard interface like the Asus router firmware does for TLS to be able to troubleshoot this.

I'm also curious why DNSSEC only occasionally works even though the setting is checked...

 

[Tech9]

I've disabled the USB drive SAMBA and Media Server (FTP is also disabled) and the RAM usage remains exactly the same even after a reboot.

How big is the blocklist you are using in AdGuard Home? I was testing with built-in AdGuard blocklists - both advertisement and all security, 9x lists all together. I believe it was about 200K entries total. If you have entries in millions - your router is not the right hardware to run AdGuard Home on. There is quite a difference between running it on the router and on something better. I did both tests on AX86U and on mini-ITX quad-core x86 2.2GHz with 8GB RAM and SSD drive running Ubuntu server. Guess which installation was flying and which one was dragging. Not only the interface was much smoother on the x86 hardware, but also the response time was lower. I mean... you have to fit in your limited router hardware somehow.

How can I test this to see if the only dns requests outside of my LAN are via HTTPS or TLS?

See the ? in circle icon? Click on it for more information. Or mouse over... I don't have it running at the moment.

 

[breathless]

Fair point, I had every single filter enabled. However, I disabled every single filter to test and the RAM usage stays at 97%

Doesn't the question mark you referenced show you which upstream server eventually handled the request (the response)? Those show the TLS / HTTPS servers properly in my case, but the outgoing request showing in the crossed out eye symbol on the left shows whether the request was encrypted or not "on its way out"...? Isn't that more relevant whether that says Plain or HTTPS / TLS assuming that its not a request that is within LAN?

 

[Tech9]

I disabled every single filter to test and the RAM usage stays at 97%

You have something else running on this router. The screenshot above shows about 130MB used as cache.

Doesn't the question mark you referenced show you which upstream server eventually handled the request (the response)?

Yes, but it also shows the port used - 443 for DoH and 853 for DoT. You don't need to use both at the same time.

 

[Gary_Dexter]

I'm also curious why DNSSEC only occasionally works even though the setting is checked...

The site/domain has to support it as well

 

[breathless]

You have something else running on this router. The screenshot above shows about 130MB used as cache.

All I have on the router is as shown, other than Unbound, which I just installed last night (to no effect on memory that I can tell). For troubleshooting I've disabled Skynet and temporarily disabled Adguard Home. After disabling Adguard, the memory usage dropped to 800mb used, which is still a lot.

Any idea how I can get more granular information about memory usage? Using the "top" command doesn't show or seemingly allow the showing of memory usage in the same way that it allows under typical usage


For instance, I can't use the following command to get more info: top -o %MEM

It tells me the usage is wrong, and I drop the -o and it still tells me the usage is wrong - this time the % is wrong. Obviously I just don't know how to use it...

 

[Gary_Dexter]

View attachment 48474

All I have on the router is as shown, other than Unbound, which I just installed last night (to no effect on memory that I can tell). For troubleshooting I've disabled Skynet and temporarily disabled Adguard Home. After disabling Adguard, the memory usage dropped to 800mb used, which is still a lot.

Any idea how I can get more granular information about memory usage? Using the "top" command doesn't show or seemingly allow the showing of memory usage in the same way that it allows under typical usage


For instance, I can't use the following command to get more info: top -o %MEM

AGH uses a lot of RAM if you have a lot of blocklists or a large number of blocked hosts.

 

[Tech9]

Any idea how I can get more granular information about memory usage?

I'm sorry @breathless, but I look at installations like this as temporary. When I was testing AdGuard Home on AX86U I was using SanDisk Ultra Flair USB stick and the poor thing collecting heat from the router plus generating own heated up to 62C and almost burned my fingers. Your setup is as reliable as your USB stick. You can solve the memory "issue", but you have more reliability related issues to solve.

 

[breathless]

According to everything that I've read, the maxed out memory thing is not really a concern due to a good portion of it being cache, etc.

Here is my updated config (I'm currently experimenting with Unbound):

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
127.0.0.1:5653
tcp://127.0.0.1:5653

Question.... What does removing tcp://127.0.0.1:5653 from that list do? Do those tcp requests go out anyway except they are not filtered through / bypass Adguard Home & Unbound?

 

[PrivatePerson]

To check free memory you can use "free".
But I don't understand the relation between free memory and dns encryption?

 

[breathless]

To check free memory you can use "free".
But I don't understand the relation between free memory and dns encryption?

No relation, it was just a question I was asked in response to my original post.