AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

[Khadanja]

You're right, but my FQDN is "ad.localdomain" (I wasn't very inspired, I put the first thing I thought of that would make people think "local")
I think it's respecting the rules

What have you got it Private reverse DNS servers?

 

[Wishmaster1965]

I am seeing something strange with Adguard. I uninstalled it and re-installed again but its been running for around 3 hours but when I go to query log, the latest logs on show from around 2.5 hours ago.

Its setup as the only DNS provider in my LAN but not as a caching server.

Tried restarting but still no updated logs. Its bizarre.

I get 100% on https://d3ward.github.io/toolz/adblock.html so I know its working.

 

[saison2023]

What have you got it Private reverse DNS servers?

Thanks for your help and sorry for replying late, things are a little bit complicated here.

Here is what I have in "Private reverse DNS servers" in "DNS settings" configuration page:

• [::]:553
• [/10.in-addr.arpa/][::]:553
• [/16.172.in-addr.arpa/][::]:553
• [/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

 

[saison2023]

I am seeing something strange with Adguard. I uninstalled it and re-installed again but its been running for around 3 hours but when I go to query log, the latest logs on show from around 2.5 hours ago.

Its setup as the only DNS provider in my LAN but not as a caching server.

Tried restarting but still no updated logs. Its bizarre.

I get 100% on https://d3ward.github.io/toolz/adblock.html so I know its working.

How are you able to get 100%?
I only get 93%, which is still very good.
I failed on:

• Cosmetic Filter
• Ad Scripts Loading
• Error Trackers - Sentry - browser.sentry-cdn.com

I would love to know how you achieve this perfect score.

 

[SomeWhereOverTheRainBow]

How are you able to get 100%?
I only get 93%, which is still very good.
I failed on:

• Cosmetic Filter
• Ad Scripts Loading
• Error Trackers - Sentry - browser.sentry-cdn.com

I would love to know how you achieve this perfect score.

he probably has an additional web browser filter.

 

[saison2023]

he probably has an additional web browser filter.

I agree and maybe the test wasn't done in a Private/Incognito tab, without any extensions (those related to Ads blocking in particular).

But I am still curious because even with a "normal" browser tab, with extensions, I only get 97%.
Was never been able to reach 100%.

i would like to learn something new (if this is the case)

 

[Wishmaster1965]

Giving Up with ADGaurd thats 5 times is has not been updating the query page.

Initially it works great but then it does this. So switching back to Diversion

 

[Wishmaster1965]

I get 99% on that site with Diversion and DNS Director set to https://dandelionsprout.asuscomm.com:2501/dns-query for my PC

 

[PrivatePerson]

Please lay out a list of filters with which you get 99-100%

 

[Kyjiep]

Please lay out a list of filters with which you get 99-100%

I checked on three browsers on my PC - Edge, Chrome and Firefox with extensions disabled. https://d3ward.github.io/toolz/adblock.html showed 99% for everyone. In the AGH only the built-in AdGuard DNS filter and AdAway Default Blocklist is on. And i have https://dns.quad9.net/dns-query written as an upstream DNS server in my AGH. Also, I don't know if this matters, but I have AiProtection enabled on my router.

 

[Khadanja]

Thanks for your help and sorry for replying late, things are a little bit complicated here.

Here is what I have in "Private reverse DNS servers" in "DNS settings" configuration page:

• [::]:553
• [/10.in-addr.arpa/][::]:553
• [/16.172.in-addr.arpa/][::]:553
• [/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

Can you share screenshot of your DNS Settings page, preferably full page? Also try running nslookup -debug IP, replace IP with one of the device IP's.

 

[saison2023]

Can you share screenshot of your DNS Settings page, preferably full page? Also try running nslookup -debug IP, replace IP with one of the device IP's.

Thanks again to help me, please see attached files (screenshot, and result of "NSLOOKUP -debug" on IP and FQDN)

Note: Screenshot can be saved locally and zoomed. I copied/pasted config and separated it using "Spoilers" to shrink message lenght.

Spoiler: DNS settings - Upstream DNS servers

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[/ad.localdomain/]172.16.1.1
[//][::]:553
#DNS-over-TLS
tls://dns.adguard-dns.com
tls://dot.libredns.gr
tls://dns.google.com
#DNS-over-HTTPS

https://dns.adguard-dns.com/dns-query

https://doh.libredns.gr/ads

https://dns.google/dns-query

#DNS-over-QUIC
quic://dns.adguard-dns.com
quic://ibksturm.synology.me
#IP
94.140.14.14
94.140.15.15
tcp://94.140.14.14
tcp://94.140.15.15
88.198.92.222
tcp://88.198.92.222
8.8.8.8
8.8.4.4
tcp://8.8.8.8
tcp://8.8.4.4

Parallel Requests - ON

Fallback DNS servers - None/Empty

Bootstrap DNS servers
1.1.1.1
8.8.8.8

Private reverse DNS servers
[::]:553
[/10.in-addr.arpa/][::]:553
[/16.172.in-addr.arpa/][::]:553
[/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

Use private reverse DNS resolvers - On

Enable reverse resolving of clients'ip addresses - On

Spoiler: DNS settings - DNS server configuration

Rate limit - 20

Enable EDNS client subnet - No

Enable DNSSEC - Yes

Blocking mode - Default

Blocked response TTL - 10

Spoiler: DNS settings - DNS cache configuration

Cache size - 2097152

Override minimum TTL - 1200

Override maximum TTL - 14400

Optimistic caching - Yes

Spoiler: DNS settings - Access settings

Allowed clients - None/Empty

Disallowed clients - None/Empty

Disallowed domains - version.bind, id.server, hostname.bind

 

[L&LD]

That screenshot is not legible.

Try a copy/paste into a 'code' box like the example below.

This is a 'code' example.

 

[saison2023]

That screenshot is not legible.

Try a copy/paste into a 'code' box like the example below.

This is a 'code' example.

Thanks for letting me know.
I am going to update my previous post.

 

[Khadanja]

Thanks again to help me, please see attached files (screenshot, and result of "NSLOOKUP -debug" on IP and FQDN)

Note: Screenshot can be saved locally and zoomed. I copied/pasted config and separated it using "Spoilers" to shrink message lenght.

Spoiler: DNS settings - Upstream DNS servers

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[/ad.localdomain/]172.16.1.1
[//][::]:553
#DNS-over-TLS
tls://dns.adguard-dns.com
tls://dot.libredns.gr
tls://dns.google.com
#DNS-over-HTTPS

https://dns.adguard-dns.com/dns-query

https://doh.libredns.gr/ads

https://dns.google/dns-query

#DNS-over-QUIC
quic://dns.adguard-dns.com
quic://ibksturm.synology.me
#IP
94.140.14.14
94.140.15.15
tcp://94.140.14.14
tcp://94.140.15.15
88.198.92.222
tcp://88.198.92.222
8.8.8.8
8.8.4.4
tcp://8.8.8.8
tcp://8.8.4.4

Parallel Requests - ON

Fallback DNS servers - None/Empty

Bootstrap DNS servers
1.1.1.1
8.8.8.8

Private reverse DNS servers
[::]:553
[/10.in-addr.arpa/][::]:553
[/16.172.in-addr.arpa/][::]:553
[/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

Use private reverse DNS resolvers - On

Enable reverse resolving of clients'ip addresses - On

Spoiler: DNS settings - DNS server configuration

Rate limit - 20

Enable EDNS client subnet - No

Enable DNSSEC - Yes

Blocking mode - Default

Blocked response TTL - 10

Spoiler: DNS settings - DNS cache configuration

Cache size - 2097152

Override minimum TTL - 1200

Override maximum TTL - 14400

Optimistic caching - Yes

Spoiler: DNS settings - Access settings

Allowed clients - None/Empty

Disallowed clients - None/Empty

Disallowed domains - version.bind, id.server, hostname.bind

Can you compare your/etc/dnsmasq.conf with & without AgH disabled? Maybe paste both here if possible.

 

[TheLyppardMan]

It has been suggested on another recent thread of mine that if I wanted to use AdGuard on my router, the best way would be to install the script on amtm. If I decide to give it a go, I need to make sure I don't mess things up, so my question from the other thread is, "Is there a simple beginners' guide about how to set it up and also, how to return things to how they were before installation (in the event of a change of mind about using it)? Also, if I understand correctly, the 128GB Samsung flash drive that I currently have connected to my router would not be suitable for running AdGuard - is that correct?" Currently, I am using Cloudflare as my DNS resolver. I have all my network devices on static IPs to enable me to backup them and any custom icons using YazDHCP. I also have one guest network set up on the 2.4 GHz band for my Honeywell Evohome radiator themostats controller and I have WireGuard VPN server with one client active and another to be added soon. DNS Director is switched on and the global setting is set to "router". I'm not sure how much of this is relevant, but I thought I ought to mention it, just in case.

 

[SomeWhereOverTheRainBow]

It has been suggested on another recent thread of mine that if I wanted to use AdGuard on my router, the best way would be to install the script on amtm. If I decide to give it a go, I need to make sure I don't mess things up, so my question from the other thread is, "Is there a simple beginners' guide about how to set it up and also, how to return things to how they were before installation (in the event of a change of mind about using it)? Also, if I understand correctly, the 128GB Samsung flash drive that I currently have connected to my router would not be suitable for running AdGuard - is that correct?" Currently, I am using Cloudflare as my DNS resolver. I have all my network devices on static IPs to enable me to backup them and any custom icons using YazDHCP. I also have one guest network set up on the 2.4 GHz band for my Honeywell Evohome radiator themostats controller and I have WireGuard VPN server with one client active and another to be added soon. DNS Director is switched on and the global setting is set to "router". I'm not sure how much of this is relevant, but I thought I ought to mention it, just in case.

If you are happy with the way things are, and are not ready to get your feet wet, then I would tell you to leave things the way you have it. There are no special consideration scenarios that have been accounted for when it comes to using WireGuard. You would be adventuring in untested waters in this regard. You have to know how to configure it for adjacency to your setup. Some people have "played" with adapting it to their wireguard setups, but I am not one of those people unfortunately. As for "setting it up", all considerations have been made for the "typical" router dns service scenario. Once you install AdGuardHome, you would only need to configure your DNS settings from the AdGuardHome WebUI (no longer configure settings from the routers DNS Gui). Your YazDHCP will remain the same with all its ICONS and static leases. The only thing you should need to do after First install is selecting which block lists you desire and choosing what DNS upstream providers you would like to use in AdGuardHome webui. You may see some default entries inside the AdGuardHome Upstream section that look like this.

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553

You would want to leave those alone because they are configured to your Routers local network request for identifying your network clients.

You would add what dns servers you want to use below this.

example,

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DNS-over-TLS
tls://dns.adguard-dns.com
tls://dot.libredns.gr
tls://dns.google.com
#DNS-over-HTTPS
https://dns.adguard-dns.com/dns-query
https://doh.libredns.gr/ads
https://dns.google/dns-query
#DNS-over-QUIC
quic://dns.adguard-dns.com

Obviously since you have been using cloudflare, you may want to change those encrypted addresses to cloudflare ones.

 

[L&LD]

Before you do anything, follow the steps in the link below. If things go south, then simply do a full reset, then restore the backup you made (today). This will get you back to where you are now, in the shortest possible time frame.

Is it a good idea to keep up with Firmware updates?

I have had issues in the past when updating firmware and Internet speed, But it may have just been a fluke, Should I keep up with the updates? If so On all routers or the nodes as well? What about ones acting as access points? Thanks

www.snbforums.com

 

[saison2023]

Can you compare your/etc/dnsmasq.conf with & without AgH disabled? Maybe paste both here if possible.

I really hope "AgH disabled" means protection disabled and not to remove AgH.
Here is the content of /etc/dnsmasq.conf

Spoiler: AgH Enabled

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=ad.localdomain
expand-hosts
bogus-priv
domain-needed
local=/ad.localdomain/
dhcp-range=lan,172.16.1.100,172.16.1.250,255.255.255.0,86400s
dhcp-option=lan,3,172.16.1.1
dhcp-option=lan,15,ad.localdomain
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-host=00:1B:21:46:0C:1E,set:00:1B:21:46:0C:1E,N4200ECO,172.16.1.4
quiet-dhcp
quiet-dhcp6
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
stop-dns-rebind
rebind-domain-ok=dns.msftncsi.com
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
ipset=/iplists.firehol.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/raw.githubusercontent.com/astrill.com/strongpath.net/snbforums.com/bin.entware.net/nwsrv-ns1.asus.com/time.chu.nrc.ca/ca.pool.ntp.org/Skynet-WhitelistDomains # Skynet
port=553
local=/16.172.in-addr.arpa/
local=/10.in-addr.arpa/
local=//
dhcp-option=lan,6,0.0.0.0
dhcp-option=br1,6,192.168.101.1
dhcp-option=br2,6,192.168.102.1

Spoiler: AgH disabled

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=ad.localdomain
expand-hosts
bogus-priv
domain-needed
local=/ad.localdomain/
dhcp-range=lan,172.16.1.100,172.16.1.250,255.255.255.0,86400s
dhcp-option=lan,3,172.16.1.1
dhcp-option=lan,15,ad.localdomain
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-host=00:1B:21:46:0C:1E,set:00:1B:21:46:0C:1E,N4200ECO,172.16.1.4
quiet-dhcp
quiet-dhcp6
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
stop-dns-rebind
rebind-domain-ok=dns.msftncsi.com
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
ipset=/iplists.firehol.org/ipdeny.com/ipapi.co/api.db-ip.com/api.bgpview.io/asn.ipinfo.app/speedguide.net/otx.alienvault.com/github.com/raw.githubusercontent.com/astrill.com/strongpath.net/snbforums.com/bin.entware.net/nwsrv-ns1.asus.com/time.chu.nrc.ca/ca.pool.ntp.org/Skynet-WhitelistDomains # Skynet
port=553
local=/16.172.in-addr.arpa/
local=/10.in-addr.arpa/
local=//
dhcp-option=lan,6,0.0.0.0
dhcp-option=br1,6,192.168.101.1
dhcp-option=br2,6,192.168.102.1

I can't see any difference, but maybe you have better eyes (and a better brain) than mine

 

[SomeWhereOverTheRainBow]

Thanks again to help me, please see attached files (screenshot, and result of "NSLOOKUP -debug" on IP and FQDN)

Note: Screenshot can be saved locally and zoomed. I copied/pasted config and separated it using "Spoilers" to shrink message lenght.

Spoiler: DNS settings - Upstream DNS servers

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[/ad.localdomain/]172.16.1.1
[//][::]:553
#DNS-over-TLS
tls://dns.adguard-dns.com
tls://dot.libredns.gr
tls://dns.google.com
#DNS-over-HTTPS

https://dns.adguard-dns.com/dns-query

https://doh.libredns.gr/ads

https://dns.google/dns-query

#DNS-over-QUIC
quic://dns.adguard-dns.com
quic://ibksturm.synology.me
#IP
94.140.14.14
94.140.15.15
tcp://94.140.14.14
tcp://94.140.15.15
88.198.92.222
tcp://88.198.92.222
8.8.8.8
8.8.4.4
tcp://8.8.8.8
tcp://8.8.4.4

Parallel Requests - ON

Fallback DNS servers - None/Empty

Bootstrap DNS servers
1.1.1.1
8.8.8.8

Private reverse DNS servers
[::]:553
[/10.in-addr.arpa/][::]:553
[/16.172.in-addr.arpa/][::]:553
[/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

Use private reverse DNS resolvers - On

Enable reverse resolving of clients'ip addresses - On

Spoiler: DNS settings - DNS server configuration

Rate limit - 20

Enable EDNS client subnet - No

Enable DNSSEC - Yes

Blocking mode - Default

Blocked response TTL - 10

Spoiler: DNS settings - DNS cache configuration

Cache size - 2097152

Override minimum TTL - 1200

Override maximum TTL - 14400

Optimistic caching - Yes

Spoiler: DNS settings - Access settings

Allowed clients - None/Empty

Disallowed clients - None/Empty

Disallowed domains - version.bind, id.server, hostname.bind

You should try changing

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[/ad.localdomain/]172.16.1.1
[//][::]:553

of your upstream to.

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[/ad.localdomain/][::]:553
[//][::]:553

should solve your issue.

And your Private reverse DNS servers section should be :

[::]:553
[/10.in-addr.arpa/][::]:553
[/16.172.in-addr.arpa/][::]:553

not

Private reverse DNS servers
[::]:553
[/10.in-addr.arpa/][::]:553
[/16.172.in-addr.arpa/][::]:553
[/1.16.172.in-addr.arpa/][::]:553 => This was a test, without success

[/16.172.in-addr.arpa/][::]:553 already covers [/1.16.172.in-addr.arpa/][::]:553 that is why your test for it failed. It is like having a duplicate entry.