Correct DNS settings to use AdGuard Home

tnpapa

Regular Contributor
I am running AdGuard Home on one of my machines and I want to make sure that all DNS requests go thru AdGuard. These are the settings I did. It seems to be working properly but I want to double check. Router WAN points to the local machine running AdGuard for IPv4 and IPv6. DNS Director set to Router. I did not turn on local caching in the router since there is a similar setting in AdGuard, or would turning that on also be a good idea?

[Three screenshots of the router settings, 2023-06-17]
 
Well something is not right about this. DNS is working but the system logs are showing most lookups result in a possible DNS rebind attack.
 
Because you're attempting to point your wan DNS to the LAN. Leave your WAN DNS as automatic, it will only be used by the router for a few admin things. Set the LAN DHCP to hand out your Adguard IP to clients and make sure "advertise router" is unchecked. DNS director I don't think will work in this case (redirect to a LAN server), you can try it, but most likely you'll just have to set it to block all DNS requests not coming from your Adguard box so if someone does change their DNS manually it won't work.
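The "possible DNS rebind attack" log lines come from the router's resolver refusing upstream answers that carry private addresses, which is exactly what an AdGuard Home instance with DNS Rewrites for local names hands back when the router's WAN DNS points at it. The following is an added illustration, not code from the thread or from the router firmware; it mirrors my understanding of dnsmasq's stop-dns-rebind check (the ranges listed and the rebind_domain_ok whitelist are assumptions about that behaviour) and runs over constructed sample answers.

```python
import ipaddress

# Address ranges a rebind-protecting resolver refuses to accept from upstream.
# This list is my reading of dnsmasq's stop-dns-rebind behaviour (assumption),
# not copied from the Asus firmware.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_address(addr: str) -> bool:
    """True if an upstream answer carrying this address would be rejected."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REBIND_BLOCKED)


def filter_upstream_answers(answers, rebind_domain_ok=()):
    """Split (qname, address) answers into (accepted, rejected) lists.

    rebind_domain_ok mimics dnsmasq's rebind-domain-ok whitelist: names at or
    under a listed suffix may resolve to private addresses without being flagged.
    """
    accepted, rejected = [], []
    for qname, addr in answers:
        name = qname.rstrip(".").lower()
        whitelisted = any(name == d or name.endswith("." + d) for d in rebind_domain_ok)
        if is_rebind_address(addr) and not whitelisted:
            rejected.append((qname, addr))
        else:
            accepted.append((qname, addr))
    return accepted, rejected


# Constructed sample: what the router sees when its WAN resolver is an AdGuard
# Home box that rewrites local names to LAN addresses.
SAMPLE_ANSWERS = [
    ("nas.home", "192.168.1.200"),      # AdGuard DNS Rewrite -> private address
    ("printer.home", "192.168.1.50"),   # another rewrite
    ("example.test", "203.0.113.10"),   # ordinary public answer (TEST-NET-3)
    ("localhost.", "127.0.0.1"),
]

if __name__ == "__main__":
    ok, flagged = filter_upstream_answers(SAMPLE_ANSWERS)
    for qname, addr in flagged:
        print(f"possible DNS-rebind attack detected: {qname} -> {addr}")
    ok2, flagged2 = filter_upstream_answers(SAMPLE_ANSWERS, rebind_domain_ok=("home",))
    print(f"with 'home' whitelisted: {len(flagged2)} answer(s) still rejected")
```

Every rewrite to a LAN address is rejected unless its domain is whitelisted, which is why the two choices in this thread are either to keep the WAN resolver at automatic or to relax rebind protection for the local domain.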
 
Ok, so I set the IPv4 and V6 settings to those of the Adguard Server. So far so good, but you are right if I turn on DNS director DNS lookups fail.
[Screenshot of the updated settings, 2023-06-17]
 
DNS director is of limited value since any browser or client that supports secure DNS can override it easily. There are blacklists available for common DNS servers to block their IPs completely, and can be installed into Merlin, so that is an option which will kill 2 birds with 1 stone.

If you don't want to go that far just set DNS director to a dummy IP like 254.254.254.254 so clients not using secure DNS that attempt to lookup to the WAN will blackhole. Obviously you'll need to set a rule for your Adguard box to be able to get out though, if it isn't using DOT or DOH.
 
- LAN DNS to your AdGuard
- WAN DNS to your AdGuard
- DNS Director to Router
- AdGuard running device with No Filtering
- DNS Rewrites in AdGuard for local domains
- Private reverse DNS in AdGuard so it sees the client names

Don't change anything else. Disable IPv6 if you don't need it.

[Screenshot of the suggested settings]
 
I was hoping to send all my iot devices thru adguard to filter any bad stuff out.
 
If you filter something they need - they will stop working. You brought them home. They didn't come uninvited.

 
If it is just IOT devices then handing them your adguard IP via DHCP settings is sufficient. If they are doing something malicious, all they need to do is use secure DNS to bypass dns director/filter anyway. Honestly if you're concerned with them - many malware creators use hardcoded IPs in addition to hostnames (in case DNS doesn't work) so you should be looking at more robust protection like isolating them and letting them communicate to only stuff you want them to in order to work using firewall rules. DNS filtering is more for reducing ads or one (of several) layers of protection for kids. It is not really a security feature.
 
If I was running it on a Synology, would the setup be the same/similar?

- LAN DNS to your Synology??
- WAN DNS Automatic?
- DNS Director to Router (Do you put Synology IP in?)
 
Yes, example when running on separate device:

[Three screenshots of the router settings for this setup]
This way you have clients and router queries going through AdGuard Home running device.

Ubuntu Server and 192.168.168.90 IP is my external device running AdGuard Home with Unbound as resolver.
 
DNS director to Synology IP. If you put router then any client ignoring your DHCP DNS would use the router DNS instead of the synology.

You need to make an exception for the Synology in DNS director to allow it to get out or you'll just end up in a black hole loop.

As always, bear in mind any client configured to use secure DNS to an outside server will be able to bypass all your DNS stuff unless you install and regularly update a blacklist for known DNS servers.

@Tech9 suggests pointing the WAN DNS to your internal DNS - apparently this works (have never tried it) but as the other poster mentioned you probably need to disable DNS rebind protection in this case. However in reality leaving the WAN at automatic and setting DNS director to the IP of your synology is cleaner and will accomplish the same thing.
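The two points made in this reply and in the earlier one about the dummy 254.254.254.254 address (why the AdGuard/Synology box needs an exception, and why secure DNS clients are untouched) are easier to see with a small model of the DNS Director rule. This is an added example, not code from the thread or from the firmware: it treats DNS Director as a DNAT on outbound port-53 packets from the LAN with a per-client exception list, and all addresses in it are constructed.

```python
# Constructed addresses for the illustration (not taken from anyone's screenshots).
ROUTER_IP = "192.168.1.1"
ADGUARD_IP = "192.168.1.200"       # the AdGuard Home / Synology box
BLACKHOLE_IP = "254.254.254.254"   # the dummy address suggested earlier in the thread
UPSTREAM_IP = "203.0.113.53"       # an outside resolver a client or AdGuard may try


def dns_director(src_ip, dst_ip, dst_port, mode, exceptions=()):
    """Model of the DNS Director rule for one outbound packet from the LAN.

    mode: "off", "router", "adguard" (user-defined: AdGuard's IP) or
          "blackhole" (user-defined: dummy IP).
    exceptions: source IPs the rule leaves alone (the per-client exception).
    Returns (action, effective_destination).
    """
    if dst_port != 53:
        # Only classic port-53 DNS is caught; DoT (853) and DoH (443) pass untouched.
        return ("pass", dst_ip)
    if mode == "off" or src_ip in exceptions:
        return ("pass", dst_ip)
    target = {"router": ROUTER_IP, "adguard": ADGUARD_IP, "blackhole": BLACKHOLE_IP}[mode]
    if dst_ip == target:
        return ("pass", dst_ip)     # already headed to the right place
    return ("redirect", target)


def adguard_upstream_intercepted(mode, exceptions=()):
    """Does AdGuard's own plain-DNS upstream query get caught by the rule?

    In "adguard" mode that means the query is bounced back onto AdGuard itself
    (the black hole loop); in "blackhole" mode it simply disappears.
    """
    action, _dest = dns_director(ADGUARD_IP, UPSTREAM_IP, 53, mode, exceptions)
    return action == "redirect"


def audit(mode, exceptions=()):
    """Summarise what happens to a few representative LAN flows."""
    flows = {
        "obedient client -> AdGuard:53": ("192.168.1.20", ADGUARD_IP, 53),
        "client with manual DNS -> outside:53": ("192.168.1.21", UPSTREAM_IP, 53),
        "client using DoH -> outside:443": ("192.168.1.22", UPSTREAM_IP, 443),
        "AdGuard upstream -> outside:53": (ADGUARD_IP, UPSTREAM_IP, 53),
    }
    return {name: dns_director(s, d, p, mode, exceptions) for name, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for mode, exc in (("adguard", ()), ("adguard", (ADGUARD_IP,)), ("blackhole", (ADGUARD_IP,))):
        print(f"mode={mode} exceptions={exc}")
        for name, (action, dest) in audit(mode, exc).items():
            print(f"  {name:40s} {action:8s} -> {dest}")
```

Without the exception, the AdGuard box's own upstream lookups are redirected straight back to it (or into the dummy address), which is the loop described above; with the exception they pass, while the DoH flow on port 443 is never touched in any mode, which is the bypass the reply warns about.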
 
Thanks, so you would select the user-defined DNS and enter the Synology IP in the corresponding box?
 
See the screenshots of my test setup above.
 
Hello,
one thing is not clear to me with AdGuard Home. In asuswrt-merlin, for the "WAN DNS setting", should I enter the address of my router under "manual config"? (Not knowing, I chose a preconfigured DNS server instead.)
* And for LAN > "DNS and WINS server configuration", the address of my router?
Thank you!
 
Wan should be set to the DNS you want to use, Adguard in this case. You can choose the preconfigured one or put in different ones under custom.

LAN should be left blank.
 
Wan should be set to the DNS you want to use, Adguard in this case. You can choose the preconfigured one or put in different ones under custom.

LAN should be left blank.
Hello, so I have to copy the DNS addresses that AdGuard Home shows in its "installation guide" into the WAN DNS configuration, exactly like that? 127.0.0.1 and 127.0.1.1, or 192.168.1.200 (my router), or 190.xx.xxx.xx (public IP, DDNS recorded on the router)?
Thanks
 
Don't put anything in the WAN section. Leave that completely alone and at its defaults.

You put the IP address of the device with Adguard Home on it in the LAN section where it says DNS Server 1. If you have an IPv6 address for the device put that in the line that says IPv6 DNS Server. Turn off Advertise router's IP in addition to user-specified DNS. Now all devices on your network will get the IP of your Adguard server.

Do not turn on DNS Director or Adguard will fail.

This is the only proper way to configure this. Works perfectly.
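Whichever of the layouts in this thread you end up with, the thing to verify from a LAN client is where a plain port-53 query actually goes: does the AdGuard box answer, and does a query aimed directly at an outside resolver get intercepted, black-holed or let through? The script below is an added example, not from the thread or from AdGuard Home; it builds a raw DNS A query, parses the answer, and compares the result from AdGuard with the result from an outside resolver for a name that AdGuard rewrites to a LAN address. The addresses and the local name are assumptions to replace with your own, and the embedded response bytes are a constructed sample used only to exercise the parser offline.

```python
import ipaddress
import socket
import struct


def build_query(name, txid=0x1234):
    """Minimal DNS A query: RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name, return new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, two bytes total
            return off + 2
        off += 1 + length


def parse_a_answers(resp):
    """Return (rcode, [IPv4 strings]) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4        # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs


def query(server, name, timeout=2.0):
    """Send one UDP query to server:53; returns (rcode, addrs) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_answers(data)


def verdict(adguard_result, outside_result):
    """Classify what happened to a plain query sent past AdGuard to an outside resolver."""
    if adguard_result is None:
        return "adguard-unreachable"
    if outside_result is None:
        return "blackholed"                  # e.g. DNS Director pointed at a dummy IP
    if outside_result == adguard_result and adguard_result[1] and all(
        ipaddress.ip_address(a).is_private for a in adguard_result[1]
    ):
        return "intercepted"                 # the "outside" answer is AdGuard's own rewrite
    return "bypass-possible"                 # the query really reached the outside resolver


# Constructed sample response: nas.home -> 192.168.1.200, TTL 60, NOERROR.
SAMPLE_RESPONSE = bytes.fromhex(
    "123481800001000100000000"            # header: id 0x1234, flags 0x8180, 1 Q, 1 A
    "036e617304686f6d650000010001"        # question: nas.home A IN
    "c00c00010001"                        # answer: name pointer, type A, class IN
    "0000003c0004c0a801c8"                # TTL 60, RDLENGTH 4, 192.168.1.200
)

if __name__ == "__main__":
    ADGUARD = "192.168.1.200"   # assumed AdGuard Home address
    OUTSIDE = "203.0.113.53"    # an outside resolver you do NOT want clients to reach
    LOCAL_NAME = "nas.home"     # a name AdGuard rewrites to a LAN address
    print(verdict(query(ADGUARD, LOCAL_NAME), query(OUTSIDE, LOCAL_NAME)))
```

Run it from an ordinary LAN client, not from the AdGuard box. "intercepted" means the router redirected the stray query to AdGuard, "blackholed" means it was swallowed, and "bypass-possible" means a client with manually configured DNS can reach the outside resolver; this last check only covers plain port-53 DNS, so a client using DoH or DoT is, as several replies note, outside its reach.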
 
Wan should be set to the DNS you want to use, Adguard in this case. You can choose the preconfigured one or put in different ones under custom.

LAN should be left blank.
This is wrong, it tries to make the router's WAN interface point to a device on the LAN side. Will cause all kinds of problems. You are creating a loop.

The WAN DNS settings are just for the small amount of DNS needs for the router itself, not for the devices on the LAN side. Devices on the LAN side will take the DNS IP address of the info entered into the LAN settings.
 
If you have a dedicated Adguard server on your LAN then yes the setup is totally different.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top