Correct DNS settings to use AdGuard Home

[Morris]

Wow, so complicated everyone. Under WAN chose the assign button and select AddGuard

 

[tnpapa]

Adguard is not the same as Adguard Home.

 

[drinkingbird]

Adguard is not the same as Adguard Home.

yes, missed the "home" part - the poster should have a look at @Tech9 's post above in the thread as it gives exactly what they need.

Mostly the LAN DHCP hands out the IPs for the devices to use, but having the WAN point to it also along with DNS director/DNS Filter, ensures that if one of those devices tries to bypass, it still gets redirected back internal.

Of course if one of those devices uses DOT/DOH or VPN it can bypass everything.

 

[fatcatsurfer]

Hello, sorry for noob question, can u give me a tip about correct settings for AdGuard Home, I have one router from provider in (bridge mode) and one more Asus (merlin) with AdGuard Home (192.168.50.1)what should i write on LAN DNS 1/2 ? 192.168.50.1 or DNS server like (9.9.9.9 or 8.8.8.8 or similar)

 

[drinkingbird]

Hello, sorry for noob question, can u give me a tip about correct settings for ADHI have one router from provider in (bridge mode) and one more Asus (merlin) with ADH (192.168.50.1)what should i write on LAN DNS 1/2 ? 192.168.50.1 or DNS server like (9.9.9.9 or 8.8.8.8 or similar)

What is ADHI/ADH? If you want clients to use your router, leave LAN DNS blank.

WAN DNS should be whatever DNS server you want the router (and thus clients) to use.

If you have a DNS hosted on your LAN it can be different but I don't think you do based on above?

 

[pjd50]

I am having such a hard time figuring out what to do since there seems be conflicting information from @drinkingbird, @tnpapa, and @Tech9.

Are these the right steps?:

1. Assume AdGuard Home (not to be confused with AdGuard or Public AdGuard DNS Servers) is set-up on a Synology NAS with IP address 192.168.75.1

2. LAN > DHCP Server > "DNS and WINS Server Setting" > "DNS Server 1": 192.168.75.1

3. LAN > DNS Director (formerly known as DNSFilter) > Enable DNS Director > Global Redirection: should I set this as "Router" or "User Defined 1" > User Defined DNS1: 192.168.75.1 ?

4. LAN > Client List > Add Synology NAS by Mac Address > "No Redirection" > Add > Apply Settings

5. WAN > Internet Connection Tab > WAN DNS Setting > Assign > Manual Setting > 192.168.75.1

 

[pjd50]

- LAN DNS to your AdGuard
- WAN DNS to your AdGuard
- DNS Director to Router
- AdGuard running device with No Filtering
- DNS Rewrites in AdGuard for local domains
- Private reverse DNS in AdGuard so it sees the client names

Don't change anything else. Disable IPv6 if you don't need it.

View attachment 51042

How come DNS Director goes to Router and not to AdGuard Home running on the NAS?
I also don't know what these mean:
- DNS Rewrites in AdGuard for local domains
- Private reverse DNS in AdGuard so it sees the client names

 

[pjd50]

DNS director to Synology IP. If you put router then any client ignoring your DHCP DNS would use the router DNS instead of the synology.

You need to make an exception for the Synology in DNS director to allow it to get out or you'll just end up in a black hole loop.

As always, bear in mind any client configured to use secure DNS to an outside server will be able to bypass all your DNS stuff unless you install and regularly update a blacklist for known DNS servers.

@Tech9 suggests pointing the WAN DNS to your internal DNS - apparently this works (have never tried it) but as the other poster mentioned you probably need to disable DNS rebind protection in this case. However in reality leaving the WAN at automatic and setting DNS director to the IP of your synology is cleaner and will accomplish the same thing.

Tech9 had DNS Director pointing to "Router" rather than the Synology...

 

[Tech9]

since there seems be conflicting information from @drinkingbird, @tnpapa, and @Tech9

Perhaps because different people asked different things and there is a difference in settings when AdGuard Home is run on the router and on a separate device. My last example was for AGH run on the router, the previous was for separate device, etc. Currently I don't have it running.

Tech9 had DNS Director pointing to "Router" rather than the Synology...

If you don't advertise router's LAN IP as DNS the first custom DNS server is in fact your Router in DNS Director. This is what the devices get from DHCP and it's obviously the external AGH. Whatever is set in WAN will be used by the router only. It can be the same AGH device IP, your choice. I know it's probably a bit confusing, but you have few optional settings on top of each other and have to catch the logic how they work together. Try to understand what is happening and don't just copy someone else's example. I don't even remember who I replied to 6 months ago. Had to go back and see what it was.

 

[pjd50]

Perhaps because different people asked different things and there is a difference in settings when AdGuard Home is run on the router and on a separate device. My last example was for AGH run on the router, the previous was for separate device, etc. Currently I don't have it running.



If you don't advertise router's LAN IP as DNS the first custom DNS server is in fact your Router in DNS Director. This is what the devices get from DHCP and it's obviously the external AGH. Whatever is set in WAN will be used by the router only. It can be the same AGH device IP, your choice. I know it's probably a bit confusing, but you have few optional settings on top of each other and have to catch the logic how they work together.

Thanks. I think I'm most confused about what to do for the WAN (which I guess will be used by the router only, so it's a bit immaterial)? Do you feel strongly about whether I should point the WAN to the AdGuard Home on the Synology NAS, or to leave it blank?

Yes, I turned off "advertise router's LAN IP" - so I guess it doesn't matter whether I select "Router" or "Custom: Synology NAS IP Address" in DNS Director?

 

[Tech9]

WAN DNS setting doesn't matter much. You'll see there queries to Microsoft server from WAN detection. Thousands of them daily. If you set it to your AGH IP you'll see them in query logs coming from your router's LAN IP. It's up to you, but you'll have few thousand extra logs for no reason.

Sorry if I missed something, but I don't have it running and just recall some things I've seen before. I know AGH was updated recently and I don't know what the changes are. My Asus router + Asuswrt-Merlin + scripts is experimental setup only sometimes re-flashed multiple times a day.

 

[Tech9]

In post #11 you can see the settings for external AGH device. I just discovered I posted some screenshots back un June. I also remember running Unbound as resolver on this same external device, but the settings for this are in Unbound config file and in AGH DNS settings pages. Nothing on the router.

 

[pjd50]

Don't put anything in the WAN section. Leave that completely alone and at its defaults.

You put the IP address of the device with Adguard Home on it in the LAN section where it says DNS Server 1. If you have an IPv6 address for the device put that in the line that says IPv6 DNS Server. Turn off Advertise router's IP in addition to user-specified DNS. Now all devices on your network will get the IP of your Adguard server.

Do not turn on DNS Director or Adgauard will fail.

This is the only proper way to configure this. Works perfectly.

Why must DNS Director be off?

 

[Tech9]

Why must DNS Director be off?

For AdGuard Home device. It has to be excluded with no redirection. See post #11 example. Ubuntu Server was my AdGuard Home device.

 

[pjd50]

For AdGuard Home device. It has to be excluded with no redirection. See post #11 example. Ubuntu Server was my AdGuard Home device.

Got it, I thought he meant entirely off. Yes, I will exclude my NAS running AdGuard ("No Redirection"!).

 

[Kyjiep]

Well something is not right about this. DNS is working but the system logs are showing most lookups result in a possible DNS rebind attack.

I could be wrong, but I follow the following advice myself. In the DNS settings AdGuard Home, in the DNS server configuration section, in Blocking mode, select REFUSED. This is enough to get rid of these log messages. In general, you can disable DNS Rebind protection in the router settings, because it only protects the area from the router to your AdGuard Home, which is located on your local network, so there is no point in it.