DNS Director and AdGuard logs

[CalB]

Hi all.

I'm running an Adguard container as my local DNS. It's a proxmox container, not the one you can install on the router. That one no longer works on whatever the latest version is for AX86U).
The WAN DNS section is set to Adguard (their public DNS, not my container). This is or should be used only by the router itself.
Everything else uses my local DNS via DHCP and/or is enforced by the director. The only "no redirection" is for the adguard container. Everything works well.
If a client doesn't use the DHCP assigned DNS, or is just a static client, the redirect still works. The problem is it will show up with the router's IP in the logs, and not the client that made the request.

Is there any way to see the IP of the client that made the redirected request, and ideally if it was a redirect?

Scenario: Have 10 "smart things" on an isolated YazFi guest network all using "hard coded" IP for some imaginary DNS, or just 5 computers with a preferred DNS option set.
Goal: To be able to tell which of them are behind a request, and ideally, if it was a redirect (be able to tell if the device is not using the DHCP DNS)

Did I misconfigure something or this is not possible?


PS: Sorry if this was asked before. I think I've gone through 20-30 posts here and on Reddit >.<

 

[Tech9]

Don't advertise router's LAN IP as DNS server.

 

[CalB]

I'm not, 13.100 is the router and 13.250 is Adguard. I've attached screenshots of the relevant config, maybe I've set something wrong or missed something.
This request should have been shown to be from a different ip, not the router

 

[Tech9]

Something is using it. I would look closely at YazFi setup. I've run for some time AdGuard Home on a separate hardware and the only requests coming from the router were TrendMicro servers, WAN monitoring and firmware update. Nothing else. You can keep Router redirection instead of User Defined.

 

[CalB]

In this particular case is one of my laptops using a static ip and it is not on the isolated network.
This is what actually made that komoot request.

It's placed in my regular lan, with a static IP. The behaviour is the same if DHCP IP but "static" DNS, but this is my problem.
This one I'll switch back to DHCP, once done testing, but I want to be able to identify when something uses manually assigned DNS (not be masked by the router's IP).

Basically, I want to see the originator's IP and not the redirector's (the router) in the Adguard logs.

 

[Tech9]

Sorry, I can't help you further since I don't have the setup running. It was experimental only and some time ago.

Perhaps @SomeWhereOverTheRainBow can give you some clues what is happening.

 

[CalB]

Thank you for the input anyway.
I wonder if the DNS director keeps any logs on the router itself.

 

[SomeWhereOverTheRainBow]

Hi all.

I'm running an Adguard container as my local DNS. It's a proxmox container, not the one you can install on the router. That one no longer works on whatever the latest version is for AX86U).
The WAN DNS section is set to Adguard (their public DNS, not my container). This is or should be used only by the router itself.
Everything else uses my local DNS via DHCP and/or is enforced by the director. The only "no redirection" is for the adguard container. Everything works well.
If a client doesn't use the DHCP assigned DNS, or is just a static client, the redirect still works. The problem is it will show up with the router's IP in the logs, and not the client that made the request.

Is there any way to see the IP of the client that made the redirected request, and ideally if it was a redirect?

Scenario: Have 10 "smart things" on an isolated YazFi guest network all using "hard coded" IP for some imaginary DNS, or just 5 computers with a preferred DNS option set.
Goal: To be able to tell which of them are behind a request, and ideally, if it was a redirect (be able to tell if the device is not using the DHCP DNS)

Did I misconfigure something or this is not possible?


PS: Sorry if this was asked before. I think I've gone through 20-30 posts here and on Reddit >.<

As of right now, no there is no way around this. AdGuardHome developers are still working to adding detection of EDNS0/ECS info from requesting clients. Currently, they do not offer adding the information to the statistics yet. So all those requests appear as if they are coming from the router, due to the firewall rules. If AdGuardHome supported reading the EDNS0/ECS to statistics, then they could quickly use that information as the requesting client, instead of the router himself. If you want to follow along on this journey, here is the feature request.

Use EDNS as client IP in statistics and forward it to the upstream · Issue #1727 · AdguardTeam/AdGuardHome

When AdGuard Home runs behind proxy ( ex: dnsdist ) , the statistics will show the proxy’s IP as the source IP instead of client’s IP It would be great if the statistics source IP is based on EDNS ...

github.com

Currently, AdGuardHome is able to detect requestors EDNS0/ECS information when the client directly makes requests to AdGuardHome, it can then pass it to the upstream when the option is turned on. It can also manipulate the information, if the user enables an option to use customized information in the WEBUI. However, one thing AdGuardHome does not do, is read EDNS0/ECS information when it is offered by the requestor (e.g. virtual machine, dnsmasq, unbound, or a proxy server) hence why it does not leverage this information to identify clients in statistics..
The AdGuardHome developement team has only began to touch adding support for this, and they still have some ways to go. The problem is, the "full" support for this is broken up into small feature requests so you probably won't see this 100% working for awhile.

FYI, Pihole is already able to do this 100%.

 

[CalB]

Thanks for the reply. At least now I know it wasn't me misconfiguring something, as I expected. Might as well play a bit with pihole or maybe blocky to see what's what

 

[SomeWhereOverTheRainBow]

Thanks for the reply. At least now I know it wasn't me misconfiguring something, as I expected. Might as well play a bit with pihole or maybe blocky to see what's what

It is going to be awhile before they get this aspect of AdGuardHome into 100% check. Its feature request for it are broken into little parts, and I haven't taken my gloves off to actually personally test whether the developers are 100% completing these features as they close them out (personally don't have enough free time for that). It is not the end of the world, or a game changer not having these features 100 percent yet. AdGuardHome will still perform its job for you. You just wont be able to fully leverage Client based options 100% like you can with pihole, especially if the requests are coming as redirects from the firewall which will go around any client based rules since the client would not be properly identified. AdGuardHome has many other great features that you can fully take advantage of.

here is another one:

Use ECS (EDNS Client subnet) to identify Clients, instead of IP address · Issue #4383 · AdguardTeam/AdGuardHome

The edge build now displays the ECS data in the response section in Query Log. Would there be a feature added where this (ECS subnet data) IP address is used to identify the client, instead of (or ...

github.com

 

[CalB]

Pi-hole's behaviour seems to be the same. The bottom 2 queries are from an extension on my laptop's browser and the top one I've done a manual nslookup. The laptop has a manually assigned 8.8.8.8 DNS but the request is intercepted by the redirector. Hey, at least now I have a Pi setup almost identical to the Adguard one

Honestly, I prefer Adguard, and it is not the end of the world if it doesn't do that bit, as you said it does other things really well. On day to day basis it doesn't really matter. I Have a bunch of "smart things" like power sockets and light bulbs, which pretty much have no security at all and also playing with a lot of firewalls and other VMs in a lab environment I thought would have been useful to know the originator of the request.

 

[SomeWhereOverTheRainBow]

Pi-hole's behaviour seems to be the same. The bottom 2 queries are from an extension on my laptop's browser and the top one I've done a manual nslookup. The laptop has a manually assigned 8.8.8.8 DNS but the request is intercepted by the redirector. Hey, at least now I have a Pi setup almost identical to the Adguard one

View attachment 54323

Honestly, I prefer Adguard, and it is not the end of the world if it doesn't do that bit, as you said it does other things really well. On day to day basis it doesn't really matter. I Have a bunch of "smart things" like power sockets and light bulbs, which pretty much have no security at all and also playing with a lot of firewalls and other VMs in a lab environment I thought would have been useful to know the originator of the request.

To get the desired results with PiHole, You have to set Pihole as the WAN DNS server (not the LAN). My LAN dns only advertises the router as address. It passes requests to the routers DNSMASQ instance. Heres where you have to be careful though.

You have to add:

add-subnet=32,128
add-mac

to /jffs/configs/dnsmasq.conf.add.

which forwards the clients information from the Routers DNSMASQ instance to PIHole. Pihole is able to use this client information to identify the requests as the client and not the router.

You still setup the reverse lookups and conditional forwarding on PI-hole like you normally do, but you have to add.

local=/168.192.in-addr.arpa/ to /jffs/configs/dnsmasq.conf.add, which will mean dnsmasq on the router will not attempt to create a loop on the conditional forwarding requests from pi-hole. obviously you would have to adapt this to match what ever your network IP is. If you are using IPv6, you also have to make one to include part of your ipv6 prefix as well
local=/Some-ip6-prefix.ip6.arpa/ obviously it will look different.

You would then set your DNS Filter like this:

It should be noted, this method is different from the typical way other forum users here approach DNS with PiHole. The typical method is to use LAN DNS, to advertise PiHole as the DNS Server to clients, then Pihole identifies clients strictly using conditional forwarding back to the router. As a matter of fact, I use to suggest the very same method; however, I changed my method when I realized Pihole was able to do all of this. In the method I have introduced above, the routers DNSMASQ instance acts more like a proxy of the clients requests. It forwards the clients request to the pihole while also providing the IP and Mac information of the client to pihole. Pihole is then able to interpret these requests as the client (and not the router). This method gets around the firewall manipulation because the router forwards the clients information to pihole still.

 

[CalB]

Since the original post, I switched the WAN DNS as well. So, for Pi, this would be what I tried.
Wan setup 13.254 is my Pi
(I don't think DoT works, on Adguard my phone shows as using DoT, but not on the Pi. Still playing with that option, but that's beside the point) :

This is the redirector setup to avoid loops (Shove everything into Pi except the Pi itself, which is directed towards Cloudflare DNS).
Usually, I keep my laptop's MAC with "No redirection" in here. It usually has a DHCP assigned DNS, but I want the ability to query other DNS if needed. For testing purposes, I've removed it from here.

This is my Pi DNS settings, though I am wondering a bit about the subnet, I'd like it to encompass the isolated guest network as well, and that's a different subnet.
Does it work if I use a mask that would include both subnets, like a /21 or /22?

This is what's currently in /jffs/configs/dnsmasq.conf.add

I did a full reboot of the router after editing the file. I was not sure if "service restart_dnsmasq" would work properly.


I still get the router as the originator of the query. I also have this laptop added as a client on the PI based on its MAC address

What am I doing wrong? lol

 

[SomeWhereOverTheRainBow]

Since the original post, I switched the WAN DNS as well. So, for Pi, this would be what I tried.
Wan setup 13.254 is my Pi
(I don't think DoT works, on Adguard my phone shows as using DoT, but not on the Pi. Still playing with that option, but that's beside the point) :
View attachment 54339

This is the redirector setup to avoid loops (Shove everything into Pi except the Pi itself, which is directed towards Cloudflare DNS).
Usually, I keep my laptop's MAC with "No redirection" in here. It usually has a DHCP assigned DNS, but I want the ability to query other DNS if needed. For testing purposes, I've removed it from here.
View attachment 54335

This is my Pi DNS settings, though I am wondering a bit about the subnet, I'd like it to encompass the isolated guest network as well, and that's a different subnet.
Does it work if I use a mask that would include both subnets, like a /21 or /22?
View attachment 54336

This is what's currently in /jffs/configs/dnsmasq.conf.add
View attachment 54337
I did a full reboot of the router after editing the file. I was not sure if "service restart_dnsmasq" would work properly.


I still get the router as the originator of the query. I also have this laptop added as a client on the PI based on its MAC address
View attachment 54338

What am I doing wrong? lol

This part is all wrong:

should be: (click assign)

add the IP at the bottom make sure to fill in the selection as well:

Then click "OK".

Then make sure these are selected:

And your Pihole info: I have no clue what you are doing wrong there.

 

[SomeWhereOverTheRainBow]

This is not your typical setup so you may have some work to do figuring this out.

Here is what Mine looks like, my router IP is your typical 192.168.1.1, the network it hosts is 192.168.1.0/24

Obviously Some-Network is just generic.

But it should match whatevers on your routers DHCP page for the "Routers Domain Name" option.
e.g.

LAN dns should be set like this:

You may also want to add a static address reservation for your Pihole if you haven't already.

 

[CalB]

That's exactly what I did, that's how I ended up with the IP there, by clicking assing and manually adding the Pi's IP all the way at the bottom then pressing apply. My thought would have been I might have edited the conf file wrong since I'm not that familiar with what a correct config should look like on that one.

I've also tried the simpler redirector config. It works to the same effect. At least this would be better than my original convoluted way. It wouldn't force Adguard/Pihole into using only one upstream DNS.

Oh well, anyway, I really appreciate your help even if I'm failing lol. At least now I know what to look for. Before this post I wasn't even aware EDNS0/ECS is a thing, at least now I know what to google for

 

[SomeWhereOverTheRainBow]

View attachment 54349
That's exactly what I did, that's how I ended up with the IP there, by clicking assing and manually adding the Pi's IP all the way at the bottom then pressing apply. My thought would have been I might have edited the conf file wrong since I'm not that familiar with what a correct config should look like on that one.

I've also tried the simpler redirector config. It works to the same effect. At least this would be better than my original convoluted way. It wouldn't force Adguard/Pihole into using only one upstream DNS.
View attachment 54353


Oh well, anyway, I really appreciate your help even if I'm failing lol. At least now I know what to look for. Before this post I wasn't even aware EDNS0/ECS is a thing, at least now I know what to google for

While we are putting things in red boxes
this:

Should look like this:

 

[SomeWhereOverTheRainBow]

Oh well, anyway, I really appreciate your help even if I'm failing lol. At least now I know what to look for. Before this post I wasn't even aware EDNS0/ECS is a thing, at least now I know what to google for

Best of luck to you and the ol'google.

 

[CalB]

YES, that was the issue! (on Pi at least), the rebind protection.

Once again, thank you very much. Now I have a working baseline that I know works, and can test it against adguard setups

 

[Gary_Dexter]

View attachment 54355

If I'm running AGH on a Rpi, what should I set here for WAN DNS? And does it make a difference?

Currently it's as follows: