Hi,
I'm trying to set up AdGuardHome on my RT-AC68U (Merlin firmware 386.4) using the installation script (v1.2.0) provided by amtm (v. 3.2.3 FW).
As default DNS (set in the WAN configuration page of the router) I use 8.8.8.8 and 4.4.4.4. The DNS settings in the LAN configuration page are left blank.
AdGuardHome is working as intended for all the clients that use the DNS address provided by the router (IP 192.168.100.1).
The problem is when a client has a manually configured DNS (like Cloudflare 1.1.1.1). In fact the router (or AdGuardHome) doesn't seem to enforce the use of the router as DNS server (192.168.100.1) and lets the client use its own DNS (1.1.1.1).
I tried to solve it using iptables with the following rules:
Code:
### DNS ###
# Block FORWARD for DNS #
iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP
# Allow DNS only if destination is the router #
iptables -I INPUT -p tcp --dport 53 -d 192.168.100.1 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -d 192.168.100.1 -j ACCEPT
# Redirect all DNS query to the router #
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -i br0 -j REDIRECT
iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -i br0 -j REDIRECT
### DNSoverTLS (DoT) ###
# Block FORWARD for DoT
iptables -I FORWARD -p tcp --dport 853 -j DROP
iptables -I FORWARD -p udp --dport 853 -j DROP
To make some trials I added this line to the hosts file: 0.0.0.0 www.google.com
Now, on the client with the manually configured DNS (1.1.1.1), if I use nslookup www.google.com the machine correctly redirects the query to the router DNS (192.168.100.1) and gives me 0.0.0.0 as the answer:
Code:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: www.google.com
Address: 0.0.0.0
If I open Safari to browse www.google.com I correctly receive "error no connection", and if I browse some site known to be full of ads, AdGuardHome does its job and there are no ads. Sites like ipleak dot net say my DNS servers are Google's.
If I open Chrome instead I can browse www.google.com and AdGuardHome filtering isn't working (sites full of ads). ipleak dot net says my DNS servers are Cloudflare's, followed by Google's.
This is my Asus DNS filter configuration on the router (I disabled the Asus DNS filter implementation to use only iptables rules instead).
Code:
dnsfilter_custom1=
dnsfilter_custom2=
dnsfilter_custom3=
dnsfilter_rulelist1=
dnsfilter_rulelist2=
dnsfilter_rulelist3=
dnsfilter_rulelist4=
dnsfilter_rulelist5=
dnsfilter_mode=11
dnsfilter_enable_x=0
Am I missing something in my iptables configuration?
Or could this problem be related to Chrome bypassing my DNS enforcement configuration using DNS over TLS or DNS over HTTPS? In this case, how can I force clients using Chrome to use AdGuardHome?
I really don't understand where the problem is and need some help. Thanks for your time.
Here is my AdGuardHome configuration:
Upstream DNS servers (where home.arpa is my RT-AC68U's domain name):
Code:
[/router.asus.com/]192.168.150.1:553
[/www.asusnetwork.net/]192.168.150.1:553
[/www.asusrouter.com/]192.168.150.1:553
[/use-application-dns.net/]192.168.150.1:553
[/dns.resolver.arpa/]192.168.150.1:553
[/home.arpa/]192.168.150.1:553
[//]192.168.150.1:553
8.8.8.8
8.8.4.4
tcp://8.8.8.8
tcp://8.8.4.4
Private reverse DNS servers:
Code:
[/10.in-addr.arpa/]192.168.150.1:553
[/168.192.in-addr.arpa/]192.168.150.1:553
[/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/][]:553
edit: added AdGuardHome configuration
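The DoT/DoH bypass question above, as an added client-side audit script that is not part of the original post: it asks for the name the router's hosts file maps to 0.0.0.0 (the post's www.google.com entry, assumed still in place) over DNS over TLS and DNS over HTTPS, the same transports Chrome's Secure DNS uses; 1.1.1.1 and cloudflare-dns.com are the post's own example resolver. An answer of 0.0.0.0 shows the query reached the router, a real address shows that transport escapes the iptables rules, and a connection error shows the FORWARD drop caught it.

```python
# Added example, not from the post. Run on a LAN client; the canary name relies on
# the post's "0.0.0.0 www.google.com" hosts entry on the router (an assumption).
import socket, ssl, struct, urllib.request

CANARY = "www.google.com"   # assumed still present in the router's hosts file

def build_query(name, qid=0x1234):   # A query, wire format (RFC 1035), RD set
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\0\0\1\0\1"
def _skip_name(msg, off):   # offset past a name; 0xC0.. is a 2-byte pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)
def parse_a_records(msg):   # IPv4 addresses in the answer section, [] if none
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs
def verdict(addrs):   # what a canary answer means from the client's side
    if addrs == ["0.0.0.0"]:
        return "router answered (enforcement works)"
    return "upstream answered (bypass open)" if addrs else "no answer"
def probe_dot(resolver="1.1.1.1", sni="cloudflare-dns.com"):   # RFC 7858, TCP 853
    raw = socket.create_connection((resolver, 853), timeout=3)
    with ssl.create_default_context().wrap_socket(raw, server_hostname=sni) as s:
        q = build_query(CANARY)
        s.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length prefix
        n, body = struct.unpack("!H", s.recv(2))[0], b""
        while len(body) < n:
            body += s.recv(n - len(body))
        return parse_a_records(body)
def probe_doh(url="https://cloudflare-dns.com/dns-query"):   # RFC 8484 POST
    req = urllib.request.Request(url, data=build_query(CANARY),
                                 headers={"Content-Type": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=3) as r:
        return parse_a_records(r.read())

if __name__ == "__main__":
    for label, probe in (("DoT/853", probe_dot), ("DoH/443", probe_doh)):
        try:
            print(label, verdict(probe()))
        except OSError as e:   # timeout or refused: the router blocks this path
            print(label, "blocked:", type(e).__name__)
```

The plain udp/53 path is what the nslookup above already checks; a "bypass open" result for DoH means port 443 to the resolver still needs a FORWARD rule like the 853 one.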