AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

[sQumm]

HeyGuys first of all thank u so much for this addon, but i have a problem with all my internet clients. when adguardhome is enabled on my gt-ax11000 the dhcp is really slow so my wifi clients will get an ip at around 3 to 4 minutes and when i type at command prompt on our windows pc's ipconfig/renew it says "An error occurred while renewing interface Ethernet : unable to contact your DHCP server. Request has timed out" i use the dhcp server from the router btw

could anybody help me with this problem?

 

[SomeWhereOverTheRainBow]

HeyGuys first of all thank u so much for this addon, but i have a problem with all my internet clients. when adguardhome is enabled on my gt-ax11000 the dhcp is really slow so my wifi clients will get an ip at around 3 to 4 minutes and when i type at command prompt on our windows pc's ipconfig/renew it says "An error occurred while renewing interface Ethernet : unable to contact your DHCP server. Request has timed out" i use the dhcp server from the router btw

could anybody help me with this problem?

Before I respond, I want to start out by saying do not attempt to use adguardhomes built in dhcp because clients are still using the routers, it will break your dhcp if you attempt to use adguardhomes built in dhcp while the routers dhcp is still turned on.

Now that the comment is out of the way. If you are talking about the dhcp provided by DNSMASQ, then you could try appending dhcp-rapid-commit with /jffs/configs/dnsmasq.conf.add.

--dhcp-rapid-commit
Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enabled, dnsmasq will respond to a DHCPDISCOVER message including a Rapid Commit option with a DHCPACK including a Rapid Commit option and fully committed address and configuration information. Should only be enabled if either the server is the only server for the subnet, or multiple servers are present and they each commit a binding for all clients.

This would allow for dnsmasq to send its advertisements much quicker to clients that may be having a hard time picking up the requests. I will probably test this option before the next release, if it is beneficial, I will add it. From the DNSMASQ manpages

Man page of DNSMASQ

it appears to be the only option that is beneficial to the clients receiving advertisements.

 

[SomeWhereOverTheRainBow]

HeyGuys first of all thank u so much for this addon, but i have a problem with all my internet clients. when adguardhome is enabled on my gt-ax11000 the dhcp is really slow so my wifi clients will get an ip at around 3 to 4 minutes and when i type at command prompt on our windows pc's ipconfig/renew it says "An error occurred while renewing interface Ethernet : unable to contact your DHCP server. Request has timed out" i use the dhcp server from the router btw

could anybody help me with this problem?

I am curious though because I tested several of my wifi clients and I have not had this connection issue yet. I am wondering if it has something to do with your network and the way it is configured, or the clients that you are connecting with. I connect with my devices over wifi and they get addresses right away when I use adguardhome. Even my guestnetworks that use yazfi.

It might help if you share what your lan dhcp page settings looks like and your wan settings page. You can post screenshots if possible. Redact anything you consider personal. Also consider sharing what other scripts you may have installed by amtm and any personal scripts you use that may interact with the settings of dnsmasq. Maybe any relevant dnsmasq logs you may have observed as well. All these "asks" are to help me try to reproduce your scenario.

 

[keef]

Hello. Is there a log file for AdGuard? I cannot get it to block any ads and I figure that might be a good place to start.

thanks

 

[SomeWhereOverTheRainBow]

Hello. Is there a log file for AdGuard? I cannot get it to block any ads and I figure that might be a good place to start.

thanks

Yea, login to your adguardhome and look at the client queries. If you don't see queries coming from the client you are wondering about, then the client is some how accessing a different dns from the one advertised by your router for AdGuardHome. This could be due to several reasons such as your client is using a VPN that bypasses the router for dns, or your client is using a browser dns which bypasses the routers dns. Another possible reason is your router is some advertising a different dns to clients either by missconfigured lan dhcp, missconfigured guestnetworks, or missconfigured dnsfilter. All of which you would need to share your settings for us to determine.

But for starters, I would tell us how did you determine ads were not being blocked; what kind of evidence do you have to support your assertions; what kind of ads are you referring to?

 

[sQumm]

I am curious though because I tested several of my wifi clients and I have not had this connection issue yet. I am wondering if it has something to do with your network and the way it is configured, or the clients that you are connecting with. I connect with my devices over wifi and they get addresses right away when I use adguardhome. Even my guestnetworks that use yazfi.

It might help if you share what your lan dhcp page settings looks like and your wan settings page. You can post screenshots if possible. Redact anything you consider personal. Also consider sharing what other scripts you may have installed by amtm and any personal scripts you use that may interact with the settings of dnsmasq. Maybe any relevant dnsmasq logs you may have observed as well. All these "asks" are to help me try to reproduce your scenario.

I think the problem is worse then i thought, i just came home from a party and none of my clients wifi and cable got a ip from the DHCP server from the router, i needed to reboot the router to get a connection.

the only scripts i run on the router is amtm and adguardhome and a script for my IPTV u can find that script at https://drive.google.com/drive/folders/1kZaiOPGF0wuUG8fhfw2lSbvJmRdWGGjH?usp=sharing

also ipv6 doesnt work when adguardhome is active, when i adguardhome service stopped everything works fine

 

[SomeWhereOverTheRainBow]

I think the problem is worse then i thought, i just came home from a party and none of my clients wifi and cable got a ip from the DHCP server from the router, i needed to reboot the router to get a connection.

the only scripts i run on the router is amtm and adguardhome and a script for my IPTV u can find that script at https://drive.google.com/drive/folders/1kZaiOPGF0wuUG8fhfw2lSbvJmRdWGGjH?usp=sharing

also ipv6 doesnt work when adguardhome is active, when i adguardhome service stopped everything works fine

It appears adguardhome installer/script is not tailored to your specific network case. what happens if you restart adguardhome later on in the boot process. does it work correctly then? I see you have your own Vlan configuration and everything. These special types of environment are not the "usual" case of a typical adguardhome/asuswrt-merlin router user. I am thinking adguardhome is starting way earlier than all of your configurations take to finish. Most likely causing some sort of conflict. I notice you also reference the Dual WAN page and that you use the 2.5G port for your wan access. What happens when you use the regular "non 2.5G" WAN port? Are you running a Dual Wan setup? What do your AdGuardHome settings look like?

In reality, I don't have a way to replicate your specific network setup. My ISP is cable internet provider, at best I can give you troubleshooting recommendations. It may require someone with better understanding of ppp0 configurations to provide the appropriate recommendations. Especially someone with knowlegde of what you are doing with your wan scripts and vlan setups. The only thing the adguardhome script does is move the dnsmasq dhcp from using DNS on port 53 to 553. It advertises adguardhome as dns on port 53. DNSMASQ still hands out client advertisements over dhcp though.

The only thing i see you are doing in dnsmasq.conf.add is

dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255

After doing some research, it appears dnsmasq dhcp option 28 is used to advertise a custom broadcast address. I don't know if this could be creating a conflict.

Controls whether a request for the Broadcast Address is sent by the DHCPv4 Client to the DHCP Server in the DHCP Request. When requested, the DHCP Server returns the Broadcast Address for the network to the device in the DHCP Acknowledgment. The Broadcast Address for a network is the IP Address for which all devices on that network are enabled to receive messages. A message sent to the Broadcast Address for a network can therefore be received by all devices on that network, rather than by a specific device.

Who knows, maybe you would benefit by adding dhcp-rapid-commit here as well.

Perhaps share the content of /etc/dnsmasq.conf when you have adguardhome running.

You can do this by running the command cat /etc/dnsmasq.conf in an SSH terminal session. Share the output here.

 

[keef]

Yea, login to your adguardhome and look at the client queries. If you don't see queries coming from the client you are wondering about, then the client is some how accessing a different dns from the one advertised by your router for AdGuardHome. This could be due to several reasons such as your client is using a VPN that bypasses the router for dns, or your client is using a browser dns which bypasses the routers dns. Another possible reason is your router is some advertising a different dns to clients either by missconfigured lan dhcp, missconfigured guestnetworks, or missconfigured dnsfilter. All of which you would need to share your settings for us to determine.

But for starters, I would tell us how did you determine ads were not being blocked; what kind of evidence do you have to support your assertions; what kind of ads are you referring to?

I apologize for any misunderstanding. I am by no means saying AdGuard does not work. Just for me, I cannot get it working. That is not unusual for me and router stuff. I do not have a good handle on this stuff. I cannot get the ads on Speedtest.net blocked. I deleted the browser cache and tried it quite a few times. I missed some setting along the way. I removed the VPN to make things a little easier.

I have an Asus AC3100 with Merlin (v386.5.2). My DNS is my router address (192.168.1.1). DNS filtering is enabled and set to Router.

Connect to DNS Server automatically - Y
Forward local domain queries to upstream DNS - N
DNS Server Fields 1,2 are blank

thanks

 

[SomeWhereOverTheRainBow]

I apologize for any misunderstanding. I am by no means saying AdGuard does not work. Just for me, I cannot get it working. That is not unusual for me and router stuff. I do not have a good handle on this stuff. I cannot get the ads on Speedtest.net blocked. I deleted the browser cache and tried it quite a few times. I missed some setting along the way. I removed the VPN to make things a little easier.

I have an Asus AC3100 with Merlin (v386.5.2). My DNS is my router address (192.168.1.1). DNS filtering is enabled and set to Router.

Connect to DNS Server automatically - Y
Forward local domain queries to upstream DNS - N
DNS Server Fields 1,2 are blank

thanks

Okay maybe share screen shots of your lan dhcp page, and your WAN connections page. Also make sure all VPNS are turned off and all "web browser" dns servers are disabled.

I also saw you had issues using diversion as well. While I can try to give you suggestions on what to try, this would only be supplemental to what you already know. However, I will not be able to supplant a fix for something on your end.

Diversion - Diversion configuration

Hi all I have an Asus AC3100 (v386.5.2) router with Diversion (v4.2.2). I had to re-configure the router and I cannot get Diversion to work. My DNS is my router address (192.168.1.1). DNS filtering is enabled and set to Router. Connect to DNS Server automatically - Y Forward local domain...

www.snbforums.com

 

[sQumm]

It appears adguardhome installer/script is not tailored to your specific network case. what happens if you restart adguardhome later on in the boot process. does it work correctly then? I see you have your own Vlan configuration and everything. These special types of environment are not the "usual" case of a typical adguardhome/asuswrt-merlin router user. I am thinking adguardhome is starting way earlier than all of your configurations take to finish. Most likely causing some sort of conflict. I notice you also reference the Dual WAN page and that you use the 2.5G port for your wan access. What happens when you use the regular "non 2.5G" WAN port? Are you running a Dual Wan setup? What do your AdGuardHome settings look like?

In reality, I don't have a way to replicate your specific network setup. My ISP is cable internet provider, at best I can give you troubleshooting recommendations. It may require someone with better understanding of ppp0 configurations to provide the appropriate recommendations. Especially someone with knowlegde of what you are doing with your wan scripts and vlan setups. The only thing the adguardhome script does is move the dnsmasq dhcp from using DNS on port 53 to 553. It advertises adguardhome as dns on port 53. DNSMASQ still hands out client advertisements over dhcp though.

The only thing i see you are doing in dnsmasq.conf.add is

dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255

After doing some research, it appears dnsmasq dhcp option 28 is used to advertise a custom broadcast address. I don't know if this could be creating a conflict.


Who knows, maybe you would benefit by adding dhcp-rapid-commit here as well.

Perhaps share the content of /etc/dnsmasq.conf when you have adguardhome running.

You can do this by running the command cat /etc/dnsmasq.conf in an SSH terminal session. Share the output here.

The things that is in dnsmasq.conf.add written by someone who knows how my ISP works with their IPTV. im not sure what every command line does tbh. he just shared the script with others.

as you asked me to do i added dhcp-rapid-commit en rebooted my router just to be sure.

the output of dnsmasq.conf is in the attachment

 

[SomeWhereOverTheRainBow]

The things that is in dnsmasq.conf.add written by someone who knows how my ISP works with their IPTV. im not sure what every command line does tbh. he just shared the script with others.

as you asked me to do i added dhcp-rapid-commit en rebooted my router just to be sure.

the output of dnsmasq.conf is in the attachment

So I see all the required options are there, however I don't see why your adguardhome would not be working. Maybe we are looking in the wrong place. Maybe your adguardhome settings are the problem. What do they look like?

For example, the contents of /opt/etc/AdGuardHome/AdGuardHome.yaml

Also, another thing to consider is Maybe the person who wrote these iptv scripts for you needs to look at the adguardhome script to see if there is something that needs to be taken into consideration for your setup.

 

[sQumm]

Thanku so much for your time btw,

So I see all the required options are there, however I don't see why your adguardhome would not be working. Maybe we are looking in the wrong place. Maybe your adguardhome settings are the problem. What do they look like?

For example, the contents of /opt/etc/AdGuardHome/AdGuardHome.yaml

Also, another thing to consider is Maybe the person who wrote these iptv scripts for you needs to look at the adguardhome script to see if there is something that needs to be taken into consideration for your setup.

out of security reasons i didn include my username and password hash if thats ok

I also completely removed the addon and fresh installed just to be sure

auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
bind_hosts:
- 0.0.0.0
port: 53
statistics_interval: 1
querylog_enabled: true
querylog_file_enabled: true
querylog_interval: 2160h
querylog_size_memory: 1000
anonymize_client_ip: false
protection_enabled: true
blocking_mode: default
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 10
parental_block_host: ""
safebrowsing_block_host: ""
ratelimit: 20
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- '[/0.0.0.0.5.9.1.0.a.6.4.a.2.0.a.2.ip6.arpa/][::]:553'
- '[/router.asus.com/][::]:553'
- '[/www.asusnetwork.net/][::]:553'
- '[/www.asusrouter.com/][::]:553'
- '[/use-application-dns.net/][::]:553'
- '[/dns.resolver.arpa/][::]:553'
- '[/lan/][::]:553'
- '[//][::]:553'
- 1.1.1.1
- 1.0.0.1
- tcp://1.1.1.1
- tcp://1.0.0.1
upstream_dns_file: ""
bootstrap_dns:
- 1.1.1.1
- 1.0.0.1
all_servers: false
fastest_addr: false
fastest_timeout: 1s
allowed_clients: []
disallowed_clients: []
blocked_hosts: []
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
cache_optimistic: false
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: false
edns_client_subnet: false
max_goroutines: 300
handle_ddr: true
ipset: []
filtering_enabled: true
filters_update_interval: 24
parental_enabled: false
safesearch_enabled: false
safebrowsing_enabled: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
rewrites: []
blocked_services: []
upstream_timeout: 10s
private_networks: []
use_private_ptr_resolvers: true
local_ptr_upstreams:
- '[::]:553'
- '[/10.in-addr.arpa/][::]:553'
- '[/168.192.in-addr.arpa/][::]:553'
tls:
enabled: false
server_name: ""
force_https: false
port_https: 443
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
strict_sni_check: false
certificate_chain: ""
private_key: ""
certificate_path: ""
private_key_path: ""
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adaway.org/hosts.txt
name: AdAway Default Blocklist
id: 2
whitelist_filters: []
user_rules: []
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
dhcpv4:
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
os:
group: ""
user: ""
rlimit_nofile: 0
schema_version: 14

 

[SomeWhereOverTheRainBow]

Thanku so much for your time btw,


out of security reasons i didn include my username and password hash if thats ok

I also completely removed the addon and fresh installed just to be sure

auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
bind_hosts:
- 0.0.0.0
port: 53
statistics_interval: 1
querylog_enabled: true
querylog_file_enabled: true
querylog_interval: 2160h
querylog_size_memory: 1000
anonymize_client_ip: false
protection_enabled: true
blocking_mode: default
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 10
parental_block_host: ""
safebrowsing_block_host: ""
ratelimit: 20
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- '[/0.0.0.0.5.9.1.0.a.6.4.a.2.0.a.2.ip6.arpa/][::]:553'
- '[/router.asus.com/][::]:553'
- '[/www.asusnetwork.net/][::]:553'
- '[/www.asusrouter.com/][::]:553'
- '[/use-application-dns.net/][::]:553'
- '[/dns.resolver.arpa/][::]:553'
- '[/lan/][::]:553'
- '[//][::]:553'
- 1.1.1.1
- 1.0.0.1
- tcp://1.1.1.1
- tcp://1.0.0.1
upstream_dns_file: ""
bootstrap_dns:
- 1.1.1.1
- 1.0.0.1
all_servers: false
fastest_addr: false
fastest_timeout: 1s
allowed_clients: []
disallowed_clients: []
blocked_hosts: []
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
cache_optimistic: false
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: false
edns_client_subnet: false
max_goroutines: 300
handle_ddr: true
ipset: []
filtering_enabled: true
filters_update_interval: 24
parental_enabled: false
safesearch_enabled: false
safebrowsing_enabled: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
rewrites: []
blocked_services: []
upstream_timeout: 10s
private_networks: []
use_private_ptr_resolvers: true
local_ptr_upstreams:
- '[::]:553'
- '[/10.in-addr.arpa/][::]:553'
- '[/168.192.in-addr.arpa/][::]:553'
tls:
enabled: false
server_name: ""
force_https: false
port_https: 443
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
strict_sni_check: false
certificate_chain: ""
private_key: ""
certificate_path: ""
private_key_path: ""
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adaway.org/hosts.txt
name: AdAway Default Blocklist
id: 2
whitelist_filters: []
user_rules: []
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
dhcpv4:
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
os:
group: ""
user: ""
rlimit_nofile: 0
schema_version: 14

According to what you have, everything should be working. The only thing I could think that could be causing the issue is if the iptv scripts are changing how your interfaces behave. Even then I wouldn't be able to come up with a fix or test a solution for you because my setup is completely different.

 

[SomeWhereOverTheRainBow]

The things that is in dnsmasq.conf.add written by someone who knows how my ISP works with their IPTV. im not sure what every command line does tbh. he just shared the script with others.

as you asked me to do i added dhcp-rapid-commit en rebooted my router just to be sure.

the output of dnsmasq.conf is in the attachment

Your dhcp-rapid-commit and port=553 options look suspicious here though because they are on the same line. This could cause dnsmasq to crash.

 

[Stephen Harrington]

Feel free to come back here to ask questions and share experiences.

@SomeWhereOverTheRainBow let me start by thanking you very much for your excellent work on AGH and making it available for my Router!
You DID invite my dumb newbie questions so ...
I uninstalled Diversion/PixelServ and installed AMAGHI from AMTM, which seemed to go pretty well - I have it up and running and ad-blocking is definitely working, and no one else in the house is yelling at me yet after the change. However at this stage its all on your Installer defaults and is running in "Plain DNS" mode as all the Query Log entries say that.
I've been attempting to skim-read the 50+ pages of this thread to figure out how to get it back into DoT mode but not getting that far - I think because your add-on rapidly evolved and improved and the earlier discussions are confusing for those starting from scratch perhaps?

I noticed that my DoT on the Router has been turned off, presumably by your Installer, would that be correct? Not relevant anymore since DNS resolver is now AGH?
I did already have Merlin's DNS Filter activated and Global Filter Mode set to "Router", as I have 3 existing devices that are then set manually to a different external DNS, so I can successfully use some streaming services in different geographic regions.

Do I need to change anything else here?

LAN DHCP settings are as follows:-
Anything need changing here? My Router address is 192.168.1.254 by the way ...

So far I've managed to get my existing router Lets Encrypt certificates installed and recognised by AGH I think?

AdGuard Upstream DNS Servers are currently:-

[/0.0.4.0.2.0.e.0.2.0.0.d.1.0.4.2.ip6.arpa/][::]:553
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/16HenryStreet.dyndns.org/][::]:553
[//][::]:553
1.1.1.1
1.0.0.1
tcp://1.1.1.1
tcp://1.0.0.1

If I want DoT I have to add in a line such as

https://dns-unfiltered.adguard.com/dns-query

using the sdns format such as:-

sdns://AgcAAAAAAAAAAAAaZG5zLXVuZmlsdGVyZWQuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ

Where does this get added? At the top? At the Bottom? Do I need to take out any or all of the "Plain DNS" entries to make this work only on DoT? So many questions!

Looks like the Reverse DNS entries are now taken care of by your installer, is that correct?

[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

As always, thanks for any help in getting me going on this.

Maybe some kind of "For Dummies" guide can evolve out of this?

 

[gspannu]

@SomeWhereOverTheRainBow let me start by thanking you very much for your excellent work on AGH and making it available for my Router!
You DID invite my dumb newbie questions so ...
I uninstalled Diversion/PixelServ and installed AMAGHI from AMTM, which seemed to go pretty well - I have it up and running and ad-blocking is definitely working, and no one else in the house is yelling at me yet after the change. However at this stage its all on your Installer defaults and is running in "Plain DNS" mode as all the Query Log entries say that.
I've been attempting to skim-read the 50+ pages of this thread to figure out how to get it back into DoT mode but not getting that far - I think because your add-on rapidly evolved and improved and the earlier discussions are confusing for those starting from scratch perhaps?

I noticed that my DoT on the Router has been turned off, presumably by your Installer, would that be correct? Not relevant anymore since DNS resolver is now AGH?
I did already have Merlin's DNS Filter activated and Global Filter Mode set to "Router", as I have 3 existing devices that are then set manually to a different external DNS, so I can successfully use some streaming services in different geographic regions.

Do I need to change anything else here?

View attachment 41817

LAN DHCP settings are as follows:-
Anything need changing here? My Router address is 192.168.1.254 by the way ...

View attachment 41819

So far I've managed to get my existing router Lets Encrypt certificates installed and recognised by AGH I think?

View attachment 41818
AdGuard Upstream DNS Servers are currently:-

[/0.0.4.0.2.0.e.0.2.0.0.d.1.0.4.2.ip6.arpa/][::]:553
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/16HenryStreet.dyndns.org/][::]:553
[//][::]:553
1.1.1.1
1.0.0.1
tcp://1.1.1.1
tcp://1.0.0.1

If I want DoT I have to add in a line such as

https://dns-unfiltered.adguard.com/dns-query

using the sdns format such as:-

sdns://AgcAAAAAAAAAAAAaZG5zLXVuZmlsdGVyZWQuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ

Where does this get added? At the top? At the Bottom? Do I need to take out any or all of the "Plain DNS" entries to make this work only on DoT? So many questions!

Looks like the Reverse DNS entries are now taken care of by your installer, is that correct?

[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

As always, thanks for any help in getting me going on this.

Maybe some kind of "For Dummies" guide can evolve out of this?

Quick questions:
Why is your router's name 16HenryStreet.dyndns.org? What is your use case?

What is your intent on using Lets Encrypt certificate under AGH Encryption settings?
There is no point in encrypting your internal (internal clients to router) DNS queries; as you are not getting any additional security for the accompanying overhead.

Or are you also using your router as a public DNS server (whereby external clients can access your router (i.e. 16HenryStreet.dyndns.org) and resolve DNS queries (and you wish to encrypt these queries)?

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow let me start by thanking you very much for your excellent work on AGH and making it available for my Router!
You DID invite my dumb newbie questions so ...
I uninstalled Diversion/PixelServ and installed AMAGHI from AMTM, which seemed to go pretty well - I have it up and running and ad-blocking is definitely working, and no one else in the house is yelling at me yet after the change. However at this stage its all on your Installer defaults and is running in "Plain DNS" mode as all the Query Log entries say that.
I've been attempting to skim-read the 50+ pages of this thread to figure out how to get it back into DoT mode but not getting that far - I think because your add-on rapidly evolved and improved and the earlier discussions are confusing for those starting from scratch perhaps?

I noticed that my DoT on the Router has been turned off, presumably by your Installer, would that be correct? Not relevant anymore since DNS resolver is now AGH?
I did already have Merlin's DNS Filter activated and Global Filter Mode set to "Router", as I have 3 existing devices that are then set manually to a different external DNS, so I can successfully use some streaming services in different geographic regions.

Do I need to change anything else here?

View attachment 41817

LAN DHCP settings are as follows:-
Anything need changing here? My Router address is 192.168.1.254 by the way ...

View attachment 41819

So far I've managed to get my existing router Lets Encrypt certificates installed and recognised by AGH I think?

View attachment 41818
AdGuard Upstream DNS Servers are currently:-

[/0.0.4.0.2.0.e.0.2.0.0.d.1.0.4.2.ip6.arpa/][::]:553
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/16HenryStreet.dyndns.org/][::]:553
[//][::]:553
1.1.1.1
1.0.0.1
tcp://1.1.1.1
tcp://1.0.0.1

If I want DoT I have to add in a line such as

https://dns-unfiltered.adguard.com/dns-query

using the sdns format such as:-

sdns://AgcAAAAAAAAAAAAaZG5zLXVuZmlsdGVyZWQuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ

Where does this get added? At the top? At the Bottom? Do I need to take out any or all of the "Plain DNS" entries to make this work only on DoT? So many questions!

Looks like the Reverse DNS entries are now taken care of by your installer, is that correct?

[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

As always, thanks for any help in getting me going on this.

Maybe some kind of "For Dummies" guide can evolve out of this?

Okay so for starters the router DoT does get turned off because it is no longer need and is a resource hog in the sense of running adguardhome. Adguardhome supports all dns types for use in the upstream. It also looks like you are messing with the certificate section of adguardhome, is your aim to also run adguardhome as a remote DoT,DoH, or Dnscrypt server? If not, then you don't have to do that extra setup. Any of the default entrees you have look fine, I would leave those alone. Your server entrees get added to the upstream server section right below the installer added one. You can delete the

1.1.1.1
1.0.0.1
tcp://1.1.1.1
tcp://1.0.0.1

And replace it with your servers.. here you can do either sdns stamps for DoT or use the default method listed in the webui. You can do the same with doh servers as well.

Default method:

94.140.14.140: plain DNS (over UDP).
tls://dns-unfiltered.adguard.com: encrypted DNS-over-TLS.
https://cloudflare-dns.com/dns-query: encrypted DNS-over-HTTPS.
quic://dns-unfiltered.adguard.com:784: experimental DNS-over-QUIC support.
tcp://1.1.1.1: plain DNS (over TCP).
sdns://...: DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers.
[/example.local/]1.1.1.1: DNS upstream for specific domains, see below.

BTW: adguardhome already for the most part has a guide, it is the Adguardhome wiki:

Home

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

The rest that would need to be included in a guide would be the asuswrt-merlin caveats of adguardhome.

 

[Stephen Harrington]

Why is your router's name 16HenryStreet.dyndns.org? What is your use case?

Probably originally “misunderstanding the question” so I just made it the same as my dynamic DNS “domain”, but that is 3 Asus routers and many years ago. It’s never been an issue … at least not that I’m aware of.

What is your intent on using Lets Encrypt certificate under AGH Encryption settings?
There is no point in encrypting your internal (internal clients to router) DNS queries; as you are not getting any additional security for the accompanying overhead.

Misunderstanding on my part, as I do more reading your explanation makes sense.

Or are you also using your router as a public DNS server (whereby external clients can access your router (i.e. 16HenryStreet.dyndns.org) and resolve DNS queries (and you wish to encrypt these queries)?

Nope, nothing like that …

 

[Stephen Harrington]

It also looks like you are messing with the certificate section of adguardhome, is your aim to also run adguardhome as a remote DoT,DoH, or Dnscrypt server? If not, then you don't have to do that extra setup.

@SomeWhereOverTheRainBow Thanks for chiming in and setting me straight. No, not intending to run a remote DNS server, so now I can just delete those settings I guess?

Your server entrees get added to the upstream server section right below the installer added one. You can delete the

1.1.1.1
1.0.0.1
tcp://1.1.1.1
tcp://1.0.0.1

And replace it with your servers.

Still slightly confused. So if I want to run DoT only for everything I delete the ones you have listed above and just add the one line for the DoT? Or would you advise having multiple options?

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Thanks for chiming in and setting me straight. No, not intending to run a remote DNS server, so now I can just delete those settings I guess?



Still slightly confused. So if I want to run DoT only for everything I delete the ones you have listed above and just add the one line for the DoT? Or would you advise having multiple options?

You have the correct assumption, delete the ones I have listed and then put your own ones there. I have listed the correct formats or you can choose to use sdns stamps. Either should work. You can list as many as you like and you can even mix and match encryption if you want. For example, if you use quad 9, then you can use all the different types of encryption they support simply by listing all the server formats. You can the choose to either load balance then request or choose parallel.

I commend you for taking on as much as you have so far on your own!