AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

[Ellenswamy]

when we enable DNS filter, should we set it to no filtering or router?

 

[SomeWhereOverTheRainBow]

when we enable DNS filter, should we set it to no filtering or router?

router

 

[Stephen Harrington]

I commend you for taking on as much as you have so far on your own!

Probably just my usual approach of, after consideration and research, concluding "I will only learn by giving it a go and making mistakes", plus my penchant for looking like a fool in public. It's a heady cocktail!

 

[Ellenswamy]

Can someone share the default settings for dns cache for AdGuard home? I want to change mine back to default’

 

[Stephen Harrington]

Can someone share the default settings for dns cache for AdGuard home?

I'm PRETTY sure I've never touched that bit of the config ...

 

[dd900]

Private reverse DNS servers are not working

"AdGuard Home could not determine suitable private reverse DNS resolvers for this system."

Spoiler: Upstream DNS servers

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/baserouter/][::]:553
[//][::]:553

Spoiler: Private reverse DNS servers

[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

Spoiler: dnsmasq.conf

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=baserouter
expand-hosts
bogus-priv
domain-needed
local=/baserouter/
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,15,baserouter
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-host=80:CC:9C:30:E3:46,set:80:CC:9C:30:E3:46,192.168.1.22
dhcp-host=94:C6:91:A7:71:C2,set:94:C6:91:A7:71:C2,192.168.1.253
dhcp-host=80:CC:9C:33:2F:B4,set:80:CC:9C:33:2F:B4,192.168.1.204
dhcp-host=80:CC:9C:30:E3:61,set:80:CC:9C:30:E3:61,192.168.1.49
dhcp-host=B0:05:94:63:AE:71,set:B0:05:94:63:AE:71,192.168.1.40
dhcp-host=80:60:B7:FE:95:EF,set:80:60:B7:FE:95:EF,192.168.1.41
dhcp-host=50:1A:C5:22:69:C4,set:50:1A:C5:22:69:C4,192.168.1.16
dhcp-host=80:F3:EF:A4:EA:A8,set:80:F3:EF:A4:EA:A8,192.168.1.174
dhcp-host=DC:A6:32:BD:4E:17,set:DC:A6:32:BD:4E:17,192.168.1.31
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1280
port=553
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
local=//
dhcp-option=lan,6,0.0.0.0

 

[fearz]

Hi

Whenever I install i get this:


Info: JFFS custom scripts and configs are already enabled.
*** Error: Potential stubby installation detected.
*** Error: Please remove before attempting to continue.
*** Error: Exiting...



Stubby isn't installed (i guess) how to check or remove it?

 

[dave14305]

Stubby isn't installed (i guess) how to check or remove it?

It’s finding one of these files:
/opt/etc/init.d/S61stubby
/opt/sbin/stubby
/opt/bin/install_stubby
/jffs/scripts/install_stubby.sh

 

[SomeWhereOverTheRainBow]

Private reverse DNS servers are not working

"AdGuard Home could not determine suitable private reverse DNS resolvers for this system."

Spoiler: Upstream DNS servers

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/baserouter/][::]:553
[//][::]:553

Spoiler: Private reverse DNS servers

[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

Spoiler: dnsmasq.conf

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=baserouter
expand-hosts
bogus-priv
domain-needed
local=/baserouter/
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,15,baserouter
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-host=80:CC:9C:30:E3:46,set:80:CC:9C:30:E3:46,192.168.1.22
dhcp-host=94:C6:91:A7:71:C2,set:94:C6:91:A7:71:C2,192.168.1.253
dhcp-host=80:CC:9C:33:2F:B4,set:80:CC:9C:33:2F:B4,192.168.1.204
dhcp-host=80:CC:9C:30:E3:61,set:80:CC:9C:30:E3:61,192.168.1.49
dhcp-host=B0:05:94:63:AE:71,set:B0:05:94:63:AE:71,192.168.1.40
dhcp-host=80:60:B7:FE:95:EF,set:80:60:B7:FE:95:EF,192.168.1.41
dhcp-host=50:1A:C5:22:69:C4,set:50:1A:C5:22:69:C4,192.168.1.16
dhcp-host=80:F3:EF:A4:EA:A8,set:80:F3:EF:A4:EA:A8,192.168.1.174
dhcp-host=DC:A6:32:BD:4E:17,set:DC:A6:32:BD:4E:17,192.168.1.31
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1280
port=553
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
local=//
dhcp-option=lan,6,0.0.0.0

You are fine, this is false alarm because you must have selected you wanted local servers. AdGuardHome prints this error when it cannot determine anything but 127.0.0.1 inside /etc/resolv.conf. As long as some of your clients are identified, then is working. The ARP cache clients don't get identified by hostname (yet) because they skip hostnames since the routers arp cache does not hand off hostnames with the address's. I have put in a feature request for adguardhome to try reverse lookup for clients whos hostnames are not found in arpa cache.

Simply asuswrt routers does not support hostname lookups from the arp cache.

and the error you reference comes from adguardhome not being able to find your isp servers (or any other, other than local such as 127.0.0.1) listed inside /etc/resolv.conf. AdGuardHome has a bad privacy practice that they do not "perceive" as a bad privacy practice where your local request get leaked to upstream if anything other than local is listed inside /etc/resolv.conf.

 

[dd900]

You are fine, this is false alarm because you must have selected you wanted local servers. AdGuardHome prints this error when it cannot determine anything but 127.0.0.1 inside /etc/resolv.conf. As long as some of your clients are identified, then is working. The ARP cache clients don't get identified by hostname (yet) because they skip hostnames since the routers arp cache does not hand off hostnames with the address's. I have put in a feature request for adguardhome to try reverse lookup for clients whos hostnames are not found in arpa cache.

Simply asuswrt routers does not support hostname lookups from the arp cache.

and the error you reference comes from adguardhome not being able to find your isp servers (or any other, other than local such as 127.0.0.1) listed inside /etc/resolv.conf. AdGuardHome has a bad privacy practice that they do not "perceive" as a bad privacy practice where your local request get leaked to upstream if anything other than local is listed inside /etc/resolv.conf.

Thank you for clarifying.

 

[SomeWhereOverTheRainBow]

Thank you for clarifying.

You are very much welcome. While I understand alarming concerns by when AdGuardHome might annouce, please still continue to let me know feedback. I also consider the privacy of those who use this script. While I am still what some would consider as a "young" for developing, I share all the main concerns the rest of the Addon Developers share. There are many devs who's opinion I hold the highest regard, so please take their advice into consideration as well. @dave14305 @ColinTaylor @Viktor Jaep @Jack Yaz @thelonelycoder @Martineau @L&LD and @RMerlin (are some of the few) ... and many more. I consider your opinions with the highest regard. Please feel free to share your thoughts any time as well.

 

[dd900]

Is it normal to have reverse lookups to google IPs coming from localhost? I'm not using their DNS servers anywhere.

Happens every 5 minutes

 

[SomeWhereOverTheRainBow]

Is it normal to have reverse lookups to google IPs coming from localhost? I'm not using their DNS servers anywhere.
View attachment 41882
Happens every 5 minutes

yes, that is the check to see if the DNS is still active. Okay so the manager script has a watch dog to ensure the DNS is active, (just incase adguardhome dies abruptly). Here is the script if you like to examine it.

Asuswrt-Merlin-AdGuardHome-Installer/AdGuardHome.sh at master · jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer

The Official Installer of AdGuardHome for Asuswrt-Merlin - jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer

github.com

and here is the very mild network check

Asuswrt-Merlin-AdGuardHome-Installer/AdGuardHome.sh at master · jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer

The Official Installer of AdGuardHome for Asuswrt-Merlin - jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer

github.com

These modifications became necessary when users reported AdGuardHome either stopped working, or killed itself because of its own bad signal interpretations within the terminal environment which it was spawned. TBH it serves as a good fail safe for internet that may only disable for seconds versus minutes before you realize your DNS is inactive.

 

[dd900]

Thank you again. Now that I know where it's coming from it won't bother me anymore.

 

[unrealliving]

Hello everybody, it is about a week when I silently google a lot and was making some experiments with AdguardH and Unbound to see how some of my sites are loaded and some ad sites testers, how ads are handled. I still thinking that I want to use both, but as I read there in forums there is no point of doing that. It would be nice if someone could say about security of using ADH or Unbound. I think about this because of simple knowledge on the internet, that it's okay to encrypt data which you are sending (I mean queries for accessing the web sites and so on). There is DNS-over-TLS, DNSSEC which is some kind of encrypting and checking "thing", but if I install ADH all theses things doesn't mater any more? Because ADH could work as a resolver and everything is filtrated threw it and relays on that company. So is this the logic that because ADH sits on the router it do not need to encrypt data which I am sending and this is why I should not bother my self about DNS-over-TLS, DNSSEC?

As of Unbound perspective, also the same - DNS-over-TLS, DNSSEC should be disabled. Again is it because of that my resolver sits on my router and data is not going out, which in other case scenario (default router behavior with default stuff) is sending some where the data and this is why it is better to encrypt it and check it?

What I liked about ADH is that DNS server is changed and is not exposed as your exact IP address, which happens with Unbound, so on that scenario I thought that ADH it might be better choice with simple default settings than Unbound?

I know that my questions are not straight forward, but it is because when I need to choose, but can't really understand what is better? To have all handled by AGH OR try to configure correctly Unbound, which needs more programmer skills to configure it safe. So experienced opinion with some simple explanations and suggestions are very welcome, because as I was searching information on the internet I founded always the same questions why I need it or why I don't (I mean DNS-over-TLS, DNSSE and other), but can't find correct answer that it is SAFE and if you try to use it - it won't be safer.

I own GT-AX11000 and want to use WireGuard on it (still don't know how, but I will ask about it in other thread). On my plans is simple things - simple safe and clean browsing, safe internet for my smart devices at home, Transmission for Torrents with VPNdirector rules, and some privacy as I can get from the stuff which could be easily handled by my router (maybe some one already founded all needed combinations of scripts and simplicity)

P.S. Want ADH because of simplicity using it, but Unbound was less noticeable in internet browsing so I liked it, but not sure that I am really safe, becauce DNS is exposed as my IP, no other options to choose, just relay on added Unbound scripts which might could be hacked some how on my router or some one could implement something in Unbound adblock script and so on. So again, it would be nice to get some opinions about that or concentrated information (not saying to google it ) to get more knowledge to start to less worry. And sorry if it's not correct thread, but I thought that it's correct because there is already other which worries about ADH and Unbound and want to use them both.

Thanks.

 

[SomeWhereOverTheRainBow]

Hello everybody, it is about a week when I silently google a lot and was making some experiments with AdguardH and Unbound to see how some of my sites are loaded and some ad sites testers, how ads are handled. I still thinking that I want to use both, but as I read there in forums there is no point of doing that. It would be nice if someone could say about security of using ADH or Unbound. I think about this because of simple knowledge on the internet, that it's okay to encrypt data which you are sending (I mean queries for accessing the web sites and so on). There is DNS-over-TLS, DNSSEC which is some kind of encrypting and checking "thing", but if I install ADH all theses things doesn't mater any more? Because ADH could work as a resolver and everything is filtrated threw it and relays on that company. So is this the logic that because ADH sits on the router it do not need to encrypt data which I am sending and this is why I should not bother my self about DNS-over-TLS, DNSSEC?

As of Unbound perspective, also the same - DNS-over-TLS, DNSSEC should be disabled. Again is it because of that my resolver sits on my router and data is not going out, which in other case scenario (default router behavior with default stuff) is sending some where the data and this is why it is better to encrypt it and check it?

What I liked about ADH is that DNS server is changed and is not exposed as your exact IP address, which happens with Unbound, so on that scenario I thought that ADH it might be better choice with simple default settings than Unbound?

I know that my questions are not straight forward, but it is because when I need to choose, but can't really understand what is better? To have all handled by AGH OR try to configure correctly Unbound, which needs more programmer skills to configure it safe. So experienced opinion with some simple explanations and suggestions are very welcome, because as I was searching information on the internet I founded always the same questions why I need it or why I don't (I mean DNS-over-TLS, DNSSE and other), but can't find correct answer that it is SAFE and if you try to use it - it won't be safer.

I own GT-AX11000 and want to use WireGuard on it (still don't know how, but I will ask about it in other thread). On my plans is simple things - simple safe and clean browsing, safe internet for my smart devices at home, Transmission for Torrents with VPNdirector rules, and some privacy as I can get from the stuff which could be easily handled by my router (maybe some one already founded all needed combinations of scripts and simplicity)

P.S. Want ADH because of simplicity using it, but Unbound was less noticeable in internet browsing so I liked it, but not sure that I am really safe, becauce DNS is exposed as my IP, no other options to choose, just relay on added Unbound scripts which might could be hacked some how on my router or some one could implement something in Unbound adblock script and so on. So again, it would be nice to get some opinions about that or concentrated information (not saying to google it ) to get more knowledge to start to less worry. And sorry if it's not correct thread, but I thought that it's correct because there is already other which worries about ADH and Unbound and want to use them both.

Thanks.

Okay, here is my experience .Whenever I run adguardhome with my list, cpu is at about 89 to 91 percent use. If I put Unbound in my upstream without any Unbound block features and minimized cache and not DoT on Unbound, that usage goes to about 97 to 98 percent. This is me using unbound recursively (i.e. no forwarding). I have also not enabled any of the unbound webui statistic features either.

 

[unrealliving]

Okay, here is my experience .Whenever I run adguardhome with my list, cpu is at about 89 to 91 percent use. If I put Unbound in my upstream without any Unbound block features and minimized cache and not DoT on Unbound, that usage goes to about 97 to 98 percent. This is me using unbound recursively (i.e. no forwarding). I have also not enabled any of the unbound webui statistic features either.

So if understand correct, your opinion is ADH anlone is better choice? And what about that all safety protocols DoT. Is it safer to try to enable it?

 

[SomeWhereOverTheRainBow]

So if understand correct, your opinion is ADH anlone is better choice? And what about that all safety protocols DoT. Is it safer to try to enable it?

So adguardhome has a resolver capable of DoT, DoH,DoQ,dnscrypt. All you have to do is place the correct server format for the upstream, which adguardhome provides you with a link to a site that provides the correct formats for any upstream encryption they support. The link is literally provided right above where you input the upstream servers.


If you are talking about accessing your adguardhome "remotely" or on the go, then it is better for you to do so over the routers built in openvpn server, that way you are not having to open too many ports on the router, and are less likely to break something since the router webui selection takes care of all the openvpn optimizations you as a home user would ever need to worry about.

 

[unrealliving]

Other simple question - is there any benefit of having ADH pro or ADH family subscription when using Merlin installed ADH?

 

[SomeWhereOverTheRainBow]

Other simple question - is there any benefit of having ADH pro or ADH family subscription when using Merlin installed ADH?

That you would need to ask someone who pays for those services. Either of which you don't need in order to receive the same level of benefit from adguardhome as someone without those subscriptions.