What's new

AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Now, I'm using v1.0.3. Do I need to update to latest version or just use that version?
 
Thank you for the great work on this, @SomeWhereOverTheRainBow! I got this installed last night on my AC86U, upgraded to the latest version this morning, wanted to ask a few questions, and pass along a few observations of before/after?

First off... I previously had my router setup to utilize Quad9's DoT service... and that seemed to be working quite well. After getting AGH installed, I noticed it made a few changes to my setup, and wanted to make sure that this is by design, and is configured this way so that AGH works properly?

First off, it seems it changed my DNS Privacy Protocol to "None"... Before it had "DoT" selected. But now there's a new message underneath stating that the DNSFilter is now enabled.
View attachment 39021

So, under LAN->DNS Filter, it switched the DNSFilter to "ON", as it was previously off... and the only selection present is "Router"
View attachment 39022

Not being familiar with how these settings behave in conjunction with AGH, is this all correct to allow AGH to continue using DoT? This is what I currently have in my upstream settings, utilizing the "Parallel Requests" option:

Code:
[/router.asus.com/]192.168.1.1:553
[/www.asusnetwork.net/]192.168.1.1:553
[/www.asusrouter.com/]192.168.1.1:553
[/use-application-dns.net/]192.168.1.1:553
[/dns.resolver.arpa/]192.168.1.1:553
[/lan/]192.168.1.1:553
[//]192.168.1.1:553
tls://dns-family.adguard.com
tls://dns.quad9.net
tls://security.cloudflare-dns.com
https://doh.opendns.com/dns-query

The thing that worries me is that the [//]192.168.1.1:553 would seem to be able to bypass the requirement to use TLS and hit the plain DNS servers setup under the WAN DNS section? Isn't that a catch-all?

When looking at the log, all my entries say "Type A, Plain DNS"... which concerns me as well. Would it still say "Plain DNS" if TLS is working, or would it say "TLS DNS"? Just not sure what this means.

View attachment 39026

Also, is there any way to test or validate that outgoing DNS requests from AGH are going over TLS?

From a performance aspect, I noticed some strange entries under %VSZ... is 200.7% of virtual memory an expected figure?

View attachment 39023

From a load aspect, it runs pretty lean... but did notice a loss of available RAM... probably between 50-75MB. I'll keep my eye on this to see if it settles more over time.

View attachment 39024

Appreciate your hard work, your lightning-fast support, fixes and updates for everyone using your AGH implementation! Thanks in advance for your feedback on this above! ;)
Some basics:
  1. Make sure you are using a swap of atleast 2gb.
  2. Stubby is turned off by design because using adguardhome allows both DoT servers in the upstream, or may act as a Remote DoT server for users enables it. (truely to prevent any conflicts or miss configurations).
  3. If you enable DNSfilter in the DNSfilter one question of the installer it enforces AdGuardHome as DNS on your network by setting DNSfilter global to router. The second DNSFilter question on the installer allows users to leave custom configurations. If you say don't leave custom configurations, you will lose any of your own defined rules, everything will be forced to Router.
  4. The private reverse looks used will only talk to dnsmasq, because local= rules are defined in dnsmasq.conf to define local traffic preventing upstream leakage. in regards to the [//] look at this post http://www.snbforums.com/threads/re...dguardhome-installer-amaghi.76506/post-735717 . it covers unqualified names.
  5. To tell if your using DoT or DoH, just plug in cloudflare as your server for either, and run the cloudflare help test. https://1.1.1.1/help
  6. The only other way to test you are using such is to use a TCP dump with wireshark.
If the [//] bothers you too much, you can simply remove it. It is only setup as an initial value. any time you upgrade after, the installer does not mess with your .yaml formatting other than just to check it to make sure it is working.
 
Last edited:
Some basics:
  1. Make sure you are using a swap of atleast 2gb.
Got that covered
  1. Stubby is turned off by design because using adguardhome allows both DoT servers in the upstream, or may act as a Remote DoT server for users enables it. (truely to prevent any conflicts or miss configurations).
In my case, I just want to use DoT servers for upstream purposes. Not running anything locally.
  1. If you enable DNSfilter in the DNSfilter one question of the installer it enforces AdGuardHome as DNS on your network by setting DNSfilter global to router. The second DNSFilter question on the installer allows users to leave custom configurations. If you say don't leave custom configurations, you will lose any of your own defined rules, everything will be forced to Router.
I guess that was a little confusing... the question asked "do you want SOME DNS traffic to only go through AGH"... I selected "no" in this case, wanting all traffic to go through AGH.

In doing so, was that normal behavior, that the installer turned off my DoT setting on my WAN DNS page, and enabled the DNS Filter setting, selecting Router?

What happens if I change my WAN DNS back to DoT enabled for Quad9? Would that bork AGH? When I install an update, would it just disable it again?

  1. The private reverse looks used will only talk to dnsmasq, because local= rules are defined in dnsmasq.conf to define local traffic preventing upstream leakage. in regards to the [//] look at this post http://www.snbforums.com/threads/re...dguardhome-installer-amaghi.76506/post-735717 . it covers unqualified names.
Thanks for the link... I read through this whole thread, and didn't pick up on that. I will just comment it out for now and see if has any adverse behaviors. I am not using any unqualified names locally.
  1. To tell if your using DoT or DoH, just plug in cloudflare as your server for either, and run the cloudflare help test. https://1.1.1.1/help
So I did have a DoT cloudfare upstream server in my list... I gave it try, and it did come back as DoT being enabled. Thanks!
  1. The only other way to test you are using such is to use a TCP dump with wireshark.
That's a lot of effort. LOL

So I take it that the "Plain DNS" mentioned in the log is just a normal message then, even if DoT is working?

1643483022492.png


Thanks for your help!
 
Last edited:
View attachment 38356

This part here, I got it setup reusing the certificate cert and private key from the Asus DDNS "Let's Encrypt". I don't want to have generate separate certificate just for Adguard Home.

I found a detail instruction how Adguard, Unbound, and DOT/DOH/DOQ configuare but it's alittle over my head.

Which one is the private key and cert used from DDNS letsencrypt? domain.asuscomm.com ?

EDIT:
It seems to be:
cert: /jffs/.le/domain.asuscomm.com/fullchain.cer
private key: /jffs/.le/domain.asuscomm.com/domain.asuscomm.com.key
 
Got that covered

In my case, I just want to use DoT servers for upstream purposes. Not running anything locally.

I guess that was a little confusing... the question asked "do you want SOME DNS traffic to only go through AGH"... I selected "no" in this case, wanting all traffic to go through AGH.

In doing so, was that normal behavior, that the installer turned off my DoT setting on my WAN DNS page, and enabled the DNS Filter setting, selecting Router?

What happens if I change my WAN DNS back to DoT enabled for Quad9? Would that bork AGH? When I install an update, would it just disable it again?


Thanks for the link... I read through this whole thread, and didn't pick up on that. I will just comment it out for now and see if has any adverse behaviors. I am not using any unqualified names locally.

So I did have a DoT cloudfare upstream server in my list... I gave it try, and it did come back as DoT being enabled. Thanks!

That's a lot of effort. LOL

So I take it that the "Plain DNS" mentioned in the log is just a normal message then, even if DoT is working?

View attachment 39032

Thanks for your help!
Yes, all of what you experienced is normal behavior, and you will only experience it running the installer. Stubby is initially turned off when you launch into the main menu. This is by design, to prevent any listening address issues that might arise in the future. For example, try running DoT on AdGuardHome and Stubby at the same time. Let me know if it works. While, you may have the intentions of using your setup your own way. I have to factor in the what-if during install time less everyone reports issues to me because they didn't realize they left stubby on, or they didn't realize they forgot to clear DHCP 1 thus their DNS request are going around adguardhome instead of using adguardhome.
If you tell it No that you do no not want to redirect DNS ( in the first question), the normal behavior is to turn off DNSFilter.
If you tell it Yes that you do want to redirect DNS ( in the first question), the normal behavior is to turn on DNSFilter.
If you answer No (in the second question) you are effectively telling it to clear all your custom DNS filter rules while setting DNSFilter global to router.
If you answer Yes (to the second question), you are effectively telling it to leave your custom settings alone, while only changing DNSFilter global to router.

I feel as though I am being as clear as I can be without reinventing the wheel on these matters.
 
how have you guys solved the local NTP updating after a reboot when using AdGuard home and unbound with DoT enabled in AdGuard home?
after a reboot it takess ~6 minutes for AdGuard home starts and unbound does not follow, thanks to this NTP issue. Unbound wants NTP to start and NTP cant sync because unbound does not start. It's a stupid loop.

config
 
Yes, all of what you experienced is normal behavior, and you will only experience it running the installer. Stubby is initially turned off when you launch into the main menu. This is by design, to prevent any listening address issues that might arise in the future. For example, try running DoT on AdGuardHome and Stubby at the same time. Let me know if it works. While, you may have the intentions of using your setup your own way. I have to factor in the what-if during install time less everyone reports issues to me because they didn't realize they left stubby on, or they didn't realize they forgot to clear DHCP 1 thus their DNS request are going around adguardhome instead of using adguardhome.
If you tell it No that you do no not want to redirect DNS ( in the first question), the normal behavior is to turn off DNSFilter.
If you tell it Yes that you do want to redirect DNS ( in the first question), the normal behavior is to turn on DNSFilter.
If you answer No (in the second question) you are effectively telling it to clear all your custom DNS filter rules while setting DNSFilter global to router.
If you answer Yes (to the second question), you are effectively telling it to leave your custom settings alone, while only changing DNSFilter global to router.

I feel as though I am being as clear as I can be without reinventing the wheel on these matters.
Thanks so much for the further detail on this! I appreciate it very much, and helps further my understanding of its behavior in relation to the DNSfilter and DoT. :)
 
how have you guys solved the local NTP updating after a reboot when using AdGuard home and unbound with DoT enabled in AdGuard home?
after a reboot it takess ~6 minutes for AdGuard home starts and unbound does not follow, thanks to this NTP issue. Unbound wants NTP to start and NTP cant sync because unbound does not start. It's a stupid loop.

config
what version of the installer are you using? Also, make sure you have your NTP servers in unbound listed as insecure so it is not trying to run DNSSEC on them. Here is an example. Unbound could be waiting for NTP for dnssec, but unable to resolve because it needs accurate time to perform DNSSEC, it could be failing to resolve the domains associated with NTP servers because it is waiting for accurate time.Thus we have to tell it the time servers are insecure so it is not attempting to perform looks ups with dnssec on them.

Code:
   # Fix NTP
    domain-insecure: "time1.google.com"
    domain-insecure: "time2.google.com"
    domain-insecure: "time3.google.com"
    domain-insecure: "time4.google.com"

However, I find it interesting that you say you cannot resolve NTP for six minutes. AdGuardHome runs as S99 which is after unbound even starts. DNSMASQ isn't requested to step out of the way until AdGuardHome starts. Since the router relies on DNSMASQ in general for initial NTP lookups, something is wrong with your configuration in general.
 
Last edited:
I wonder if anyone has had a chance to try and get Adguard to work with YazFi Guest?

No matter what I point the DNS entry to, I get 'no internet'. Work fine when Adguard is uninstalled.

I've tried using the router guest IP as the DNS, tried the router LAN IP, tried outside DNS servers. Nothing seems to work

Edit: using adguard installer 1.1.1 and Latest version of YazFi


Edit#2: Problem was with VPN redirection :)
 
Last edited:
I wonder if anyone has had a chance to try and get Adguard to work with YazFi Guest?

No matter what I point the DNS entry to, I get 'no internet'. Work fine when Adguard is uninstalled.

I've tried using the router guest IP as the DNS, tried the router LAN IP, tried outside DNS servers. Nothing seems to work
so say for example your using 192.168.7.0/24 as your address subnet for guest clients. You need to put 192.168.7.1 in the DNS server slot and tell yazfi to enforce the dns. for example

1643506733456.png
 
Last edited:
You're too quick.

It's a problem with my VPN setup (I was redirecting to VPN which doesn't work).

Once I disable the redirect to VPN I got connected.
:)
You probably need to establish a rule that says address specifically from 192.168.7.1 (if that is the address for DNS), travels via the wan. Allow all other traffic after from that subnet to travel the VPN. Or you will have to specifically define the DNS server of your VPN inside AdguardHome, or you need to specify a route that establishes 192.168.7.1 must go via the VPN if you want it tunneled.
 
a
You probably need to establish a rule that says address specifically from 192.168.7.1 (if that is the address for DNS), travels via the wan. Allow all other traffic after from that subnet to travel the VPN.
I had that, my VPN director rules seem to have broken. I'm testing right now to see if I can get the VPN rules back and the turn the redirection back on to see what happens.
 
refresh your browser and re read the post because I added more possibilities to try.
Routing through VPN works, YazFi directing to VPN and using the router as DNS works, BUT, I'm getting ads.
I.E. I pick an app, open it, there are ads. I close the app, I switch to the LAN network, no ads.

I'll do a reboot and do some more testing.
 

Attachments

  • Screenshot from 2022-01-29 18-18-28.png
    Screenshot from 2022-01-29 18-18-28.png
    14.7 KB · Views: 84
  • Screenshot from 2022-01-29 18-20-12.png
    Screenshot from 2022-01-29 18-20-12.png
    25.6 KB · Views: 88
Routing through VPN works, YazFi directing to VPN and using the router as DNS works, BUT, I'm getting ads.
I.E. I pick an app, open it, there are ads. I close the app, I switch to the LAN network, no ads.

I'll do a reboot and do some more testing.
can you screen shot the settings that allow you to use AdGuardHome, but no ads. , also you probably have to tell the VPN server to Advertise No DNS, otherwise you could be use both the DNS of AdguardHome, and the vpn server.
 
Last edited:
The LAN network works consistently (it's the default rule in VPN Director)
The settings I screenshot above are unchanged.

What I'm wondering is if I need to change any interface settings in AdGuard itself for the 192.168.6.0/24 network.

View attachment 39044
I am pretty sure what is happening is your VPN is using its DNS along side AdGuardHome. So you are not seeing the blocks of AdGuardHome, because the looks of clients are going to both AdGuardHome and the VPN. Tell the VPN to not advertise itself as DNS. Set Accept DNS configuration to disabled.
 
That was it! :)
The VPN DNS server rule i am pretty sure were maybe even adding iptable rules which made your clients circumvent using AdGuardHome for DNS, especially if they came before the ones for the YazFi guestnetworks, But I am not too sure about this aspect. But at least I was correct that clients were using the VPN servers DNS instead of AdGuardHome.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top