What's new

AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

For anyone else setting this up, this is the setting on the VPN Client page: "Accept DNS Configuration" needs to be Disabled
1643511555944.png
 
what version of the installer are you using? Also, make sure you have your NTP servers in unbound listed as insecure so it is not trying to run DNSSEC on them. Here is an example. Unbound could be waiting for NTP for dnssec, but unable to resolve because it needs accurate time to perform DNSSEC, it could be failing to resolve the domains associated with NTP servers because it is waiting for accurate time.Thus we have to tell it the time servers are insecure so it is not attempting to perform looks ups with dnssec on them.

Code:
   # Fix NTP
    domain-insecure: "time1.google.com"
    domain-insecure: "time2.google.com"
    domain-insecure: "time3.google.com"
    domain-insecure: "time4.google.com"

However, I find it interesting that you say you cannot resolve NTP for six minutes. AdGuardHome runs as S99 which is after unbound even starts. DNSMASQ isn't requested to step out of the way until AdGuardHome starts. Since the router relies on DNSMASQ in general for initial NTP lookups, something is wrong with your configuration in general.
Shame there is no pastebinit tool for the router. Would make the copy of configs much easier :)

It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4

unbound config
adguard.config

adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"

gives this error when opening amtm and then opening unbound

+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file



/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file

***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

or 'e' exit; then issue debug command

unbound -dv

EDIT:
syslog - Pastebin.com

Unbound still does not come up and the system has been running for 33 minutes.

I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

and that worked without complaints from unbound. But it does not solve my issues.

EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings

I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
 
Last edited:
I have pushed a minor update for amtm, no version change.

What's new
CHANGED: Checks which AdGuardHome binary branch is installed.
Only the release branch will be checked for updates with u.
 
Shame there is no pastebinit tool for the router. Would make the copy of configs much easier :)

It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4

unbound config
adguard.config

adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"

gives this error when opening amtm and then opening unbound

+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file



/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file

***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

or 'e' exit; then issue debug command

unbound -dv

EDIT:
syslog - Pastebin.com

Unbound still does not come up and the system has been running for 33 minutes.

I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

and that worked without complaints from unbound. But it does not solve my issues.

EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings

I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
Yea will have to bring that error check up with unbound-manager script dev. Those lines have worked in any unbound.conf I have ever used.
 
Yea will have to bring that error check up with unbound-manager script dev. Those lines have worked in any unbound.conf I have ever used.
adding these lines to the bottom of the unbound config
# Fix NTP

domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"

gives this error when opening amtm and then opening unbound
When using unbound_manager, it is recommended to place unbound customserver: directives in

'/opt/share/unbound/configs/unbound.conf.add'

Alternatively insert the directives into 'unbound.conf' as per the official unbound documentation.... https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#server-options
 
Last edited:
Shame there is no pastebinit tool for the router. Would make the copy of configs much easier :)

It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4

unbound config
adguard.config

adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"

gives this error when opening amtm and then opening unbound

+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file



/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file

***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

or 'e' exit; then issue debug command

unbound -dv

EDIT:
syslog - Pastebin.com

Unbound still does not come up and the system has been running for 33 minutes.

I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

and that worked without complaints from unbound. But it does not solve my issues.

EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings

I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
So there are two conditions I could think of where Asuswrt-Merlin has a hard time getting NTP.
Condition #1
No DNS server defined for Wan dns 1 or Wan dns 2

(this is where the user has turned off use automatically and cleared out the wan dns1 and wan dns 2 slots)
1643555154701.png


Condition #2
You are in some kind of strange Double Nat Situation or Your ISP configuration is creating some type of connection interference or issue.


Solutions I have seen in the past to circumvent this:

#1

Put IP address inside the NTP server slot. While this solves the need for dnsmasq to resolve the IP, it creates an issue if someday the IP address were to out of the blue change.

#2

Try to force DNSMASQ to know what address to use to resolve the ntp domain
example: dnsmasq.conf.add

server=/time1.google.com/8.8.8.8

This tells dnsmasq to only use google to resolve its ntp domain.

#3

Attempt to tell unbound to allow resolving of the domain as insecure thus avoiding the need to check it as a secure dnssec domain first.
 
You should comment out or disable unbound from using its adblock feature because this could be cumbersome on the router potentially limiting the necessary memory you need to use unbound efficiently along side adguardhome. There is no reason to overlap blockers like such. It adds no real value and create extra strain that would other wise not exist on your router.
What settings are these? I dont have unbound to block ads, not via amtm atleast, and I have not enabled that earlier either.
 
So there are two conditions I could think of where Asuswrt-Merlin has a hard time getting NTP.
Condition #1
No DNS server defined for Wan dns 1 or Wan dns 2

(this is where the user has turned off use automatically and cleared out the wan dns1 and wan dns 2 slots)
View attachment 39071

Condition #2
You are in some kind of strange Double Nat Situation or Your ISP configuration is creating some type of connection interference or issue.


Solutions I have seen in the past to circumvent this:

#1

Put IP address inside the NTP server slot. While this solves the need for dnsmasq to resolve the IP, it creates an issue if someday the IP address were to out of the blue change.

#2

Try to force DNSMASQ to know what address to use to resolve the ntp domain
example: dnsmasq.conf.add

server=/time1.google.com/8.8.8.8

This tells dnsmasq to only use google to resolve its ntp domain.

#3

Attempt to tell unbound to allow resolving of the domain as insecure thus avoiding the need to check it as a secure dnssec domain first.
I dont think it has anything to do with the insecure option since unbound needs a working clock in order to start and ntp needs a working revolver to start so neither can start du to eachother.

And I did try the insecure option and there was no difference.

The solution was to set a ip adress to a external NTP server in the NTP field in the system settings.
 
Yea will have to bring that error check up with unbound-manager script dev. Those lines have worked in any unbound.conf I have ever used.
They did work, just they could not be placed at the bottom of the conf. They needed to be added directly under the #DNSSEC tag.

But it would not hurt with more options in the script menu in amtm for unbound to enable, disable dnssec, DoH, domain-insecure for NTP and whatever good stuff there could be there.

And also something that checks for NTP to be able to work if DNSSEC is enabled in adguard.
I have not turned that off and use only DoH in adguard. Sinne some reddit post claimed that it was unneccessery if DNSSEC was enabled in unbound.

Either way, some failsafe ip only adress for NTP would not hurt.
 
The problem with the ip method is that ips are not always constant. If the maintainers decide to change addresses, then that can be problematic for you during normal use. At best, it is a bandaid solution. It makes sense that the insecure option doesn't work, if unbound manager requires ntp to be active before allowing unbound to run. This option would only be valid if unbound was allowed to start without wait.

Yes, is there no safe bet ip's to use? Like google dns will probably never change? Something similar for NTP. Like a brunch of ip's.
 
They did work, just they could not be placed at the bottom of the conf. They needed to be added directly under the #DNSSEC tag.

But it would not hurt with more options in the script menu in amtm for unbound to enable, disable dnssec, DoH, domain-insecure for NTP and whatever good stuff there could be there.

And also something that checks for NTP to be able to work if DNSSEC is enabled in adguard.
I have not turned that off and use only DoH in adguard. Sinne some reddit post claimed that it was unneccessery if DNSSEC was enabled in unbound.

Either way, some failsafe ip only adress for NTP would not hurt.
Yes but adguardhome waiting has nothing to do with the ntp sync itself. That is a miss configuration on some how on your end preventing it. Adguard needs valid ntp for encryption and dnssec to work properly
 
...snipped...

And also something that checks for NTP to be able to work if DNSSEC is enabled in adguard.
I have not turned that off and use only DoH in adguard. Sinne some reddit post claimed that it was unneccessery if DNSSEC was enabled in unbound.
I think I read the same post too. When I use 127.0.0.1:53535 (unbound) as upstream DNS server in AGH, http://dnssec-or-not.com/ shows I am protected by DNSSEC. I did not use AGH encryption.
 
Yes but adguardhome waiting has nothing to do with the ntp sync itself. That is a miss configuration on some how on your end preventing it. Adguard needs valid ntp for encryption and dnssec to work properly
I have not changed when or how adguard should start. All installation is done via amtm. And configuration through web interface or amtm. Except the few extra lines for unbound.
 
That is not what is being said. Something is going on locally on your router where the clock is not getting set right whether it is because a misconfiguration with dnsmasq or your isp is blocking use of that ntp server. Some situation is happening behind the scenes preventing your router from getting time set. It has nothing to do with either adguardhome or unbound.( unless unbound circumvents the router initial dns needed for time sync some how which I don't think it does, I know adguardhome wouldnt.)
When installing adguard i choose the option to force all trafficking through adguard. If I dont choose this option the router settings in DNSfilter -> router, would get disabled. This is shown after a reboot.

And when i turn on the dnssec in adguard without extra upstream servers i get the same result. An loop where i cant access host lookup.

I am not an expert in any means, and I do wish there were more automation for these options, dnssec, doh, your own dns resolver etc. Autogenerating sdns strings and such.
 
Hey adguard home installer only turns on dnsfilter or turns it off depending on what you specify, which only points at the router for enforcing clients to use the router. If you are having issues with this you are doing something wrong on your end.
Ok, like what?
 
Got that covered

In my case, I just want to use DoT servers for upstream purposes. Not running anything locally.

I guess that was a little confusing... the question asked "do you want SOME DNS traffic to only go through AGH"... I selected "no" in this case, wanting all traffic to go through AGH.

In doing so, was that normal behavior, that the installer turned off my DoT setting on my WAN DNS page, and enabled the DNS Filter setting, selecting Router?

What happens if I change my WAN DNS back to DoT enabled for Quad9? Would that bork AGH? When I install an update, would it just disable it again?


Thanks for the link... I read through this whole thread, and didn't pick up on that. I will just comment it out for now and see if has any adverse behaviors. I am not using any unqualified names locally.

So I did have a DoT cloudfare upstream server in my list... I gave it try, and it did come back as DoT being enabled. Thanks!

That's a lot of effort. LOL

So I take it that the "Plain DNS" mentioned in the log is just a normal message then, even if DoT is working?

View attachment 39032

Thanks for your help!
Here is how you tell if your traffic is going by way of encryption, Hover your mose over the ? mark next to the processed query. (not the question mark by the IP address).

1643610717203.png
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top