AGH DNS Director problem

FourthandShort

Regular Contributor
Curious if someone might be able to point me in the right direction in using DNS Director.

I have AGH set up on a PC.

I have the WAN DNS Server set up to pull from Quad9.

I have the DNS Director setup with Global Redirection setup as No Redirection.

I have User Defined DNS 1 as the AGH server
I have User Defined DNS 2 as Cloudflare (1.1.1.1) for my wife's devices.

I am testing this on my laptop and using NSLookup.

My laptop has a custom entry which is using Custom DNS Server 1 (should be AGH).

To test, I create a re-write in AGH to point www.facebook.com to 8.8.8.8.

When I open a CMD and run NSLookup www.facebook.com, I get the standard answer of the actual IP address, showing it was pulled from Router.Lan. If I run nslookup www.facebook.com <ip of agh server>, I get the answer from the rewrite of 8.8.8.8. So when specifying the DNS server it works; however, running a normal nslookup without specifying, I get the regular answer.

My assumption was that using DNS Director would force the device in the entry to use whatever IP address was in the custom entry, but it appears that is not happening.

I am apparently missing something or have something set up incorrectly; any input would be appreciated.
 
It would help if you posted actual screenshots and LAN IP addresses in addition to the narrative. LAN IPs aren't uniquely identifying, so there's no harm in posting them.

Do you have any DNS servers entered on the LAN DHCP page? Share a screenshot.
Is IPv6 enabled? It sounds like you're only redirecting IPv4 DNS queries.
What is the LAN IP of the PC running AGH?
What DNS server does nslookup on the laptop think it is talking to?
 
It would help if you posted actual screenshots and LAN IP addresses in addition to the narrative. LAN IPs aren't uniquely identifying, so there's no harm in posting them.

Do you have any DNS servers entered on the LAN DHCP page? Share a screenshot.
Is IPv6 enabled? It sounds like you're only redirecting IPv4 DNS queries.
What is the LAN IP of the PC running AGH?
What DNS server does nslookup on the laptop think it is talking to?
Great questions. I started having issues and it got late so I just reverted everything back to normal.

I can try and recreate everything and share screenshots.

To try and answer some questions in advance, I had Quad9 setup on the WAN, nothing loaded into the LAN DHCP DNS setting.

I had enabled DNS Director and had setup No Redirection for the Global Redirection.

I entered 192.168.50.184 as the User Defined DNS 1
I entered 1.1.1.1 as User Defined DNS 2

Both were entered in IPv4 with IPv6 blank for both entries.


I had my wife’s iPhone and laptop set to use redirection for User Defined 2.

I had my Surface set to redirection to User Defined 1.

My assumption was that all devices connected to the router would use Quad9 while my wife’s would use Cloudflare and my Surface would hit the AdGuardHome server.

The testing was when I added a DNS rewrite to the AGH and ran the NSLookup via cmd by itself and it showed the true IP. When I specified the AGH using ‘NSLookup www.facebook.com 192.168.50.184’, it would give me the address in the rewrite.
 
Was there any evidence of your tests in the AGH query log? Seems simpler than testing a rewrite. Does the Surface keep the same MAC address always (no randomization)?

Any crap security software running on the Surface intercepting DNS?
 
Setting Global Redirection to "Router" will force clients to use the DNS provided by the router's DHCP server (or the router itself, in your case Quad9, if none is defined).
This way all clients will use Quad9, except your wife's iPhone, which will use Cloudflare, and your Surface device, which will use AGH, based on the rules specified in DNS Director.

Also make sure MAC randomization is disabled on the iPhone, or it will keep changing MAC addresses and the rules won't apply.
 
Curious if someone might be able to point me in the right direction in using DNS Director.

I have AGH set up on a PC.

I have the WAN DNS Server set up to pull from Quad9.

I have the DNS Director setup with Global Redirection setup as No Redirection.

I have User Defined DNS 1 as the AGH server
I have User Defined DNS 2 as Cloudflare (1.1.1.1) for my wife's devices.

I am testing this on my laptop and using NSLookup.

My laptop has a custom entry which is using Custom DNS Server 1 (should be AGH).

To test, I create a re-write in AGH to point www.facebook.com to 8.8.8.8.

When I open a CMD and run NSLookup www.facebook.com, I get the standard answer of the actual IP address, showing it was pulled from Router.Lan. If I run nslookup www.facebook.com <ip of agh server>, I get the answer from the rewrite of 8.8.8.8. So when specifying the DNS server it works; however, running a normal nslookup without specifying, I get the regular answer.

My assumption was that using DNS Director would force the device in the entry to use whatever IP address was in the custom entry, but it appears that is not happening.

I am apparently missing something or have something set up incorrectly; any input would be appreciated.
Can you remove the release tag, as you don't release anything?
 
Was there any evidence of your tests in the AGH query log? Seems simpler than testing a rewrite. Does the Surface keep the same MAC address always (no randomization)?

Any crap security software running on the Surface intercepting DNS?
I think I may have resolved it by following the instructions of a few others on here, rather than trying to recreate a different setup. It was showing activity in the AGH query logs when I specified that server in the nslookup, but when not specifying anything, it was pulling from the GTAX6000.Lan server (which I assume was the Quad9 DNS).

Once I followed the instructions of others (loaded the AGH server in the LAN, set Global to Router, set AGH to No Redirection, set wife's to Cloudflare), I think the setup is now stable.
 
Can you remove the release tag, as you don't release anything?
Sure thing, apologies. I posted this initially in the Merlin thread, and someone moved it to its own thread so as not to derail his thread (I would assume). I think the tag simply stayed with it. I went ahead and removed it and updated it to Solved to hopefully clarify things.
 
Sure thing, apologies. I posted this initially in the Merlin thread, and someone moved it to its own thread so as not to derail his thread (I would assume). I think the tag simply stayed with it. I went ahead and removed it and updated it to Solved to hopefully clarify things.
That is no biggie, but when you search and click on "Release", then all of them show up sorted.
 
It would help if you posted actual screenshots and LAN IP addresses in addition to the narrative. LAN IPs aren't uniquely identifying, so there's no harm in posting them.

Do you have any DNS servers entered on the LAN DHCP page? Share a screenshot.
Is IPv6 enabled? It sounds like you're only redirecting IPv4 DNS queries.
What is the LAN IP of the PC running AGH?
What DNS server does nslookup on the laptop think it is talking to?
So I thought I had this solved, but apparently not lol.

Curious about your take, as you seem incredibly knowledgeable on the subject. We had a storm over the weekend and the server running AGH lost power, so in the interim I updated the LAN DNS settings, and I have now spent a day and a half trying to get it back running. My gut is telling me the DNS Director is not fully working as I have it set up, so I may be doing something incorrectly.

I set up "Get DNS from ISP" as the Router DNS in WAN.
[screenshot: WAN DNS.png]

I then loaded two random global DNS servers (as a test) into my LAN DNS settings (they are Quad9 and AdGuard), so the entire network should be getting DNS through DHCP.
[screenshot: LAN DNS.png]


I have AGH running on a machine, and I loaded that machine into DNS Director and set it as No Redirection.

[screenshot: DNS Director.png]

My thought is that this would mean it gets its DNS from the ISP, so as to avoid a loopback or pulling either of the DHCP DNS servers.

However, when I go to that machine and run an ipconfig /all, I am seeing the two servers listed in the Router LAN settings:

[screenshot: ipconfig.png]

If I run an nslookup, it's pulling the first DNS entered into the LAN setting. I assumed DNS Director would trigger the No Redirection and would push those DNS queries to the ISP. Am I misunderstanding this by chance?

Any assistance would be great.
 
Your LAN DHCP DNS servers are going to be overridden by your Global redirection to Router. No one except the AGH machine will ever actually send a query to Control D (not Quad9) or Adguard.

Clients will never see any evidence of DNS Director. Their local DNS IPs won’t look any different. The router’s firewall will just be silently redirecting the queries to the chosen destination.
 
Your LAN DHCP DNS servers are going to be overridden by your Global redirection to Router. No one except the AGH machine will ever actually send a query to Control D (not Quad9) or Adguard.

Clients will never see any evidence of DNS Director. Their local DNS IPs won’t look any different. The router’s firewall will just be silently redirecting the queries to the chosen destination.
Previously I had the AGH server set in the LAN DNS, as I wanted to route all internal DNS queries to the AGH instance. Then in DNS Director, I had the AGH server set to No Redirection, as I thought that would get its DNS from what is in the WAN setting. Am I mistaken?

This post from @bennor talked about adding the AGH dns to the LAN and then adding an entry in DNS Director for the AGH to No Redirection. My assumption was this was to allow the AGH to use DNS external servers and to handle resolution without getting steered back to the router.

This post by bennor talks about having to handle Pi-hole setups a bit differently with the new firmware (I am running 3006.102.4); would this be a better approach?

With this all being considered. When trying to do this today, I am not having success. Any guidance? How should I steer the AGH server to external DNS servers, but internal requests back to the AGH instance?
 
To follow up, I went ahead and tried testing DNS Director with the AGH server address entered as Custom Entry 1, so everything should be routed through the AGH DNS server:

[screenshot: DNS Director 2.png]

The AGH server is set to No Redirection to try and expose it to external DNS servers to avoid a loopback.

I then added a DNS rewrite to my AGH server for www.fone.com to redirect to 1.1.1.1 (to test that DNS Director is working).

I opened a CMD, flushed my DNS, and renewed my DHCP reservation with ipconfig /renew (hope that was how I should do it).

I then ran nslookup (on a different machine), and unfortunately it is still pulling the ControlD DNS server instead of triggering routing to the AGH server by DNS Director. However, if I specify to use the AGH server for nslookup, the rewrite shows up. Any ideas would be incredibly helpful.

[screenshot: nslookup.png]
 
What router and firmware? Do you have guest networks? Can you login via SSH and run:
Code:
iptables -t nat -S DNSFILTER
 
What router and firmware? Do you have guest networks? Can you login via SSH and run:
Code:
iptables -t nat -S DNSFILTER
GTAX6000
Firmware 3006.102.4

Just FYI, I updated two things: I updated the LAN DNS to my AGH, 192.168.50.184.
I also updated my three guest networks (only one is really used) to redirect to the User Defined 1 custom entry (AGH).
[screenshot: brave_eifVyW2AnW.png]

Now it appears DNS Director was working, as it would show the IP address of the ControlD DNS but would show the rewrite.

The result of the iptables command is:
-N DNSFILTER
-A DNSFILTER -m mac --mac-source E8:FB:1C:3E:B1:B9 -j RETURN
-A DNSFILTER -i br52 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -i br53 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -i br0 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -j DNAT --to-destination 192.168.50.184

Thank you again for your help.
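The DNSFILTER listing above is the whole mechanism behind the two earlier explanations: "Router" mode and the per-client entries are just nat-table rules, and a client sees nothing because DNAT rewrites the destination of its port-53 packet while the reply comes back looking as if it came from the resolver the client asked for. The following evaluator is an added example, not code from the thread or from Asuswrt-Merlin. It parses an `iptables -t nat -S DNSFILTER` listing (the one posted above is embedded as sample input) and walks it first-match-wins, the way netfilter does, so you can check where a given client's query really ends up. It assumes, as a simplification, that the chain is consulted for every DNS query arriving on a LAN bridge; the MAC address, bridge names and AGH IP are the ones in the posted listing.

```python
"""Evaluate an Asuswrt-Merlin DNS Director chain offline (added example).

Given the text of ``iptables -t nat -S DNSFILTER``, report which resolver a
client's DNS query is actually delivered to, and check that the AGH host's own
upstream queries are not DNAT'ed straight back to itself (the "No Redirection"
entry that the thread keeps coming back to).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Listing as posted in the thread (chain on a GT-AX6000, firmware 3006.102.4).
DNSFILTER_LISTING = """
-N DNSFILTER
-A DNSFILTER -m mac --mac-source E8:FB:1C:3E:B1:B9 -j RETURN
-A DNSFILTER -i br52 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -i br53 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -i br0 -j DNAT --to-destination 192.168.50.184
-A DNSFILTER -j DNAT --to-destination 192.168.50.184
"""


@dataclass
class Rule:
    mac: Optional[str]    # --mac-source match, None = any client
    iface: Optional[str]  # -i match, None = any LAN bridge
    target: str           # "RETURN" (no redirection) or "DNAT"
    dest: Optional[str]   # --to-destination for DNAT rules


# Only the rule shapes DNS Director emits are recognised; anything else errors.
RULE_RE = re.compile(
    r"^-A DNSFILTER"
    r"(?: -m mac --mac-source (?P<mac>[0-9A-Fa-f:]{17}))?"
    r"(?: -i (?P<iface>\S+))?"
    r" -j (?P<target>RETURN|DNAT)"
    r"(?: --to-destination (?P<dest>\S+))?$"
)


def parse_chain(listing: str) -> List[Rule]:
    """Turn the -S output into an ordered rule list (chain order matters)."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("-N "):
            continue  # chain declaration carries no match logic
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised DNSFILTER rule: {line}")
        mac = m["mac"].upper() if m["mac"] else None
        rules.append(Rule(mac, m["iface"], m["target"], m["dest"]))
    return rules


def resolve_upstream(rules: List[Rule], src_mac: str, in_iface: str,
                     original_dst: str) -> str:
    """IP the query is delivered to after the chain runs.

    RETURN means no redirection: the client reaches the resolver it asked for.
    DNAT rewrites the destination; the client still believes it talked to
    ``original_dst``, which is why nslookup keeps printing the old server.
    """
    src_mac = src_mac.upper()
    for r in rules:
        if r.mac is not None and r.mac != src_mac:
            continue
        if r.iface is not None and r.iface != in_iface:
            continue
        return original_dst if r.target == "RETURN" else r.dest
    return original_dst  # fell off the end of the chain: packet unchanged


def would_loop(rules: List[Rule], agh_mac: str, agh_iface: str,
               agh_ip: str, upstream: str = "9.9.9.9") -> bool:
    """True if the AGH host's query to its upstream is bounced back to AGH."""
    return resolve_upstream(rules, agh_mac, agh_iface, upstream) == agh_ip


if __name__ == "__main__":
    rules = parse_chain(DNSFILTER_LISTING)
    agh = "192.168.50.184"
    print("AGH host itself  ->", resolve_upstream(rules, "E8:FB:1C:3E:B1:B9", "br0", "9.9.9.9"))
    print("laptop on br0    ->", resolve_upstream(rules, "AA:BB:CC:DD:EE:FF", "br0", "9.9.9.9"))
    print("guest on br52    ->", resolve_upstream(rules, "AA:BB:CC:DD:EE:FF", "br52", "1.1.1.1"))
    print("loop with RETURN rule:", would_loop(rules, "E8:FB:1C:3E:B1:B9", "br0", agh))
    # Drop the MAC exemption to see why the AGH entry must be "No Redirection".
    print("loop without it:      ", would_loop(rules[1:], "E8:FB:1C:3E:B1:B9", "br0", agh))
```

Running it shows every client except the exempted MAC landing on 192.168.50.184 regardless of which resolver it configured, and that removing the first rule would make AGH's own upstream lookups DNAT back to AGH, which is the loopback the No Redirection entry prevents. The MAC match is also why randomised MAC addresses break per-device entries: a new MAC simply falls through to the catch-all rule.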
 
That IoT network that uses the same subnet as the main network is causing problems. I just tested that earlier today and posted here:
DNS Director is still adapting to SDN…Merlin made one fix today, but another is still needed, in my opinion.
 
That IoT network that uses the same subnet as the main network is causing problems. I just tested that earlier today and posted here:
DNS Director is still adapting to SDN…Merlin made one fix today, but another is still needed, in my opinion.
Thank you very much, this is exactly what i needed. Sincerely, thank you very much.
 
That IoT network that uses the same subnet as the main network is causing problems. I just tested that earlier today and posted here:
DNS Director is still adapting to SDN…Merlin made one fix today, but another is still needed, in my opinion.
One last question if you don’t mind. I migrated all the devices on the Guest Network to the one on a different subnet.

Back to setting up AGH, I have the global redirection set to User Defined 1 (AGH server). Previously I saw most advised to set the redirection to the Router. In the Router LAN DNS settings I have updated those to now be my AGH server.

Is that the preferred route now, or should I set the redirection back for global to “Router”? I wasn’t sure if I was setting that correctly.
 
Previously I saw most advised to set the redirection to the Router.
The behavior of Router mode changed in 3006.102.4, so old advice is outdated.
I have the global redirection set to User Defined 1 (AGH server). In the Router LAN DNS settings I have updated those to now be my AGH server.
This is the best scenario. Most clients will talk directly to AGH and appear properly in the logs.
 