AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

SomeWhereOverTheRainBow

Part of the Furniture
Sorry I think I am not being clear. I am not talking about local logging of queries. I am talking about at the DNS provider level.
Here is another way to look at it: if the only Cloudflare server near your geolocation goes down, and you are using that Cloudflare server, you may notice a service interruption. You would probably even suspect your internet went down. However, when using unbound recursive, you would not normally be susceptible to this, since you are your own DNS provider who gets answers from multiple root servers.
 

Khadanja

Senior Member
Thanks, just wondering what these entries mean, there's lots of them, hope I haven't configured it incorrectly & adding extra stress.
 

SomeWhereOverTheRainBow

Part of the Furniture
Thanks, just wondering what these entries mean, there's lots of them, hope I haven't configured it incorrectly & adding extra stress.
It is built into the design of the script: it periodically does an nslookup of google.com to see if your DNS is active. If the test fails, then it will restart AdGuardHome for you. The whole test came about since some users reported that AdGuardHome was occasionally failing, but somehow was still "active". So, I added a check that runs approximately every 5 minutes (give or take a few seconds). The nslookup wouldn't cause "extra stress" and would be of negligible impact to your overall performance, other than the fact it "may" make sure your DNS stays active if AdGuardHome somehow snafus through normal operations.
 
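The periodic check described in the post above, written out as an added example (this is not the AMAGHI script's own code): a POSIX sh watchdog that resolves google.com through the local AdGuardHome listener roughly every 5 minutes and restarts the service after repeated failures. The listener address 127.0.0.1, the init script path /opt/etc/init.d/S99AdGuardHome and the failure threshold are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the AMAGHI installer. Assumptions (not from the
# thread): AdGuardHome answers on 127.0.0.1:53 and is controlled by the
# Entware init script below.

TEST_NAME="google.com"                        # name the thread's check uses
RESOLVER="127.0.0.1"                          # assumed AdGuardHome listener
INIT_SCRIPT="/opt/etc/init.d/S99AdGuardHome"  # assumed init script path
INTERVAL=300                                  # seconds between checks (~5 min)
MAX_FAILS=2                                   # tolerate one transient miss

# answer_ok: inspect captured nslookup output. busybox and glibc nslookup
# format differently, but both print a "Name:" line only when an answer
# arrived, and a distinctive message when the lookup failed.
answer_ok() {
    case "$1" in
        *"can't resolve"*|*"can't find"*|*NXDOMAIN*|*SERVFAIL*|*"timed out"*)
            return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q '^Name:'
}

# probe_dns: run the lookup through RESOLVER and judge the output.
probe_dns() {
    out=$(nslookup "$TEST_NAME" "$RESOLVER" 2>&1) || return 1
    answer_ok "$out"
}

# decide: map the consecutive-failure count to an action.
# A single miss (e.g. one dropped UDP packet) is not enough to restart.
decide() {
    if [ "$1" -ge "$MAX_FAILS" ]; then
        echo restart
    else
        echo wait
    fi
}

# watchdog: loop forever, restarting AdGuardHome when the probe keeps failing.
watchdog() {
    fails=0
    while :; do
        if probe_dns; then
            fails=0
        else
            fails=$((fails + 1))
            logger -t agh-watchdog "DNS probe failed ($fails/$MAX_FAILS)"
            if [ "$(decide "$fails")" = restart ]; then
                logger -t agh-watchdog "restarting AdGuardHome"
                "$INIT_SCRIPT" restart
                fails=0
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "watchdog.sh run".
case "${1:-}" in
    run) watchdog ;;
esac
```

Run it in the background from a startup script (for example `sh watchdog.sh run &`) if you want it to persist across reboots.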

askhe8

New Around Here
Hey there, recently setup a new AX-68U with Merlin 386.72. I have setup Adguard and Skynet with mostly default settings and everything is functioning very well. I checked my syslog and have been seeing occasional errors from adguard:

Code:
Aug  3 09:52:36 AdGuardHome[20795]: 2022/08/03 09:52:36.506790 [error] unpacking udp packet: dns: buffer size too small
Aug  3 09:52:39 AdGuardHome[20795]: 2022/08/03 09:52:39.547838 [error] unpacking udp packet: dns: buffer size too small

/proc/sys/net/core/rmem_max is already set to 2500000 by default as someone in another thread suggested. I'm wondering what else I can do to address this issue. Github and other forum posts/threads here have not revealed anything else I can do. I've used Merlin on all previous ASUS routers, but this is my first time setting up Adguard/Skynet. I've been lurking on the forum for a long time, but this is my first time posting. Any help is greatly appreciated. Thanks!
 

SomeWhereOverTheRainBow

Part of the Furniture
Hey there, recently setup a new AX-68U with Merlin 386.72. I have setup Adguard and Skynet with mostly default settings and everything is functioning very well. I checked my syslog and have been seeing occasional errors from adguard:

Code:
Aug  3 09:52:36 AdGuardHome[20795]: 2022/08/03 09:52:36.506790 [error] unpacking udp packet: dns: buffer size too small
Aug  3 09:52:39 AdGuardHome[20795]: 2022/08/03 09:52:39.547838 [error] unpacking udp packet: dns: buffer size too small

/proc/sys/net/core/rmem_max is already set to 2500000 by default as someone in another thread suggested. I'm wondering what else I can do to address this issue. Github and other forum posts/threads here have not revealed anything else I can do. I've used Merlin on all previous ASUS routers, but this is my first time setting up Adguard/Skynet. I've been lurking on the forum for a long time, but this is my first time posting. Any help is greatly appreciated. Thanks!
If you are using plain dns make sure you are using a tcp variety as well.

Eg.
Code:
1.1.1.1
tcp://1.1.1.1

To be honest though, if you are not having issues with the operation of AdGuardHome, then I would label this as an insignificant error, or otherwise something meant for troubleshooting.
 

Amwjujo

Regular Contributor
Hi,
What will be the Adguard-OpenVpn correct setup so I can access 2 sites from each other, both having AdGuard installed.
I think I am doing something wrong: when I connect with my other site, the OpenVPN app says I am connected, but I cannot access the network or reach the internet - DNS error (I have no other DNS rule set up). If I do connect with my mobile phone I can see the local network or access the internet, but I cannot access the AdGuard setup page.
Thank you.
 

SomeWhereOverTheRainBow

Part of the Furniture
You need to be more specific. If you are talking about openvpn client please set accept dns configuration to disabled per client you want to access adguardhome.
 

SomeWhereOverTheRainBow

Part of the Furniture
Hi,
What will be the Adguard-OpenVpn correct setup so I can access 2 sites from each other, both having AdGuard installed.
I think I am doing something wrong: when I connect with my other site, the OpenVPN app says I am connected, but I cannot access the network or reach the internet - DNS error (I have no other DNS rule set up). If I do connect with my mobile phone I can see the local network or access the internet, but I cannot access the AdGuard setup page.
Thank you.
If you are talking about site tunnel, you may need to configure a push dns directive for your router's dns, but it really boils down to what your configuration is. That is why it is important to share your setup details as much as possible with regard to your problem.
 

dandle

Regular Contributor
Hi!

I just came across this brilliant script yesterday and have been checking it out but I do have some questions if perhaps @SomeWhereOverTheRainBow or anyone else can kindly help me out with. I would really appreciate it. Basically I don't have deep knowledge in best practices when it comes to using this and how to get the most out of it while still maintaining strong security, blocking etc.

During the installation process, ideally what is the correct option I should be selecting for the following?

  • Do you want to redirect all DNS resolutions on your network through to AdGuardHome?
    (If I select no, will it instead direct to whatever the DNS servers have been set in WebGUI?)

  • Do you want to redirect only NON-CUSTOM DNS resolutions on your network through to AdGuardHome?
    (What does this mean exactly and if I select Yes or No, how does this affect/change things?)

  • Do you want to run AdGuardHome as a local caching DNS service which includes router traffic?
    (Same here, ideally what would I want to select and how would it change things?)

Am I right in thinking that I should not edit these entries already listed here and leave them as they are and that the only entries I would edit would be the 9.9.9.9/8.8.8.8 entries? So for example, let's say I wanted to use OpenDNS, I would simply just remove the 9.9.9.9/8.8.8.8 and add the addresses for the OpenDNS equivalent? Also is it enough to just add a plain DNS entry or would I also need to add the TCP version too?



Same for the Private Reverse DNS Servers section. Do I just leave this as default and not touch it?

Within the same page, I came across this message :

"AdGuard Home could not determine suitable private reverse DNS resolvers for this system."

I did some reading in the previous thread and @SomeWhereOverTheRainBow you mentioned the following:

and the error you reference comes from AdGuardHome not being able to find your ISP servers (or any other, other than local such as 127.0.0.1) listed inside /etc/resolv.conf. AdGuardHome has a bad privacy practice that they do not "perceive" as a bad privacy practice, where your local requests get leaked to upstream if anything other than local is listed inside /etc/resolv.conf.
The part that was a little concerning was when you mentioned local requests getting leaked upstream. So I inspected /etc/resolv.conf and found the address there to be 127.0.0.1. Is this how it should be? I take it with this then there won't be any leaks or privacy concerns?

Let's say I've added a DNS server to the upstream DNS server section, should I then remove any DNS entries in the WebGUI of Asus-Merlin found in Wan > Wan DNS setting? Or should I change it to the IP address of my Asus Router? Also just curious but do I need to add anything to the DNS entries in the LAN section? LAN > DHCP Server. I have this blank and never really added anything here

There's a Setup section on the AdGuardHome Web URL. Is this necessary to setup and follow the instructions here? I thought everything was already ready and setup to use after installing?

And lastly, do you have any recommendations for Ad blocking filters to use aside from the 2 default ones?

Thanks so much for reading to this point and apologies for the number of questions. :)
 

SomeWhereOverTheRainBow

Part of the Furniture
1) This question pertains to using DNSFilter to force hardcoded clients to use AdGuardHome.


It will make sure to turn off your DNSFilter if you select "NO" and it is turned "ON". This would mean Clients with their own hardcoded DNS servers could bypass AdGuardHome.

2) Let's assume you select "YES", but you already have DNSFilter turned on with some custom defined rules for specific clients on your rule list.

If you want to leave these rules intact you select "YES" here. This will mean your custom defined rules will be left alone while the other clients are forced to use DNSFilter with the globally defined rule set to "ROUTER".
If you select "NO" all custom rules get cleared and every client is forced to use "ROUTER" as the globally defined DNS rule.


3) This question wants to know if you want your router traffic to also pass through adguardhome. Normally your router would use your ISP (or WAN dns 1 and 2) defined DNS.


which leads to this question:

This would be completely unnecessary and potentially will break your router's DNS resolution at bootup. It may even hinder your router from obtaining DHCP lease renewals from your ISP and cause failure of the initial bootup NTP sync. Leave this aspect as "DEFAULT".

4) These rules are configured with the user's local router and client name resolution in mind (they work along with the private reverse DNS section):


5) Here are the rules that should be considered changeable without breaking local name resolution:

Code:
9.9.9.9
8.8.8.8

Keep in mind these only use plain text UDP. For plain text TCP you would need

Code:
tcp://9.9.9.9
tcp://8.8.8.8

By all means, please review this thread:


there is a wealth of chatter about usage of adguardhome here.


Here is a good thread where you can see various list discussed:

 

dandle

Regular Contributor
1) This question pertains to using DNSFilter to force hardcoded clients to use AdGuardHome.

It will make sure to turn off your DNSFilter if you select "NO" and it is turned "ON". This would mean Clients with their own hardcoded DNS servers could bypass AdGuardHome.

2) Let's assume you select "YES", but you already have DNSFilter turned on with some custom defined rules for specific clients on your rule list.
If you want to leave these rules intact you select "YES" here. This will mean your custom defined rules will be left alone while the other clients are forced to use DNSFilter with the globally defined rule set to "ROUTER".
If you select "NO" all custom rules get cleared and every client is forced to use "ROUTER" as the globally defined DNS rule.


3) This question wants to know if you want your router traffic to also pass through adguardhome. Normally your router would use your ISP (or WAN dns 1 and 2) defined DNS.

which leads to this question:
This would be completely unnecessary and potentially will break your router's DNS resolution at bootup. It may even hinder your router from obtaining DHCP lease renewals from your ISP and cause failure of the initial bootup NTP sync. Leave this aspect as "DEFAULT".

4) These rules are configured with the user's local router and client name resolution in mind (they work along with the private reverse DNS section):

5) Here are the rules that should be considered changeable without breaking local name resolution:

Code:
9.9.9.9
8.8.8.8

Keep in mind these only use plain text UDP. For plain text TCP you would need

Code:
tcp://9.9.9.9
tcp://8.8.8.8

By all means, please review this thread:


there is a wealth of chatter about usage of adguardhome here.


Here is a good thread where you can see various list discussed:


Thanks so much for taking the time to respond to my questions. This is very helpful! Yep, I've spent some time skimming through the majority of the thread but just wanted to be sure I understood some of the discussions over there hence the questions :)

Would you be able to kindly clarify this query please, I think it may have been missed from my earlier post in regards to "AdGuard Home could not determine suitable private reverse DNS resolvers for this system."

You mentioned this in the previous thread to another poster about the same issue but just wanted additional clarification on this please.
and the error you reference comes from AdGuardHome not being able to find your ISP servers (or any other, other than local such as 127.0.0.1) listed inside /etc/resolv.conf. AdGuardHome has a bad privacy practice that they do not "perceive" as a bad privacy practice, where your local requests get leaked to upstream if anything other than local is listed inside /etc/resolv.conf.

The part that was a little concerning was when you mentioned local requests getting leaked upstream. So I take it that if the /etc/resolv.conf has the address 127.0.0.1 inside this file, this how it should be? I take it with this then there won't be any leaks or privacy concerns?

Oh and Private Reverse DNS Servers section should be left untouched too?
 

SomeWhereOverTheRainBow

Part of the Furniture
Thanks so much for taking the time to respond to my questions. This is very helpful! Yep, I've spent some time skimming through the majority of the thread but just wanted to be sure I understood some of the discussions over there hence the questions :)

Would you be able to kindly clarify this query please, I think it may have been missed from my earlier post in regards to "AdGuard Home could not determine suitable private reverse DNS resolvers for this system."

You mentioned this in the previous thread to another poster about the same issue but just wanted additional clarification on this please.


The part that was a little concerning was when you mentioned local requests getting leaked upstream. So I take it that if the /etc/resolv.conf has the address 127.0.0.1 inside this file, this how it should be? I take it with this then there won't be any leaks or privacy concerns?

Oh and Private Reverse DNS Servers section should be left untouched too?


Looks like you have some understanding.


The "AdGuard Home could not determine suitable private reverse DNS resolvers for this system." message appears because AdGuardHome tries to determine what DNS servers the "router" itself is using. Typically this is your ISP or WAN DNS servers. When you set the router to use local DNS caching

From this question:



The installer script will ensure that 127.0.0.1 will always be inside /etc/resolv.conf, thus the router will always use AdGuardHome. Hence why this erroneous warning appears: AdGuard Home could not determine suitable private reverse DNS resolvers for this system.

This has no consequence to the function of AdGuardHome except that it cannot send private requests to, for example, your ISP or WAN DNS (1 and 2).


And yes private reverse section should be left alone which I alluded to here:


dandle

Regular Contributor
Looks like you have some understanding.


The "AdGuard Home could not determine suitable private reverse DNS resolvers for this system." message appears because AdGuardHome tries to determine what DNS servers the "router" itself is using. Typically this is your ISP or WAN DNS servers. When you set the router to use local DNS caching

From this question:


The installer script will ensure that 127.0.0.1 will always be inside /etc/resolv.conf, thus the router will always use AdGuardHome. Hence why this erroneous warning appears: AdGuard Home could not determine suitable private reverse DNS resolvers for this system.

This has no consequence to the function of AdGuardHome except that it cannot send private requests to, for example, your ISP or WAN DNS (1 and 2).

Makes sense! Thanks! So as long as 127.0.0.1 resides in etc/resolv.conf, there's no issues with privacy leaks or anything? I think that was mostly my main concern with it.
 

SomeWhereOverTheRainBow

Part of the Furniture
Makes sense! Thanks! So as long as 127.0.0.1 resides in etc/resolv.conf, there's no issues with privacy leaks or anything? I think that was mostly my main concern with it.
Correct. For example: in regards to ip6.arpa, one of AdGuardHome's methods for resolving client names of clients that use a GUA prefix is to use WHOIS. It will literally send a request for the client name to the upstream. One option to strengthen privacy in this regard is to restrict AdGuardHome from using WHOIS by removing it from the runtime sources in the .yaml file. (Unfortunately it is only configurable by manually editing the .yaml file with an SSH terminal editor such as vi or nano.)


It seems the original intention of these client name lookups was to identify external clients from external sources as top priority, and local name resolution as lower priority. For example, those who use AdGuardHome as an open resolver or remote DoH/DoT/DoQ server will have client names with public addressing identified using WHOIS; however, this seems to have leaked over to local clients using GUA prefixing in the address space as well.
 

dandle

Regular Contributor
Correct. For example: in regards to ip6.arpa, one of AdGuardHome's methods for resolving client names of clients that use a GUA prefix is to use WHOIS. It will literally send a request for the client name to the upstream. One option to strengthen privacy in this regard is to restrict AdGuardHome from using WHOIS by removing it from the runtime sources in the .yaml file. (Unfortunately it is only configurable by manually editing the .yaml file with an SSH terminal editor such as vi or nano.)

It seems the original intention of these client name lookups was to identify external clients from external sources as top priority, and local name resolution as lower priority. For example, those who use AdGuardHome as an open resolver or remote DoH/DoT/DoQ server will have client names with public addressing identified using WHOIS; however, this seems to have leaked over to local clients using GUA prefixing in the address space as well.
So in my case, I will not be using Adguardhome as a remote DOH/DOT/DOQ server. Basically I want to keep settings and configurations as close to default as possible. The only change I would be making is adding new ad filters, and also adding another DNS provider such as OpenDNS/Cloudfare etc to the 'Upstream DNS Servers' section rather than using the default Adguard DNS.

I may check out enabling DOH/DOT for my network (I don't really have much experience using this) but definitely not as a remote server or anything like that. It would just be a default setup. Similar to how one would set it up on the Asus WebGUI I guess.

With all of that in mind, would this GUA prefixing leak still be a problem? Would you still recommend removing WHOIS in the .yaml file? If so, where is the .yaml file located exactly and what line would I need to delete?

Sorry, if some of these questions sound noobish. :)
 

SomeWhereOverTheRainBow

Part of the Furniture
So in my case, I will not be using Adguardhome as a remote DOH/DOT/DOQ server. Basically I want to keep settings and configurations as close to default as possible. The only change I would be making is adding new ad filters, and also adding another DNS provider such as OpenDNS/Cloudfare etc to the 'Upstream DNS Servers' section rather than using the default Adguard DNS.

I may check out enabling DOH/DOT for my network (I don't really have much experience using this) but definitely not as a remote server or anything like that. It would just be a default setup. Similar to how one would set it up on the Asus WebGUI I guess.

With all of that in mind, would this GUA prefixing leak still be a problem? Would you still recommend removing WHOIS in the .yaml file? If so, where is the .yaml file located exactly and what line would I need to delete?

Sorry, if some of these questions sound noobish. :)
If you are not using IPv6 then you don't need to worry about the leak.
 

kapekohicafe

Occasional Visitor
Hey,

Sorry to ask this, does adguard support RTAX86U router?
 

SomeWhereOverTheRainBow

Part of the Furniture
Hey,

Sorry to ask this, does adguard support RTAX86U router?
Requirements:
ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware
JFFS support and enabled
REQUIRES ENTWARE(!) for package management, and a separate USB drive for storage -i.e. the same drive Entware is stored.
Recommended to have a 2gb swap file. (can be made with amtm).

In short, it should as long as you fit into all the requirements.

Be sure to review the first thread to be sure you understand all implications:


All of this covers using Adguardhome.
 

rayap

New Around Here
Need some help here.

First of all, I am noob to this while trying to get a hang of it.
Using ASUS AX11000 router, installed Merlin firmware and used amtm to install AGH (trying to move AGH from rPi to router)
Everything seemed good during installation and I was presented with the login page; I tried logging in using the pre-defined username and password but keep getting this error: "Error: control/login | invalid username or password | 400"

Seems like AGH is not registering my credentials, hence I headed over to AdGuardHome.yaml to reconfigure the credentials again. The same error occurs.
Been cracking my head over this issue, googled all over the net and couldn't find any solution to get past it.
Also tried changing credentials using the terminal and got this error instead: "/opt/etc/AdGuardHome/installer: line 1108: python: not found"

FYI, EntWare is installed, python is installed but somehow I am not able to login at all.

Appreciate the help if anyone could be able to resolve this issue?
 

SomeWhereOverTheRainBow

Part of the Furniture
Need some help here.

First of all, I am noob to this while trying to get a hang of it.
Using ASUS AX11000 router, installed Merlin firmware and used amtm to install AGH (trying to move AGH from rPi to router)
Everything seemed good during installation and I was presented with the login page; I tried logging in using the pre-defined username and password but keep getting this error: "Error: control/login | invalid username or password | 400"

Seems like AGH is not registering my credentials, hence I headed over to AdGuardHome.yaml to reconfigure the credentials again. The same error occurs.
Been cracking my head over this issue, googled all over the net and couldn't find any solution to get past it.
Also tried changing credentials using the terminal and got this error instead: "/opt/etc/AdGuardHome/installer: line 1108: python: not found"

FYI, EntWare is installed, python is installed but somehow I am not able to login at all.

Appreciate the help if anyone could be able to resolve this issue?
You may have to update and upgrade your Entware repository using amtm. Recent changes have rendered several Entware binaries unusable on the older repository, which may include python. It appears the installer is not finding your python binary, which is required to generate the user credentials. What I recommend trying is upgrading the Entware repository with amtm first. If that fails, then you may have to uninstall and reinstall the python binary.
 
