DNS Director and AdGuard logs

It can be set in multiple ways, but basically:
1. Point the WAN DNS server towards your AGH IP (click assign, scroll all the way to the bottom, input AGH IP, hit apply)
2. Go to the DNS redirector, enable it (towards the router or AGH IP) and add an exception for AGH MAC (no redirection or redirect towards an actual public DNS, 8.8.8.8, etc). The last part is to prevent a DNS "loop". If I've understood correctly, the same can be achieved by manually editing /jffs/configs/dnsmasq.conf.add, as well, but I'm not exactly sure on this part.

The main benefit would be filtering the DNS requests coming from the router itself (not only from clients connected to the router). At the same time, it would make it slightly less reliable (if the VM/device running AGH/pihole crashes, your router won't be happy).
 
It can be set in multiple ways, but basically:
1. Point the WAN DNS server towards your AGH IP (click assign, scroll all the way to the bottom, input AGH IP, hit apply)
2. Go to the DNS redirector, enable it (towards the router or AGH IP) and add an exception for AGH MAC (no redirection or redirect towards an actual public DNS, 8.8.8.8, etc). The last part is to prevent a DNS "loop". If I've understood correctly, the same can be achieved by manually editing /jffs/configs/dnsmasq.conf.add, as well, but I'm not exactly sure on this part.

The main benefit would be filtering the DNS requests coming from the router itself (not only from clients connected to the router). At the same time, it would make it slightly less reliable (if the VM/device running AGH/pihole crashes, your router won't be happy).
I don't want to push my WAN DNS to AGH. That will also make requests appear in the query/event log as coming from the router itself, rather than individual clients.
 
If I'm running AGH on a Rpi, what should I set here for WAN DNS? And does it make a difference?

Currently it's as follows:

View attachment 54356
There are no special steps for AGH yet. Not until they add all the ECS/EDNS0 support to their statistic data. Just keep using LAN DNS for AGH. They have not yet added support for using the method I described for pihole.

 
The main benefit would be filtering the DNS requests coming from the router itself (not only from clients connected to the router). At the same time, it would make it slightly less reliable (if the VM/device running AGH/pihole crashes, your router won't be happy).
Typically if this happens, no one will be happy because the whole family would be complaining until their internet was working again. So either way, I don't see how there is much difference. Both still require you to be present and fix something.
 
There are no special steps for AGH yet. Not until they add all the ECS/EDNS0 support to their statistic data. Just keep using LAN DNS for AGH. They have not yet added support for using the method I described for pihole.

OK thanks. I still have WAN DNS set to Quad9/ISP and LAN DNS set to the IP of my Rpi.

Will changing any of these settings interfere with the Rpi/AGH, and is there any benefit in setting them to on?

1700497686340.png
 
OK thanks. I still have WAN DNS set to Quad9/ISP and LAN DNS set to the IP of my Rpi.

Will changing any of these settings interfere with the Rpi/AGH, and is there any benefit in setting them to on?

View attachment 54362
They are of no benefit to you unless you have clients who query the "router" itself for DNS; those options are for DNS hardening of the router's "built-in" DNS services (a.k.a. Dnsmasq). If you are not using DNSMASQ directly for DNS services, those options are just eating up extra resources. DNS Rebind might even break any conditional forwarding statements you have in AGH used to determine client namespace from the router's DNSMASQ instance. Since your clients have the AGH address handed out over DHCP, they are querying AdGuardHome directly. So, you only need to make sure all your DNS hardening is done in the AGH WebUI. Any "extras" you do with the router and DNSMASQ at this moment in time would be a waste of resources, and possibly breaking to your clients' local namespace resolution.

People should keep an eye on this feature request:


Once it has been finalized and submitted, I would be happy to research other possibilities for DNS configuration with AGH with users here on this forum. Until that time, the only way that makes sense is to hand out the AGH address with LAN DHCP options, and DNS hardening done only on the AGH WebUI.
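
Added example, not part of any post in this thread: the thread ties per-client logging to ECS/EDNS0 support, so this sketch builds a DNS query with and without an EDNS0 Client Subnet option (RFC 7871) and shows what a query log can attribute it to in each case. The addresses (router 192.168.1.1, client 192.168.1.50) and the helper names are constructed for illustration.

```python
import ipaddress
import struct

OPT_TYPE, ECS_CODE = 41, 8   # EDNS0 OPT pseudo-RR type; Client Subnet option code (RFC 7871)

def build_query(qname, client_ip=None, prefix=32):
    """Build an A query; with client_ip set, attach an ECS option as a forwarder could."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if client_ip else 0)
    msg += labels + b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if client_ip:
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        addr = net.network_address.packed[:(prefix + 7) // 8]   # only the prefix bytes are sent
        ecs = struct.pack("!HBB", 1 if net.version == 4 else 2, prefix, 0) + addr
        rdata = struct.pack("!HH", ECS_CODE, len(ecs)) + ecs
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return msg

def _skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def client_subnet(msg):
    """Return the ECS subnet carried in a DNS message, or None when there is none."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            pos = 0
            while rtype == OPT_TYPE and pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                opt, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
                if code == ECS_CODE and len(opt) >= 4:
                    family, src, _scope = struct.unpack("!HBB", opt[:4])
                    size = {1: 4, 2: 16}[family]
                    addr = ipaddress.ip_address(opt[4:].ljust(size, b"\x00")[:size])
                    return f"{addr}/{src}"
    except (struct.error, IndexError, KeyError, ValueError):
        pass                             # malformed message: treat as "no ECS"
    return None

def logged_client(msg, source_ip):       # what a log can show: ECS subnet, else the sender
    return client_subnet(msg) or source_ip
```

A query relayed by the router without the option can only be logged under the router's address; with the option, the original client's subnet is recoverable from the message itself.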
 