
AdGuardHome DoT settings reset


filisdiez

Occasional Visitor
Please tell me, does anyone have the DoT option enabled on asus-merlin after installing Adguard Home via amtm? Immediately after installation, DoT stops working: after its activation and application of the settings, it is reset to absent. After removing Adguard, the option works as it should. When installing Adguard, set all options to yes. Merlin version 388.1 release, router ax-58u.
 

This is a normal feature. AdGuardHome can perform DoT once you define DoT servers in the upstream of the AdGuardHome DNS setting page. There is no reason for Stubby and AdGuardHome to both be providing DNS encryption. It is a feature the adguardhome init script has that will disable stubby if you try to enable it while running adguardhome. AdGuardHome by default pushes DNSMASQ out of the way. So stubby wouldn't be getting used either way. AdGuardHome requires all port 53 to be available. Merlin firmware has Stubby on 127.0.1.1:53. If stubby is left turned on, AdGuardHome won't even start because it cannot bind to every port 53 slot. Therefore it is a conflict to run them both at the same time.

Now that I have cleared the air, might I inquire as to why you would like to or think you need to run both stubby and adguardhome at the same time?

AdGuardHome can perform all flavors of DNS encryption provided you input one of the approved formats inside the AdGuardHome DNS settings page upstream section.




94.140.14.140, 2a10:50c0::1:ff: regular DNS (over UDP);

94.140.14.140:53, [2a10:50c0::1:ff]:53: regular DNS (over UDP, with port);

udp://dns-unfiltered.adguard.com: regular DNS (over UDP, hostname);

tcp://94.140.14.140, tcp://[2a10:50c0::1:ff]: regular DNS (over TCP);

tcp://94.140.14.140:53, tcp://[2a10:50c0::1:ff]:53: regular DNS (over TCP, with port).

tcp://dns-unfiltered.adguard.com: regular DNS (over TCP, hostname);

tls://dns-unfiltered.adguard.com: encrypted DNS-over-TLS;

https://dns-unfiltered.adguard.com/dns-query: encrypted DNS-over-HTTPS;

h3://dns-unfiltered.adguard.com/dns-query: encrypted DNS-over-HTTPS with forced HTTP/3 and no fallback to HTTP/2 and below;

quic://dns-unfiltered.adguard.com: encrypted DNS-over-QUIC;

sdns://...: DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers;

[/example.local/]94.140.14.140: DNS upstream for specific domains, see below;

[/*.example.local/]94.140.14.140: DNS upstream for specific subdomains, see below;
 

Do I understand correctly that DoT on the router is not needed when using Adguard Home and DNS encryption will be processed by Adguard Home itself when specifying a DoT, DoH or DoQ server?

No, no, I don't need to run stubby and ADGH at the same time, I just probably didn't understand correctly how ADGH would process requests, because in the statistics it is written - without encryption if DoT is not enabled.
 
Yea adguardhome encrypts the request as it gets sent upstream as long as you specify an upstream using one of the supported encrypted formats.


To verify it is being sent to an encrypted upstream you have specified, you have to click on the actual query on the query log page. It will specifically tell you where the plaintext query is being encryptedly sent to.

What is confusing you is that the query log will show encrypted when it is another source doing the encrypting such as stubby. When you use encrypted upstream with adguardhome the query log sees the request as plaintext before it gets encrypted by adguardhome and sent upstream. That is where you are getting confused.
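
An added example (not from the thread or from the AdGuard Home project): a small auditor for the upstream formats listed above that flags entries whose queries would still leave the router in plaintext, the same per-upstream fact the query-log detail view reports. The function names and the sample list are constructed for illustration.

```python
import re

# Schemes taken from the upstream format list quoted in the thread.
ENCRYPTED = {"tls": "DNS-over-TLS", "https": "DNS-over-HTTPS",
             "h3": "DNS-over-HTTPS (HTTP/3 only)", "quic": "DNS-over-QUIC",
             "sdns": "DNS stamp (DNSCrypt or DoH)"}
PLAINTEXT = {"udp": "plain DNS over UDP", "tcp": "plain DNS over TCP"}
# Optional "[/domain/.../]" prefix that scopes an upstream to given domains.
DOMAIN_PREFIX = re.compile(r"^\[/(.*?)/\](.*)$")
SCHEME = re.compile(r"^([a-z0-9]+)://", re.I)


def classify_upstream(line):
    """Return (domains, transport, encrypted) for one upstream entry."""
    line = line.strip()
    domains = []
    m = DOMAIN_PREFIX.match(line)
    if m:
        domains = [d for d in m.group(1).split("/") if d]
        line = m.group(2).strip()
    m = SCHEME.match(line)
    if not m:
        # Bare IP, [IPv6] or ip:port means regular DNS over UDP.
        return domains, PLAINTEXT["udp"], False
    scheme = m.group(1).lower()
    if scheme in ENCRYPTED:
        # sdns:// is trusted as encrypted per the list; the stamp is not decoded.
        return domains, ENCRYPTED[scheme], True
    if scheme in PLAINTEXT:
        return domains, PLAINTEXT[scheme], False
    raise ValueError(f"unrecognised upstream scheme: {scheme}")


def plaintext_upstreams(lines):
    """Entries whose queries would leave the resolver unencrypted."""
    entries = [l.strip() for l in lines]
    # Blank lines and '#' comment lines carry no upstream.
    return [e for e in entries
            if e and not e.startswith("#") and not classify_upstream(e)[2]]


# Constructed sample list, reusing the addresses from the post above.
SAMPLE = ["tls://dns-unfiltered.adguard.com", "94.140.14.140",
          "https://dns-unfiltered.adguard.com/dns-query",
          "tcp://[2a10:50c0::1:ff]:53", "[/example.local/]94.140.14.140",
          "quic://dns-unfiltered.adguard.com"]

if __name__ == "__main__":
    for entry in plaintext_upstreams(SAMPLE):
        print("plaintext upstream:", entry)
```

A domain-scoped entry such as `[/example.local/]94.140.14.140` is flagged too, since queries for those domains bypass the encrypted upstreams.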
 
Thank you for the clarification, now everything is clear.
 
