Issue with Setting Backup DNS Server for Adguard Home on ASUSWRT Merlin Firmware

mnozahy

Occasional Visitor
Hello,

I'm currently facing an issue while trying to set up a backup DNS server for my Adguard Home on Merlin. Here's my setup:

  1. AC68U as the main router.
  2. Raspberry Pi with a static IP address (192.168.1.160).

My objective is to use ControlD DNS as a backup to my Raspberry Pi, in case the micro SD card fails. However, I'm encountering difficulties with the switching functionality between DNS server 1 and DNS server 2 when I power cycle my Raspberry Pi (or when the RPI is down).

To troubleshoot, I attempted to set ControlD DNS as "DNS server 1" and ran DNS leak tests, which confirmed that all queries are processed correctly using it.

Now, my question is: Is there a way to ensure seamless switching from DNS server 1 to DNS server 2 when there is no response from DNS server 1?

I greatly appreciate any insights or suggestions you can provide.

Thank you in advance for your assistance!

Best regards,
 
Now, my question is: Is there a way to ensure seamless switching from DNS server 1 to DNS server 2 when there is no response from DNS server 1?
When you push multiple DNS servers to the client through DHCP it's entirely down to the client as to how it uses them. This behaviour is not something that the router can influence.
 
When you push multiple DNS servers to the client through DHCP it's entirely down to the client as to how it uses them. This behaviour is not something that the router can influence.
The problem is that when the Pi-hole fails, clients do not automatically switch to the backup "external" DNS. Is this "switch-over" client dependent? How often does the client refresh the list of available DNS servers?
 
I figured it out
In the DHCP server, I used the router IP (192.168.1.1)
Then I added the following commands in dnsmasq.conf.add:

Code:
no-resolv
strict-order # NOTE: List servers in reverse order below (bottom is highest priority)
server=192.168.1.160 # PIHOLE
server=76.76.2.32 # ControlD
 
If you have DNS Director enabled to Router it will redirect to DNS Server 1 in LAN always (in your configuration). You can have some redundancy if you disable DNS Director, use DNS Server 1 to your RPi, DNS Server 2 your router's IP and set in WAN the same RPi address as DNS Server 1 and ControlD as DNS Server 2. You may see some queries coming from the router's IP, but it will fail back to Control D after 2 steps - once in LAN and once in WAN. I've done some experiments in this configuration and 99% of the queries go through RPi (it was different hardware in my case, but you get the idea).
 
I'm going to try this setup and report back. Currently I am using dhcp with dns1: adguard home and dns2: nextdns (free). But the split between dns1 and dns2 is around 80/20. I actually want more like 90/10 so hope this config helps...
 
It will increase the hit rate to your AdGuard Home. Whatever uses DNS Server 2 in LAN will hit your DNS Server 1 in WAN - your AdGuard Home again, but you'll see it coming from your router's IP. If both DNS Server 1 in LAN and WAN fail it will use NextDNS. Strict order will increase the hit rate further. I was only experimenting with different Asuswrt setups and this one sort of works, but we are discussing eventual failure without addressing the issue. My experiments at addressing the issue include a GL.iNet GL-MT2500 device (OpenWRT, AdGuard Home), a mini-ITX x86 board (Ubuntu Server, Unbound, AdGuard Home) and a mini-PC (OPNSense, Unbound, AdGuard Home). Two are direct gateway replacements and one is a local DNS server/resolver.
 
Thanks @Tech9. This config makes good sense to me as most dns queries will go through my rpi with adguard. If this is down then nextdns will be used. Of course you can create a more complex and redundant configuration but my setup (adguard/nextdns) has been working really well for a year or so without any issues.
 
Just make sure whatever solution you come up with is easy to fix by someone else. It will break when you're away. :)
 
I also tested the configuration in post #4 successfully: All the queries go to the RPI and as soon as I unplug it, everything is passed to the backup DNS. Thanks everyone for your insights :)
 
@Tech9 - I was bored so I have spun up an AdGuard Home docker container on a different RPI. So now I have two RPIs both with AdGuard Home. Primary is fully dedicated for DNS with AdGuard and Unbound. Secondary is working fine as a docker container.

DHCP settings:
  • dns1: primary adguard
  • dns2: secondary adguard
  • dns3: router (as advertise router's IP in addition to user-specified DNS is on)

WAN settings:
  • dns1: nextdns
  • dns2: 8.8.8.8

So the idea is that most dns requests go through the two adguard home servers. If these are down/slow then use nextdns and finally just use google dns as a last resort.

Is this OK or should I try something different on the WAN DNS?

Do I need to edit dnsmasq.conf using dnsmasq.conf.add to force strict order?
 
Older thread, but I'll chime in with a solution you can try, which is our DNS proxy server called ctrld:

You can run it directly on your Merlin router using a one-liner install command. Then you can edit your config file and create multiple upstreams, and define your failover behavior between all the DNS upstreams you wanna use. You can spawn multiple listeners, have different upstreams for different subnets, create split DNS routing policies, and a whole lot more. See https://github.com/Control-D-Inc/ctrld/blob/main/docs/config.md#policy

You also avoid using Legacy DNS with Control D, which eliminates the whole need for us to keep track of your source IPs, and makes you use an encrypted DNS protocol. There are virtually no downsides to doing this. Here is a sample config file to demonstrate what you can do with it.

Code:
[upstream.0]
    bootstrap_ip = "76.76.2.11"
    endpoint = "https://freedns.controld.com/p1"
    name = "Control D - Anti-Malware"
    timeout = 2000
    type = "doh"

[upstream.1]
    endpoint = "100.100.100.100"
    name = "Tailscale"
    timeout = 2000
    type = "legacy"

[network.0]
    cidrs = ["0.0.0.0/0"]
    name = "Network 0"

[network.1]
    cidrs = ["192.168.2.0/24"]
    name = "Network 1"

[listener.0]
    ip = "127.0.0.1"
    port = 53
    restricted = false
    networks = [
        {"network.0" = ["upstream.0", "upstream.1"]},
    ]

    [listener.0.policy]
    name = "My Policy"
    rules = [
        {"*.int.company.com" = ["upstream.1"]},
    ]

The above will set up 2 upstreams, and route everything from 0.0.0.0/0 to upstream.0 and then upstream.1 if it fails. It will also route *.int.company.com directly to upstream.1.

You can expand on this to have more rules, more listeners, more upstreams, more networks/vlans, define timeouts for failover, and define specific RCODES (failover_rcodes) when failover should be triggered.

When used with Control D upstreams (paid accounts), the utility will also relay the network topology with your client metadata (MAC, IP, hostname) so you can do stuff like this: https://docs.controld.com/docs/device-clients

Lastly, you don't even have to use it with Control D, as you can define whatever upstreams you want, and it supports virtually all DNS protocols that exist.
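The strict-order failover that post #4's dnsmasq config and the ctrld timeout/failover_rcodes settings both rely on, written out as an added Python example (not code from the thread, from Asuswrt-Merlin or from ctrld): it sends a raw DNS query to each upstream in priority order and only falls through to the next one on a timeout or a SERVFAIL/REFUSED answer. The server list mirrors the thread (local RPi first, ControlD 76.76.2.32 second), the query id and the fake_send transport are constructed for the illustration, and udp_send is the real transport that needs network access.

```python
import socket
import struct

# Constructed to mirror the thread: local AdGuard Home / Pi-hole first,
# ControlD (76.76.2.32) as the fallback. List order is priority order.
UPSTREAMS = ["192.168.1.160", "76.76.2.32"]
NOERROR, SERVFAIL, REFUSED = 0, 2, 5
FAILOVER_RCODES = {SERVFAIL, REFUSED}  # same idea as ctrld's failover_rcodes

def build_query(qname, qid=0x1234, qtype=1):
    """Minimal DNS query in wire format: 12-byte header (RD set), one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def rcode(response):
    """The response code is the low 4 bits of the second header word."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def udp_send(server, packet, timeout):
    """Real transport: one UDP query to port 53; raises socket.timeout when silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def fake_send(table):
    """Offline transport for experiments: table maps server -> rcode, None = down."""
    def send(server, packet, timeout):
        if table.get(server) is None:
            raise socket.timeout("no reply from " + server)
        # Echo id and question back; flags 0x8180 = QR, RD, RA plus the rcode.
        return packet[:2] + struct.pack("!H", 0x8180 | table[server]) + packet[4:]
    return send

def resolve_with_failover(qname, upstreams=UPSTREAMS, send=udp_send, timeout=2.0):
    """Strict-order failover: try upstreams in turn, skipping any that time out or
    answer with an rcode in FAILOVER_RCODES. Returns (server, response) or (None, None)."""
    packet = build_query(qname)
    for server in upstreams:
        try:
            resp = send(server, packet, timeout)
        except (socket.timeout, OSError):
            continue  # silent or unreachable: move to the next server
        if len(resp) < 12 or resp[:2] != packet[:2] or rcode(resp) in FAILOVER_RCODES:
            continue  # malformed, wrong id, or server up but refusing/failing
        return server, resp
    return None, None
```

Calling resolve_with_failover("example.com", send=fake_send({"76.76.2.32": NOERROR})) simulates the RPi being unplugged and returns "76.76.2.32" as the answering server; swap in send=udp_send to run the same check against the real resolvers on your LAN.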
 