
AdGuardHome Run AdGuard Home in AP mode? (Bypass check?)

CB7

Occasional Visitor
Hi,

Sorry if it's been asked before, but the search term "router mode" understandably results in such a lengthy output that it's not quite possible to sift through it, and Google... Well... Nvm.

Q: is there a way to run this on a router in AP mode rather than in router mode? I figured I want a 2nd DNS server to a.) reduce load on the edge router, b.) failover (including when the instance on the edge router is updating lists, for example), c.) improve/decrease response time.
So I figured I'd just put it on the 2nd access point (AX3000v2), but it refuses to install in AP mode. I suppose I can guess why that is (the AdGuard features beyond just DNS), but in this case all it has to do is respond to DNS queries on the AP's static IP; exactly like running it on a Raspberry Pi or a VM or something.

Is there a way to bypass this, or am I SOL with the wish of running it on the 2nd AP? :)
I understand that features like DHCP wouldn't be available/wouldn't work even if activated, but all I'm trying to achieve is run it as a 2nd resolver.

Setup would be:
- AX3000v2 in router mode (modem edge router) runs standard DHCP server, tells all clients to use itself *and* the AP as DNS servers.
- AX3000v2 in router mode (modem edge router) will use DNS Director to force all queries to go to those two.
- AX3000v2 in AP mode only acts as a secondary/fallback DNS server, it doesn't touch routing nor DHCP; just responds with the actual IP or 0.0.0.0 if blocklist entry is encountered.

Any chance this can be done? :) (And understand that the other features will not function.)

-edit- fixed incorrect nomenclature for clarity
 
> I figured I want a 2nd DNS server to a.) reduce load on the modem, b.) failover (including when the instance on modem is updating lists for example.), c.) improve/decrease response time.

a) router load is insignificant, built-in Dnsmasq is a lightweight forwarder
b) already available (and a modem doesn't update any lists, it's a bridge)
c) choose a faster upstream DNS server, a second local forwarder is not needed

You have to figure first what a modem, router and access point are actually doing.
 
Install Entware on the AP and then install the Entware adguardhome-go package and set it up manually using the AGH Wiki as a guide:
 
> Install Entware on the AP and then install the Entware adguardhome-go package and set it up manually using the AGH Wiki as a guide:
I concur with @dave14305 with this for anyone running a router in AP mode.
I will share a few tips. Run "netstat -nlp | grep dnsmasq". If you are lucky, your dnsmasq instance will not be active. It is like this on "3006" routers in AP mode; I am not sure how it is on some of the older firmwares. I know on some of the older firmwares run in AP mode, dnsmasq ran on port 53. If this is the case in your scenario, you will need to find a way to keep dnsmasq dead.

If you are lucky, your firmware will be old enough to still allow dnsmasq.postconf or dnsmasq.conf replacement inside AP mode. In that case, you can just set the dnsmasq DNS port to zero - voilà, AGH-go will be able to run as the DNS for the AP. That means all you have to worry about is configuring Adguardhome-go.

Then you just tell your main LAN to distribute the IP address of your AP running AGH-go via DHCP. If you want a more fine-grained approach, just tell the clients which you want to use AGH-go to use the IP of the AP for DNS. You can also use DNS Director custom slots to define separate client rules to enforce AGH-go as the only DNS.
 
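The two checks from the tips above (is dnsmasq still bound to port 53, and turning its DNS side off with port=0 from a postconf hook), written out as an added example that is not from the thread, from Asuswrt-Merlin or from the AdGuard Home project. It assumes the Asuswrt-Merlin convention that /jffs/scripts/dnsmasq.postconf is invoked with the generated config path as $1, and that the generated file lives at /etc/dnsmasq.conf; the netstat lines used to exercise it are constructed.

```sh
#!/bin/sh
# Added example (not from the thread, the firmware or AdGuard Home): helpers
# for the two checks in the tips above when running AGH on a router in AP mode.
#
#  dnsmasq_holds_port53      - read `netstat -nlp` output on stdin, succeed
#                              if a dnsmasq process is bound to port 53
#                              (which would collide with AGH's listener).
#  set_dnsmasq_dns_port_zero - make a dnsmasq config file carry exactly one
#                              "port=0" line, so dnsmasq stays up for its
#                              other duties but no longer serves DNS.
#  dns_port_setting          - report the port= value a config file carries
#                              (53 when the directive is absent).
#
# Assumed hook (Asuswrt-Merlin convention, not stated in the post):
# /jffs/scripts/dnsmasq.postconf is run with the generated config path as $1,
# so it can simply call: set_dnsmasq_dns_port_zero "$1"

dnsmasq_holds_port53() {
    # netstat columns: Proto Recv-Q Send-Q Local-Address Foreign-Address
    # [State] PID/Program. Local-Address is $4 for both tcp and udp lines;
    # anchoring on ":53$" avoids matching :5353 (mDNS) or :530.
    awk '/dnsmasq/ && $4 ~ /:53$/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

set_dnsmasq_dns_port_zero() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # Remove any existing port= directive (any value, any indentation),
    # then append the single line we want. grep -v exits 1 when nothing
    # survives the filter, which is fine for an empty or port-only file.
    grep -v '^[[:space:]]*port=' "$conf" > "$tmp" || true
    printf 'port=0\n' >> "$tmp"
    mv "$tmp" "$conf"
}

dns_port_setting() {
    # Prints the value of the port= directive in the file, 53 if unset.
    # Assumes at most one such line, which set_dnsmasq_dns_port_zero ensures.
    awk -F= '/^[[:space:]]*port=/ { p = $2 }
             END { print (p == "" ? 53 : p) }' "$1"
}

# Interactive use on the AP (paths assumed, see header):
#   netstat -nlp | dnsmasq_holds_port53 && echo "dnsmasq owns :53"
#   dns_port_setting /etc/dnsmasq.conf
```

Running the port check before and after the hook is in place tells you whether dnsmasq really let go of :53; if it still holds the port, AGH will fail to bind and the AP will keep answering with the stock forwarder.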
Just to be clear, you're talking about an AX3000 V2 which is a router not a modem.

FYI DNS Director forces queries to go to a single DNS server. It cannot send the queries to two servers.
Thanks! Yeah, fair enough! What I meant to convey was that this particular router is the one in the home network that handles the connection to the ISP (PPPoE). But I should've known better than to use technically wrong nomenclature here. :) I suppose I can call this one the edge router instead. But ultimately it matters little in the context of my AGH "problem". :)

It is good to know that DNS director only forces traffic to one DNS server, thanks! Overlooked that. But that's fine. Most of the devices and traffic on them adhere to what DHCP feeds them. It's just some apps that don't play nicely and try to force their own including DoH (mostly from vendors like Facebook, Netflix; but also utility apps like Speedtest for some reason). As long as those are redirected: that's OK and their traffic is unlikely to be very significant in the overall picture. Ideally it'd round-robin, but just redirecting to one: so be it. A secondary resolver available to 99% of the traffic is already much better than nothing. :)


> a) router load is insignificant, built-in Dnsmasq is light weight forwarder
> b) already available (and a modem doesn't update any lists, it's a bridge)
> c) choose faster upstream DNS server, second local forwarder not needed
>
> You have to figure first what a modem, router and access point are actually doing.
Thank you for your response! Well, as for a.) it unfortunately isn't insignificant. AdGuard Home occasionally causes high loads and memory usage, it also takes a very very long time to restart after updates (often doesn't restart at all and requires manually killing processes or rebooting the router, the update script will just sit there waiting) and updating lists can take a very long time. This is probably not just AGH's fault as more services are running on the device, but it is the service showing most CPU and memory load and when it's encountering such an issue: the resolver sometimes doesn't function or is extremely slow, and therefore I want a secondary resolver in the network. This also addresses point c; I respectfully disagree. I want redundant resolvers in the network for various reasons and I find it to be a necessity. :)

> Install Entware on the AP and then install the Entware adguardhome-go package and set it up manually using the AGH Wiki as a guide:
Thank you so much! I'll go ahead and look at its feature set, and if it's a match I'll definitely go play with that. :) Entware is already deployed, so hopefully I'll get it going. Thanks! :)

> I concur with @dave14305 with this for anyone running a router in AP mode.
> I will share a few tips. Run "netstat -nlp | grep dnsmasq". If you are lucky, your dnsmasq instance will not be active. It is like this on "3006" routers in AP mode; I am not sure how it is on some of the older firmwares. I know on some of the older firmwares run in AP mode, dnsmasq ran on port 53. If this is the case in your scenario, you will need to find a way to keep dnsmasq dead.
>
> If you are lucky, your firmware will be old enough to still allow dnsmasq.postconf or dnsmasq.conf replacement inside AP mode. In that case, you can just set the dnsmasq DNS port to zero - voilà, AGH-go will be able to run as the DNS for the AP. That means all you have to worry about is configuring Adguardhome-go.
>
> Then you just tell your main LAN to distribute the IP address of your AP running AGH-go via DHCP. If you want a more fine-grained approach, just tell the clients which you want to use AGH-go to use the IP of the AP for DNS. You can also use DNS Director custom slots to define separate client rules to enforce AGH-go as the only DNS.
Thank you for your response and the tips! I will keep this in mind, do that and have a look to see how it goes. :)
 
Thanks all! It seems to be up and running. :) Splendid!

Just one more thing:
> FYI DNS Director forces queries to go to a single DNS server. It cannot send the queries to two servers.
Just double-checking here as I just realized I may have misunderstood what you meant. If DNS Director is set to "router" and I have configured the AP that I wish to use as secondary DNS server in DHCP: then it redirects to either one of the two, no? It can send queries to two servers, when using "router".

It has this as its description:
"A few special System options are available in the presets. "No Redirection" will bypass a global redirection, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined)."

I understood this as plural rather than singular. Should I interpret this as it choosing one of the DHCP-defined DNS servers and sticking to that, never using 2 servers if defined as such in DHCP settings?
 
> Thanks all! It seems to be up and running. :) Splendid!
>
> Just one more thing:
>
> Just double-checking here as I just realized I may have misunderstood what you meant. If DNS Director is set to "router" and I have configured the AP that I wish to use as secondary DNS server in DHCP: then it redirects to either one of the two, no? It can send queries to two servers, when using "router".
>
> It has this as its description:
> "A few special System options are available in the presets. "No Redirection" will bypass a global redirection, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined)."
>
> I understood this as plural rather than singular. Should I interpret this as it choosing one of the DHCP-defined DNS servers and sticking to that, never using 2 servers if defined as such in DHCP settings?
DNS Director can only intercept and redirect queries to a single IPv4 and/or IPv6 address. So if it's set to "Router" the queries will typically be sent to your router's IP address (e.g. 192.168.50.1). If you have set two DNS addresses in the DHCP settings it will use the first address only.
 
> DNS Director can only intercept and redirect queries to a single IPv4 and/or IPv6 address. So if it's set to "Router" the queries will typically be sent to your router's IP address (e.g. 192.168.50.1). If your have set two DNS addresses in the DHCP settings it will use the first address only.


-edit- Hmmmm... Scratch what I said. I think I overlooked something important in my test. If DNS Director only intervenes when DNS queries are made to a DNS server other than the ones configured in DHCP, then the tests I showed are wholly inconclusive. But if that is the case, then I misunderstood this particular part of its operation and this means that only the queries made by apps that attempt to use their own DNS servers are redirected to the router; but it allows the traffic to the two servers set in DHCP? That'd be fine, their traffic is negligible. :) (And this is likely the case, as both AGH instances are reporting processing DNS queries and I can manually query them - without intervention by DNS Director. But when attempting to query 8.8.8.8 directly: I do see the blockages working. If just the apps not playing nicely will encounter a performance hit or have no available resolvers for a bit once in a while: so be it.)
 
I don't see how you could have got the results you posted before you deleted them. But then I don't know how AGH inserts itself in the DNS flow and how it interacts with dnsmasq. I also don't know how you have configured your WAN DNS settings.

DNS Director can only intercept traffic that is being routed to the internet, e.g. 8.8.8.8 in your previous test. So that would typically be apps attempting to use their own DNS and ignoring DHCP.

I've just setup DNS Director on my router with Global Redirection = Router. DHCP's DNS server 1 = 1.1.1.1, server 2 = 1.0.0.1. If I look at the DNS Director rules generated I see this:
Code:
# iptables-save -t nat | grep DNSFILTER
:DNSFILTER - [0:0]
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 1.1.1.1
As you can see intercepted traffic only goes to 1.1.1.1, not 1.0.0.1.

P.S. What do you have set for "Advertise router's IP in addition to user-specified DNS"?
 
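A way to read those same rules on your own router, as an added example that is not from the thread or from the firmware: it parses an `iptables-save -t nat` dump on stdin and lists what DNS Director actually redirects port-53 traffic to, so the "single target" point above can be confirmed rather than inferred. The sample dump it is checked against is the one quoted in the post above; the shape of a per-client rule (a `--mac-source` match in the same chain) is an assumption used only to show that the parser separates such rules from the global one.

```sh
#!/bin/sh
# Added example (not from the thread or from the firmware): audit the nat
# rules DNS Director generates. Feed `iptables-save -t nat` on stdin:
#   iptables-save -t nat | dnsfilter_report
#
# The post above shows a single "-j DNAT --to-destination" rule in the
# DNSFILTER chain for Global Redirection = Router; this prints every such
# rule so you can see where intercepted port-53 traffic really lands.

# Protocols for which PREROUTING hands LAN port-53 traffic to DNSFILTER.
dnsfilter_hooked_protocols() {
    awk '$1 == "-A" && $2 == "PREROUTING" && /--dport 53/ && /-j DNSFILTER/ {
             for (i = 3; i <= NF; i++) if ($i == "-p") print $(i + 1)
         }' | sort -u
}

# One line per DNAT rule in DNSFILTER: "<source-match> <target>".
# The global redirection carries no source match (shown as "*"). Per-client
# rules, if the firmware adds any, are assumed to select on -s or
# --mac-source; a rule with neither is still listed, as "*".
dnsfilter_rules() {
    awk '$1 == "-A" && $2 == "DNSFILTER" && /-j DNAT/ {
             src = "*"; dst = ""
             for (i = 3; i <= NF; i++) {
                 if ($i == "-s" || $i == "--mac-source") src = $(i + 1)
                 if ($i == "--to-destination") dst = $(i + 1)
             }
             if (dst != "") print src, dst
         }'
}

# Target of the global redirection, empty if there is none.
dnsfilter_global_target() {
    dnsfilter_rules | awk '$1 == "*" { print $2; exit }'
}

# Human-readable summary; succeeds only if exactly one global target exists,
# which is what the posted dump shows for Global Redirection = Router.
dnsfilter_report() {
    dump=$(cat)
    printf 'hooked protocols : %s\n' \
        "$(printf '%s\n' "$dump" | dnsfilter_hooked_protocols | tr '\n' ' ')"
    printf '%s\n' "$dump" | dnsfilter_rules |
        while read -r src dst; do
            printf 'rule             : %s -> %s\n' "$src" "$dst"
        done
    globals=$(printf '%s\n' "$dump" | dnsfilter_rules | awk '$1 == "*"' | wc -l | tr -d ' ')
    printf 'global targets   : %s\n' "$globals"
    [ "$globals" -eq 1 ]
}
```

Because the chain is only reached from the `-i br+` PREROUTING jumps, this also makes visible what the later posts work out by experiment: the match is on LAN-originated port-53 traffic, and a single DNAT target is where it goes, whatever the DHCP server advertises as a second resolver.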
AdGuard Home needs RAM. Your routers are entry-level models with less than 200MB free RAM after boot.
Yup, AGH + other processes. Which is why its nice to have two instances running on separate devices so that when the router is temporarily not serving requests (in a timely manner) (eg: AGH updating, blocklist updates or degraded performance due to (lack of) available resources): the clients on the network are not affected and can simply continue getting a response from the instance on the AP. :)

> I don't see how you could have got the results you posted before you deleted them. But then I don't know how AGH inserts itself in the DNS flow and how it interacts with dnsmasq. I also don't know how you have configured your WAN DNS settings.
>
> But DNS Director only intercepts traffic that would otherwise be routed to the internet. e.g. 8.8.8.8 in your previous test.
>
> I've just setup DNS Director on my router with Global Redirection = Router. DHCP's DNS server 1 = 1.1.1.1, server 2 = 1.0.0.1. If I look at the DNS Director rules generated I see this:
> Code:
> # iptables-save -t nat | grep DNSFILTER
> :DNSFILTER - [0:0]
> -A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
> -A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
> -A DNSFILTER -j DNAT --to-destination 1.1.1.1
> As you can see intercepted traffic only goes to 1.1.1.1, not 1.0.0.1.
>
> P.S. What do you have set for "Advertise router's IP in addition to user-specified DNS"?
I do know the probable cause for those results. There's two things:
1.) Local DNS traffic, or at least to the router and AP, wasn't being redirected (as you also point out). That explains why both AGH instances are receiving DNS traffic despite DNS Director being enabled (and only being capable of redirecting to 1 IP).
2.) The AGH process likely hadn't actually quit (yet) on the router the first time around when I ran the manual look-up for ads.google.com; so it was probably still responding. When both were killed, it went to the time-out. (As expected at that point.) Next time with such a test, I'll do -9 for good measure.

Ergo: it looks like, indeed, DNS Director's explanation is meant to be understood as singular rather than plural, as your results also indicate. But as both local resolvers can work simultaneously on the LAN despite DNS Director's limitations: this is perfectly fine, I'm happy. Maybe the VPNs will always hit the router, but that was supposed to happen anyway as it's the one on the more juicy UPS.

For your other questions, if still relevant:
- WAN DNS is set to Quad9. (Before, it was set to be using itself essentially; but this caused severe issues due to the router sending tens of thousands of DNSKEY lookups per second to AGH. Never figured out why it did that.)
- Advertise router's IP in addition to user-specified DNS is disabled, although it had crossed my mind to test if that would change the situation for DNS Director. But judging by your posts and analysis, I suppose it's very likely that it won't. :)


Either way, everything is working exactly how I wanted it now. Two resolvers, both operational; and both on the ASUS devices. Very happy to see its possible and works.

Thank you very much everyone! :)
 
