AdGuardHome and DoH

So, I want to make DoH work. But every time I turn off plain DNS there is no name resolving at all. So what I've done:

  1. Set up ADH via that guide (the manual one, not via opkg): https://forum.openwrt.org/t/how-to-updated-2021-installing-adguardhome-on-openwrt-manual-and-opkg-method/
    Also skipped setting up Cloudflare DNS.
  2. I already have nginx proxy manager installed on a PC in my local network, so I made a cert for dns.mydomain.com and copied the necessary pems to my router.
  3. Of course I turned on the setting in the AGH web interface, but still only plain DNS. What's wrong and how do I make it work? Maybe there is another option.
    I use AGH only for blocking some ads, so maybe it's not that necessary for me, idk really. Hope somebody will help.

AGH for router - AdGuard Home, opkg and ping on router not working - #7 by frollic.

AGH is working. But if I turn off plain DNS to force using only the encrypted one, it doesn't.

do you mean upstream resolution stops, or local resolution stops when you enable encryption?

So resolution stops everywhere, like DNS doesn't work at all. On the router itself and on other devices in the LAN. So yes, upstream resolution stops and local too.

For example I get this if plain DNS is unchecked:

root@OpenWrt:~# nslookup google.com
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to ::1#53: connection refused
;; no servers could be reached
Also in the logs there is only plain DNS. But https://one.one.one.one/help/ says that DoH is OK, but sometimes not. I can't understand how it works =\

You need to reconfigure AGH to listen on port 53.

It listens on port 53, of course.

Ok then, have fun with your "everything is working".

So, the installation was made by the guide in my first post. I moved dnsseq to port 54 and set AdGuard to 53. How else should I force it to listen on port 53?
And I have that error only when I uncheck plain DNS in the AdGuard settings.

Screenshot with plain DNS checked in AdGuard settings

dnsmasq I assume?

based on your screenshot (please don't use screenshots), post it as plain text, use the </> button when you do.

if the AGH (I don't use it) plain DNS setting is for downstream clients, not upstream servers, no wonder nslookup and other CLI tools fail...

Yes, sorry.

Okay, but when I uncheck that plain DNS, every device fails to resolve.

Again, no idea which services AGH provides, but if the clients aren't configured to use an encrypted DNS service as a replacement, who are they supposed to query?

So netstat gives the following:

tcp        0      0 :::853                  :::*                    LISTEN      2866/AdGuardHome
tcp        0      0 :::53                   :::*                    LISTEN      2866/AdGuardHome
udp        0      0 :::53                   :::*                                2866/AdGuardHome
udp        0      0 :::853                  :::*                                2866/AdGuardHome
tcp        0      0 x.x.x.x:54         0.0.0.0:*               LISTEN      3671/dnsmasq
tcp        0      0 192.168.1.1:54          0.0.0.0:*               LISTEN      3671/dnsmasq
tcp        0      0 127.0.0.1:54            0.0.0.0:*               LISTEN      3671/dnsmasq

udp        0      0 x.x.x.x:54         0.0.0.0:*                           3671/dnsmasq
udp        0      0 127.0.0.1:54            0.0.0.0:*                           3671/dnsmasq
udp        0      0 192.168.1.1:54          0.0.0.0:*                           3671/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           3671/dnsmasq
So as far as I understand, AdGuard listens on 53 for plain DNS and on 853 for DoH and DoT. And dnsmasq listens on 54, as it should according to the manual I used to install AGH.

The router provides DNS to LAN clients in my case, as far as I understood.

your netstat disagrees with you ...
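One way to read a netstat -tulnp dump like the ones posted in this thread and state plainly who owns the plain (53), encrypted (853) and dnsmasq (54) listeners and what that means for clients. This is an added example, not part of the thread or of AdGuard Home; the netstat sample inside it is constructed to mirror the state with the "plain DNS" box unchecked, and the port roles are assumptions taken from the posts above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's netstat output, with AdGuard
# Home's plain-DNS listener on :53 absent (the "plain DNS" box unchecked) while
# its encrypted listener on 853 and dnsmasq on 54 remain.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::853                  :::*                    LISTEN      6483/AdGuardHome
tcp        0      0 127.0.0.1:54            0.0.0.0:*               LISTEN      6857/dnsmasq
tcp        0      0 192.168.1.1:54          0.0.0.0:*               LISTEN      6857/dnsmasq
udp        0      0 :::853                  :::*                                6483/AdGuardHome
udp        0      0 192.168.1.1:54          0.0.0.0:*                           6857/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6857/dnsmasq
"""

# proto, local address, optional LISTEN state, PID/Program (or "-")
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")

def parse_listeners(text):
    """Map (proto, port) -> set of program names that hold that socket."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, local, pidprog = m.groups()
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:53, :::53, ::1:54
        out[(proto, port)].add(pidprog.split("/", 1)[-1])
    return dict(out)

def diagnose(listeners, plain_port=53, encrypted_port=853, stub_port=54):
    """Explain, from what actually listens, why plain clients do or do not resolve."""
    findings = []
    plain = listeners.get(("udp", plain_port), set()) | listeners.get(("tcp", plain_port), set())
    if not plain:
        findings.append(f"nothing listens on port {plain_port}: every client that queries the "
                        "router normally, nslookup on the router included, gets connection refused")
    elif "dnsmasq" in plain:
        findings.append(f"dnsmasq still owns port {plain_port}, so AdGuard Home cannot bind it")
    else:
        findings.append(f"port {plain_port} is served by {', '.join(sorted(plain))}")
    enc = listeners.get(("tcp", encrypted_port), set())
    if enc:
        findings.append(f"port {encrypted_port} ({', '.join(sorted(enc))}) only serves clients that "
                        f"already speak an encrypted transport; it is not a substitute for port {plain_port}")
    if "dnsmasq" in listeners.get(("udp", stub_port), set()):
        findings.append(f"dnsmasq moved to port {stub_port}, as the install guide expects")
    return findings
```

Run it on a real dump with `diagnose(parse_listeners(open("netstat.txt").read()))`; the first finding tells you whether turning off plain DNS removed the only listener your clients know how to reach.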

Hm, okay. I've tried to change /opt/AdGuardHome.yaml:

dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

Tried to put 127.0.0.1 and 192.168.1.1 here, but then the service doesn't restart. When I restored 0.0.0.0, AGH works OK.

0.0.0.0 should make it bind to all interfaces, which it doesn't appear to do, or your netstat post's incomplete ...

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:54          0.0.0.0:*               LISTEN      6857/dnsmasq
tcp        0      0 188.244.3.57:54         0.0.0.0:*               LISTEN      6857/dnsmasq
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2460/uhttpd
tcp        0      0 192.168.1.1:8112        0.0.0.0:*               LISTEN      6483/AdGuardHome
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2460/uhttpd
tcp        0      0 127.0.0.1:54            0.0.0.0:*               LISTEN      6857/dnsmasq
tcp        0      0 192.168.1.1:8443        0.0.0.0:*               LISTEN      6483/AdGuardHome
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1297/dropbear
tcp        0      0 fe80::5e02:14ff:fee4:8d35:54 :::*                    LISTEN      6857/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      2460/uhttpd
tcp        0      0 ::1:54                  :::*                    LISTEN      6857/dnsmasq
tcp        0      0 fe80::a639:b3ff:fe73:1110:54 :::*                    LISTEN      6857/dnsmasq
tcp        0      0 fe80::a639:b3ff:fe73:1110:54 :::*                    LISTEN      6857/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      2460/uhttpd
tcp        0      0 :::853                  :::*                    LISTEN      6483/AdGuardHome
tcp        0      0 :::22                   :::*                    LISTEN      1297/dropbear
tcp        0      0 :::53                   :::*                    LISTEN      6483/AdGuardHome
udp        0      0 127.0.0.1:54            0.0.0.0:*                           6857/dnsmasq
udp        0      0 192.168.1.1:54          0.0.0.0:*                           6857/dnsmasq
udp        0      0 188.244.3.57:54         0.0.0.0:*                           6857/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6857/dnsmasq
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::546                  :::*                                3281/odhcp6c
udp        0      0 :::53                   :::*                                6483/AdGuardHome
udp        0      0 ::1:54                  :::*                                6857/dnsmasq
udp        0      0 fe80::a639:b3ff:fe73:1110:54 :::*                                6857/dnsmasq
udp        0      0 fe80::5e02:14ff:fee4:8d35:54 :::*                                6857/dnsmasq
udp        0      0 fe80::a639:b3ff:fe73:1110:54 :::*                                6857/dnsmasq
udp        0      0 :::853                  :::*                                6483/AdGuardHome
udp        0      0 :::51820                :::*                                -

Here is the full output of netstat -tulnp.

seems to be working even though AGH isn't explicitly listed as listening on 192.168.1.1.

I just installed it, moved dnsmasq to port 54, and left everything else untouched.

nslookup on router and client works flawlessly.

C:\Users\froll>nslookup google.com 192.168.1.1
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4018:807::200e
          142.250.201.142

root@OpenWrt:/etc/config# nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4018:807::200e

Non-authoritative answer:
Name:   google.com
Address: 142.250.201.142

root@OpenWrt:/etc/config# nslookup google.com 192.168.1.1
Server:         192.168.1.1
Address:        192.168.1.1:53

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4018:807::200e

Non-authoritative answer:
Name:   google.com
Address: 142.250.201.142

bind_hosts in adguardhome.yaml is 0.0.0.0.

You see, my main idea is to force ADH to use only DoH. It works for me if I leave everything untouched like you. But if I check for DNS leaks, for example at one.one.one.one/help, sometimes the debug info shows that DoH is not used, but sometimes DoH is used.