AdGuardHome error "dns: buffer size too small" after upgrading to 24.10.0

dsouza · March 18, 2025, 2:40pm

I am getting random bursts of "dns: buffer size too small" errors from AdguardHome after I upgraded to OpenWrt 24.10.0 (I am getting this in two different devices, R6S and AX6S).

Things that I have already tried and did not solve the issue:

Upgraded AdguardHome to the latest version (to v0.107.57)
Increased rmem and wmem sizes in /etc/sysctl.conf to 16MiB as folows:

net.core.rmem_default=16777216
net.core.wmem_default=16777216
net.core.rmem_max=16777216
net.core.wmem_max=16777216

If anyone is experiencing this issue and has a solution please share, thanks!

Mon Mar 17 13:31:44 2025 daemon.err AdGuardHome[21608]: 2025/03/17 16:31:44.263904 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 13:31:51 2025 daemon.err AdGuardHome[21608]: 2025/03/17 16:31:51.161674 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 14:43:13 2025 daemon.err AdGuardHome[21608]: 2025/03/17 17:43:13.655046 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 14:43:16 2025 daemon.err AdGuardHome[21608]: 2025/03/17 17:43:16.656018 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 16:02:30 2025 daemon.err AdGuardHome[21608]: 2025/03/17 19:02:30.315891 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 16:02:33 2025 daemon.err AdGuardHome[21608]: 2025/03/17 19:02:33.321458 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 16:28:57 2025 daemon.err AdGuardHome[21608]: 2025/03/17 19:28:57.739237 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 16:29:00 2025 daemon.err AdGuardHome[21608]: 2025/03/17 19:29:00.606672 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 18:08:02 2025 daemon.err AdGuardHome[21608]: 2025/03/17 21:08:02.753992 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Mon Mar 17 18:08:05 2025 daemon.err AdGuardHome[21608]: 2025/03/17 21:08:05.592637 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"

frollic · March 18, 2025, 2:45pm

NanoPi R6S, with 8GB RAM ?

the mem params can probably be bumped up, a lot, at least on the R6S.

github.com/AdguardTeam/AdGuardHome

error handling UDP packet: dns: buffer size too small

opened 12:04PM - 08 Jun 20 UTC

closed 11:03AM - 29 Jun 20 UTC

SanderGit

### Issue Details * **Version of AdGuard Home server:** * 0.102.0 * **How… did you setup DNS configuration:** * To CloudFlare DNS * **If it's a router or IoT, please write device model:** * Raspberry Pi model 2B+ * **Operating system and version:** * Raspbian 10.4 ### Expected Behavior Normal operation ### Actual Behavior CPU spinning 300% with AdGuardHome process. Logs in error log file. ### Additional Information AdGuardHome.err shows: 2020/06/08 12:36:43 [info] got invalid number of questions: 0 2020/06/08 12:36:43 [info] got invalid number of questions: 0 2020/06/08 12:36:51 [info] error handling UDP packet: dns: buffer size too small 2020/06/08 12:36:54 [info] error handling UDP packet: dns: buffer size too small The interrnet connection has been interrupted, it is likely that the issue is related to the interruption, but AdGuardHome could not recover from it by itself.

dsouza · March 18, 2025, 10:14pm

Yep, R6S with 8GiB of RAM.

I had already increased to 16MiB, let me try 128MiB (which is really a lot for UDP buffers...) and see if the error goes away.

Dante · March 19, 2025, 12:51am

Is there anything non-stock about your Adguard Home setup? I'm curious because I'm on this version for 3 weeks now I think and I don't have anything similar. Which upstreams do you use? Could it be related to QUIC ones as per the GitHub issue (I only use TLS ones)? I somehow doubt the total buffer size is the problem.

dsouza · March 19, 2025, 9:51pm

I have my own configurations, but nothing crazy. I tested 1.1.1.1 and 8.8.8.8 as upstreams, both with tls:// and https://, and the error happens with both.

I have "AdGuard browsing security web service" enabled, increased DNS cache size to 67108864 and override TTL min/max to 3600/86400, and two client configurations.

My config is here: https://pastebin.com/JLw46y05 (password and uuids redacted).

Dante · March 19, 2025, 11:14pm

Nothing jumps out in the config, so perhaps the issue is elsewhere. Have you tried starting with a fresh Adguard config either way with minimal changes?

dsouza · March 21, 2025, 12:03am

Increasing net.core buffers to 128MiB did not help. Errors still appears in burst randomly once or twice a day.

So this is not related to buffer size. I don't want to mess with my main router. When I have time I will setup a spare R4S I have with vanilla OpenWrt and default clean Wireguard setup, and check if this issue still remains.

Dante · March 26, 2025, 4:45pm

Any updates on trying to set up that spare router?

dsouza · March 27, 2025, 9:52am

Not done yet, let me see if I can do this weekend.

For now upgrading to AdguardHome 0.107.59 in the R6S 24.10.0 has not resolved the issue.

dsouza · March 27, 2025, 11:17pm

@Dante I had sometime to install it today early morning.

I did a clean install of OpenWrt 24.10.0 on an R5S, installed AdGuardHome 0.107.57 (default via opk install), and did some basic configuration.

Then I changed my main router to set the R5S AdguardHome as default DNS server via DHCP (dhcp_option 6,192.168.1.92, 3,192.168.1.92) and I would wait all clients in my network to renew DHCP to start using the fresh AdguardHome.

Well, this setup is up an running for about 10 hours now. But after 8 hours I got the first two "buffer too small" errors:

Thu Mar 27 18:08:01 2025 daemon.err AdGuardHome[6070]: 2025/03/27 21:08:01.554061 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Thu Mar 27 18:08:04 2025 daemon.err AdGuardHome[6070]: 2025/03/27 21:08:04.557772 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"

I will keep this server running for at least one more day, but so far it seems that even starting from a fresh install and config I am getting the same errors.

dsouza · March 28, 2025, 7:39pm

More of the same errors keep coming in the fresh install:

Fri Mar 28 08:19:58 2025 daemon.err AdGuardHome[1917]: 2025/03/28 11:19:58.706014 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Fri Mar 28 08:20:01 2025 daemon.err AdGuardHome[1917]: 2025/03/28 11:20:01.705738 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Fri Mar 28 10:55:41 2025 daemon.err AdGuardHome[1917]: 2025/03/28 13:55:41.630753 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Fri Mar 28 10:55:45 2025 daemon.err AdGuardHome[1917]: 2025/03/28 13:55:45.675817 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Fri Mar 28 16:20:23 2025 daemon.err AdGuardHome[1917]: 2025/03/28 19:20:23.938867 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
Fri Mar 28 16:20:26 2025 daemon.err AdGuardHome[1917]: 2025/03/28 19:20:26.940006 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"

dsouza · March 28, 2025, 7:45pm

BTW, just checked the queries around the same time as last error (16:20:26), nothing catches the eye:

dsouza · March 29, 2025, 12:48pm

For now, I am giving up on trying to solve these issues. They happen a few times a day, and I have not noticed any impact on the client side (possibly, clients just retry the DNS resolution when this happens).

If I have time, I may repeat this test using a snapshot build that includes some additional kernel 6.6 patches that could have some positive side effects, but it is more likely that I will wait for 24.10.1 to upgrade my main router and see if these errors go away.

Dante · March 31, 2025, 1:47pm

I haven't dug too deep into this, but looking at the source briefly:

req := &dns.Msg{}
err := req.Unpack(packet)
if err != nil {
	p.logger.Error("unpacking udp packet", slogutil.KeyError, err)

it looks like the DNS response is invalid, so nothing to do with any buffer setting on the router. Perhaps enabling verbose logging could shed some light, as there's a Debug log message right above that.

dsouza · April 1, 2025, 10:10am

OK, I enabled AdGuardHome verbose log, and also configured a separate log file.

So far I've captured only two instances of the "dns: buffer size too small" error. Below is the log session with the debug messages right before the error. Nothing seems unusual.

The only thing in common in these two errors are that they seem to originated of a DNS resolution from client 192.168.1.248 (Samsung A55 device).

However I am not sure the log time sequence can be trusted (I suppose AdGuardHome is multithreaded). The only debug message in the code you referred above before the error is 2025/04/01 09:54:52.758247 18344#238 [debug] dnsproxy: handling new udp packet raddr=192.168.1.248:57170 but it does not help (except pointing the originating client).

I will keep monitoring.

Log 1

(...)
2025/04/01 09:54:55.014103 18344#312 [debug] dnsforward: started processing querylog and stats
2025/04/01 09:54:55.014144 18344#312 [debug] dnsforward: client ip for stats and querylog: 192.168.1.248
2025/04/01 09:54:55.014218 18344#312 [debug] dnsforward: finished processing querylog and stats
2025/04/01 09:54:55.014324 18344#312 [debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 59422"
2025/04/01 09:54:55.014386 18344#312 [debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0"
2025/04/01 09:54:55.014444 18344#312 [debug] dnsproxy: out line_num=3 line=""
2025/04/01 09:54:55.014503 18344#312 [debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
2025/04/01 09:54:55.014561 18344#312 [debug] dnsproxy: out line_num=5 line=";locationhistory-pa.googleapis.com.\tIN\t A"
2025/04/01 09:54:55.014620 18344#312 [debug] dnsproxy: out line_num=6 line=""
2025/04/01 09:54:55.014678 18344#312 [debug] dnsproxy: out line_num=7 line=";; ANSWER SECTION:"
2025/04/01 09:54:55.014738 18344#312 [debug] dnsproxy: out line_num=8 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.172.170"
2025/04/01 09:54:55.014807 18344#312 [debug] dnsproxy: out line_num=9 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.162.234"
2025/04/01 09:54:55.014868 18344#312 [debug] dnsproxy: out line_num=10 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.172.42"
2025/04/01 09:54:55.014928 18344#312 [debug] dnsproxy: out line_num=11 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.172.138"
2025/04/01 09:54:55.014987 18344#312 [debug] dnsproxy: out line_num=12 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t142.251.128.170"
2025/04/01 09:54:55.015047 18344#312 [debug] dnsproxy: out line_num=13 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t142.251.128.234"
2025/04/01 09:54:55.015105 18344#312 [debug] dnsproxy: out line_num=14 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.30.234"
2025/04/01 09:54:55.015165 18344#312 [debug] dnsproxy: out line_num=15 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.28.170"
2025/04/01 09:54:55.015224 18344#312 [debug] dnsproxy: out line_num=16 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.28.42"
2025/04/01 09:54:55.015283 18344#312 [debug] dnsproxy: out line_num=17 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t142.251.129.10"
2025/04/01 09:54:55.015343 18344#312 [debug] dnsproxy: out line_num=18 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t142.251.128.202"
2025/04/01 09:54:55.015403 18344#312 [debug] dnsproxy: out line_num=19 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.30.138"
2025/04/01 09:54:55.015463 18344#312 [debug] dnsproxy: out line_num=20 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.28.202"
2025/04/01 09:54:55.015522 18344#312 [debug] dnsproxy: out line_num=21 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.28.138"
2025/04/01 09:54:55.015581 18344#312 [debug] dnsproxy: out line_num=22 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.162.10"
2025/04/01 09:54:55.015640 18344#312 [debug] dnsproxy: out line_num=23 line="locationhistory-pa.googleapis.com.\t3600\tIN\tA\t172.217.30.106"
2025/04/01 09:54:55.015698 18344#312 [debug] dnsproxy: out line_num=24 line=""
2025/04/01 09:54:55.765390 18344#313 [debug] dnsproxy: handling new udp packet raddr=192.168.1.248:57170
2025/04/01 09:54:55.765457 18344#313 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
(...)

Log 2

(...)
2025/04/01 09:54:52.740681 18344#235 [debug] dnsforward: started processing querylog and stats
2025/04/01 09:54:52.740721 18344#235 [debug] dnsforward: client ip for stats and querylog: 192.168.1.248
2025/04/01 09:54:52.740786 18344#235 [debug] dnsforward: finished processing querylog and stats
2025/04/01 09:54:52.740861 18344#235 [debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NXDOMAIN, id: 6"
2025/04/01 09:54:52.740921 18344#235 [debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"
2025/04/01 09:54:52.740983 18344#235 [debug] dnsproxy: out line_num=3 line=""
2025/04/01 09:54:52.741043 18344#235 [debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
2025/04/01 09:54:52.741102 18344#235 [debug] dnsproxy: out line_num=5 line=";*google.com.\tIN\t A"
2025/04/01 09:54:52.741159 18344#235 [debug] dnsproxy: out line_num=6 line=""
2025/04/01 09:54:52.741218 18344#235 [debug] dnsproxy: out line_num=7 line=";; AUTHORITY SECTION:"
2025/04/01 09:54:52.741278 18344#235 [debug] dnsproxy: out line_num=8 line="com.\t522\tIN\tSOA\ta.gtld-servers.net. nstld.verisign-grs.com. 1743500892 1800 900 604800 900"
2025/04/01 09:54:52.741335 18344#235 [debug] dnsproxy: out line_num=9 line=""
2025/04/01 09:54:52.758247 18344#238 [debug] dnsproxy: handling new udp packet raddr=192.168.1.248:57170
2025/04/01 09:54:52.758326 18344#238 [error] dnsproxy: unpacking udp packet err="dns: buffer size too small"
(...)

dsouza · April 1, 2025, 10:50am

BTW, I am not a developer (anymore), but if I am reading it correctly, it seems that the unpack function (method?) used by AdGuardHome seems to come from https://github.com/miekg/dns/ library.

I really do not know golang, but as far as I can understand, the error ErrBuf is the "buffer size too small" message and it comes from the unpack() method from this code:

func (e *EDNS0_SUBNET) unpack(b []byte) error {
	if len(b) < 4 {
		return ErrBuf
	}
(...)

In this case, I do not understand it would mean that the UDP packet size is less than 4? I mean, it is not about increasing buffers, but it is about how to handle an UDP DNS message that contains less than 4 bytes.

Dante · April 5, 2025, 10:34pm

I looked into it a bit more. The actual Unpack that dnsproxy calls is here:

github.com/miekg/dns

msg.go

v1.1.62


      
          func (dns *Msg) Unpack(msg []byte) (err error) {
          	dh, off, err := unpackMsgHdr(msg, 0)
          	if err != nil {
          		return err
          	}
          
          	dns.setHdr(dh)
          	return dns.unpack(dh, msg, off)
          }

Which calls unpack here:

github.com/miekg/dns

msg.go

v1.1.62


      
          func (dns *Msg) unpack(dh Header, msg []byte, off int) (err error) {
          	// If we are at the end of the message we should return *just* the
          	// header. This can still be useful to the caller. 9.9.9.9 sends these
          	// when responding with REFUSED for instance.
          	if off == len(msg) {
          		// reset sections before returning
          		dns.Question, dns.Answer, dns.Ns, dns.Extra = nil, nil, nil, nil
          		return nil
          	}
          
          	// Qdcount, Ancount, Nscount, Arcount can't be trusted, as they are
          	// attacker controlled. This means we can't use them to pre-allocate
          	// slices.
          	dns.Question = nil
          	for i := 0; i < int(dh.Qdcount); i++ {
          		off1 := off
          		var q Question
          		q, off, err = unpackQuestion(msg, off)
          		if err != nil {
          			return err

This file has been truncated. show original

Which in turn calls a bunch of other methods that parse parts of DNS message and if any offset doesn't match, e.g. exceeds the length of the message, they throw the aforementioned ErrBuf:

github.com/miekg/dns

msg.go

v1.1.62


      
          	// expanding to at most 4 bytes (\DDD). If all other labels are of the maximum
          	// length, then the final label can only be 61 octets long to not exceed the
          	// maximum allowed wire length.
          	maxDomainNamePresentationLength = 61*4 + 1 + 63*4 + 1 + 63*4 + 1 + 63*4 + 1
          )
          
          // Errors defined in this package.
          var (
          	ErrAlg           error = &Error{err: "bad algorithm"}                  // ErrAlg indicates an error with the (DNSSEC) algorithm.
          	ErrAuth          error = &Error{err: "bad authentication"}             // ErrAuth indicates an error in the TSIG authentication.
          	ErrBuf           error = &Error{err: "buffer size too small"}          // ErrBuf indicates that the buffer used is too small for the message.
          	ErrConnEmpty     error = &Error{err: "conn has no connection"}         // ErrConnEmpty indicates a connection is being used before it is initialized.
          	ErrExtendedRcode error = &Error{err: "bad extended rcode"}             // ErrExtendedRcode ...
          	ErrFqdn          error = &Error{err: "domain must be fully qualified"} // ErrFqdn indicates that a domain name does not have a closing dot.
          	ErrId            error = &Error{err: "id mismatch"}                    // ErrId indicates there is a mismatch with the message's ID.
          	ErrKeyAlg        error = &Error{err: "bad key algorithm"}              // ErrKeyAlg indicates that the algorithm in the key is not valid.
          	ErrKey           error = &Error{err: "bad key"}
          	ErrKeySize       error = &Error{err: "bad key size"}
          	ErrLongDomain    error = &Error{err: fmt.Sprintf("domain name exceeded %d wire-format octets", maxDomainNameWireOctets)}
          	ErrNoSig         error = &Error{err: "no signature found"}
          	ErrPrivKey       error = &Error{err: "bad private key"}

That goes back to my previous comment about the DNS message being invalid. I guess if you want to dig deeper you could capture the DNS packets to figure out which ones are invalid (if any), or if AdGuard is somehow mangling these messages on their way to be unpacked, but I think that's going a bit too far. Considering it's just a few messages here and there, my gut feeling this is something coming from the upstream DNS resolvers.