DNS Hijacking with IPv6 to set AdGuard Home

First of all, I have pretty novice knowledge of networking in general so please, feel free to correct me on any misinterpretation/misconception I may have, just be patient in doing so.

I just installed AdGuard Home but some devices manage to bypass it and still show me ads. After researching it I found out that the DNS Hijacking setup should address that, which is available below:

DNS Hijacking

But the thing is, on that tutorial, it tells me to select IPv4 and IPv6 on the "Restrict to address family" option, and as soon as I do that, I get the following error which prevents me from saving those settings:

If I choose automatic or IPv4 only I can save that, but as you might know, that's different from what the tutorial is telling me to do.

The question is, if I do save selecting one of the mentioned available options, will that work as intended? Preventing any device from bypassing ADH blocking abilities?

And if it does, will that work on IPv6 clients as well?

Every tutorial I found showing how to prevent that targets old OWRT versions that don't use nftables, so it's useless for me. If you know any tutorial targeting the current version, I'll be thankful to have it.

Do not specify ip4 address, own ip4/6 address is presumed.

I'm sorry, I'm afraid I didn't understand your answer quite well. Are you telling me that I should not specify an internal IP address nor port?

config redirect 'dns_intr'
        option name 'IntrDNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

I have no idea how to run that code, just tried via ssh and get an error in every single line. Is it possible to do the same via Luci?

It is meant to be a section in /etc/config/firewall

I guess I don't have the knowledge to apply that. If you could indicate a layman friendlier way to do it I'll be happy to know

In your screenshot above leave out the IPv4 address selection in the bottom.
As you cannot divert the IPv6 traffic to the IPv4 address.

The section which @brada4 mentioned is in

/etc/config/firewall

You may edit this file via ssh and a text editor like vi or nano.

Then restart the firewall service either through the UI (System-Startup) or on the command line:

service firewall restart
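As an added check (my own example, not code posted by anyone in this thread), here is a POSIX shell linter for the redirect section quoted above. It assumes the standard UCI config/option syntax and constructs two samples inline: the working section as posted, and the same section with an IPv4 dest_ip added (the address LuCI offers at the bottom of the form), which is the combination that could not be saved; 192.168.1.1 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: lint /etc/config/firewall text for the
# DNS-intercept redirect shown above, catching the trap the thread hit: a fixed
# IPv4 dest_ip together with family 'any'.

# check_dns_redirect FILE  -> prints findings; exit 0 if usable, 1 otherwise
check_dns_redirect() {
    awk -v q="'" '
    BEGIN { bad = 0; seen = 0 }
    function flush() {
        if (sect != "redirect" || dport != "53") return
        seen = 1
        if (family == "any" && dest_ip != "") {
            print "ERROR " name ": IPv6 clients cannot be diverted to IPv4 " dest_ip ", drop dest_ip"
            bad = 1
        }
        if (proto !~ /tcp/ || proto !~ /udp/) {
            print "WARN " name ": proto should be tcp udp, got " proto; bad = 1
        }
    }
    /^config / { flush(); sect = $2; name = $3; gsub(q, "", name)
                 dport = proto = family = dest_ip = "" }
    /^[ \t]*option / {
        v = ""; for (i = 3; i <= NF; i++) v = v (i > 3 ? " " : "") $i
        gsub(q, "", v)                      # strip UCI quoting
        if ($2 == "src_dport") dport = v
        else if ($2 == "proto") proto = v
        else if ($2 == "family") family = v
        else if ($2 == "dest_ip") dest_ip = v
    }
    END { flush(); if (!seen) { print "ERROR no redirect for port 53"; bad = 1 }
          exit bad }' "$1"
}

# Constructed sample: the working section from the thread (no dest_ip)
working_section() {
    cat <<'EOF'
config redirect 'dns_intr'
        option name 'IntrDNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'
EOF
}

# Constructed sample: same section plus the router IPv4 address chosen in the
# LuCI form, the combination that was rejected (192.168.1.1 is a placeholder)
broken_section() { working_section; echo "        option dest_ip '192.168.1.1'"; }
```

Run it against a copy of /etc/config/firewall to confirm the section is the one fw4 will accept before restarting the firewall.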

Like this

Thanks for the clarification. I'll try to research a bit on your advice to learn how to edit such files.

Thanks for the screenshot, I tried to do the same as shown below:

But after saving it, some devices are still able to bypass AGH blocking. Any advice on that?

ubus call system board
opkg list-installed adguardhome

Is that what you've asked for?

root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R2S",
"board_name": "friendlyarm,nanopi-r2s",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "rockchip/armv8",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}

No output was given when running the second line of code. I guess that's because I didn't install AGH using LuCI but instead installed curl and ran the following:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

You can ask the provider of the package about things they do not block; here you asked about DNS hijacking and it works quite well.

AFAIK they don't have such place. What I'm trying to do is to block ads on every single device but some of them (not all) are able to bypass it. I used such terms as DNS hijacking because I thought that was the problem since every case I see about it used that term to address that issue, but couldn't replicate the given solutions because they were always targeted to old OWRT versions. Should I make a new post explaining the issue without using such terms or is it indeed related?

So install OpenWRT package which does all the customisations needed.

Alright, so that issue is just a matter of lack of customization? Once I uninstall my version and install the way you recommend it I shouldn't face that specific issue anymore?

No idea, you asked about DNS hijacking rule, you got answer. I have no idea what 3rd party 100MB binary does and does not.


You should start another thread; it keeps things tidy and searchable.

The bypass is DoH, even some games use that to help you with in-game ads :face_with_spiral_eyes: