Extremely slow local rDNS/Lan Domain Interception requests

I do not use AGH, much too bloated to my taste; there is nothing it does that DNSMasq with HTTPS-DNS-proxy and an adblocker can't do :wink:
But 127.0.0.1:54 is your local address, and if AGH is not running on the router that might not be correct; better try to use the router's IP address.

Another thing to look at is whether you have DNS hijacking (DNS redirection) implemented; that can be responsible for looping.

Negative, I do not.

It is.

But if it were looping it wouldn't resolve at all, no? But it eventually resolves.

You set selective forwarding for any domain // via dnsmasq. Kind of: don't be so stubborn and read the fine manual pages...
You are pretty much on your own using the OpenWrt guide to configure a 3rd-party product. You could use Windows guidance as well.

Alright, I have now removed that line and switched over to the opkg package.

opkg list-installed adguardhome
adguardhome - 0.107.46-1

With no effect.

https://termbin.com/rco5

AGH is your main DNS resolver (port 53); AGH forwards local DNS queries to port 54 (dnsmasq) and non-local queries to your upstream resolvers (such as Google DNS).

I see you're also forwarding non-expanded hosts [//] from AGH to dnsmasq:

  upstream_dns:
    - '[//]127.0.0.1:54'

This is ok and desirable in most cases, but you need to make sure dnsmasq is treating these queries accordingly.

In dnsmasq:

  • Remove 192.168.0.1 from the dnsmasq forward list; you should not be forwarding from dnsmasq to AGH.

  • Add expandhosts '1' to make sure non-expanded hosts are expanded to .lan;

  • Add local '/lan/' to make sure all queries *.lan are resolved in dnsmasq;

  • It's good practice to disable caching when using dnsmasq only for local queries, to make sure local queries are always up to date (in case a DHCP lease is renewed with a different IP);

  • Finally, add noresolv '1' to make sure you're not leaking any queries to your ISP DNS servers.

Your dnsmasq config should look like this:

config dnsmasq
	option authoritative '1'
	option domain 'lan'
	option rebind_protection '0'
	option localservice '0'
	option cachesize '0'
	option port '54'
	option local '/lan/'
	option expandhosts '1'
	option noresolv '1'

AGH config:

  local_ptr_upstreams:
    - 192.168.0.1:54

Change to:

  local_ptr_upstreams:
    - 127.0.0.1:54

The difference is minimal on most setups, but it's always best to use the loopback interface where applicable to avoid network overhead.

One question regarding this:

  upstream_dns:
    - 8.8.8.8
    - 8.8.4.4

Is there any specific reason for you to use plain-text DNS (unencrypted DNS over port 53)?

If not, I'd change that so as not to expose your queries in plain text for your ISP, government or whoever to read.

In terms of encrypted DNS speed there isn't much practical difference, but in theory, from fastest to slowest:

DNS over QUIC > DNS over HTTPS/3 > DNS over TLS > DNS over HTTPS/2 > DNSCrypt.

Personally I recommend DNS over QUIC and TLS for privacy reasons; DNS over HTTPS adds unnecessary fingerprints that could be used to identify the source (you).

See this: https://adguard-dns.io/kb/general/dns-providers/


Thanks! Seems to be resolved!

No, I simply didn't know any better.

I hadn't heard about QUIC before. Does it require SSL? So I'll set up unencrypted DNS for NTP.

Also, how do I know if I am over QUIC? DNS set to 8.8.8.8 still gives a positive on https://quic.nginx.org.

QUIC is actually pretty old; it was developed around 2011 if I'm not mistaken, and its adoption only started to gain traction now due to HTTP/3.

HTTPS/2 uses the traditional TCP as transport layer and TLS as security layer.

HTTPS/3 uses UDP and QUIC as transport layer; QUIC works in both spheres (transport layer and security layer) by integrating TLS directly into its protocol.

Newer websites and browsers use HTTP3 (hence QUIC) to enhance browsing experience.

The website you linked just tests whether you connected to it using HTTPS/3. It is not a DNS test.

Also, DNS over QUIC and DNS over HTTPS/3 are two different things.

DoH3 is like this:

  • Your device (in this case AGH) gets the DNS query, puts it inside an HTTP frame, encrypts it using QUIC and sends it to the DoH3 resolver over port 443 (the same port all HTTPS traffic is sent by default).

DoQ is like this:

  • Your DNS query is encrypted using QUIC and sent to the DoQ resolver over port 853.

They are similar, but DoQ doesn't use HTTP: it's DNS encrypted using QUIC, instead of DNS converted to HTTP and then encrypted using QUIC.

This is why, in a technical sense, DoQ is a superior solution: it's simpler, it's faster, it doesn't add HTTP fingerprints, and it uses a dedicated port (853).

Why do these fingerprints matter? If you inspect a DoH packet, you can technically trace it back to the source and identify that it's DNS-related (so sharing port 443 with regular web traffic does not mean the packet is immune from being disclosed as DNS traffic). With a DoQ packet, the only thing you'll know is that its destination is a DNS resolver, due to its port being 853.

For an easy NTP workaround just set this.

'[/openwrt.pool.ntp.org/]8.8.8.8'

This basically says: resolve the OpenWrt NTP servers by using unencrypted DNS to Google DNS.

Ah, the documentation ([OpenWrt Wiki] AdGuard Home) needs to be updated. Just this part:

# 1. Enable dnsmasq to do PTR requests.
# 2. Reduce dnsmasq cache size as it will only provide PTR/rDNS info.
# 3. Disable rebind protection. Filtered DNS service responses from blocked domains are 0.0.0.0 which causes dnsmasq to fill the system log with possible DNS-rebind attack detected messages.
# 4. Move dnsmasq to port 54.
# 5. Set Ipv4 DNS advertised by option 6 DHCP 
# 6. Set Ipv6 DNS advertised by DHCP
uci set dhcp.@dnsmasq[0].noresolv="0"
uci set dhcp.@dnsmasq[0].cachesize="1000"
uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci set dhcp.@dnsmasq[0].port="54"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="${NET_ADDR}"
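Added example, not code from the thread, the OpenWrt wiki or AdGuard Home: a small POSIX sh audit of the dnsmasq section against the checklist in the earlier reply (port 54, noresolv, cachesize, local, expandhosts, no server entry pointing back at AGH), which is exactly what the wiki snippet quoted above gets wrong when it keeps noresolv="0", cachesize="1000" and adds server="${NET_ADDR}". It assumes the input is the text of `uci export dhcp` (or /etc/config/dhcp) and the router LAN IP 192.168.0.1 from this thread; both sample configs are constructed, and the extra warning that any other dnsmasq upstream bypasses AGH is my reading of the layout, not a claim the thread makes.

```shell
#!/bin/sh
# Added example (not from the thread, the wiki or AGH): audit the dnsmasq half
# of an AdGuard Home (port 53) + dnsmasq (port 54) split on OpenWrt. Input is
# the text of `uci export dhcp` plus the router's LAN IP, for example:
#   sh audit_dnsmasq.sh "$(uci export dhcp)" 192.168.0.1
# Both sample configs at the bottom are constructed for illustration.

# Value of "option NAME" inside the first `config dnsmasq` section, or empty.
dnsmasq_opt() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*config[ \t]+dnsmasq/ { sec = 1; next }
        /^[ \t]*config[ \t]/         { sec = 0 }
        sec && $1 == "option" && $2 == name { print $3; exit }
    ' | tr -d "'\""
}

# Every "list server" entry of that section, one per line, quotes stripped.
dnsmasq_servers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*config[ \t]+dnsmasq/ { sec = 1; next }
        /^[ \t]*config[ \t]/         { sec = 0 }
        sec && $1 == "list" && $2 == "server" { print $3 }
    ' | tr -d "'\""
}

N=0
finding() { echo "  - $1"; N=$((N + 1)); }

# audit_dnsmasq CONFIG ROUTER_IP: one line per problem with the uci command
# that fixes it; returns the number of problems (0 = matches the reply).
audit_dnsmasq() {
    cfg=$1; router=$2; N=0
    [ "$(dnsmasq_opt port "$cfg")" = 54 ] ||
        finding "dnsmasq must listen on 54, AGH owns 53: uci set dhcp.@dnsmasq[0].port='54'"
    [ "$(dnsmasq_opt noresolv "$cfg")" = 1 ] ||
        finding "noresolv is not 1, dnsmasq also uses the ISP resolvers from resolv.conf: uci set dhcp.@dnsmasq[0].noresolv='1'"
    [ "$(dnsmasq_opt cachesize "$cfg")" = 0 ] ||
        finding "cache enabled, answers go stale when a lease gets a new IP: uci set dhcp.@dnsmasq[0].cachesize='0'"
    [ "$(dnsmasq_opt expandhosts "$cfg")" = 1 ] ||
        finding "expandhosts unset, bare host names are not expanded to the local domain: uci set dhcp.@dnsmasq[0].expandhosts='1'"
    dom=$(dnsmasq_opt domain "$cfg")
    [ -n "$dom" ] || { finding "no local domain: uci set dhcp.@dnsmasq[0].domain='lan'"; dom=lan; }
    [ "$(dnsmasq_opt local "$cfg")" = "/$dom/" ] ||
        finding "local is not /$dom/, *.$dom queries may leave dnsmasq: uci set dhcp.@dnsmasq[0].local='/$dom/'"
    # dnsmasq should forward nothing in this layout. An entry pointing at the
    # router or loopback is the loop AGH -> dnsmasq:54 -> AGH:53 -> ...; any
    # other upstream (my assumption) answers behind AGH's back, skipping its
    # filters and encrypted upstreams.
    for s in $(dnsmasq_servers "$cfg"); do
        addr=${s##*/}; addr=${addr%%#*}     # drop a /domain/ prefix and #port
        case $addr in
            "$router"|127.0.0.1|::1)
                finding "server '$s' forwards back to AGH (resolution loop): uci del_list dhcp.@dnsmasq[0].server='$s'" ;;
            *)
                finding "server '$s' bypasses AGH: uci del_list dhcp.@dnsmasq[0].server='$s'" ;;
        esac
    done
    return $N
}

# Constructed: a dnsmasq section the way the wiki snippet quoted above leaves
# it (cache kept, noresolv 0, forwarding to the router's own address).
WIKI_STYLE_CFG=$(cat <<'EOF'
config dnsmasq
	option domain 'lan'
	option rebind_protection '0'
	option noresolv '0'
	option cachesize '1000'
	option port '54'
	list server '192.168.0.1'

config dhcp 'lan'
	list dhcp_option '6,192.168.0.1'
EOF
)

# Constructed: the dnsmasq section recommended in the reply.
RECOMMENDED_CFG=$(cat <<'EOF'
config dnsmasq
	option authoritative '1'
	option domain 'lan'
	option rebind_protection '0'
	option localservice '0'
	option cachesize '0'
	option port '54'
	option local '/lan/'
	option expandhosts '1'
	option noresolv '1'
EOF
)

run_demo() {
    echo "wiki-style config:";  audit_dnsmasq "$WIKI_STYLE_CFG" 192.168.0.1 && echo "  clean"
    echo "recommended config:"; audit_dnsmasq "$RECOMMENDED_CFG" 192.168.0.1 && echo "  clean"
    return 0
}

if [ $# -ge 2 ]; then audit_dnsmasq "$1" "$2"; else run_demo; fi
```

Run it without arguments to see the five findings on the wiki-style section and a clean result on the recommended one; on a router, pass `"$(uci export dhcp)"` and the LAN IP instead. Each finding ends with the `uci set`/`uci del_list` command that fixes it, so the output doubles as the remediation script once followed by `uci commit dhcp` and a dnsmasq restart.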

I did update a few parts earlier today.

