Dear My Friend Mercy,
I was finally able to get AGH up and running with no issues. I changed to Quad9 for Bootstrap DNS. My main problem was that I was using too many and/or too aggressive DNS filters, which would result in faulty connections.
Thanks for getting AGH fixed for all of us.
I've substantially re-edited the wiki to make it flow better.
A number of sections were moved and also edited so the Table of Contents now properly lists them as subsections.
Added an updated set of space requirements and example sizes.
Added in NFT tables replacement for IP Tables rule.
Added link to AGH page and their logo to the wiki.
Moved dnsmasq to port 54 to avoid clashing with mDNS on 5353 (new)
I've highlighted the NTP / SSL warning and made it highly prominent as this has bitten a few people. However, looping your router DNS through AGH is NOT a recommended configuration for the very reason that NTP lookups WILL fail if the date/time is incorrect. There is also a race condition with the opkg version due to start-up values that is still being resolved. Thus it is HIGHLY preferable that your router uses a separate unencrypted upstream DNS to avoid the NTP issue.
Fixes for my thread:
NTP warning enhanced and link to wiki entry.
I've replaced my PTR picture in my thread to use 192.168.1.1 instead of local lookup. It was causing confusion and I've added a note to that too. Apparently I had fixed the wiki but not my thread. (Sorry @StrikerFX )
Added in NFT tables replacement for IP Tables rule and link to wiki.
Moved dnsmasq to port 54 to avoid clashing with mDNS on 5353 (new)
Additional:
Part of me wants to maybe duplicate the wiki and make one that shows the full path for a manual edge install as the thread install is somewhat difficult to read. You can use my thread with the wiki to do a manual install but you would have to keep checking where the process diverges.
Yet at the same time I am reluctant to duplicate it as large portions would be the same. I need to think about it and maybe ask the admins what their opinion is.
Any opinions from those who have followed my thread/instructions? Feedback is welcome.
(edit) or would a few extra sections marked optional on the main wiki with the manual thread method be better or more confusing?
Maybe one of the more experienced folks around here would like to chime in about redirecting OpenWrt's builtin dnsmasq port to 5353, as this is also the port used for DNS-SD on Apple products and Avahi on Debian and Ubuntu.
I'll admit upfront that I'm not experienced enough to advise either for or against the use of this port, but I'm afraid it could interfere with locating services, specifically for things (e.g. network printers, network scanners, you name it...) under the .local domain.
Also, by default, OpenWrt DHCP settings set the search domain to .lan, but I'm not sure what impact would result if users manually changed the search domain to .local, as I was once tempted to do, but ended up deciding to leave it unchanged.
EDIT: In my own AGH edge setup I decided to use port 53000 instead for OpenWrt's builtin dnsmasq port.
You can choose any port number you wish. Just check that it isn't reserved. I wasn't aware 5353 was used for DNS-SD; repeating port numbers is a common trick when "proxying" other ports, e.g. 8080 for HTTP. I perhaps should have checked that. I could make a note in the thread and wiki that you can use a different port as an option?
As a rule regarding ports, ports under 1024 are considered privileged ports and usually reserved.
If you change the search domain name you just have to change the redirect to match. All it does is change the appended domain.
Having had a bit to ponder I think I may just redo my instructions and make it so dnsmasq is pushed from 53 to port 54.
54, Assigned, Xerox Network Systems (XNS) Clearinghouse (Name Server). Despite this port being assigned by IANA, the service is meant to work on SPP (ancestor of IPX/SPX), instead of TCP/IP.
While this is an assigned port, its likelihood of being used is low.
mDNS on 5353 is much more likely to be used and thus really should be avoided.
Port 8080 for the web interface for AGH is acceptable as LuCI runs on port 80 and SSL on 443. Unless anyone has modified their OpenWrt install, 8080 should be free. If they have, then the nginx reverse proxy method will make the AGH interface available instead.
I will also make it clearer in my instructions that ports can be changed if required, but point out that there are assigned ports you should avoid, as they are either assigned to services or reserved, and as a rule you should not use ports that are actively used by other services.
(edit) My thread and wiki now updated with port 54 instead and updated pictures for rDNS as well as info about reserved ports.
Manually installed AGH comes up late in the boot process. OpenWrt will have the network and dnsmasq up and ready and fire an NTP update before AGH is active, and thus it will fail as AGH isn't active. The opkg version has a similar issue because the OpenWrt defaults try to load AGH before the network comes up. James was looking into whether moving the startup time was a better idea.
What I suggest is to enable NTP logging with the following. Then manually adjust AGH startup with its init.d start values.
Create a file /etc/hotplug.d/ntp/20-ntpd-logger and place the following in it.
Thanks so much for this write up! This is very detailed, but still very easy to follow at the same time.
I'm running into a problem (which I have seen further up, but the solution didn't seem very clear to me) whereby I'm unable to run opkg update or ping any sort of URL for that matter following an AdGuard Home install.
For example;
root@OpenWrt:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=250 time=3.424 ms
64 bytes from 1.1.1.1: seq=1 ttl=250 time=3.508 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 3.424/3.466/3.508 m
This only appears to be at the router level, as I'm able to browse the internet fine on my devices connected to it (albeit with poor WiFi strength, but that's a whole other issue!).
I saw that there was a suggestion to update the upstream router DNS, but I've changed it from 192.168.1.1 in LuCI to 1.x.x.1 but that hasn't seemed to have fixed anything.
Check your IPv6 route/info. It's trying to use IPv6 and not getting replies. You can disable IPv6 to ensure your IPv4 works OK and then troubleshoot your connection further. It's usually the PD settings.
Do a separate troubleshooting post and detail your network there.
However, IANA specifies that port 5353 is allocated to mDNS, and thus in order to ensure we do not cause problems by having an incompatible service on a port it should not be on, it is safer to use port 54 instead. You can also use another unallocated port like cesarvog did by using 53000.
The whole point of my instructions, and also of networking in general, is to ensure we do not cause other issues with our changes. Standards are there for a reason.
Cheers, the router was fully booted, as I logged onto the web page for either, but using the router's "click here to load from NTP" it wouldn't do anything. I had to load the time from the browser, then it worked.
Do you mean don't have the router use AdGuard as its DNS and just manually set it to use 1.1.1.1, etc.?
My point was not that 5353 was ok. I use 5335.
Seems like a better idea to use an unassigned port rather than an assigned port.
No matter how unlikely its use may be.
Yes. It is a much safer option and it's why I have a separate WAN DNS script so you can set up the router to bypass your ISP DNS for a more reliable provider like Cloudflare... (kinda ironic considering their major outage recently). You can pick any DNS provider you wish. I just like Cloudflare because usually 1.1.1.1 is the fastest DNS service.
But looping the router DNS back through AGH is NOT recommended NOR is it required.
You can even set up your router with a different DNS to the DoH DNS that AGH uses, for some redundancy.
The combination of NTP issues and also AGH's position in the startup queue does cause issues. It really requires some diagnostics and a patch issued to fix that. But I'd prefer the AGH team to fix the DHCP issues so I can make this whole process simpler by doing a complete cutover from OpenWrt DNS/DHCP straight to AGH DNS/DHCP, which would avoid some of the more complex surgery that I have developed for this process.
BTW, sorry for my limited knowledge. Right now I am using dnsmasq's DHCP (not AGH DHCP).
How do I make the router itself (an SSH session to OpenWrt, for example) resolve both (1) general DNS and (2) local DHCP hostnames without having OpenWrt LAN DNS go back through AGH?
I mean, if I have OpenWrt configured to use an upstream DNS (such as 1.1.1.1), it will bypass AGH (and will resolve internet hostnames) but it will not be able to resolve local hostnames assigned via DHCP/dnsmasq.
However, if I configure OpenWrt to back through AGH (network.lan.dns='192.168.1.1') which is not recommended, it will resolve both local hostnames (since AGH is configured to use 192.168.1.1:5353 for local PTR queries - and yes, I am still using port 5353).
(edit2)
Internally we do this with AGH so downstream clients get searched for first.
What you are wanting to do is have your router be aware DNS wise of its downstream clients. Thus you want selective forwarding of those requests to AGH but everything else go upstream to your external DNS.
Thanks. While /etc/hosts could work for static/reserved IPs, it does not work with dynamically assigned addresses (which is a nice feature of dnsmasq being able to resolve DHCP hostnames).
But I'm not sure I understand your suggestion of domain interception (probably due to my limited knowledge!).
Please notice that I am not talking about OpenWrt's dnsmasq server. I am talking about configuring a regular OpenWrt interface to act as a client of AGH. I really fail to understand why this would not be desirable (except the NTP issue when using DoH/DoT, which has a simple workaround as already discussed):
1. Everything configured per your recommendations in the AGH wiki with local domain interception ([/lan/]127.0.0.1:5353 [//]127.0.0.1:5353) and Private Reverse DNS Server (192.168.1.1:5353).
2. All clients in the network will use 192.168.1.1:53 (AGH) as configured via DHCP.
3. Then I changed only the local lan interface DNS client to point to AGH (uci set network.lan.dns='192.168.1.1'). No dnsmasq configuration change involved as far as I understand (however, TBH I'm not sure how this configuration affects OpenWrt's dnsmasq).
4. In the router itself, for Internet DNS queries: OpenWrt (Client) -> query to 192.168.1.1:53 (AGH) -> upstream DNS server.
5. In the router itself, for local DNS queries: OpenWrt (Client) -> query to 192.168.1.1:53 (AGH) -> 192.168.1.1:5353 (local dnsmasq DNS server via local domain interception).
In step 5, since the local OpenWrt dnsmasq DNS server is aware both of static and dynamic DHCP reservations, it will correctly resolve the local host names. If I omit step 3, the query in step 5 will fail.
So, why would you advise against using the configuration in step 3 above?
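To make the routing in the steps above concrete, here is an added Python model (not AdGuard Home code, and not from the original thread) of how AGH picks an upstream for a given query name under the upstream list and private reverse DNS setting that post describes. The upstream list is constructed from that post, and the matching semantics assumed for [/lan/], [//] and private PTR routing are my reading of AGH's behaviour, not confirmed by the thread.

```python
import ipaddress
import re

# Constructed sample of the AGH upstream list from the post above
# (dnsmasq still on 5353 there; the thread later recommends port 54).
UPSTREAMS = [
    "[/lan/]127.0.0.1:5353",                 # local domain interception -> dnsmasq
    "[//]127.0.0.1:5353",                    # single-label names -> dnsmasq (assumed)
    "https://dns.cloudflare.com/dns-query",  # everything else (DoH upstream)
]
PRIVATE_RDNS = "192.168.1.1:5353"  # "Private reverse DNS server" setting

_RULE = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<upstream>\S+)$")

def parse_upstreams(lines):
    """Split AGH upstream lines into {domain_suffix: upstream} rules plus the
    list of default upstreams. The key '' stands for the [//] rule."""
    rules, default = {}, []
    for line in lines:
        m = _RULE.match(line.strip())
        if m is None:
            default.append(line.strip())
            continue
        for dom in m.group("domains").split("/"):
            rules[dom.strip(".").lower()] = m.group("upstream")
    return rules, default

RULES, DEFAULT = parse_upstreams(UPSTREAMS)

def choose_upstream(qname, rules=RULES, default=DEFAULT, private_rdns=PRIVATE_RDNS):
    """Return the upstream a query name is sent to. Assumed semantics: PTR
    queries for private IPv4 space go to the private reverse DNS server,
    single-label names to [//], other names to the longest matching
    [/suffix/] rule, and anything else to the first default upstream."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if private_rdns and name.endswith(".in-addr.arpa") and len(labels) == 6:
        try:
            addr = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        except ValueError:
            addr = None
        if addr is not None and addr.is_private:
            return private_rdns
    if len(labels) == 1 and "" in rules:
        return rules[""]
    for i in range(len(labels)):  # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return default[0] if default else None
```

Running choose_upstream over "printer.lan", "printer" and a 192.168.x PTR name shows the step 5 path to dnsmasq, while "openwrt.org" takes the step 4 path to the DoH upstream.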