Hi!
What is the backup DNS server in this AGH setup - for the cases when AGH becomes unresponsive? Is there any?
I followed the instructions, got AGH running for a while, but it got totally unresponsive after some time, bringing down DNS resolving for any client. AGH is installed on external drive (/opt) - lack of space should not be an issue. Only a couple of blocklists, which supposedly should be OK for LinksysWRT1900ACS to handle.
Perhaps, any suggestions where to look for fixing?
Thank you!
Please post your yaml, dhcp and firewall files
Hi!
Apologies for the late reply. The settings are below.
Thank you!
yaml:
# AdGuardHome.yaml as posted by the original poster (schema_version 20).
# Credentials were redacted by the poster (____); indentation restored from the
# forum paste so the nesting is readable.
# Web UI listens on every address of the router. A later reply in this thread
# recommends the router LAN IP and 127.0.0.1 instead; in the posted firewall the
# wan zone's "option input REJECT" appears to be what keeps port 8080 off the WAN.
bind_host: 0.0.0.0
bind_port: 8080
users:
  - name: ____
    password: ____  # redacted by the poster
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
debug_pprof: false
web_session_ttl: 720
dns:
  # Listens on loopback plus the router's LAN IPv4/IPv6 addresses.
  bind_hosts:
    - 127.0.0.1
    - ::1
    - 172.17.73.11
    - fd6f:e08a:d5ae::1
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  protection_disabled_until: null
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  # Single DoH upstream for general traffic; the bracketed entries are AGH's
  # per-domain upstream syntax and presumably hand the lan domain, reverse and
  # unqualified lookups to dnsmasq on port 54 (see "option port '54'" in the
  # dhcp config posted below). Nothing here designates a backup resolver for
  # the case the poster asks about (AGH itself being down).
  upstream_dns:
    - https://family.adguard-dns.com/dns-query
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]2606:4700:4700::1111'
    - '[/pool.ntp.org/]2606:4700:4700::1001'
  upstream_dns_file: ""
  # Plain-DNS resolvers used to look up the DoH upstream's hostname.
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  # Server-identity names (CHAOS class) refused to clients.
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  # DNSSEC validation is not requested from the upstream in this config.
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  safe_search:
    enabled: false
    bing: false
    duckduckgo: false
    google: false
    pixabay: false
    yandex: false
    youtube: false
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  # Reverse lookups for private ranges go to dnsmasq on the router's LAN IP, port 54.
  local_ptr_upstreams:
    - 172.17.73.11:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
# No encrypted listener (DoH/DoT/DoQ) is configured; all values below are defaults.
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 24h
  enabled: true
# Three blocklists enabled, all fetched from the AdGuard HostlistsRegistry.
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1680717706
whitelist_filters: []
user_rules: []
# AGH's own DHCP server is off; dnsmasq/odhcpd on OpenWrt handle DHCP (see below).
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
# Empty user/group means AGH keeps the privileges it was started with
# (presumably root on OpenWrt — confirm against the init script, not shown here).
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 20
dhcp:
# /etc/config/dhcp as posted (OpenWrt UCI). Indentation restored from the paste.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '0'
	option cachesize '1000'
	# dnsmasq's DNS-rebind protection is turned off here. The replies in this
	# thread say this is needed for the AGH setup; be aware that dnsmasq will then
	# no longer drop upstream answers pointing at private addresses. Whether AGH
	# covers that on its side is not shown on this page.
	option rebind_protection '0'
	# dnsmasq moved off port 53 so that AGH can listen there.
	option port '54'
	# dnsmasq forwards what it does not answer locally to AGH on the router's LAN IP
	# (the same address listed under dns.bind_hosts in the yaml above).
	list server '172.17.73.11'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '24h'
	# DHCP option 6 (DNS server) and option 3 (router) both point clients at the
	# router's LAN IP, so clients reach AGH on port 53 there.
	list dhcp_option '6,172.17.73.11'
	list dhcp_option '3,172.17.73.11'
	list dns 'fd6f:e08a:d5ae::1'
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
firewall:
# /etc/config/firewall as posted. Apart from restored indentation this is the
# stock OpenWrt rule set: no DNS interception (redirect/nat) rules are present,
# so clients with a hard-coded resolver bypass AGH; see the redirect/nat stanzas
# suggested further down in this thread.
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT
config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	# Unsolicited inbound traffic from WAN is rejected; this appears to be the only
	# thing keeping the AGH web UI (bound to 0.0.0.0:8080 in the yaml above) and the
	# port-53 listener unreachable from the Internet.
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1
config forwarding
	option src lan
	option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4
# Allow IPv4 ping
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT
config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option dest_port 546
	option family ipv6
	option target ACCEPT
config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT
config rule
	option name Allow-IPSec-ESP
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT
config rule
	option name Allow-ISAKMP
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT
I'd suggest you start from default settings.
The only changes you have to make in DHCP are to turn off rebind_protection and set the DNS port to 54.
In Network > WAN, disable "Use DNS servers advertised by peer".
Refer my yaml file:
# Reference AdGuardHome.yaml from the replying user (older schema_version 14, so
# some keys differ from the poster's file above). Credentials redacted by the
# author; indentation restored from the forum paste.
# Web UI bound to the router's LAN IP only, not 0.0.0.0.
bind_host: 192.168.1.1
bind_port: 8080
beta_bind_port: 0
users:
  - name: ____________
    password: ___________  # redacted by the author
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  # Six DoH upstreams from different operators plus the per-domain entries that
  # hand lan/reverse/unqualified lookups to dnsmasq on port 54. With all_servers
  # set to true below, queries presumably go to several of these providers rather
  # than one — worth knowing from a privacy standpoint.
  upstream_dns:
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]8.8.8.8'
    - '[/pool.ntp.org/]8.8.4.4'
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - https://doh.opendns.com/dns-query
    - https://blitz.ahadns.com
    - https://dns.nextdns.io
    - https://basic.rethinkdns.com
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 8.8.8.8
    - 8.8.4.4
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  # Minimum/maximum TTL overrides (1h / 24h) differ from the poster's zeros;
  # a forced 1h minimum presumably keeps records past the TTL the zone sets.
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  # DNSSEC validation requested here, unlike the poster's file.
  enable_dnssec: true
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  serve_http3: false
  use_http3_upstreams: false
# No encrypted listener configured. Note the DoQ port is 784 here versus 853 in
# the poster's newer file — presumably a default that changed between versions.
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Full
    id: 1678555417
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
    name: OISD Blocklist Basic
    id: 1678555418
whitelist_filters: []
user_rules: []
# AGH's built-in DHCP server is off; OpenWrt handles DHCP.
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14
Noted if there's enough space for AGH then it shouldn't be a problem.
For the DNS bind_host, add only your router IP and 127.0.0.1.
Thanks! The major difference in yaml files was in bind_host line. I used 0.0.0.0, not the router IP. Changed this.
I also found out that my USB dongle (plugged into USB 3.0) with AGH installed was at times not properly handled / seen by OpenWrt. This may have been the reason of "unresponsive" AGH. Plugged the dongle into USB 2.0. For now seems to be working OK.
Still, any idea how to ensure fallback to OpenWrt internal DNS resolver if AGH is for whatever reason not available / not performing?
I don't know if this will work, but try adding the AGH IP followed by the router IP with its port under "Use custom DNS servers".
A bit of a curiosity. I have used this guide previously to setup AdGuard successfully; however, now that I have changed ISPs, the setup doesn't seem to make as much sense to me anymore. For context and for diagnostic purposes of the reader, my topology looks as follows FTTP ONT -> x86 router (with OpenWRT 22.03.3 installed) with PPPoE as the WAN interface with VLAN ID tags 911 and a IPv6 assigned address from the ISP -> Belkin RT3200 dumbAP (with a Master OpenWRT Build installed) providing Wi-Fi.
Adguard DNS settings as follows:

Now for the part where I am a bit confused and am hoping for some pointers. The Adguard dashboard is reporting that it is indeed getting DNS queries from my router, but a dnsleak test shows that my ISP is acting as the DNS resolver.
How do I ensure that Adguard is indeed forwarding all the traffic to my preferred DNS resolver?
Make sure to untick "Use DNS servers advertised by peer" in the Network > WAN section.
Then you have to port forward and add NAT rule as below
# DNS interception stanzas for /etc/config/firewall (as later confirmed in this
# thread). Indentation restored from the paste.
# Redirect LAN traffic destined for port 53 to AGH on the router (192.168.1.1),
# excluding the router's own address so its resolver is not looped back.
# Only port 53 is covered; DoH/DoT on 443/853 are not intercepted by this rule.
# No proto is given, so the redirect applies to whatever the firewall's default
# protocol set for redirects is (presumably tcp and udp — confirm in the docs).
config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.1.1'
	option dest_ip '192.168.1.1'
	option dest_port '53'
# Masquerade the redirected tcp/udp port-53 traffic to 192.168.1.1 so replies
# return through the router rather than straight to the client.
config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'MASQUERADE'
Thank you Alan. It turned out I had forgotten that I switched wan6 interface protocol which had a knock-on effect on the settings.
hi,
i take it this is on /etc/config/firewall?
thanks
Since setting up AGH I'm finding that my router crashes (or at least becomes unresponsive) after an indeterminate amount of time. I suspect it's falling foul to some kind of memory leak caused by AGH (eg: https://github.com/AdguardTeam/AdGuardHome/issues/5606). I've set a task to restart AGH once a day which I hoped would be enough.
Before jumping to conclusions though, is there a way to determine if it is in fact AGH or not some other issue brought forward by it? Basically, how does one attain logs on a crash?
I'm running AGH v0.107.21 on OpenWrt 22.03.5. For me there has been no memory leak issue, or at least I've never faced one. LuCI > Status > System Log can give you more info.
Great guide, I installed AdGuardHome using opkg.
I failed in 4 things:
- Did not understand how to make openwrt.lan url work again with AdGuard as DNS resolver. I enabled rDNS but nothing changed. Is that related?
- Did not manage to add the firewall rules in order to prevent DNS hijacking. Basically the custom firewall rule tab is no longer there in LuCI, and I do not know how to exclude the router and AdGuard from those DNS hijacking firewall rules.
- Did not manage to enable DNS encryption on AdGuardHome. I am having trouble adding any SSL certificate. The procedures in the github/wiki are not clear to me.
- Can't find why the stats that appear in the AdGuardHome dashboard get reset after each router reboot. I do not have any USB port on my router but it has plenty of free memory! BTW, the OpenWrt statistics in LuCI are also lost after reboot...
Thanks in advance for any help.
Has anyone managed to actually run this with any kind of stability? I've had nothing but issues in the month or so I've moved to it - dropped DNS, filters not loading, memory leaks and router crashes. This is on an armv7 256mb machine.
I really like the idea but given how important DNS is I've kinda lost faith in this as a real option, versus adblock which had uptime into the months.
Late to the party. Show me your network, firewall and AGH yaml file