AdGuard and Pi-hole have an option to get the host names. I used both. I also tried using the DNS forwarding option, but in AdGuard only the router appears as a client. I mean, the router acts as an intermediary and not transparently as I would like. I also tried redirecting (for interception) port 53 on the LAN to the AdGuard IP with the port it works on (8853), but I don't see that it works, because when switching to 1.1.1.1 on the client, the ads are seen.
Yes, it's the downside of interception. The router sends the DNS requests and so will look like it's the client. That was why I put my AGH on my router instead.
Does AdGuard installed on your router show the IP or hostname in your control panel? If you used DHCP option 6, I'll tell you that the clients also appear in the AdGuard panel installed on another device. I thought that the "transparent" DNS forwarding (using the router's IP as DNS, with AdGuard being the one that responds and showing the clients' IPs) would work because it is local, and not like what they publish as "DNS Hijacking", which forces the use of the router's DNS and in the end still allows Cloudflare DNS to be used on the client.
Router runs DHCP. AGH runs on the router and thus picks up the hosts from the /etc/hosts file, so it reports the hostname rather than the IP. I had previously run Pi-hole on a separate device but moved to AGH and installed it directly on my router and stopped using Pi-hole.
Option 6 dhcp should cover most of your clients. DNS interception and redirection to your AGH should cover any "naughty" clients trying to sidestep AGH. There are also rules you can implement to stop clients from using their own DNS and sidestepping out (basically blocking DNS queries). But that is something you should ask in another thread as it is rather specialised and honestly something that corporate networks do to control their networks.
The closest thing I did to DNS hijacking is blocking requests to external DNS with firewall and not forwarding for example 1.1.1.1 to AdGuard because I see that it does not work (ads appear). Ideally, the client can only use the IP of AdGuard and that of the router as DNS and the latter forward to AdGuard. In practice, AdGuard would be the only one answering customer requests regardless of whether they use DHCP or not.
Using the DNS redirection from the https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_redirection link should do what you want.
Intercept any DNS coming to the router and forward it to the AGH. It will unfortunately appear as if the router is requesting it, but then all your filtering etc. will still work.
So as a solution to all this is to block all external DNS servers for the client (you can only use the AdGuard IP as DNS). In turn, allow upstream DNS only for AdGuard (Cloudflare's DoH and DoT). Block DNS requests to the router except for AdGuard or Pi-hole to get the hostnames that are in OpenWrt (static IPs with custom hostname). What exactly does that guide do? What is shown in this other guide?
Here is my firewall configuration so you can see if it can be improved.
DNSBench shows that only AdGuard (netbook) can be used.
Yes and that guide pretty much does what you want to do.
If you have set up the MASQUERADE rule, then any DNS queries to your router will be handled by AGH transparently (but it will appear to AGH that the router is requesting it).
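As an added example (not the wiki's own script and not something posted in this thread), here is a shell script that emits the uci commands for the redirect and MASQUERADE rules the linked guide describes. It assumes the LAN zone is named "lan" and that AGH answers on 192.168.1.2 port 53; both are placeholders to adjust (8853 if that is the port AGH listens on).

```shell
#!/bin/sh
# Added example, not the wiki's script or anything posted in the thread:
# emit the OpenWrt uci commands that intercept all LAN DNS (port 53) and
# DNAT it to an AdGuard Home instance on another LAN host, plus the
# MASQUERADE rule so replies return via the router. As the thread notes,
# AGH then logs the router, not the real device, as the client.
# Assumptions: zone "lan", AGH at 192.168.1.2:53 (use 8853 if AGH listens there).
AGH_IP="${AGH_IP:-192.168.1.2}"
AGH_PORT="${AGH_PORT:-53}"

# Print the uci commands for the redirect and masquerade sections.
# $1 = AGH IP, $2 = AGH DNS port. Output can be reviewed or piped to sh.
dns_redirect_rules() {
    cat <<EOF
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.family="ipv4"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_ip="$1"
uci set firewall.dns_int.dest_port="$2"
uci set firewall.dns_int.target="DNAT"
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci set firewall.dns_masq.family="ipv4"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.dest_ip="$1"
uci set firewall.dns_masq.dest_port="$2"
uci set firewall.dns_masq.target="MASQUERADE"
uci commit firewall
EOF
}

# Apply on the router and reload the firewall; refuses to run without uci.
apply_rules() {
    command -v uci >/dev/null || { echo "uci not found: not on OpenWrt?" >&2; return 1; }
    dns_redirect_rules "$AGH_IP" "$AGH_PORT" | sh -e && service firewall restart
}

# Run as: sh dns-redirect.sh apply   (without "apply" it only defines functions)
[ "${1:-}" = "apply" ] && apply_rules
```

Run it without arguments first and pipe `dns_redirect_rules` to your terminal to review the rules before applying them.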
I have tested it and OpenWrt forwards to AdGuard as an intermediary. Only 1 client (router) appears on the control panel. I appreciate your help.
Can someone tell me which version I should use?
I have a TP-Link WDR4900 V1.0
Hardware spec here https://openwrt.org/toh/tp-link/tl-wdr4900
I did try the MIPS variants and ARM variants and it won't run.
Error --> line 1: syntax error: unexpected "(" - or something like that
Thanks
I highly suggest using the 107 edge builds. Your router has 128 MB of RAM so you should be able to use a few lists without too much trouble. I don't suggest putting in too many lists or you will run out of memory.
Install script is as follows:
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge
My filters from my AGH YAML file. (You can just copy and paste the filters into your file or add them manually via the web interface.)
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1625359387
  - enabled: true
    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    name: Scam Blocklist by DurableNapkin
    id: 1625359388
  - enabled: true
    url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
    name: The Big List of Hacked Malware Web Sites
    id: 1625359389
  - enabled: true
    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    name: https://github.com/StevenBlack/hosts
    id: 1625359390
  - enabled: true
    url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
    name: https://firebog.net/ - OSINT.digitalside.it
    id: 1625359391
  - enabled: true
    url: https://v.firebog.net/hosts/Easyprivacy.txt
    name: https://firebog.net/ - EasyPrivacy
    id: 1625359393
  - enabled: false
    url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
    name: https://www.github.developerdan.com/hosts/
    id: 1633201708
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
    name: https://github.com/anudeepND/whitelist
    id: 1625359392
Thanks, I will give it a try.
Your router is (32 bit, big endian) powerpc, neither mips nor arm.
I tried all variants of MIPS and ARM but none works, that is why I posted here asking which variant I should use.
@slh I am trying to understand why putting this in Custom filtering rules will not work. It is supposed to restrict a client to only that domain, and disallow all others out there.
#/.*/$client=ClientName
#@@||good.example.com^$client=ClientName
Thanks a lot.
I just restarted my router and have again issues with DNS resolution. AGH is not reachable. I already restarted it twice. Based on the logs it seems to be an issue with free space:
Tue Nov 2 16:25:26 2021 daemon.err AdGuardHome[7843]: 2021/11/02 20:25:26.843971 [error] Couldn't save YAML config: open /opt/AdGuardHome/.AdGuardHome.yaml220282665: no space left on device
Tue Nov 2 16:25:26 2021 daemon.err AdGuardHome[7843]: 2021/11/02 20:25:26.844028 [fatal] open /opt/AdGuardHome/.AdGuardHome.yaml220282665: no space left on device
Tue Nov 2 16:25:31 2021 daemon.err AdGuardHome[7918]: 2021/11/02 20:25:31 [info] Service control action: run
Tue Nov 2 16:25:31 2021 daemon.err AdGuardHome[7918]: 2021/11/02 20:25:31.877641 [info] AdGuard Home, version v0.107.0-a.165+48b0cefb
Tue Nov 2 16:25:31 2021 daemon.err AdGuardHome[7918]: 2021/11/02 20:25:31.877681 [info] AdGuard Home is running as a service
Tue Nov 2 16:25:31 2021 daemon.err AdGuardHome[7918]: 2021/11/02 20:25:31.897960 [error] Couldn't save YAML config: open /opt/AdGuardHome/.AdGuardHome.yaml432154258: no space left on device
Tue Nov 2 16:25:31 2021 daemon.err AdGuardHome[7918]: 2021/11/02 20:25:31.898022 [fatal] open /opt/AdGuardHome/.AdGuardHome.yaml432154258: no space left on device
Tue Nov 2 16:25:36 2021 daemon.err AdGuardHome[7925]: 2021/11/02 20:25:36 [info] Service control action: run
Tue Nov 2 16:25:36 2021 daemon.err AdGuardHome[7925]: 2021/11/02 20:25:36.935484 [info] AdGuard Home, version v0.107.0-a.165+48b0cefb
Tue Nov 2 16:25:36 2021 daemon.err AdGuardHome[7925]: 2021/11/02 20:25:36.935527 [info] AdGuard Home is running as a service
Tue Nov 2 16:25:36 2021 daemon.err AdGuardHome[7925]: 2021/11/02 20:25:36.963130 [error] Couldn't save YAML config: open /opt/AdGuardHome/.AdGuardHome.yaml309458816: no space left on device
Tue Nov 2 16:25:36 2021 daemon.err AdGuardHome[7925]: 2021/11/02 20:25:36.963187 [fatal] open /opt/AdGuardHome/.AdGuardHome.yaml309458816: no space left on device
At the same time the status bars are somehow inconsistent:
Any ideas?
So I fixed it with the tip from @mercygroundabyss here. How can I prevent this from happening in the future without manual intervention? It seems like I have enough space overall, but the logs take it (although I tell AGH to delete them every 7 days).
You don't actually have system space left. You have free memory, but your free disk space was down to 4.1 KB.
SSH in and do a
df -h
As a quick fix you can delete the /opt/AdGuardHome/agh-backup folder contents.
As an example, however, after 2 weeks of being up I have 45 MB of queries. If you are short on space I suggest you set the query log to a shorter time (24 hrs maybe). The statistics logging is far easier on disk space.
root@OpenWrt:/opt/AdGuardHome/data# ll -h
drwxr-xr-x 3 root root 512 Oct 29 09:42 ./
drwxrwxrwx 4 root root 736 Oct 30 09:06 ../
drwxr-xr-x 2 root root 800 Nov 2 09:52 filters/
-rw-r--r-- 1 root root 45.4M Nov 2 20:42 querylog.json
-rw-r--r-- 1 root root 8.9M Oct 29 09:00 querylog.json.1
-rw-r--r-- 1 root root 32.0K Oct 30 05:28 sessions.db
-rw-r--r-- 1 root root 4.0M Nov 2 21:00 stats.db
root@OpenWrt:/opt/AdGuardHome/data# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 4.5M 4.5M 0 100% /rom
tmpfs 59.5M 1.5M 58.1M 2% /tmp
/dev/ubi0_2 105.9M 81.1M 20.1M 80% /overlay
overlayfs:/overlay 105.9M 81.1M 20.1M 80% /
tmpfs 512.0K 0 512.0K 0% /dev
root@OpenWrt:/opt/AdGuardHome/data# uptime
21:19:29 up 13 days, 8 min, load average: 0.06, 0.11, 0.05
Also, currently the AGH binary is 35 MB (and you need at least double that, as it backs up the current version and then gets the new version).
They changed log rotation recently, so you need double the amount of space for logs as they rotate them now.
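As an added example (not posted by anyone in the thread), a small cron-friendly shell script that checks the overlay free space and the AGH query log size so the "no space left on device" condition above is noticed before AGH fails to start. It assumes AGH is installed under /opt/AdGuardHome, the overlay is mounted at /overlay, and thresholds of 2 MiB free / 40 MiB of query log; all of these are placeholders to adjust.

```shell
#!/bin/sh
# Added example: watch the OpenWrt overlay and the AGH query log so the
# "no space left on device" failure from the thread is caught early.
# Assumed (not from the thread): AGH lives in /opt/AdGuardHome, the
# overlay is mounted at /overlay, 2 MiB free and 40 MiB of query log
# are the thresholds. Functions are plain so they can be tested offline.
AGH_DIR="${AGH_DIR:-/opt/AdGuardHome}"
MIN_FREE_KB="${MIN_FREE_KB:-2048}"
MAX_LOG_KB="${MAX_LOG_KB:-40960}"

# Extract the Available column (KiB) for a mount point from `df -k` text.
# $1 = df output, $2 = mount point (e.g. /overlay). Empty if not found.
avail_kb() {
    printf '%s\n' "$1" | awk -v mp="$2" '$NF == mp { print $(NF-2); exit }'
}

# Total size in KiB of querylog.json and its rotated copies. $1 = data dir.
querylog_kb() {
    total=0
    for f in "$1"/querylog.json "$1"/querylog.json.*; do
        [ -f "$f" ] || continue
        total=$((total + $(du -k "$f" | awk '{ print $1 }')))
    done
    echo "$total"
}

# 0 when both free space and log size are within limits, 1 otherwise.
# $1 = available KiB, $2 = query log KiB.
space_ok() {
    [ "${1:-0}" -ge "$MIN_FREE_KB" ] && [ "${2:-0}" -le "$MAX_LOG_KB" ]
}

# Intended for cron. With "prune" it also applies the thread's quick fix
# (clearing the old-binary backups) instead of only logging a warning.
main() {
    avail=$(avail_kb "$(df -k)" /overlay)
    logkb=$(querylog_kb "$AGH_DIR/data")
    if space_ok "$avail" "$logkb"; then
        return 0
    fi
    logger -t agh-space "overlay ${avail:-?}K free, querylog ${logkb}K: low space"
    [ "${1:-}" = "prune" ] && rm -rf "$AGH_DIR/agh-backup"/*
    return 1
}

# Run as: sh agh-space.sh check [prune]   (no arguments only defines functions)
[ "${1:-}" = "check" ] && main "${2:-}"
```

Shortening the query log retention in AGH remains the real fix; this script only gives you an early warning in the system log and the optional backup cleanup from the post above.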
There is documentation on filtering and clients here.
And more about client tags here.