Sanity Check - (i think i got it but not certain) configure adguard home on seperate device to show clients instead of router

this has been asked before, but i cannot find the specific answer, just pieces here and there, i have made it work based on piecing things together but I want to verify my knowledge and maybe clarify it a bit

the steps i performed are:

install default openwrt on flint2

install default adguardhome on rpi4 default port 53

go to dhcp and dns→ ports, change dns port in luci to 54,

go to dhcp and dns→ forwards, add 192.168.1.125(adguardhome ip)

go to lan→ dhcp→ advanced → add 6,192.168.1.125(adguardhome ip)

disable wan dns peers

is this the current correct method? am i doing anything extra that i dont need to? am i missing anything?

thanks for sticking with me

You have to express that in uci terms.
agh needs dnsmasq only for local zones ie .lan. and 2 reverse ones, for the rest it can consult the internet.

any chance you can clarify that for me? im just describing my gui movements.

end goal is that the devices use openwrt for their dhcp, and adguardhome for their dns

im wondering if this wouldnt be simpler to just do it all on one device and follow the one page guide… but then if one breaks they both break

Your superfluous description is not sufficient to assesss agh workings.
1/ what are upstreams of agh
2/ and of dnsmasq
3/ any firewall rules related to dns

don't need to move dnsmasq port on router if DNS isn't running on the openwrt device, only need to use the 6 DHCP option.

DNS is always port 53, put it anywhere else, name resolution will break.

i apologize for the poor descriptions, im learning a new software and trying to understand how they work together

im using https://dns.cloudflare.com/dns-querywith bootstrap set to 1.1.1.1 1.0.0.1, in agh on raspberry pi4, on my local network with an ip of 192.168.1.125,

i originally tried setting the wan dns to agh per one suggestion. this gave me only a single client in agh, being the flint2

i then tried another suggestion of setting the dns in the lan settings, which gave the same result

i found an article stating to use the 6,ip option and thats when i started to get things working, but alot of other suggestions were made with it, such as setting the dns forwards under dhcp and dns, that is why i ended up as confused as i am,

assuming the only dns set in openwrt is the resolv file with default isp dns, if i go and change the lan→dhcp→advanced 6,192.168.1.125, and dhcp and dns→resolve and hosts files ignore resolv file everything connected to my local network should then use agh for dns by default?

"DNS latency/performance

For the best performance and lowest latency on DNS requests, AGH should be your primary DNS resolver in your DNS chain. If you currently have dnsmasq or unbound installed, you should move these services to an alternative port and have AGH use DNS port 53 with upstream DNS resolvers of your choice configured. This wiki recommends keeping dnsmasq/unbound as your local/PTR resolver for Reverse DNS.

this is why i was referencing changing the dns port on the openwrt device to 54

That advice to change the dnsmasq port only applies if AGH is installed on the router alongside dnsmasq. You have AGH installed on a RPi.

that helps, the overabundance of setups and guides can make it hard to decide whats what sometimes, i really tried to dig this one up before posting and i ended up with so much info my head is spinning lol.

i thought it was working but i noticed the guest network could no longer resolve even using the same settings.

im back to stock now, i reinstalled openwrt fresh on my flint2, and reinstalled adguardhome on the pi

no guest network configured,

no changes to anything except the 6,ip and it seems that devices are starting to show up correctly.

but if i run dns leaktest im still seeing my default isp provided. i dont want to disable the resolv file because that seems to break things

if i use

# Intercept DNS traffic
uci -q del firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.family="any"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="53"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
service firewall restart

will the 6,ip setting still take the hijacked requests, or will the routers dnsmasq process them?

or would this be a better option - is the dest_ip the pi4 in this example?

# Configure firewall
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.family='ipv4'
uci set firewall.dns_int.dest_ip="192.168.2.2"
uci set firewall.dns_int.src_ip='!192.168.2.2'
uci commit firewall
service firewall restart
 
# Configure network
uci add_list network.lan.ipaddr="192.168.2.1/24"
uci commit network
service network restart

Totally adapt documentation example, given your insufficient config sniplets again no opinion whether anything could ever work for you.

which code snippet would be best to provide?

vs

Kind of contradiction. Bye.

i understand your frustration with me, im frusterated too, i appreciate the assistance i will try to figure out a better way to pose my question. i have a habbit of just talking out my problems.

those code snippets are the official documentation not my config

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd18:b27b:8ef7::/48'
        option packet_steering '1'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.164.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.164.20.125'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host
        option name 'market'
        option ip '10.164.20.125'
        list mac 'D8:3A:DD:2D:B3:C4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

current adguard upstream https://dns10.quad9.net/dns-query

current adguard bootstrap

9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10

the default rdns is already using my openwrt device so i dont believe i need to manually type it here.

image922×547 18.1 KB

the above configs are all current, without a firewall rule devices that grab a new lease work as requested, i am just trying to determine which firewall rule/port forward option would be the best to ensure any devices that try to force their own dns are captured and processed through agh instead,

dns hijacking seems logical but infers that its catching it to the router itself, which im not certain would redirect it to the rpi4 agh instance

i think this is the correct option, based on the bottom of the dns hijacking page, dns redirect via the firewall, i adjusted the values from the official documentation to match what i think is the correct option, im hesitant to test this yet because i dont know how to recreate it via the gui, and while im not afraid to use uci commands, i dont know how to revert them if im wrong without just starting over entirely

# Configure firewall
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.family='ipv4'
uci set firewall.dns_int.dest_ip="10.164.20.125"
uci set firewall.dns_int.src_ip='!10.164.20.125'
uci commit firewall
service firewall restart
 
# Configure network
uci add_list network.lan.ipaddr="10.164.20.1/24"
uci commit network
service network restart

here is what i am after, configs are above

agh (10.164.20.125) available as dns server to whole home - dhcp option 6 accomplishes this, with sneaky devices being the exception.

firewall rules/port forwards to disallow devices trying to be sneaky by redirecting them back to agh

the agh device can see the hostnames of clients instead of only the router ip (rdns accomplishes this)

the openwrt router (10.164.20.1) can still get updates and time - i cant figure this out yet

the dns hijacking page/dns redirecting page, seems to assume agh is installed on the router.

the problem i run into, is, when i set the port forward with source ip !10.164.20.125 per the redirect rule, agh and clients works normally, but opkg update fails because it has no dns once the hijacking rule goes into place.

i was hoping i could set a rule that said, if this router needs dns use wan dns, if any other device needs dns use agh. but i do not know how to write this in uci terms and there does not appear to be a way with the UI.

i THINK i could set somthing in upstream resolvers in agh for requests coming from the router itself, but the documentation on that is not super clear