[Solved] AdGuard Home: WLAN clients are getting DNS from ISP

My setup:

The router and the 2 dumb APs are using OpenWrt 23.05.2.

I've installed AdGuard Home and all the configuration was done following the steps provided on the wiki (https://openwrt.org/docs/guide-user/services/dns/adguard-home).

Wired clients get the correct DNS from AdGuard Home (DNS over HTTPS/Cloudflare). Ads don't appear at all. Everything works flawlessly...

...except for the WLAN clients. Wireless clients connected through the APs are getting DNS info from the ISP (?). What can I do?

Thanks in advance.

In the APs in LuCI:
what did you put as the DNS under Interfaces->lan edit/advanced settings->Use custom DNS servers?

Let's start by looking at the config from the R4S:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@R4S:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "R4S",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@R4S:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:bb4c:8eb9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'REDACTED'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'auto'

root@R4S:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@R4S:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        list server '10.0.0.1'
        option rebind_localhost '1'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '90'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        list dhcp_option '6,10.0.0.1'
        list dhcp_option '3,10.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config host
        option name 'TL-SG108PE'
        option mac 'REDACTED'
        option ip '10.0.0.2'

config host
        option name 'U6Lite'
        option mac 'REDACTED'
        option ip '10.0.0.3'

config host
        option name 'ArcherC6'
        option mac 'REDACTED'
        option ip '10.0.0.4'
		
config host
        option name 'rpi3-wired'
        option mac 'REDACTED'
        option ip '10.0.0.5'

config domain
        option name 'REDACTED.nsupdate.info'
        option ip '10.0.0.5'

Ok... now let's see your AP configs. Importantly, for the C6, what port is connected to the upstream (presumably the switch)?


UniFi 6 Lite:

root@U6Lite:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "U6Lite",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti UniFi 6 Lite",
        "board_name": "ubnt,unifi-6-lite",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@U6Lite:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:cebe:f1e6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

root@U6Lite:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '13'
        option band '2g'
        option htmode 'HT20'
        option country 'BR'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '48'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain 'REDACTED'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'sae'
        option key 'REDACTED'
        option network 'guest'

root@U6Lite:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '90'
        option leasetime '12h'

Archer C6:

root@ArcherC6:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "ArcherC6",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer C6 v3",
        "board_name": "tplink,archer-c6-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@ArcherC6:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:982c:d384::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.4'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

root@ArcherC6:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '7'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '48'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain 'REDACTED'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'sae'
        option key 'REDACTED'
        option network 'guest'

root@ArcherC6:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '90'
        option leasetime '12h'

Thanks!

Using a LAN port.

You appear to have 2 independent guest networks set up on each of your dumb APs:

From the U6:

And from the C6:

It would be much better to set up the guest network on the main router, and then use VLANs to run them out to the dumb APs.

I can help you with that if you'd like to do that.

Meanwhile, when you say that the WLAN clients are getting DNS from the ISP:

  • what SSID are they connecting to?
  • How have you verified that they are indeed using a different DNS server?
  • What client devices are implicated here? What OS is on them, and what applications are showing this behavior?

Please go here and look for an IPV6 DNS leak using a device on the wlan.



V.tal = my ISP.

I suggest you kill IPV6 on all devices and try again.

We will look into the IPV4 leak later.

Sure, I'd like to do that! Thanks! :blush:

What SSID are they connecting to?
Answer: to the main SSID (not to the guest one)

How have you verified that they are indeed using a different DNS server?
Answer: 1.1.1.1/help and dnsleaktest.com

What clients are implicated here?
Answer: some Android smartphones (Android 14), and a LG TV (webOS)

Thanks!

How to disable IPv6 on all devices? :grin:

Do this on all devices.
In LuCI:
Interfaces/wan->edit/DHCP server/IPv6 settings-> disable everything.

There will still be IPv6 settings in different areas but this will kill it.
As you come upon IPv6 settings going forward, disable them all but do not change any numerical values. You may need them if you ever want IPv6 back.

You know, after you take a semester of a college-level course in IPv6 and understand it. :laughing:

Then test for leaks again.

:spiral_notepad: I forgot: do the same thing in the lan interface, follow the same tree as the wan.


First thing I'll need is a topology diagram so that I understand how the devices are connected together. A photo of a sketch on paper is sufficient, but please be sure to label each device and the ports in use.


I may not be up when they come back.

After you help create a more elegant network, they need to go to all devices under LuCI/interfaces->configure and on the first page, at the bottom, disable IPv6.

In anticipation of you cleaning it up I did not know what your configuration will do to the interface->devices list, so I did not include it. But that is the circuit breaker for IPv6.
:spiral_notepad: I anticipate your changes will, also, end the IPv4 leak.


I'll try that as soon as I arrive at home. Thanks!


IPv6 was already disabled on the WAN interface.

Now I've just disabled it on the LAN and WAN6 interfaces too.

Testing again on an Android device:


It works! :grin:

...but now without IPv6 support on my network. :neutral_face:
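
The router's `lan` DHCP section quoted earlier pins IPv4 DNS with `dhcp_option '6,10.0.0.1'` while running `ra` and `dhcpv6` in relay mode, and the leak stopped once IPv6 was disabled on LAN and WAN6. As an added example (not code from the thread's participants), the shell function below flags that combination in a UCI dhcp config. The function name, its message and the sample config are constructed here, and it assumes that relayed RA/DHCPv6 replies can hand clients the upstream network's DNS servers.

```shell
#!/bin/sh
# Added example (not from the thread). Flags UCI dhcp sections that pin the
# IPv4 DNS server via DHCP option 6 but run RA/DHCPv6 in relay mode.

# audit_dhcp [FILE]: reads a UCI dhcp config (stdin if no FILE) and prints
# one line per flagged section.
audit_dhcp() {
    awk -v q="'" '
    function flush() {
        if (sec != "" && pinned != "" && relay != "")
            printf "%s: IPv4 DNS pinned to %s but IPv6 relayed (%s)\n",
                   sec, pinned, substr(relay, 2)
    }
    { gsub(q, "") }                      # drop UCI single quotes
    $1 == "config" {                     # a new section starts
        flush()
        sec = ($2 == "dhcp") ? $3 : ""
        pinned = ""; relay = ""
    }
    sec == "" { next }
    $1 == "list" && $2 == "dhcp_option" && $3 ~ /^6,/ { pinned = substr($3, 3) }
    $1 == "option" && ($2 == "ra" || $2 == "dhcpv6") && $3 == "relay" {
        relay = relay "," $2
    }
    END { flush() }
    ' "$@"
}

# Constructed sample, modelled on the 'lan' and 'wan6' sections in the thread.
sample_config() {
    cat <<'EOF'
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option dhcpv6 'relay'
        option ra 'relay'
        list dhcp_option '6,10.0.0.1'

config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
EOF
}

sample_config | audit_dhcp
```

On a router, `audit_dhcp /etc/config/dhcp` runs the same check against the live config.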