AdGuard DNS rewrites not working over VPN (wireguard)

Hey,

There is no problem with the Override DNS Settings of All Clients.

DNS redirection (Override DNS Settings of All Clients) is enabled, AdGuard Home Handle Client Requests is enabled, and the client's (test PC) network card DNS server is customized to 1.1.1.1 (ordinary UDP DNS):

On the client test PC, a DNS query is issued from the Windows command prompt, and the displayed DNS server is the custom one. This is the expected behavior of Windows:

But all DNS requests from the clients will be redirected by the router to ADG:

root@GL-AX1800:~# cat /proc/net/nf_conntrack|grep -w dport=53 | grep 1.1.1.1
ipv4     2 udp      17 14 src=192.168.6.146 dst=1.1.1.1 sport=59679 dport=53 packets=1 bytes=58 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=59679 packets=1 bytes=198 mark=32768 zone=0 use=2
ipv4     2 udp      17 15 src=192.168.6.146 dst=1.1.1.1 sport=61607 dport=53 packets=1 bytes=80 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=61607 packets=1 bytes=190 mark=32768 zone=0 use=2
ipv4     2 udp      17 9 src=192.168.6.146 dst=1.1.1.1 sport=61026 dport=53 packets=1 bytes=70 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=61026 packets=1 bytes=86 mark=32768 zone=0 use=2
ipv4     2 udp      17 137 src=192.168.6.146 dst=1.1.1.1 sport=50860 dport=53 packets=2 bytes=120 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=50860 packets=2 bytes=330 [ASSURED] mark=32768 zone=0 use=2
ipv4     2 udp      17 8 src=192.168.6.146 dst=1.1.1.1 sport=49188 dport=53 packets=1 bytes=69 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=49188 packets=1 bytes=218 mark=32768 zone=0 use=2
ipv4     2 udp      17 23 src=192.168.6.146 dst=1.1.1.1 sport=63270 dport=53 packets=1 bytes=62 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=63270 packets=1 bytes=134 mark=32768 zone=0 use=2
ipv4     2 udp      17 22 src=192.168.6.146 dst=1.1.1.1 sport=51189 dport=53 packets=1 bytes=62 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=51189 packets=1 bytes=78 mark=32768 zone=0 use=2
ipv4     2 udp      17 33 src=192.168.6.146 dst=1.1.1.1 sport=56801 dport=53 packets=1 bytes=69 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=56801 packets=1 bytes=85 mark=32768 zone=0 use=2
ipv4     2 udp      17 22 src=192.168.6.146 dst=1.1.1.1 sport=53646 dport=53 packets=1 bytes=70 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=53646 packets=1 bytes=86 mark=32768 zone=0 use=2
ipv4     2 udp      17 8 src=192.168.6.146 dst=1.1.1.1 sport=59663 dport=53 packets=1 bytes=56 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=59663 packets=1 bytes=107 mark=32768 zone=0 use=2
ipv4     2 udp      17 23 src=192.168.6.146 dst=1.1.1.1 sport=61903 dport=53 packets=1 bytes=71 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=61903 packets=1 bytes=87 mark=32768 zone=0 use=2
ipv4     2 udp      17 22 src=192.168.6.146 dst=1.1.1.1 sport=51716 dport=53 packets=1 bytes=58 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=51716 packets=1 bytes=74 mark=32768 zone=0 use=2
ipv4     2 udp      17 53 src=192.168.6.146 dst=1.1.1.1 sport=61670 dport=53 packets=1 bytes=62 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=61670 packets=1 bytes=105 mark=32768 zone=0 use=2
ipv4     2 udp      17 23 src=192.168.6.146 dst=1.1.1.1 sport=55648 dport=53 packets=1 bytes=79 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=55648 packets=1 bytes=335 mark=32768 zone=0 use=2
root@GL-AX1800:~#

Note, only ordinary UDP DNS can be redirected. Encrypted DNS cannot be redirected.
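As an added check (not part of this thread or of GL.iNet's firmware), the following shell function classifies the UDP/53 entries of /proc/net/nf_conntrack shown above as redirected or direct, so the redirection can be verified on the router without reading every tuple by hand. The sample input is constructed: the first line is taken from the output above, the second is a made-up entry in which 1.1.1.1 answers directly.

```shell
# Classify UDP/53 conntrack entries as DNAT-redirected or direct.
# Without NAT, the reply tuple's source is the address the client asked
# (dst of the original tuple) on port 53. Any other answering address or
# port means the router rewrote the destination, as the output above shows
# (asked 1.1.1.1:53, answered by 192.168.6.1:3053).
dns_redirect_check() {
  awk '
    $3 == "udp" {
      n = 0
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src")        { n++; src[n] = kv[2] }
        else if (kv[1] == "dst")   { dst[n] = kv[2] }
        else if (kv[1] == "sport") { sport[n] = kv[2] }
        else if (kv[1] == "dport") { dport[n] = kv[2] }
      }
      # Select DNS flows by the original direction only (index 1).
      if (n != 2 || dport[1] != "53") next
      if (src[2] == dst[1] && sport[2] == "53") verdict = "direct"
      else verdict = "redirected"
      printf "%s client=%s asked=%s:%s answered_by=%s:%s\n", verdict, src[1], dst[1], dport[1], src[2], sport[2]
    }
  '
}

# Constructed sample: line 1 is copied from the router output above
# (redirected to the local resolver on port 3053); line 2 is made up and
# shows 1.1.1.1 itself answering, i.e. no redirection took place.
SAMPLE='ipv4     2 udp      17 14 src=192.168.6.146 dst=1.1.1.1 sport=59679 dport=53 packets=1 bytes=58 src=192.168.6.1 dst=192.168.6.146 sport=3053 dport=59679 packets=1 bytes=198 mark=32768 zone=0 use=2
ipv4     2 udp      17 30 src=192.168.6.146 dst=1.1.1.1 sport=60001 dport=53 packets=1 bytes=60 src=1.1.1.1 dst=192.168.6.146 sport=53 dport=60001 packets=1 bytes=120 mark=0 zone=0 use=2'

printf '%s\n' "$SAMPLE" | dns_redirect_check
# On the live router: dns_redirect_check < /proc/net/nf_conntrack
```

Only plain UDP DNS shows up this way; encrypted DNS (DoH/DoT) is not on port 53 and is not caught by the redirect rule, as the note above says.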

I have the exact same problem as the original post, also with a Flint 1 AX1800. Impossible to have DNS rewrites working on VPN clients, but no problem on Wi-Fi clients. I also have almost the same VPN client device, as it is a Pixel 6a here. The WG configuration on the phone is also IP=10.0.0.2/24 and DNS=10.0.0.1.

However, changing the DNS configuration did not help on my side. Mine was OFF OFF ON, and playing with Overrides or DNS rebind attack did not do anything; I can't get it working.

A difference that I have compared to @bruce's screenshots is that in AGH, the requests coming from the VPN client are marked as coming from 127.0.0.1, and not 10.0.0.2. All other connected clients have their correct IP in the logs.

Any idea what the problem is?

  1. In your phone VPN profile, is the DNS server the VPN server Tunnel IP (for example, 10.0.0.1)?

  2. Is the AdGuard Home Handle Client Requests enabled in the ADG?

Yes to both.

I did a few more tests and I think I found the problem. As I said, my phone's queries through VPN were flagged as coming from 127.0.0.1. I was trying to see if it was the same for the requests to rewrite, but I couldn't find them in the query logs, so I experimented with more rewrite entries.

My rewrites were *.something.lan and *.something.local, and for some reason they never reached the AGH query logs, so I added *.something.home, and with this one the DNS rewrite works on my phone through VPN!

So my hypothesis is that while DNS requests from Wi-Fi clients are handled directly, something at 127.0.0.1 handles the DNS requests from the WG server, and this thing does not bother forwarding to AGH the ones ending in .lan or .local.
What I can't explain is why, in my case, requests through WG are handled by something at 127.0.0.1 and not directly by AGH like in your screenshots...

I see. The local CNAMEs .lan and .local should be handled by dnsmasq and not forwarded to ADG.
The VPN tunnel DNS requests first reach dnsmasq (127.0.0.1) and are then forwarded to ADG.

Is it acceptable to use .home for your local CNAME?

Or if you indeed require .lan and .local, please add them in the hosts file.