Hello.
I bought a Flint 2, set up WireGuard (client), global proxy. Enabled AdGuard and everything works as expected, DNS requests of all clients get to AdGuard. But if a custom DNS is manually set up on the client, then DNS requests of this client will not get to AdGuard. Question: how to block the Internet for clients who set up a custom DNS, or how to ignore the custom DNS of the client and direct its DNS requests to the local AdGuard?
You can't if it's DoH or DNS-over-QUIC or any other modern protocol.
For just plain DNS you can enable Override DNS Settings for All Clients.
This setting is enabled, but the router itself writes that all the settings on this page will not work because AdGuard Home is enabled.
Quote: "AdGuard Home is enabled and this router will use the DNS server provided by AdGuard Home as the custom DNS server. The DNS server settings will not work."
Maybe there is a way to check that if there is traffic from a device, but there are no DNS requests from this device in AdGuard, then block this device?
The statement there is wrong for the overriding part. Override will work anyway.
The only thing that does not work is the DNS server IPs you entered there, because they will be overwritten by AGH.
The issue is that modern clients now use fancy DoH and DoT. Even when they come with these fancy disable buttons, the browser can also come with its own resolver and options, and sometimes also hardcoded, like on Android.
And to make things worse, they can also use a hardcoded list, which gives you a false sense of security. I almost thought my firewall was not working, only to figure out how messed up these implementations are: you can have a system DNS with a DoH toggle, you can set up Chrome to follow the system DNS, yet it still uses a hardcoded list of DoH servers. The only solution is to disable what they call 'secure DNS', and then hope the best clients don't use it hardcoded.
As for now there is a fallback mechanism to prevent these types of bypasses, but I can assure you it's up to them; they can easily disable it. You need a DoH block list; this makes clients fall back to port 53, which is classic DNS. DoT is more easily blocked, just block destination port 853, but DoH is a nightmare since you cannot just block port 443 access to the full internet.
As for blocklists, I'm not sure if banIP works on GL software, especially since the VPN is different; it might not be possible for banIP to listen on it. Currently this works excellently for me on normal OpenWrt, but the developer has already mentioned he only develops for OpenWrt.
Since I wanted NextDNS in my use case, and NextDNS also depends on Cloudflare for their DDoS protection, they also made some sort of loophole that kept Cloudflare's DNS accessible, so I started using routing tables to blackhole it, but for AdGuard that is not needed.
I'm pretty confident they will also take out the fallback mechanism; it's more for legacy purposes I guess, but not in Google's interest, which is scary since they kind of hold a browser monopoly.
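As an added example (not code from this thread, GL.iNet or AdGuard Home), here is the check the original poster asked about: cross-reference the router's flow records with AdGuard Home's query log and flag LAN clients that send traffic but never resolve through AGH, or that talk to port 853 (DoT) or to an external port 53 directly. The flow tuples and the query-log lines are constructed sample data; the field names "IP" and "QH" are assumed to match AGH's querylog.json, and the LAN prefix 192.168.8. is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample: AdGuard Home query-log lines, one JSON object per line.
# Field names "IP" (client) and "QH" (queried host) are assumed to match AGH's
# querylog.json; the entries themselves are made up.
AGH_QUERYLOG = """
{"T":"2024-05-01T10:00:01Z","QH":"example.com","IP":"192.168.8.101"}
{"T":"2024-05-01T10:00:05Z","QH":"gl-inet.com","IP":"192.168.8.101"}
{"T":"2024-05-01T10:00:09Z","QH":"openwrt.org","IP":"192.168.8.103"}
"""

# Constructed sample: conntrack-style flows seen on the router as
# (source IP, destination IP, destination port).
FLOWS = [
    ("192.168.8.101", "93.184.216.34", 443),   # normal HTTPS, resolved via AGH
    ("192.168.8.102", "1.1.1.1", 853),         # DNS-over-TLS to a public resolver
    ("192.168.8.102", "104.16.132.229", 443),
    ("192.168.8.103", "8.8.8.8", 53),          # plain DNS to an external resolver
    ("192.168.8.104", "142.250.74.206", 443),  # HTTPS only, never seen in AGH
]

def agh_clients(log_text):
    """Count queries per client IP from AGH query-log text."""
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        counts[json.loads(line)["IP"]] += 1
    return dict(counts)

def find_suspects(flows, log_text, lan="192.168.8."):
    """Return {client_ip: reason} for LAN clients that bypass the local resolver.
    Port 853 is DoT (blockable at the firewall); external port 53 is plain DNS
    (caught by the DNS override); traffic with no AGH queries points to DoH."""
    seen_in_agh = agh_clients(log_text)
    suspects = {}
    for src, dst, dport in flows:
        if not src.startswith(lan):
            continue
        if dport == 853:
            suspects[src] = "DNS-over-TLS to %s" % dst
        elif dport == 53 and not dst.startswith(lan):
            suspects.setdefault(src, "plain DNS to external %s" % dst)
        elif src not in seen_in_agh:
            suspects.setdefault(src, "traffic but no queries in AGH (likely DoH)")
    return suspects

if __name__ == "__main__":
    for ip, reason in sorted(find_suspects(FLOWS, AGH_QUERYLOG).items()):
        print(ip, "->", reason)
```

On a real router the flow tuples would come from conntrack and the log text from AGH's query log; a flagged client can then be handled by a firewall rule rather than by guessing.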