Slate AX 4.0.1 beta 2
I have noticed that even when I have a WireGuard tunnel and AdGuard enabled, the router's own DNS traffic gets routed to the repeater's DNS, meaning no adblock and no encryption.
Please comment, does not seem right to me.
AdGuard Home is set by default to work only for client devices and is not used for requests from the router itself.
However, if the WireGuard client is connected, requests from the router should be forwarded through the WireGuard tunnel. We will review this issue.
So it is not possible then to use encrypted DNS requests from the router when AdGuard Home is enabled?
The regular DNS settings are disabled when AdGuard Home is used. Why are AdGuard's DNS settings not used for router requests?
“AdGuard Home is enabled, the router must use the DNS server provided by AdGuard Home, you can’t customize DNS servers.”
From what I can see, the router's DNS requests are not forwarded through the WG tunnel.
Sorry, my bad. AdGuard Home does work for requests from the router itself.
I just tested it with AdGuard Home only, WireGuard only, and both AdGuard Home and WireGuard on, and nslookup shows that 127.0.0.1#53 is used in all three cases.
Which WireGuard provider’s configuration file are you using?
Sorry, I can’t reproduce your question about AdGuard Home.
I guess this may be caused by your AdGuard Home settings. Maybe you could reset the device or upgrade to beta3 without keeping the settings and try again?
About WireGuard, please check whether the WireGuard configuration file provides DNS.
Just my 2 cents. It is only an opinion, not a technically based essay.
My client (192.168.8.10) is asking for an A-record (google.com) at the DNS (192.168.8.1).
The router (192.168.8.1) picks up the request and since AdGuardHome is listening on port 53 (DNS)
it will pick up the request, check against the lists and if no match
it will forward the request.
[interesting part]
If I set the router to use adguard, it will ask at 192.168.8.1.
Here at port 53 AdGuardHome will take the request, check against the internal lists. If no match it will forward the request …
[… and so on …]
Of course, I could break the cycle and tell the service (adguardhome) to ask anywhere else. But maybe I’d like to use the DHCP given DNS to reach the internal system.
Letting the user choose will increase the complexity. I see no problem with the router itself not using AGH, while all clients do.
My concern is not the adblocking functionality, I just don't want the router to send unencrypted DNS requests to the repeater WiFi unless I’ve chosen it. It seems to me there is a problem when rebooting with adblock enabled.
I have no special configuration in adblock, only filters and (encrypted) DNS upstream configuration.
I will try with a clean install of beta3 when it is released since the issue has not been reproduced.
Okay, understood. And I can confirm in FW 4.0.1 beta2, WAN over WLAN, LAN over cable.
AdGuard enabled → reboot router
dnsmasq is bound to 127.0.0.1:53, /etc/resolv.conf is set to nameserver 192.168.xxx.53 (local DNS)
Disable AdGuard → nameserver 127.0.0.1 in /etc/resolv.conf
Enable AdGuard → nameserver 127.0.0.1 in /etc/resolv.conf
In netstat -tulpen |grep \:53 it seems dnsmasq takes the whole configuration after boot and adguardhome got permission only after manual stop/start.
But does dnsmasq also handle the dhcp-client part for the SlateAX system? I think I am missing something.
Can’t find any hints in the logs, now.
Edit: 192.168.xxx.53 is also the DNS in my wireguard configuration.
cat /etc/config/resolv.conf.wg → nameserver 192.168.xxx.53
cat /etc/config/resolv.conf.d/resolv.conf.auto → nameserver 192.168.xxx.53 \n search [mylocaldomain].net, same content as in /etc/resolv.conf
The content in /etc/config/resolv.[wg|.d/resolv.conf.auto] is not altered by stop/start AdGuard.
Why is dnsmasq even bound to 192.168.xxx.193:53 (WWAN port)? (Just a reminder for another analysis).
Yeah, it works and it’s absolutely stable in any situation, at least on my setup. In fact I’ve been using my Slate AX with this “trick” since I started testing it and I’ve had no problem at all (I am always using AdGuard).
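
The state reported earlier in the thread after a reboot (a non-loopback nameserver in /etc/resolv.conf while dnsmasq holds port 53) can be checked with a short script. This is an added example, not part of any post and not GL.iNet code; the function names are hypothetical and the sample data (192.0.2.53, the PID) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not GL.iNet code). Function names are hypothetical.

# Print every nameserver in a resolv.conf-style file that is not loopback.
# Any output means the router's own lookups skip the resolver on 127.0.0.1.
non_loopback_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Read `netstat -tulpen` output on stdin and print "local-address pid/program"
# for each socket bound to port 53, to see whether dnsmasq or AdGuardHome owns it.
port53_listeners() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); if (a[n] == "53") print $4, $NF }'
}

# Return 1 and name the servers if the router resolves through anything but loopback.
audit_router_dns() {
    leaks=$(non_loopback_nameservers "$1" | tr '\n' ' ')
    if [ -n "$leaks" ]; then
        echo "LEAK: router's own DNS goes to: $leaks"
        return 1
    fi
    echo "OK: router resolves via loopback only"
}

# Demo on constructed data (192.0.2.53 stands in for the DHCP-supplied DNS).
demo=$(mktemp)
printf 'search example.net\nnameserver 192.0.2.53\n' > "$demo"
audit_router_dns "$demo" || true
printf 'udp 0 0 127.0.0.1:53 0.0.0.0:* 0 12345 2211/dnsmasq\n' | port53_listeners
rm -f "$demo"

# On the router itself:
#   audit_router_dns /etc/resolv.conf; netstat -tulpen | port53_listeners
```

Running the audit once right after boot and again after a manual AdGuard Home stop/start shows whether the resolver path changes between the two states.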