DNS Question

Slate AX 4.0.1 beta 2
I have noticed that even when I have a WireGuard tunnel and AdGuard enabled, the router's own DNS traffic gets routed to the repeater's DNS, meaning no adblock and no encryption.
Please comment; this does not seem right to me.

root@slateax:/etc# nslookup analytics.plex.tv
Server:         192.168.28.1
Address:        192.168.28.1#53

Non-authoritative answer:
Name:   analytics.plex.tv
Address: 172.64.153.236
Name:   analytics.plex.tv
Address: 104.18.34.20
Name:   analytics.plex.tv
Address: 2606:4700:4400::ac40:99ec
Name:   analytics.plex.tv
Address: 2606:4700:4400::6812:2214

root@slateax:/etc# nslookup analytics.plex.tv 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   analytics.plex.tv
Address: 0.0.0.0
Name:   analytics.plex.tv
Address: ::

root@slateax:/etc# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 wgclient
default         www.asusrouter. 0.0.0.0         UG    20     0        0 wlan-sta0
128.0.0.0       *               128.0.0.0       U     0      0        0 wgclient
185.213.154.69  www.asusrouter. 255.255.255.255 UGH   20     0        0 wlan-sta0
185.247.71.35   www.asusrouter. 255.255.255.255 UGH   20     0        0 wlan-sta0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.9.0     *               255.255.255.0   U     0      0        0 br-guest
192.168.28.0    *               255.255.255.0   U     20     0        0 wlan-sta0
213.112.18.39   www.asusrouter. 255.255.255.255 UGH   20     0        0 wlan-sta0

AdGuard Home is set by default to work only for client devices and is not used for requests from the router itself.
However, if WireGuard client is connected, requests from the router should be forwarded through the WireGuard tunnel. We will review this issue.

So it is not possible then to use encrypted DNS requests from the router when AdGuard Home is enabled?
The regular DNS settings are disabled when AdGuard Home is used. Why are AdGuard's DNS settings not used for router requests?

“AdGuard Home is enabled, the router must use the DNS server provided by AdGuard Home, you can’t customize DNS servers.”

From what I can see, the router's DNS requests are not forwarded through the WG tunnel.

Thanks for looking into this.

Sorry, my bad. AdGuard Home does work for requests from the router itself.

I just tested it with AdGuard Home only, WireGuard only, and both AdGuard Home and WireGuard on, and nslookup shows that 127.0.0.1#53 is used in all three cases.
Which WireGuard provider’s configuration file are you using?

First, I messed up my WG config; below is a clean reboot with WG disabled.
Internet connection is repeater to 192.168.28.1.

root@slateax:~# uptime
 08:07:09 up 1 min,  load average: 0.73, 0.29, 0.10
root@slateax:~# nslookup www.google.com
Server:         192.168.28.1
Address:        192.168.28.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.164
Name:   www.google.com
Address: 2a00:1450:400f:805::2004

root@slateax:~# wg
root@slateax:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         www.asusrouter. 0.0.0.0         UG    20     0        0 wlan-sta0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.9.0     *               255.255.255.0   U     0      0        0 br-guest
192.168.28.0    *               255.255.255.0   U     20     0        0 wlan-sta0
root@slateax:~#
root@slateax:~# nslookup www.google.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.164
Name:   www.google.com
Address: 2a00:1450:400f:802::2004

AdGuard is enabled on boot,

but nslookup shows it uses the upstream router DNS instead of AdGuard:

root@slateax:~# # reboot with adguard on

root@slateax:~# uptime
 08:25:26 up 1 min,  load average: 1.14, 0.37, 0.13
root@slateax:~# nslookup www.google.com
Server:         192.168.28.1
Address:        192.168.28.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.68
Name:   www.google.com
Address: 2a00:1450:400f:802::2004

root@slateax:~# # stop adguard
root@slateax:~#
root@slateax:~# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.68
Name:   www.google.com
Address: 2a00:1450:400f:802::2004

root@slateax:~# # start adguard
root@slateax:~#
root@slateax:~# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.168.196
Name:   www.google.com
Address: 2a00:1450:400f:803::2004

===========================================================================

root@slateax:~# # reboot with adguard off
root@slateax:~# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.68
Name:   www.google.com
Address: 2a00:1450:400f:802::2004

root@slateax:~# # start adguard
root@slateax:~#
root@slateax:~# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.74.68
Name:   www.google.com
Address: 2a00:1450:400f:802::2004

It seems that when AdGuard is on and I reboot, it starts with the wrong DNS server (upstream DNS) instead of 127.0.0.1.

Sorry, I can't reproduce your issue with AdGuard Home.
I guess this may be caused by your AdGuard Home settings; maybe reset the device or upgrade to beta3 without keeping the settings and try again?

About WireGuard, please check whether the WireGuard configuration file provides DNS.

Just my 2 cents. It is only an opinion, not a technically based essay.

  1. My client (192.168.8.10) is asking for an A record (google.com) at the DNS (192.168.8.1).
  2. The router (192.168.8.1) picks up the request and, since AdGuardHome is listening on port 53 (DNS),
  3. it will pick up the request, check against the lists and, if no match,
  4. it will forward the request.
    [interesting part]
  5. If I set the router to use AdGuard, it will ask at 192.168.8.1.
  6. Here at port 53 AdGuardHome will take the request, check against the internal lists. If no match, it will forward the request …
    [… and so on …]

Of course, I could break the cycle and tell the service (AdGuardHome) to ask somewhere else. But maybe I'd like to use the DHCP-given DNS to reach the internal systems.

Letting the user choose will increase the complexity. I see no problem with the router itself not using AGH while all clients do.

My concern is not the adblocking functionality; I just don't want the router to send unencrypted DNS requests to the repeater Wi-Fi unless I've chosen it. It seems to me there is a problem when rebooting with adblock enabled.

I have no special configuration in adblock, only filters and (encrypted) DNS upstream configuration.

I will try with a clean install of beta3 when it is released, since the issue has not been reproduced.

To be clear, that is for the router itself; I still want adblocking for the clients.

Okay, understood. And I can confirm in FW 4.0.1 beta2, WAN over WLAN, LAN over cable.

  1. AdGuard enabled → reboot router
  2. dnsmasq is bound to 127.0.0.1:53; /etc/resolv.conf is set to nameserver 192.168.xxx.53 (local DNS)

Disable Adguard → nameserver 127.0.0.1 in /etc/resolv.conf
Enable Adguard → nameserver 127.0.0.1 in /etc/resolv.conf

In netstat -tulpen | grep :53 it seems dnsmasq takes the whole configuration after boot, and AdGuardHome only gets the port after a manual stop/start.
But does dnsmasq also handle the DHCP-client part for the Slate AX system? I think I'm missing something.
Can’t find any hints in the logs, now.

Edit: 192.168.xxx.53 is also the DNS in my WireGuard configuration.

cat /etc/config/resolv.conf.wg
nameserver 192.168.xxx.53

cat /etc/config/resolv.conf.d/resolv.conf.auto
nameserver 192.168.xxx.53
search [mylocaldomain].net

(same content as in /etc/resolv.conf)

The content of /etc/config/resolv.conf.wg and /etc/config/resolv.conf.d/resolv.conf.auto is not altered by stopping/starting AdGuard.

Why is dnsmasq even bound to 192.168.xxx.193:53 (WWAN port)? (Just a reminder for another analysis).

Thank you very much for your test and we will analyze it more.

Quick and dirty workaround:

Go to LuCI → Network → Interfaces → Tab: Interfaces → Interface: WWAN-sta0 → Button: [Edit]
Tab: Advanced Settings → Uncheck the Option: Use DNS servers advertised by peer → Button: [Save]
Button: [Save & Apply]

After a reboot /etc/resolv.conf is empty and nslookup google.de goes to 127.0.0.1 …

root@GL-AXT1800:~# cat /etc/resolv.conf 
# Interface wwan
root@GL-AXT1800:~# ping -c2 google.de
PING google.de (142.250.181.195): 56 data bytes
64 bytes from 142.250.181.195: seq=0 ttl=56 time=8.823 ms
64 bytes from 142.250.181.195: seq=1 ttl=56 time=7.830 ms

--- google.de ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.830/8.326/8.823 ms
root@GL-AXT1800:~# nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      google.com
Address 1: 172.217.16.78
Address 2: 2a00:1450:4005:800::200e
root@GL-AXT1800:~# 

This needs further testing. What happens if AdGuard is stopped, will DDNS work, and so on. But at first it looks suitable.

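A shell diagnostic for the two checks made in the posts above (which nameserver /etc/resolv.conf hands the router itself, and which daemon actually holds 127.0.0.1:53 in netstat -tulpen output), together with the uci equivalent of the LuCI "Use DNS servers advertised by peer" workaround. This is added example code for this page, not code from the thread, from GL.iNet, OpenWrt or AdGuard Home. The resolv.conf and netstat samples are constructed to mirror the states described in the thread; the AdGuardHome listener on the LAN address, the WWAN address 192.168.28.193 and the UCI section name "wwan" are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: the router's own lookups
# going to the upstream (repeater) resolver instead of 127.0.0.1. Example code
# written for this page, not GL.iNet, OpenWrt or AdGuard Home code.
# Assumptions: the router consults /etc/resolv.conf like any musl/glibc host;
# the local resolver (AdGuard Home or dnsmasq) is expected on 127.0.0.1:53;
# the WWAN interface section in UCI is named "wwan".

# classify_resolv FILE
#   "empty" : no nameserver lines. musl and glibc then fall back to the
#             loopback resolver, which is why the peerdns workaround in the
#             thread makes nslookup use 127.0.0.1.
#   "local" : every nameserver is a loopback address
#   "leak A": at least one nameserver is not loopback; A is the first one
classify_resolv() {
    cr_leak=""
    cr_count=0
    while read -r cr_key cr_val cr_rest; do
        [ "$cr_key" = "nameserver" ] || continue
        cr_count=$((cr_count + 1))
        case "$cr_val" in
            127.*|::1) ;;
            *) if [ -z "$cr_leak" ]; then cr_leak="$cr_val"; fi ;;
        esac
    done < "$1"
    if [ "$cr_count" -eq 0 ]; then
        echo empty
    elif [ -n "$cr_leak" ]; then
        echo "leak $cr_leak"
    else
        echo local
    fi
}

# port53_owners FILE
# FILE holds "netstat -tulpen" output (busybox layout: local address is the
# 4th column, PID/Program is the last). Prints "proto local-address program"
# for every socket on port 53, so you can see who owns the resolver port.
port53_owners() {
    awk '$4 ~ /:53$/ { p = $NF; sub(/^[0-9]+\//, "", p); print $1, $4, p }' "$1"
}

# owner_of FILE ADDR:PORT -> program bound to exactly that socket, or "none"
owner_of() {
    oo_prog=$(awk -v want="$2" '$4 == want { p = $NF; sub(/^[0-9]+\//, "", p); print p; exit }' "$1")
    echo "${oo_prog:-none}"
}

# disable_peerdns: CLI equivalent of the LuCI workaround (Interfaces -> wwan
# -> Advanced Settings -> uncheck "Use DNS servers advertised by peer").
# Only touches the system when "uci" exists, i.e. when run on the router.
disable_peerdns() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; run this on the router"
        return 1
    fi
    uci set network.wwan.peerdns='0' &&
    uci commit network &&
    ifup wwan
}

# --- constructed samples mirroring the thread (not captured from a device) ---
tmp=$(mktemp -d)
# After a reboot with AdGuard enabled: resolv.conf points at the repeater.
printf 'search lan\nnameserver 192.168.28.1\n' > "$tmp/resolv.leak"
# After the peerdns workaround: only the interface comment remains.
printf '# Interface wwan\n' > "$tmp/resolv.empty"
# Healthy state: the router resolves through the local resolver.
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.local"
# netstat -tulpen style listing: dnsmasq grabbed 127.0.0.1:53 and the WWAN
# address at boot; AdGuardHome only holds the LAN address (assumed layout).
cat > "$tmp/netstat" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      0          9001       1201/dnsmasq
tcp        0      0 192.168.28.193:53       0.0.0.0:*               LISTEN      0          9002       1201/dnsmasq
tcp        0      0 192.168.8.1:53          0.0.0.0:*               LISTEN      0          9003       1350/AdGuardHome
udp        0      0 127.0.0.1:53            0.0.0.0:*                           0          9004       1201/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           0          9005       1201/dnsmasq
EOF

for f in leak empty local; do
    printf '%-13s %s\n' "resolv.$f:" "$(classify_resolv "$tmp/resolv.$f")"
done
echo "port 53 owners:"
port53_owners "$tmp/netstat"
echo "127.0.0.1:53 is held by: $(owner_of "$tmp/netstat" 127.0.0.1:53)"
rm -rf "$tmp"

# Pass --apply on the router to actually set peerdns=0 on the wwan interface.
if [ "${1:-}" = "--apply" ]; then disable_peerdns; fi
```

Run it as "sh check_dns.sh" on the router (copy /etc/resolv.conf and "netstat -tulpen" output into files if you prefer to inspect a snapshot), and as "sh check_dns.sh --apply" only when you want the peerdns change committed. A "leak" verdict paired with dnsmasq owning 127.0.0.1:53 is exactly the post-reboot state described above; "empty" after the workaround is expected and means the libc default of 127.0.0.1 is in effect.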

Yeah, it works and it's absolutely stable in any situation, at least on my setup. In fact I've been using my Slate AX with this "trick" since I started testing it and I've had no problems at all (I am always using AdGuard).


I suspect it would not work with captive portals.