AdGuardHome

Option to advertise the same DNS IP multiple times in DHCP response

Open ShellCode33 opened this issue 1 year ago • 6 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to request a feature or enhancement and not ask a question

The problem

I have a very strict blacklist-everything-by-default configuration for my Android TV:

# Blacklist everything
||*.*^$client='tv'

# Allow basic YT support
@@||youtube.com^$client='tv'
@@||googlevideo.com^$client='tv'
@@i.ytimg.com^$client='tv'
@@yt3.ggpht.com^$client='tv'

It was working fine for some time but suddenly stopped working. The TV is also unable to resolve local services on my LAN.

The TV periodically tries to contact Adguard Home's DNS but gets most of its requests denied:

[screenshot]

My assumption is that Android ends up believing Adguard Home's DNS is not working and falls back to using Google's DNS.

Here's the network configuration of my TV:

[photo 1: TV network settings]

[photo 2: TV network settings]

(Sorry for the disgusting pics)

As you can see, the second DNS field shows 0.0.0.0; it's most likely the reason why Android believes it's ok to fall back to some other DNS.

Proposed solution

I believe that advertising the same DNS address multiple times would resolve this issue. PiHole is already doing that:

[screenshot from Pi-hole]

Related PiHole issue: https://github.com/pi-hole/pi-hole/pull/3846

Alternatives considered and additional information

Using a static network configuration. I'd like to avoid that; I might buy another TV at some point, and I don't want to rely on client configuration.

ShellCode33 · Oct 07 '24 12:10
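The feature requested above is, on the wire, a question of what goes into DHCP option 6 (Domain Name Server, RFC 2132 section 3.8): the option is a code byte, a length byte, and then four bytes per address, so "advertise the same DNS twice" is simply the same address repeated in that list. The following is an added example, not AdGuard Home's or Pi-hole's code; it encodes and decodes option 6 as a server and a client would, models a client UI with fixed primary/secondary slots (the `client_view` function is an assumption about how such a UI fills empty slots with 0.0.0.0, not Android's actual code), and also accepts a dnsmasq `dhcp-option=option:dns-server,...` line so the same encoder can be applied to the dnsmasq configuration shown later in the thread. The resolver address 192.168.1.2 is a constructed placeholder for the AGH host on the 192.168.1.0/24 LAN.

```python
"""Added example: building and parsing DHCP option 6 (Domain Name Server).

Not AdGuard Home or Pi-hole code. 192.168.1.2 is a constructed placeholder
for the AdGuard Home host on the reporter's 192.168.1.0/24 LAN.
"""
import ipaddress
import struct

OPTION_DNS_SERVER = 6  # RFC 2132 option code for "Domain Name Server"


def encode_dns_option(servers):
    """Encode IPv4 addresses as the option-6 TLV: code, length, 4 bytes per address.

    Duplicates are kept on purpose: advertising the same resolver twice, as the
    issue requests, is just the same address appearing twice in this payload.
    """
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) == 0:
        raise ValueError("option 6 needs at least one address (RFC 2132: minimum length 4)")
    if len(payload) > 255:
        raise ValueError("option length is a single byte; too many addresses")
    return struct.pack("!BB", OPTION_DNS_SERVER, len(payload)) + payload


def decode_dns_option(option_bytes):
    """Parse one option-6 TLV as a DHCP client would, returning dotted-quad strings."""
    if len(option_bytes) < 2:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!BB", option_bytes[:2])
    if code != OPTION_DNS_SERVER:
        raise ValueError(f"expected option {OPTION_DNS_SERVER}, got {code}")
    body = option_bytes[2:2 + length]
    if len(body) != length or length == 0 or length % 4 != 0:
        raise ValueError("option 6 length must be a non-zero multiple of 4 and fit the buffer")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def client_view(servers, slots=2):
    """Assumed model of a client UI with fixed DNS slots (not Android's real code):
    every slot the option did not fill is displayed as 0.0.0.0."""
    decoded = decode_dns_option(encode_dns_option(servers))
    return (decoded + ["0.0.0.0"] * slots)[:slots]


def parse_dnsmasq_dns_server(line):
    """Turn a dnsmasq 'dhcp-option=option:dns-server,a,b' (or 'dhcp-option=6,a,b')
    line into the address list it advertises, so encode_dns_option can be reused."""
    key, _, value = line.strip().partition("=")
    if key != "dhcp-option":
        raise ValueError("not a dhcp-option line")
    fields = value.split(",")
    if fields[0] not in ("option:dns-server", "6"):
        raise ValueError("not the DNS server option")
    return fields[1:]


if __name__ == "__main__":
    resolver = "192.168.1.2"  # constructed placeholder for the AGH host
    for advertised in ([resolver], [resolver, resolver]):
        print(encode_dns_option(advertised).hex(), "->", client_view(advertised))
    # a dnsmasq line from later in this thread, re-encoded the same way
    line = "dhcp-option=option:dns-server,192.168.88.252,192.168.88.200"
    print(encode_dns_option(parse_dnsmasq_dns_server(line)).hex())
```

With one address the modelled client shows `['192.168.1.2', '0.0.0.0']`, which matches the screenshots in the report; with the address repeated both slots are filled, and the option itself is only four bytes longer.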

My 0.02..

I did this at home with dnsmasq.. added the same dns (dhcp option 6) and had problems with devices not working correctly and having unexpected issues..

Again, my situation was that it was a problem for me and mine..

I would create an internal nat dns redirect/hijack for outbound udp/53 and tcp/53..

You'll be surprised with what is going on there.. and forget all about this.

:)

bcookatpcsd · Oct 07 '24 19:10

I'm not sure I get your point. What were the problems you were encountering? I don't see how advertising the same DNS multiple times could go wrong.

I would create an internal nat dns redirect/hijack for outbound udp/53 and tcp/53..

I don't route the traffic myself (and I'd like to avoid doing so for now), I let my ISP router handle all that, therefore I cannot block outgoing DNS traffic.

ShellCode33 · Oct 07 '24 23:10

Where does 192.168.1.0/24 come from.. That would be where the redirection would happen..

I don't route the traffic myself (and I'd like to avoid doing so for now), I let my ISP router handle all that, therefore I cannot block outgoing DNS traffic.

Where does the dhcp come from now?

The host '0.0.0.0' is a problem and not correct.. I would fix that.

https://www.rfc-editor.org/rfc/rfc5735#section-3

(windows)

Pinging 0.0.0.0 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.

(linux)

PING 0.0.0.0 (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.025 ms

(bsd)

PING 0.0.0.0 (0.0.0.0): 56 data bytes
^C
--- 0.0.0.0 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Unless the TV is running a dns server and knows to route packets destined for 0.0.0.0 to loopback..

Again my 0.02

(windows vs linux (glibc/musl) vs bsd.. all different but similar)

https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html

nameserver and options timeout, single-request, etc..

(freebsd far less options..)

https://man.freebsd.org/cgi/man.cgi?query=resolv.conf

bcookatpcsd · Oct 08 '24 12:10

Where does 192.168.1.0/24 come from.. That would be where the redirection would happen..

My ISP router

Where does the dhcp come from now?

The same as my DNS: Adguard Home. The DHCP of my ISP router is disabled.

[screenshot]

Note that my TV is configured as a static lease with IP 192.168.1.11.

The host '0.0.0.0' is a problem and not correct.. I would fix that.

I believe it's just a placeholder used by the TV to indicate that there's no secondary DNS.

ShellCode33 · Oct 08 '24 12:10

The DHCP within AGH does look basic.. no way to add other dhcp options..

Possibly on this linux machine you could run dnsmasq and do your own dhcp but have more insight into what is happening..

dhcp also has lots of knobs and features.. just a text file away ;)

dnsmasq --help dhcp | wc -l
62

And those are the major ones..

addn-hosts=/etc/dnsmasq.d/hosts
expand-hosts

listen-address=192.168.88.250
port=531
log-facility=/var/log/dnsmasq.log
# log-dhcp

log-async

local-ttl=300
dns-forward-max=16384
cache-size=0

user=dnsmasq
group=nogroup

no-hosts
no-negcache
no-poll
no-resolv
dns-loop-detect

domain=dnsmasq.default

interface=eth0

dhcp-authoritative
dhcp-sequential-ip
dhcp-rapid-commit

dhcp-lease-max=10240
dhcp-ignore=bootp

dhcp-no-override
dhcp-option=option:ip-forward-enable,0
dhcp-option=option:dns-server,192.168.88.252,192.168.88.200
dhcp-option=option:ntp-server,0.0.0.0
dhcp-option=option:tzdb-timezone,"America/New_York"

domain=home,192.168.88.0/24,local
dhcp-range=192.168.88.100,192.168.88.200,255.255.255.0,4h
dhcp-option=option:router,192.168.88.1
dhcp-option=option:domain-name,home

dhcp-host=cc:5e:f8:9b:34:63,192.168.88.194,brother

This will create a static dhcp record for IP and DNS name..

dhcp-host=74:95:ec:64:5c:b8,car-honda

This will create a static Name with a dynamic IP..

Then add these lines to your AGH config: (again, adjust as you see fit..)

[/home/]192.168.88.250:531
[/88.168.192.in-addr.arpa/]192.168.88.250:531

AGH will now go to dnsmasq for A and PTR records of your hosts and your internal domain..

Modify what you need.. start dnsmasq and tail the log.. then uncomment the log-dhcp; restart and tail the logs..

dnsmasq will give you whatever dhcp wise you are looking for today; right now..

Follow the white rabbit and take the red pill..

HTH

bcookatpcsd · Oct 08 '24 12:10

Thanks but this is off topic, I know I can set up my own DHCP server and do whatever I want with it. This issue is about suggesting a new feature to Adguard devs to circumvent a limitation in Android (and probably other clients). PiHole does this already as mentioned in my original post, therefore it's a good indication that this feature somehow makes sense.

ShellCode33 · Oct 08 '24 13:10

Devices falling back have nothing to do with the secondary DNS.. Even if you had the secondary DNS configured the TV would still fall back. I had a secondary DNS in my network in the past and many devices still tried to fall back..

If you do not want the TV to fall back, either block access to the DNS they are using at the router (but I have seen devices that will flood your network with connection attempts trying to reach something), or NAT redirect it at the router for a more sane solution.

tmottabr · Oct 23 '24 11:10

Hey Adguard team, can we please get this feature? It's been a feature in Pihole for a long time.

On moving to Adguard home, I immediately noticed the amount of blocked traffic reduce by 5% with the same blocklists and same network devices. My hunch is that this feature could fix that.

karansapolia · Aug 28 '25 18:08