
Non-standard port binding - doesn't work for localhost / AGH host

Open SSJPKXL opened this issue 3 years ago • 10 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

64-bit ARM

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

Latest Edge Release

Description

AGH is local DNS server only for local clients, not accessible from WAN, not DHCP server, running on Raspberry Pi 4 (Bullseye 64bit), installed directly from https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh .

What did you do?

Changed binding UDP port 53 to a non-standard UDP port in AdGuardHome.yaml. Router IPTables re-direct all client UDP port 53 packets to that non-standard port. Raspberry Pi IPTables accepts packets on that non-standard UDP port for all clients, except for Raspberry Pi itself, which tries to resolve domains using UDP port 53 and has 127.0.0.1 (localhost) set for nameserver in DHCPCD.conf and in RESOLV.conf. NetworkManager and DNSMasq are not running on Raspberry Pi.

I don't know if this is an AGH problem or a Linux problem, but how do I force AGH to make DNS queries via non-standard UDP ports for hosts that are running AGH? It just needs to query 127.0.0.1 (localhost) on the non-standard UDP ports specified in AdGuardHome.yaml.

RPi is not a router and allows only filtering chains for IPTables. Re-direction and pre-routing chains are not functional.

If not possible, then updating Raspberry Pi itself becomes problematic and requires stopping AGH service, re-configuring AdGuardHome.yaml to bind to default UDP port 53, re-starting AGH service, running Raspberry Pi updates, and stopping AGH service to re-configure/bind AdGuardHome.yaml back to using non-standard UDP port...

SSJPKXL avatar Jul 27 '22 22:07 SSJPKXL

Is it possible to bind different ports to different interfaces?

SSJPKXL avatar Jul 27 '22 23:07 SSJPKXL

Thanks for the thorough description, but I'm afraid I still don't understand what the issue is. If your request is to listen on several ports, that is coming during the v0.108 cycle, and until then you can use dnsproxy or any other DNS forwarder to forward those queries to AGH.

If it's not that, please add DNS lookup commands (for example, using dig) that should be working but don't.

Thanks.

ainar-g avatar Jul 28 '22 12:07 ainar-g

  • Device running AGH: Raspberry Pi
  • Bind port for plaintext DNS (set in AdGuardHome.yaml): 79
  • 2 interfaces to listen on (set in AdGuardHome.yaml):
      - 127.0.0.1
      - 192.168.1.5

Clients use UDP port 53 to query local DNS server, but router re-directs queries to correct port 79 because AGH listens on port 79. Clients have no problem resolving domains.

Raspberry Pi has issues resolving domains. When trying to use "sudo apt update" or any "sudo nslookup" command from Raspberry Pi, it sends queries to 127.0.0.1:53. AGH does not register such queries because it doesn't listen on port 53. It only listens on port 79. How do I make Raspberry Pi send requests to 127.0.0.1:79?

SSJPKXL avatar Jul 28 '22 17:07 SSJPKXL

@7ArxS2PrqAUF9Gom, you've mentioned that system resolving is set up using /etc/resolv.conf? That's probably why the Pi itself goes to 127.0.0.1:53. As far as I know, some BSD implementations allow using the [ip]:port notation (note the square brackets), but I'm not sure if Linux does. If it doesn't, I'd just add a DNS proxy listening at 127.0.0.2:53 and put 127.0.0.2 into /etc/resolv.conf.

ainar-g avatar Jul 28 '22 17:07 ainar-g
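A minimal loopback UDP forwarder of the kind suggested above, as an added example (not AdGuard's dnsproxy and not code from this thread): it listens on 127.0.0.2:53 for the Pi's own stub resolver and relays each query to AGH on 127.0.0.1:79, accepting only a response whose transaction ID matches and whose QR bit is set. The two addresses come from the thread; the timeout and buffer size are assumptions.

```python
import socket
from typing import Optional, Tuple

# Addresses from the thread: the Pi's /etc/resolv.conf points at 127.0.0.2,
# and AGH listens for plaintext DNS on 127.0.0.1:79.
LISTEN_ADDR = ("127.0.0.2", 53)
UPSTREAM_ADDR = ("127.0.0.1", 79)
MAX_DNS_UDP = 4096   # assumption: large enough for EDNS-sized UDP answers
TIMEOUT_S = 2.0      # assumption: give up on an upstream that never replies


def forward_query(query: bytes, upstream: Tuple[str, int] = UPSTREAM_ADDR,
                  timeout: float = TIMEOUT_S) -> Optional[bytes]:
    """Relay one raw DNS query to `upstream` and return the matching response.

    A datagram is accepted only if it comes from the upstream we asked, carries
    the same 16-bit transaction ID as the query, and has the QR (response) bit
    set. Anything else is ignored; a timeout yields None so the caller drops it
    instead of answering the client with garbage.
    """
    if len(query) < 12:           # shorter than a DNS header: not a valid query
        return None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(timeout)
        up.sendto(query, upstream)
        try:
            while True:
                resp, sender = up.recvfrom(MAX_DNS_UDP)
                if (sender == upstream and len(resp) >= 12
                        and resp[:2] == query[:2] and resp[2] & 0x80):
                    return resp
        except socket.timeout:
            return None


def serve(listen: Tuple[str, int] = LISTEN_ADDR,
          upstream: Tuple[str, int] = UPSTREAM_ADDR) -> None:
    """Bind to a loopback address only; port 53 needs root (or CAP_NET_BIND_SERVICE)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(MAX_DNS_UDP)
            resp = forward_query(query, upstream)
            if resp is not None:
                srv.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

With this running, 127.0.0.2 goes into /etc/resolv.conf (and dhcpcd.conf) while AGH keeps its port 79 binding, and the forwarder never has to be reachable from the LAN.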

I set up AGH to keep it fully contained and exclusively for local network:

  • Use 127.0.0.1 for system resolver (set in DHCPCD.conf and RESOLV.conf)
  • Use 127.0.0.1 for bootstrap IP
  • Not allow incoming connections from WAN
  • Encrypt all upstream traffic by specifying IP address for DoH/DoT/DoQ DNS servers (such as https://94.140.14.14/dns-query) instead of domain names (such as https://dns.adguard.com/dns-query)
  • Drop all WAN outbound UDP port 53 packets

Does AGH provide a way to set up a DNS proxy, or should I look into 3rd party DNS proxies? It would be a good feature to have because common/typical resolvers, such as DNSMasq, do not accept any port other than 53 for DNS resolution.

SSJPKXL avatar Jul 28 '22 19:07 SSJPKXL

https://github.com/AdguardTeam/dnsproxy/ is pretty much AdGuard Home lite. AdGuard Home uses dnsproxy's code for its own DNS handling. But really, any DNS proxy software would do.

ainar-g avatar Jul 29 '22 08:07 ainar-g

If DNS Proxy is AGH Lite and it can forward requests from one loopback address to another, then why can't the same be accomplished with AGH?

SSJPKXL avatar Jul 29 '22 11:07 SSJPKXL

I'm not sure what you're asking, sorry. If you mean, why can't AGH listen on several addresses, then I have already answered that it is planned.

ainar-g avatar Jul 29 '22 16:07 ainar-g

I see! Thank you for clarifying! Allowing multiple listening ports for the same protocol and/or different listening ports for each listening interface will be a great feature!

SSJPKXL avatar Jul 29 '22 18:07 SSJPKXL

Any updates on this effort?

SSJPKXL avatar Nov 15 '22 23:11 SSJPKXL