
Allow overriding DDR response

yegle opened this issue 11 months ago • 1 comment

Prerequisites

  • [x] I have checked the Wiki and Discussions and found no answer

  • [x] I have searched other issues and found no duplicates

  • [x] I want to request a feature or enhancement and not ask a question

The problem

I'm using Caddy reverse proxy in front of AdGuard Home so that I can restrict access to the admin console while providing a publicly accessible DNS-over-HTTPS service. Caddy also handles HTTP/3 (QUIC) on UDP port 443, which I thought was great.

But then I realized:

  1. If I set DoQ port to 443 in the settings, AdGuard will fail to start.
  2. If I do not set DoQ port to 443, then the DDR response will include a port that I do not open on my firewall:

     $ kdig +short @MY-HOST +https _dns.resolver.arpa type64
     1 MY-HOST. alpn=h2 port=443 key7="/dns-query{?dns}"
     1 MY-HOST. alpn=doq port=784

  3. If I set DoQ port to empty string, the DDR response will omit the DoQ information:

     $ kdig +short @MY-HOST +https _dns.resolver.arpa type64
     1 MY-HOST. alpn=h2 port=443 key7="/dns-query{?dns}"

Proposed solution

It looks like the easiest way is to allow us to customize the DDR response, so that I can set DoQ port in the DDR response to 443.

Alternatives considered and additional information

No response

yegle avatar Jan 17 '25 08:01 yegle

I'd like to second this feature request. I run two machines in my local network running AdGuardHome containers, one behind NGINX Proxy Manager, and currently, I have to go into the AdGuardHome.yaml to make sure that handle_ddr is set to false, then write custom DNS filtering rules to answer DDR queries from my local machines. One of the instances is running as a Home Assistant add-on, so editing the config file is a major hassle.

The following custom filtering rules work for me on my local network to rewrite the DDR response:

||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns1.domain.tld alpn=h2 port=443 dohpath=/dns-query{?dns} ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53
||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns1.domain.tld alpn=dot port=853 ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53
||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns1.domain.tld alpn=doq port=853 ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53
||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns2.domain.tld alpn=h2 port=443 dohpath=/dns-query{?dns} ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53
||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns2.domain.tld alpn=dot port=853 ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53
||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns2.domain.tld alpn=doq port=853 ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53

A checkbox on the Encryption page for selecting whether to handle DDRs or not would be really great. Right now, the custom filtering method for rewriting DDRs works, but an easier interface would be fantastic!

meghadeep-com avatar May 15 '25 05:05 meghadeep-com
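Both posts above come down to the same operational question: does the DDR answer (the SVCB records for `_dns.resolver.arpa`) advertise only endpoints a client can actually reach? The issue shows a DoQ target on port 784 that the firewall does not expose, and the comment replaces AdGuard Home's answer with hand-written `$dnsrewrite` rules. The script below is an added example, not code from the issue, the comment or the AdGuard Home project. It parses SVCB presentation syntax as `kdig +short` prints it (where `key7` is the numeric form of `dohpath`) and as it appears inside a `$dnsrewrite=NOERROR;SVCB;...` rule, then reports targets whose ALPN/port combination is not in the set of ports you know are open. The sample inputs are constructed from the records quoted above, and the default-port table (443 for h2/h3, 853 for dot/doq when `port=` is absent) follows RFC 9461.

```python
"""Check what a DDR (_dns.resolver.arpa SVCB) answer advertises against the
ports that are actually reachable, for kdig output and for $dnsrewrite rules."""
import shlex
from dataclasses import dataclass

# Key numbers kdig prints when it has no mnemonic for an SvcParam; key7 is dohpath.
SVCB_KEY_ALIASES = {"key7": "dohpath"}

# Port a client uses when a DDR SVCB target carries no port= parameter (RFC 9461).
DEFAULT_PORT = {"h2": 443, "h3": 443, "dot": 853, "doq": 853}

# Constructed sample: the kdig +short output quoted in the issue (placeholder host kept).
KDIG_SHORT_OUTPUT = """\
1 MY-HOST. alpn=h2 port=443 key7="/dns-query{?dns}"
1 MY-HOST. alpn=doq port=784
"""

# Constructed sample: one of the $dnsrewrite rules from the comment above.
DNSREWRITE_RULE = (
    "||_dns.resolver.arpa^$dnsrewrite=NOERROR;SVCB;1 dns1.domain.tld alpn=doq "
    "port=853 ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53"
)


@dataclass
class SvcbRecord:
    priority: int
    target: str
    params: dict

    def alpns(self):
        """ALPN list; a record without alpn= designates nothing usable for DDR."""
        return [a for a in self.params.get("alpn", "").split(",") if a]

    def port_for(self, alpn):
        """Port a client will actually connect to for this ALPN."""
        if "port" in self.params:
            return int(self.params["port"])
        return DEFAULT_PORT.get(alpn)


def parse_svcb(presentation):
    """Parse SVCB presentation format: '<priority> <target> key=value ...'."""
    tokens = shlex.split(presentation)  # shlex unwraps the quoted dohpath value
    if len(tokens) < 2:
        raise ValueError(f"not an SVCB record: {presentation!r}")
    params = {}
    for token in tokens[2:]:
        key, _, value = token.partition("=")
        params[SVCB_KEY_ALIASES.get(key, key)] = value
    return SvcbRecord(int(tokens[0]), tokens[1].rstrip("."), params)


def parse_kdig_short(output):
    """One record per non-empty line of `kdig +short ... type64` output."""
    return [parse_svcb(line) for line in output.splitlines() if line.strip()]


def parse_dnsrewrite_rule(rule):
    """Extract the SVCB record from a '$dnsrewrite=NOERROR;SVCB;<record>' rule."""
    _, _, modifier = rule.partition("$dnsrewrite=")
    rcode, rrtype, value = modifier.split(";", 2)
    if rcode != "NOERROR" or rrtype != "SVCB":
        raise ValueError(f"rule does not rewrite to an SVCB answer: {rule!r}")
    return parse_svcb(value)


def check_ddr(records, open_ports):
    """Return findings for advertised DDR targets that clients cannot reach or use."""
    findings = []
    for rec in records:
        if not rec.alpns():
            findings.append(f"{rec.target}: no alpn, target is unusable for DDR")
        for alpn in rec.alpns():
            port = rec.port_for(alpn)
            if port is None:
                findings.append(f"{rec.target}: unknown alpn {alpn!r} and no port=")
            elif port not in open_ports:
                findings.append(f"{rec.target}: alpn={alpn} advertises port {port}, "
                                "which is not open")
            if alpn in ("h2", "h3") and "dohpath" not in rec.params:
                findings.append(f"{rec.target}: alpn={alpn} without dohpath")
    return findings


if __name__ == "__main__":
    # Only TCP/UDP 443 is open in the issue's setup, so the DoQ target is flagged.
    for finding in check_ddr(parse_kdig_short(KDIG_SHORT_OUTPUT), {443}):
        print("kdig:", finding)
    # The rewritten answer from the comment is consistent once 443 and 853 are open.
    for finding in check_ddr([parse_dnsrewrite_rule(DNSREWRITE_RULE)], {443, 853}):
        print("rule:", finding)
```

Feed it the real `kdig +short` output of your resolver and the port set your firewall allows; an empty findings list means every ALPN a client may pick leads to a port you actually serve. The same check over the `$dnsrewrite` rules catches a copy-paste error (wrong port for an ALPN, missing `dohpath`) before the rewritten answer reaches clients.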