Adguard DNS Protection is not working well with router advertised dns servers
As the title says, my router pushes its relay DNS server address to clients. From what I have experienced using an ASUS AC86U router, when IPv6 connectivity is enabled on both the macOS network adapter and the router, we'll have both IPv4 and IPv6 WAN addresses assigned to the client (macOS), including at least two DNS servers (one is IPv4 and the other is IPv6; both are relay DNS servers, which are the router's own IP addresses). In my case, the first DNS address is the router's IPv4 address (private IP) and the second DNS address is an IPv6 address (WAN IP, not link-local IP).
I tried overriding the DNS setting to get rid of the IPv6 one, and it works well. It won't work well when the IPv6 one is used (either using it alone or using it with the IPv4 one). If I set a public IPv6 DNS address as DNS instead of using the router's IPv6 one, it works again.
Steps to reproduce
- A little bit hard to reproduce this issue, as I can only reproduce it with my router (ASUS AC86U)
- Set up IPv6 enabled on both sides (macOS and router)
- Leave any DHCP and DNS setting with default value on router
- Join the router wireless / ethernet network to get DNS settings pushed onto our system (macOS Monterey 13.3.1 with Adguard for Mac 2.8)
- Set up Adguard DNS Protection
- (4.1) Enable DNS Protection
- (4.2) Choose Adguard DNS instead of System default
- Go to adguard check website
https://adguard.com/en/test.html
Expected behavior
See Adguard DNS is detected as the page shows
Actual behavior
Adguard DNS is not detected as the page shows
Customer ID
595342
Your environment
- macOS Monterey 13.3.1
- Adguard for Mac 2.8.0.1133 release
- Router with IPv6 connectivity enabled
Hello, sorry for the late reply.
To troubleshoot this issue, we need to get the app logs.
Here's what we need you to do:
- Click AdGuard icon in the menu bar --> Gear --> Advanced --> Logging level --> Debug;
- Reproduce the issue and remember the exact time it happened;
- Menu --> Advanced --> Export Logs and System Info...;
- Send the archive to [email protected] and mention this issue number in the subject.
Thanks for the reply, I just sent to the email address
Hello.
I just wanted to ask you some more information about your configuration.
Is it your provider's IPv6 network? Or maybe are you using NAT64 with DNS64 on your router?
What address does the command ping adguard.com resolve to?
What output do you see when executing the dig adguard.com A command?
@D13410N3 Yes, it's the provider's IPv6 network, which is configured behind a router that connects to the ISP with PPPoE to get both IPv4 and IPv6 connectivity. Here's the result of the above commands:
❯ ping adguard.com
PING adguard.com (104.20.91.49): 56 data bytes
64 bytes from 104.20.91.49: icmp_seq=0 ttl=56 time=12.621 ms
64 bytes from 104.20.91.49: icmp_seq=1 ttl=56 time=11.428 ms
64 bytes from 104.20.91.49: icmp_seq=2 ttl=56 time=10.210 ms
64 bytes from 104.20.91.49: icmp_seq=3 ttl=56 time=10.954 ms
64 bytes from 104.20.91.49: icmp_seq=4 ttl=56 time=9.936 ms
64 bytes from 104.20.91.49: icmp_seq=5 ttl=56 time=9.597 ms
64 bytes from 104.20.91.49: icmp_seq=6 ttl=56 time=10.974 ms
^C
--- adguard.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.597/10.817/12.621/0.949 ms
❯ dig adguard.com A
; <<>> DiG 9.10.6 <<>> adguard.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;adguard.com. IN A
;; ANSWER SECTION:
adguard.com. 283 IN A 104.20.91.49
adguard.com. 283 IN A 104.20.90.49
adguard.com. 283 IN A 172.67.3.157
;; Query time: 1 msec
;; SERVER: 2001:b011:3820:73b9:d65d:64ff:fe0b:a260#53(2001:b011:3820:73b9:d65d:64ff:fe0b:a260)
;; WHEN: Wed Apr 27 00:19:29 CST 2022
;; MSG SIZE rcvd: 88
@junzhli
Hello. We checked your logs. According to them, it turns out that everything works well: requests go through AdGuard DNS IPv6. It is also clear that you did not test on https://adguard.com/en/test.html. To find out problems with the test page, we need debug logs where you used the test page. You can also view requests in the application filtering log.
We reviewed information about your experiments with overriding router settings. To understand the reasons for this behavior, we also need debug logs.
@dakuzmin69
Hi, thanks for the reply
I just sent another pack of debugging logs exported from Adguard to the email [email protected] with the same issue number in the subject, which includes all my experiments for overriding the DNS setting at the macOS system level and respecting the router-advertised DNS one. I also detailed the timing in the log of what I did. Maybe it helps you. Thanks!
Is there any news on this issue?
AdGuard DNS protection does not work on IPv6 on any selected ISP. More precisely, DNS protection works, but only once!
If you reload the page in the Internet browser, the DNS test shows that the DNS protection is not running.
To get around this issue, I use the following algorithm:
- DNS protection - OFF.
- Installing the DNS Profile.
- AdGuard services check-page.
- DNS test
I haven't got any reply for further troubleshooting since last time I sent another pack logging with experiment workflow explained. Maybe @Chinaski1 or @dakuzmin69 can help?
@junzhli Hello! Sorry for the late reply, the problem is still not clear. The logs show that after the last change of the DNS server in the settings, you didn't check the AdGuard test page. For a better understanding of the problem, please make your experiments as follows, after disabling AdGuard protection, turning off AdGuard itself and reducing Internet activity as much as possible; also open AdGuard test pages in browsers:
- Clear the logs folder ("~/Library/Group Containers/TC3Q7MAJXF.com.adguard.mac/Library/Logs")
- Set a new DNS server in system settings
- Turn on AdGuard, wait about 10 seconds
- Set debug log level
- Enable protection, wait about 10 seconds
- Click on the "Check again" button in each of the browsers at least 5 seconds apart
- Disable protection
- Collect logs
- Turn off AdGuard
Repeat this sequence of steps for each experiment, and then send the resulting archives
@Oleg-Chashko Hello! Do I understand correctly that you use a DNS profile instead of AdGuard for Mac to filter dns traffic?
@dakuzmin69 Hello! That's right. This is a forced measure. It happens with all the users I know. In the provider of the internet "Vodafone Deutschland" and "Unitymedia Deutschland" (Dual Stack-Lite).
Please describe your network configuration and AdGuard configuration, your problem is not reproduced on our side. Do you use any potentially incompatible software?
- Vodafone Station:

- Synology Router:

- Macbook Pro:

AdGuard configuration:
AdGuard_20220520012814.adguardsettings.zip
Do you use any potentially incompatible software? A very vague question. I don't even know how to answer it. But the answer is that everyone with Dual Stack-Lite has this problem.
Here is the second way around this problem: disabling IPv6 on the Synology Router.
@dakuzmin69 If you have the time and desire. I could help you by testing on my side. You give me a beta build and I'll test it. Until a positive result is achieved.
@Oleg-Chashko Thank you for your quick and detailed reply. We appreciate you're ready for collaboration. Though, we need time to elaborate upon your problem.
Hi @dakuzmin69 Sorry for the late reply. I just sent another pack of logging with different scenarios. Hope to be helpful for this problem, thanks!
@Chinaski1 @dakuzmin69 If you disable the "Automatically filter applications" checkbox, "AdGuard DNS" starts working. The video file is attached. I think it should help you to solve this problem.
https://user-images.githubusercontent.com/62497891/170281094-36b1155e-d854-4496-be00-78a2a7570d33.mp4
@Chinaski1 @dakuzmin69 I found out that if the filtering mode changes to automatic proxy, as shown in the above reply from @Oleg-Chashko, DNS protection starts working while respecting router-advertised DNS servers
@junzhli
Hello!
Could you send the logs again as I can't find them in my mailbox?
Hi @Chinaski1,
Thanks for the reply. I sent you another email with title Issue number 595342 Exported debugging log #3 Reply to @Chinaski1 to [email protected]
Previously, I sent the email with title Issue number 595342 Exported debugging log #3 Reply to @dakuzmin69 to the same email address
@junzhli Thanks for the previous logs, they were very convenient to analyze. However, in problematic cases, the logs don't show any activity for dnscheck.adguard.com. Please send new logs using the following algorithm:
- Close all applications that may use the Internet, such as Internet browsers
- Clear the logs folder (~/Library/Group Containers/TC3Q7MAJXF.com.adguard.mac/Library/Logs)
- Set a new DNS server in system settings
- Turn on AdGuard, wait about 10 seconds
- Set debug log level
- Enable protection, wait about 10 seconds
- Run dig dnscheck.adguard.com in Terminal, send output of this command too
- Disable protection
- Collect logs
- Turn off AdGuard
In the future, I suggest using this algorithm for collecting logs by default.
@junzhli Can you please show output of scutil --dns terminal command?
@Oleg-Chashko Please explain what actions you took while recording the logs?
Seems that DNS wasn't intercepted by AdGuard :(
@Oleg-Chashko Can you please show scutil -> show State:/Network/Global/DNS?
Can you also please try with network.filtering.localnetwork Advanced settings set to true?
- scutil -> show State:/Network/Global/DNS
- Can you also please try with network.filtering.localnetwork Advanced settings set to true? Done. Test: adguard_logs_20220602014331.zip com.adguard.mac.adguard.zip Terminal Saved Output.zip
Seems that DNS wasn't intercepted by AdGuard :(
I noticed that intercepts can only be 1 and 2 times. Further intercepts do not work.

@sfionov Hi, here's the result
❯ scutil --dns
DNS configuration
resolver #1
nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
nameserver[1] : 192.168.50.1
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
nameserver[1] : 192.168.50.1
if_index : 4 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
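A check for the condition the reporter describes (one resolver entry listing both the router's private IPv4 address and an IPv6 address), as an added example that is not part of the thread or AdGuard's code: it parses `scutil --dns` output and labels each nameserver by family and scope. The sample text, function names and labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like `scutil --dns` output (documentation prefix
# and a private address, not values from the thread).
SAMPLE = """\
DNS configuration
resolver #1
  nameserver[0] : 2001:db8:1:2::1
  nameserver[1] : 192.168.50.1
resolver #2
  domain   : local
DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : fe80::1%en0
"""
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # IPv6 global unicast block

def classify(address):
    """Label a resolver address by family and scope."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop zone id (%en0)
    if ip.version == 4:
        return "ipv4-private" if ip.is_private else "ipv4-public"
    if ip.is_link_local:
        return "ipv6-link-local"
    return "ipv6-global" if ip in GLOBAL_UNICAST else "ipv6-other"

def parse_resolvers(text):
    """Return [(section, resolver_number, [nameservers])] in output order."""
    resolvers, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "global"
        elif m := re.match(r"resolver #(\d+)$", line):
            resolvers.append((section, int(m.group(1)), []))
        elif (m := re.match(r"nameserver\[\d+\]\s*:\s*(\S+)$", line)) and resolvers:
            resolvers[-1][2].append(m.group(1))
    return resolvers

def dual_stack_resolvers(text):
    """Resolvers that list both IPv4 and IPv6 nameservers, with labels."""
    out = []
    for section, number, servers in parse_resolvers(text):
        labels = [(s, classify(s)) for s in servers]
        families = {label.split("-")[0] for _, label in labels}
        if families == {"ipv4", "ipv6"}:
            out.append((section, number, labels))
    return out
```

On a Mac, the same functions can be fed the live output, for example via `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout`.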