Upstream / Bootstrap not working!

[AlexanderZuehr]

Version of AdGuard Home server: AdGuard Home, version v0.106.1 How did you install AdGuard Home: Github Releases If it's a router or IoT, please write device model: Raspberry Pi 4 4GB CPU architecture: Arm Operating system and version: Raspberry Pi OS Lite and Ubuntu server for RaspberryPi

Expected Behavior Using https://dns-unfiltered.adguard.com/dns-query as an Upstream-DNS-Server

Actual Behavior Using https://94.140.14.141/dns-query Upstream-DNS-Server

This Problem has happend on the last version too. I didnt know the problem and reinstalled the last version several times because the error was coming after i ssh into the raspberrypi or restarted it. I decided to leave my raspberrypi alone and not ssh into it and everything worked quite well until i decided to update with the webinterface and the error occured again. Thank god i've found a post at you forum and someone said to use the ip instead and it works again.

Edit: I downloaded dnslookup and it seems that the bootstrap servers are maybe not working because i get a nxdomain error.

Edit 2: First Log is with Bootstrap servers tls:// Second Log is without.

[AlexanderZuehr]

2021/05/04 22:05:19 28843#1656 [info] Creating a TLS server socket
2021/05/04 22:05:19 28843#1656 [info] Listening to tls://[::]:853
2021/05/04 22:05:19 28843#1656 [info] Creating a QUIC listener
2021/05/04 22:05:19 28843#1656 [info] Listening to quic://[::]:784
2021/05/04 22:05:19 28843#1669 [info] Entering the tcp listener loop on [::]:53
2021/05/04 22:05:19 28843#1670 [info] Entering the tls listener loop on [::]:853
2021/05/04 22:05:19 28843#1671 [info] Entering the DNS-over-QUIC listener loop on [::]:784
2021/05/04 22:05:19 28843#1668 [info] Entering the UDP listener loop on [::]:53
2021/05/04 22:05:20 28843#1656 [debug] POST /control/test_upstream_dns
2021/05/04 22:05:20 28843#1656 [debug] checking if dns server "https://dns-unfiltered.adguard.com/dns-query" works...
2021/05/04 22:05:20 28843#1700 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): Dialing to 94.140.14.140:853
2021/05/04 22:05:20 28843#1658 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): Dialing to 9.9.9.10:853
2021/05/04 22:05:20 28843#1699 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): Dialing to 94.140.14.140:853
2021/05/04 22:05:20 28843#1657 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): Dialing to 9.9.9.10:853
2021/05/04 22:05:20 28843#1700 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): dialer has successfully initialized connection to 94.140.14.140:853 in 0 milliseconds
2021/05/04 22:05:20 28843#1699 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): dialer has successfully initialized connection to 94.140.14.140:853 in 0 milliseconds
2021/05/04 22:05:20 28843#1658 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): dialer has successfully initialized connection to 9.9.9.10:853 in 1 milliseconds
2021/05/04 22:05:20 28843#1657 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): dialer has successfully initialized connection to 9.9.9.10:853 in 4 milliseconds
2021/05/04 22:05:20 28843#1676 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleTCPConnection(): Start handling the new tls connection 192.168.1.1:35018
2021/05/04 22:05:20 28843#1673 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleTCPConnection(): Start handling the new tls connection 192.168.1.1:31963
2021/05/04 22:05:20 28843#1674 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleTCPConnection(): Start handling the new tls connection 192.168.1.1:58027
2021/05/04 22:05:20 28843#1675 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleTCPConnection(): Start handling the new tls connection 192.168.1.1:65434
2021/05/04 22:05:20 28843#1697 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 42 milliseconds using tls://9.9.9.10: Failed to get a connection from TLSPool to tls://9.9.9.10:853, cause: Failed to connect to 9.9.9.10, cause: x509: cannot validate certificate for 9.9.9.10 because it doesn't contain any IP SANs
2021/05/04 22:05:20 28843#1698 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 46 milliseconds using tls://94.140.14.140: Failed to get a connection from TLSPool to tls://94.140.14.140:853, cause: Failed to connect to 94.140.14.140, cause: x509: cannot validate certificate for 94.140.14.140 because it doesn't contain any IP SANs
2021/05/04 22:05:20 28843#1656 [info] upstream "https://dns-unfiltered.adguard.com/dns-query" fails to exchange: couldn't communicate with upstream: couldn't initialize HTTP client or transport, cause: couldn't initialize HTTP transport, cause: couldn't bootstrap https://dns-unfiltered.adguard.com:443/dns-query, cause: failed to lookup dns-unfiltered.adguard.com, cause: all resolvers failed to lookup, cause: Failed to get >

[AlexanderZuehr]

2021/05/05 00:21:36 1695#1760 [debug] etchostscontainer: answer: dns-unfiltered.adguard.com -> []
2021/05/05 00:21:36 1695#1765 [debug] 94.140.14.140:53: response: ok
2021/05/05 00:21:36 1695#1757 [debug] 9.9.9.10:53: response: ok
2021/05/05 00:21:36 1695#1760 [debug] SafeBrowsing: found in cache: dns-unfiltered.adguard.com: not blocked
2021/05/05 00:21:36 1695#1741 [debug] etchostscontainer: answer: dns-unfiltered.adguard.com -> []
2021/05/05 00:21:36 1695#1760 [debug] github.com/AdguardTeam/AdGuardHome/internal/dnsfilter.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for dns-unfiltered.adguard.com; Elapsed time: 0ms
2021/05/05 00:21:36 1695#1741 [debug] SafeBrowsing: found in cache: dns-unfiltered.adguard.com: not blocked
2021/05/05 00:21:36 1695#1741 [debug] github.com/AdguardTeam/AdGuardHome/internal/dnsfilter.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for dns-unfiltered.adguard.com; Elapsed time: 0ms
2021/05/05 00:21:46 1695#1738 [debug] 9.9.9.10:53: response: read udp 192.168.1.112:37202->9.9.9.10:53: i/o timeout
2021/05/05 00:21:46 1695#1752 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 10001 milliseconds using 9.9.9.10: read udp 192.168.1.112:37202->9.9.9.10:53: i/o timeout
2021/05/05 00:21:46 1695#1754 [debug] 94.140.14.140:53: response: read udp 192.168.1.112:38171->94.140.14.140:53: i/o timeout
2021/05/05 00:21:46 1695#1753 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 10002 milliseconds using 94.140.14.140: read udp 192.168.1.112:38171->94.140.14.140:53: i/o timeout
2021/05/05 00:21:46 1695#1632 [info] upstream "https://dns-unfiltered.adguard.com/dns-query" fails to exchange: couldn't communicate with upstream: couldn't initialize HTTP client or transport, cause: couldn't initialize HTTP transport, cause: couldn't bootstrap https://dns-unfiltered.adguard.com:443/dns-query, cause: failed to lookup dns-unfiltered.adguard.com, cause: synthetic.wrap: all resolvers failed to lookup, cause:>
2021/05/05 00:21:46 1695#1764 [debug] 94.140.14.140:53: response: read udp 192.168.1.112:56059->94.140.14.140:53: i/o timeout
2021/05/05 00:21:46 1695#1763 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 10001 milliseconds using 94.140.14.140: read udp 192.168.1.112:56059->94.140.14.140:53: i/o timeout
2021/05/05 00:21:46 1695#1756 [debug] 9.9.9.10:53: response: read udp 192.168.1.112:43314->9.9.9.10:53: i/o timeout
2021/05/05 00:21:46 1695#1762 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): failed to lookup for dns-unfiltered.adguard.com in 10002 milliseconds using 9.9.9.10: read udp 192.168.1.112:43314->9.9.9.10:53: i/o timeout
2021/05/05 00:21:46 1695#1695 [debug] github.com/AdguardTeam/dnsproxy/upstream.exchange(): upstream https://dns-unfiltered.adguard.com:443/dns-query failed to exchange ;dns-unfiltered.adguard.com.    IN       A in 10002 milliseconds. Cause: couldn't initialize HTTP client or transport, cause: couldn't initialize HTTP transport, cause: couldn't bootstrap https://dns-unfiltered.adguard.com:443/dns-query, cause: failed to loo>
2021/05/05 00:21:46 1695#1779 [debug] 9.9.9.10:53: sending request AAAA dns-unfiltered.adguard.com.
2021/05/05 00:21:46 1695#1795 [debug] 94.140.14.140:53: sending request A dns-unfiltered.adguard.com.
2021/05/05 00:21:46 1695#1796 [debug] 94.140.14.140:53: sending request AAAA dns-unfiltered.adguard.com.
2021/05/05 00:21:46 1695#1695 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(): RTT: 10003 ms
2021/05/05 00:21:46 1695#1727 [debug] github.com/AdguardTeam/dnsproxy/upstream.exchange(): upstream https://dns-unfiltered.adguard.com:443/dns-query failed to exchange ;dns-unfiltered.adguard.com.    IN       A in 10002 milliseconds. Cause: couldn't initialize HTTP client or transport, cause: timeout exceeded: 10002 ms
2021/05/05 00:21:46 1695#1778 [debug] 9.9.9.10:53: sending request A dns-unfiltered.adguard.com.
2021/05/05 00:21:46 1695#1695 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 38933
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dns-unfiltered.adguard.com.    IN       A

2021/05/05 00:21:46 1695#1727 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(): RTT: 10003 ms
2021/05/05 00:21:46 1695#1770 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.1:26287
2021/05/05 00:21:46 1695#1727 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 299
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

2021/05/05 00:21:46 1695#1695 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): error handling DNS (udp) request: talking to dnsUpstream failed, cause: couldn't initialize HTTP client or transport, cause: couldn't initialize HTTP transport, cause: couldn't bootstrap https://dns-unfiltered.adguard.com:443/dns-query, cause: failed to lookup dns-unfiltered.adguard.com, cause: synthetic.wrap: all resolv>
2021/05/05 00:21:46 1695#1769 [debug] using settings for client pfsense-router with ip 192.168.1.1 and id ""
2021/05/05 00:21:46 1695#1742 [debug] etchostscontainer: answer: dns-unfiltered.adguard.com -> []
2021/05/05 00:21:46 1695#1769 [debug] etchostscontainer: answer: dns-unfiltered.adguard.com -> []
2021/05/05 00:21:46 1695#1796 [debug] 94.140.14.140:53: response: ok
2021/05/05 00:21:46 1695#1768 [debug] IPv6 is disabled. Reply with NoError to dns-unfiltered.adguard.com. AAAA request
2021/05/05 00:21:46 1695#1742 [debug] SafeBrowsing: found in cache: dns-unfiltered.adguard.com: not blocked
2021/05/05 00:21:46 1695#1769 [debug] SafeBrowsing: found in cache: dns-unfiltered.adguard.com: not blocked
2021/05/05 00:21:46 1695#1768 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 46514
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

[ameshkov]

Failed to connect to 9.9.9.10, cause: x509: cannot validate certificate for 9.9.9.10 because it doesn't contain any IP SANs

Why are you using tls://9.9.9.10? You should use either simply 9.9.9.10 or tcp://9.9.9.10

[AlexanderZuehr]

I used it to try out if it maybe works. I do use 9.9.9.10 but it makes no difference.

[ainar-g]

Are you sure that there are no firewalls or something like that in your system?

[AlexanderZuehr]

I am running Pfsense as my firewall, but in my opinion this shouldn't be the problem, because If i reinstall Adguard Home everything works again. Only after updating Adguard Home or restarting my Raspberry Pi it seems to break. Where can i find the files to check if the upstream/ bootstrap resolving work? Maybe in my files something is missing or corrupted. What should I pay attention to.

[ainar-g]

Firewalls can sometimes block outbound UDP requests or block them based on ports. You should probably recheck your pfSense configuration and also make sure that normal DNS requests, like:

nslookup -debug 'adguard.com' '9.9.9.10'

Are still working.

You can also try setting other bootstrap addresses, like the 8.8.8.8 and 8.8.4.4 pair.

[AlexanderZuehr]

ubuntu@dns-server:~$ nslookup -debug 'adguard.com' '9.9.9.10'
Server:         9.9.9.10
Address:        9.9.9.10#53

------------
    QUESTIONS:
        adguard.com, type = A, class = IN
    ANSWERS:
    ->  adguard.com
        internet address = 172.67.3.157
        ttl = 105
    ->  adguard.com
        internet address = 104.20.90.49
        ttl = 105
    ->  adguard.com
        internet address = 104.20.91.49
        ttl = 105
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   adguard.com
Address: 172.67.3.157
Name:   adguard.com
Address: 104.20.90.49
Name:   adguard.com
Address: 104.20.91.49
------------
    QUESTIONS:
        adguard.com, type = AAAA, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  adguard.com
        origin = fake-for-negative-caching.adguard.com
        mail addr = hostmaster.adguard.com
        serial = 100500
        refresh = 1800
        retry = 60
        expire = 604800
        minimum = 86400
        ttl = 10
    ADDITIONAL RECORDS:
------------

---

Other Bootstrap servers have the same problem. I tried it with 8.8.8.8 or 1.1.1.1

[AlexanderZuehr]

ubuntu@dns-server:~$ nslookup -debug 'https://dns-unfiltered.adguard.com/dns-query' '9.9.9.10' Server: 9.9.9.10 Address: 9.9.9.10#53

---

QUESTIONS:
    https://dns-unfiltered.adguard.com/dns-query, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
->  com
    rdata_47 = comcast. NS DS RRSIG NSEC
    ttl = 347
->  .
    rdata_47 = aaa. NS SOA RRSIG NSEC DNSKEY
    ttl = 347
->  .
    origin = a.root-servers.net
    mail addr = nstld.verisign-grs.com
    serial = 2021050500
    refresh = 1800
    retry = 900
    expire = 604800
    minimum = 86400
    ttl = 347
ADDITIONAL RECORDS:

---

** server can't find https://dns-unfiltered.adguard.com/dns-query: NXDOMAIN

ubuntu@dns-server:~$

[ainar-g]

Your second query fails because nslookup accepts domain names and IPs, not URLs. Please consult with man nslookup for that.

Are you sure that you are not getting IPv6 for adguard.com from all of upstreams? Are you sure that your machine doesn't have outbound IPv6 traffic blocked?

[AlexanderZuehr]

IPv6 was deactivated at Adguard Home and was also block at my firewall. Allowing it at Adguard and unnlocking it at my firewall made no difference.

[AlexanderZuehr]

bind_host: 0.0.0.0 bind_port: 80 beta_bind_port: 0 users:

• name: cutted by me password: cutted by me auth_attempts: 5 block_auth_min: 15 http_proxy: "" language: "" rlimit_nofile: 0 debug_pprof: false web_session_ttl: 720 dns: bind_hosts:
  • 0.0.0.0 port: 53 statistics_interval: 1 querylog_enabled: true querylog_file_enabled: true querylog_interval: 1 querylog_size_memory: 1000 anonymize_client_ip: false protection_enabled: true blocking_mode: default blocking_ipv4: "" blocking_ipv6: "" blocked_response_ttl: 10 parental_block_host: family-block.dns.adguard.com safebrowsing_block_host: standard-block.dns.adguard.com ratelimit: 20 ratelimit_whitelist: [] refuse_any: true upstream_dns:
  • https://94.140.14.14/dns-query
  • https://149.112.112.112/dns-query upstream_dns_file: "" bootstrap_dns:
  • 9.9.9.10
  • 94.140.14.140 all_servers: true fastest_addr: false allowed_clients: [] disallowed_clients: [] blocked_hosts:
  • version.bind
  • id.server
  • hostname.bind cache_size: 4194304 cache_ttl_min: 0 cache_ttl_max: 0 bogus_nxdomain: [] aaaa_disabled: true enable_dnssec: true edns_client_subnet: false max_goroutines: 300 ipset: [] filtering_enabled: true filters_update_interval: 24 parental_enabled: false safesearch_enabled: false safebrowsing_enabled: true safebrowsing_cache_size: 1048576 safesearch_cache_size: 1048576 parental_cache_size: 1048576 cache_time: 30 rewrites: these are there for my reverse proxy
  • domain: cutted by me answer: 192.168.1.1
  • domain: cutted by me answer: 192.168.1.1
  • domain: cutted by me answer: 192.168.1.1
  • domain: cutted by me answer: 192.168.1.1
  • domain: cutted by me answer: 192.168.1.1
  • domain: cutted by me answer: 192.168.178.1
  • domain: cutted by me answer: 192.168.1.112 blocked_services:
• dailymotion
  • hulu
  • mail_ru
  • tiktok
  • vk
  • whatsapp
  • tinder
  • viber
  • wechat
  • facebook
  • instagram
  • ok
  • qq
  • snapchat
  • vimeo
  • weibo local_domain_name: lan resolve_clients: true local_ptr_upstreams: [] tls: enabled: true server_name: cutted by me force_https: true port_https: 443 port_dns_over_tls: 853 port_dns_over_quic: 784 port_dnscrypt: 0 dnscrypt_config_file: "" allow_unencrypted_doh: false strict_sni_check: false certificate_chain: "" private_key: "" certificate_path: /etc/letsencrypt/live/ cutted by me /fullchain.pem private_key_path: /etc/letsencrypt/live/ cutted by me /privkey.pem filters:
• enabled: true url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt name: AdGuard DNS filter id: 1
• enabled: true url: https://adaway.org/hosts.txt name: AdAway Default Blocklist id: 2
• enabled: true url: https://someonewhocares.org/hosts/zero/hosts name: Dan Pollock's List id: 1619434412
• enabled: true url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt name: Perflyst and Dandelion Sprout's Smart-TV Blocklist id: 1619434413
• enabled: true url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt name: Game Console Adblock List id: 1619434414
• enabled: true url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext name: Peter Lowe's List id: 1619434415
• enabled: true url: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt name: WindowsSpyBlocker - Hosts spy rules id: 1619434416
• enabled: true url: https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt name: NoCoin Filter List id: 1619434417
• enabled: true url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt name: Scam Blocklist by DurableNapkin id: 1619434418
• enabled: true url: https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt name: Spam404 id: 1619434419
• enabled: true url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts name: The Big List of Hacked Malware Web Sites id: 1619434420
• enabled: true url: https://curben.gitlab.io/malware-filter/urlhaus-filter-agh-online.txt name: Online Malicious URL Blocklist id: 1619434421 whitelist_filters: [] user_rules:
• '||track.tvping.com^$important'
• '||session-cl.tvping.com^$important'
• '||hbbtv.redbutton.de^$important'
• '||backend.redbutton.de^$important'
• '||app.tvnow.rtl-hbbtv.de^$important'
• '||vox-digitaltext.rtl-hbbtv.de^$important'
• '||rtl-digitaltext.rtl-hbbtv.de^$important'
• '||browser.sentry-cdn.com^$important'
• '||logservice.hicloud.com^$important'
• '||logservice1.hicloud.com^$important'
• '||logbak.hicloud.com^$important'
• '||analytics.oneplus.cn^$important'
• '||analytics-api.samsunghealthcn.com^$important'
• '||extmaps-api.yandex.net^$important'
• '||widgets.pinterest.com^$important'
• '||supportmetrics.apple.com^$important'
• '||metrics.icloud.com^$important'
• '||metrics.mzstatic.com^$important' dhcp: enabled: false interface_name: "" dhcpv4: gateway_ip: "" subnet_mask: "" range_start: "" range_end: "" lease_duration: 86400 icmp_timeout_msec: 1000 options: [] dhcpv6: range_start: "" lease_duration: 86400 ra_slaac_only: false ra_allow_slaac: false clients: ** cutted by me ***

log_compress: false log_localtime: false log_max_backups: 0 log_max_size: 100 log_max_age: 3 log_file: /home/ubuntu/log.txt verbose: true schema_version: 10

[AlexanderZuehr]

I copied my AdguardHome.yaml maybe this helps.

[AlexanderZuehr]

Thanks, it is working now. I do have a dns catch/rewrite at my network. I needed to change it to work with Adguard Home.

This issue can be closed.

I am sorry for bothering you all.