AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Customizable bootstrap servers in mobileconfig API #3607

Open hezhijie0327 opened 3 years ago

hezhijie0327 commented 3 years ago

Have a question or an idea? Please search it on our forum to make sure it was not yet asked. If you cannot find what you had in mind, please submit it here.

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

Issue Details

Expected Behavior

The latest *.mobileconfig is not working on iOS & macOS. After I installed this profile, I cannot reach any website. `<key>ServerAddresses</key>` may not mean Bootstrap DNS servers. It works with Code A but not with Code B.

```xml
<!-- Code A -->
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerAddresses</key>
<array>
    <string>8.8.4.4</string>
    <string>8.8.8.8</string>
</array>
<key>ServerURL</key>
<string>https://dns.google/dns-query</string>

<!-- Code B -->
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerAddresses</key>
<array>
    <string>8.8.4.4</string>
    <string>8.8.8.8</string>
</array>
<key>ServerURL</key>
<string>https://my.dns.server/dns-query</string>
```

Actual Behavior

Screenshots

Screenshot:

Additional Information

ainar-g commented 3 years ago

Hello. The docs say that those addresses are used to “determine the server addresses”. But that presents a problem: if the bootstraps do not resolve my.dns.server, the profile might not apply correctly.

@ameshkov, how should we support such private domain names in the mobileconfig API? Perhaps another input for custom bootstrap servers?

ameshkov commented 3 years ago

Yeah, this indeed looks like we need a configuration profile generator that would allow customizing these fields. Let's do it in v0.108 though.

ainar-g commented 3 years ago

@ameshkov, it seems like there are at least two people whose setups are broken now. Should we perhaps consider reverting the feature and reimplementing it with more customisability in v0.108.0?

emlimap commented 3 years ago

@ainar-g My understanding from their documentation, based on the help text under the ServerName and ServerURL fields, is that iOS will try to resolve the provided hostname for DoT or DoH only if the ServerAddresses field is empty. So if it is provided, iOS will try and use that as the resolved address for the hostname, bypassing the DNS lookup. Essentially, it hardcodes the IP addresses for the server in the profile.

This would explain why the original author couldn't get it working with their AGH instance when the server address is set to Google's.

I couldn't find many real-world uses that are public. NextDNS has a profile generator where they don't set server addresses unless you enable Bootstrap IPs under advanced settings. They set the list to their anycast IPs, so not the best example.

ainar-g commented 3 years ago

@emlimap, the original issue is #3568. From my initial understanding, apparently shared by @enxoco, those addresses are the ones that are used to resolve the hostnames in ServerName and ServerURL. Apple's documentation there is lacking, unfortunately, because it tells you what happens when ServerAddresses aren't set, but not what they're actually used for. So your assumption about them being the addresses of the DNS server itself might be correct, although that doesn't quite explain why the current setup seems to work in our tests.

enxoco commented 3 years ago

In order to get my config working on iOS I simply added the public IP address for my AdGuard server as the "Bootstrap server". Admittedly I don't have a real world iOS device to test on at the moment so the only thing I can test against is a simulator device on my Mac. This is what I have in my mobileconfig.

```xml
<key>ServerAddresses</key>
<array>
    <string>123.23.23.23</string>
</array>
<key>ServerName</key>
<string>dns.myserver.com</string>
<key>ServerURL</key>
<string>https://dns.myserver.com/dns-query/mike-iphone</string>
```

Where 123.23.23.23 is the publicly resolvable IP address of my AdGuard server and dns.myserver.com is the domain name associated with said AdGuard server.

enxoco commented 3 years ago

Also this feature isn't a must have for me. In my use case I can simply just edit the mobileconfig file myself.

emlimap commented 3 years ago

@ainar-g Agreed. Their documentation leaves a lot for the user to figure out by themselves. It would have been nice if they had told us what would happen in various case scenarios.

When connected to wifi I could see iOS trying to resolve the DoH hostname using the DNS servers provided by DHCP as the profile doesn't have any server addresses set. So I presumed it resorted to using the DNS servers it got from wifi/mobile internet.

This is also how Firefox works when you enable DoH. Up until a few versions ago they let you set a bootstrap address, which is more like a server address, as it connects to the provided IP with the provided hostname. They removed the bootstrap address variable in about:config, so now it uses the system's DNS resolver to resolve the hostname.

It is interesting that it works for you in your tests. Let me test a few things and get back to you.

@enxoco It is interesting that it doesn't work for you without setting a server address. I just added a profile without one, and it works for me on iOS 14.8.

Do you use VPN on your phone by any chance? iOS prioritizes the DNS servers provided by VPN over DoH/DoT when you are connected to VPN.

enxoco commented 3 years ago

@emlimap Not using any VPN. Like I said, I don't actually have access to a physical iOS device, so my test is purely based on using the simulator. That being said, my issue could just be with how simulated devices behave. I just assumed that it would apply to a physical iOS device as well, but I have experienced other features (outside of AdGuard) that don't work in a simulator but work perfectly fine on a physical device.

ainar-g commented 3 years ago

We'll release an edge build where ServerAddresses are set to the server's actual DNS IPs later today, then, considering that manually setting those addresses seems to work for most people.

leo15dev commented 3 years ago

@emlimap I have set up AdGuard Home in my local network and used another DoH on my iPhone via an installed mobileconfig file. Your observation is correct. If you do not provide the bootstrap DNS in the mobileconfig file, iOS will use your system network's default DNS to resolve your DoH / DoT hostname. If you include the bootstrap DNS in the mobileconfig file, then it will use the bootstrap DNS to resolve your DoH / DoT hostname first. So in most cases you do not need to add the bootstrap DNS to the mobileconfig file and it will work well, unless you do not want your network provider to know which DoH / DoT you use. And only in some countries, like China, users may have DNS hijacking problems from their DNS provider, which follows government rules, so they may have problems if they do not add the bootstrap DNS to the mobileconfig file. So there is no need to force everyone to add the bootstrap DNS to the mobileconfig file; it is better to make this an option.

ainar-g commented 3 years ago

@enxoco, @hezhijie0327, the commit that adds AGH's addresses is in the edge channel now. Could you please test it?

There could still be issues, depending on how Apple devices go through the IPs. If this latest change doesn't make the situation better, we'll probably roll back the feature and instead include the custom field in v0.108.

leo15dev commented 3 years ago

@ainar-g I found the problem when you added the DNS server IP addresses to the mobileconfig file. In my case, I installed AdGuard Home via Docker, gave it its own network (e.g. 172.20.0.1) and set a fixed address (e.g. 172.20.0.10). AdGuard Home is bound to the DNS host at 172.20.0.10 and runs behind an nginx reverse proxy. When you use the mobileconfig API to generate the mobileconfig file, ServerAddresses will show 172.20.0.10. That is not the real server IP address for my server. When you install this mobileconfig file, iOS cannot resolve your server name via this address (172.20.0.10), and it will not use the system network's default DNS to resolve your server name when you have already added ServerAddresses to the mobileconfig file. So the DoH or DoT provided by this mobileconfig file cannot be used.
So why not make the ServerAddresses part like the Client ID part, and let users decide whether to add it themselves? And when the user decides to add ServerAddresses to the mobileconfig file, it should have multi-line input. Thank you.
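The two behaviours described in this thread, that iOS uses ServerAddresses as the server's own IPs and never falls back to the system resolver once they are set, and that a generator which blindly copies the bind address can therefore emit an unreachable Docker-internal address like 172.20.0.10, can be guarded against when the profile is generated. The Go code below is an added example written for this thread, not AdGuard Home's own mobileconfig handler: the DNSProfile type, CheckServerAddresses and DNSSettingsXML are hypothetical names, and dns.example.com / 203.0.113.10 are constructed documentation placeholders. It makes ServerAddresses optional (omitted from the output when empty, as requested above) and refuses to embed loopback, link-local or, unless explicitly allowed for a LAN-only profile, private addresses.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/netip"
	"strings"
)

// DNSProfile holds the DNSSettings fields discussed in this thread.
// ServerAddresses is optional: when empty, the device resolves the host in
// ServerName/ServerURL with its system resolver; when set, the device
// connects to those addresses directly and does not fall back.
type DNSProfile struct {
	Protocol        string   // "HTTPS" (DoH) or "TLS" (DoT)
	ServerName      string   // required for TLS
	ServerURL       string   // required for HTTPS
	ServerAddresses []string // optional server IPs; hypothetical field set
}

// ErrUnreachableBootstrap flags an address that a client on another network
// could never reach, such as a Docker bridge address like 172.20.0.10.
var ErrUnreachableBootstrap = errors.New("server address is not reachable from outside the host")

// CheckServerAddresses always rejects loopback, link-local and unspecified
// addresses, and rejects private (RFC 1918 / ULA) addresses unless
// allowPrivate is set, which only makes sense for a profile used solely
// inside the LAN where AdGuard Home runs.
func CheckServerAddresses(addrs []string, allowPrivate bool) error {
	for _, a := range addrs {
		ip, err := netip.ParseAddr(strings.TrimSpace(a))
		if err != nil {
			return fmt.Errorf("%q: %w", a, err)
		}
		switch {
		case ip.IsLoopback(), ip.IsLinkLocalUnicast(), ip.IsUnspecified():
			return fmt.Errorf("%q: %w", a, ErrUnreachableBootstrap)
		case ip.IsPrivate() && !allowPrivate:
			return fmt.Errorf("%q: %w", a, ErrUnreachableBootstrap)
		}
	}
	return nil
}

// DNSSettingsXML renders the <dict> for the DNSSettings key. The
// ServerAddresses array is written only when addresses were supplied.
func (p DNSProfile) DNSSettingsXML(allowPrivate bool) (string, error) {
	switch p.Protocol {
	case "HTTPS":
		if p.ServerURL == "" {
			return "", errors.New("ServerURL is required for DNSProtocol HTTPS")
		}
	case "TLS":
		if p.ServerName == "" {
			return "", errors.New("ServerName is required for DNSProtocol TLS")
		}
	default:
		return "", fmt.Errorf("unsupported DNSProtocol %q", p.Protocol)
	}
	if err := CheckServerAddresses(p.ServerAddresses, allowPrivate); err != nil {
		return "", err
	}

	var b strings.Builder
	b.WriteString("<key>DNSSettings</key>\n<dict>\n")
	fmt.Fprintf(&b, "\t<key>DNSProtocol</key>\n\t<string>%s</string>\n", html.EscapeString(p.Protocol))
	if len(p.ServerAddresses) > 0 {
		b.WriteString("\t<key>ServerAddresses</key>\n\t<array>\n")
		for _, a := range p.ServerAddresses {
			fmt.Fprintf(&b, "\t\t<string>%s</string>\n", html.EscapeString(strings.TrimSpace(a)))
		}
		b.WriteString("\t</array>\n")
	}
	if p.ServerName != "" {
		fmt.Fprintf(&b, "\t<key>ServerName</key>\n\t<string>%s</string>\n", html.EscapeString(p.ServerName))
	}
	if p.ServerURL != "" {
		fmt.Fprintf(&b, "\t<key>ServerURL</key>\n\t<string>%s</string>\n", html.EscapeString(p.ServerURL))
	}
	b.WriteString("</dict>\n")
	return b.String(), nil
}

func main() {
	// Constructed sample values: dns.example.com and 203.0.113.10 are
	// documentation placeholders; 172.20.0.10 is the Docker address from the thread.
	good := DNSProfile{Protocol: "HTTPS", ServerURL: "https://dns.example.com/dns-query", ServerAddresses: []string{"203.0.113.10"}}
	bad := DNSProfile{Protocol: "HTTPS", ServerURL: "https://dns.example.com/dns-query", ServerAddresses: []string{"172.20.0.10"}}
	if out, err := good.DNSSettingsXML(false); err == nil {
		fmt.Print(out)
	}
	if _, err := bad.DNSSettingsXML(false); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check is deliberately a policy switch rather than a hard rule: a profile meant only for phones on the same LAN as AdGuard Home may legitimately carry an RFC 1918 address, while a profile handed to a device that roams onto mobile data must only carry addresses reachable from the public Internet, and the generator cannot tell which one the user wants without being asked.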

ainar-g commented 3 years ago

@leo15dev, thanks for the feedback! I think it's wiser to just roll back the addition of this field and implement it properly, with a custom input, in the next cycle. Especially since @enxoco said that the original issue wasn't a big one.

quyleanh commented 1 year ago

Even when I use my public IP address for the ServerAddresses field, the mobileconfig file doesn't work on macOS (12.6). It only works on iOS devices. Don't know why...