AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

Support listening on all IPs of an interface #3635

Open Altycoder opened 3 years ago

Altycoder commented 3 years ago

Trying to install adguard home on my (fully working) pfsense mini-pc which has working ipv4 and ipv6 connectivity, tested via ipv6-test.com and test-ipv6.com. lan clients receive both ipv4 and ipv6 IP addresses and dns info and work as intended.

Installing adguard home however only results in ipv4 working, the ipv6 address of my lan port is not picked up. Screenshot of ifconfig below.

Version of AdGuard Home server: v0.106.3 and/or v0.107.0-b.11 (tried both)

How did you install AdGuard Home: installed from freebsd amd64 binary from github (both latest stable and latest beta)

Issue Details

Expected Behavior

When setting up adguard home both ipv4 and ipv6 address of lan port are picked up and both protocols are listened to on port 53. When logging in via port 3000 only ipv4 address is present and ipv6 port 53 not available to lan clients.

(pfsense dns resolver removed from port 53)

Actual Behavior

Only ipv4 address picked up and working, ipv6 address not picked up and dns not working for lan clients.

Screenshots

ifconfig showing ipv6 gua is present on lan port (igb1), last few bits of address obscured for privacy: Capture

Additional Information

I have previously had adguard home working in docker with both ipv4 and ipv6 but get a dynamic ipv6 address from my isp so would prefer it on my pfsense appliance as ipv6 ULA gets a lower priority than ipv4 for some OSes such as iOS.

ainar-g commented 3 years ago

Hello and thank you for your report. Which addresses do you use in the dns.bind_hosts section of your AdGuardHome.yaml? Also, if you could enable verbose logging, restart AGH, and post the log here or send it to us, we would appreciate that.

Altycoder commented 3 years ago

I did the initial setup via port 3000 and the wizard gave me nothing ipv6 related so it's just bound to my lan port ipv4 address of 192.168.1.1 in the yaml file.

My WAN ipv6 address is dynamic so whilst I could specify an ipv6 GUA address in the yaml file I would have to edit and restart if/when my WAN address changes?

I don't really want to use ULAs due to their low priority with iOS and I can already do this with docker (and have confirmed the low priority).

Edited log file attached, I've removed some ipv4 client related stuff for privacy / reduce length and note I bound adguard to port 53531 as 53 is currently being used by unbound/pfsense (I just did this to generate a log).

log.txt

ainar-g commented 3 years ago

Yes, it seems like currently the only way to get this working is with one or more IPv6 global unicast addresses in the config file. In the future, we should probably add an ability to put network interface names there instead of just IP addresses.

If you add one of the GUAs to the dns.bind_hosts field and restart AGH, does resolving over IPv6 start working?

Altycoder commented 3 years ago

I've not tried that, but I've just checked the config file for my working docker version and that's bound to 0.0.0.0 - I should have checked that first clearly.

I've tried this on my pfsense box and it seems to be working. iOS is using it (based on 5 min of testing) and not preferring ipv4 which is good but I'm getting some wonky ipv6-test.com scores. Using nextdns I can get 19/20 but with adguard home on my pfsense appliance bound to 0.0.0.0 I'm getting 13/20 on some devices (possibly client firewalls blocking icmp ping).

What I can't tell at the moment is that if my ipv6 prefix changes overnight for example whether this will keep working or if Adguard Home will need restarting. Any ideas how it will cope with a new ipv6 prefix when bound to 0.0.0.0 alone?

Altycoder commented 3 years ago

Also, will binding to 0.0.0.0 expose my AGH to the internet? I hope not!

ainar-g commented 3 years ago

> Any ideas how it will cope with a new ipv6 prefix when bound to 0.0.0.0 alone?

We haven't tested such configurations, so I can't say for sure. But since using null IP basically means “listen on all interfaces”, my guess would be that it should work.

> Also, will binding to 0.0.0.0 expose my AGH to the internet? I hope not!

Unfortunately, it probably will, if your machine is connected to the Internet and has an external IP address. A workaround would be to just block network traffic from unnecessary interfaces using pf or similar filtering facilities of your OS, but that isn't ideal either.

Altycoder commented 3 years ago

> Unfortunately, it probably will, if your machine is connected to the Internet and has an external IP address. A workaround would be to just block network traffic from unnecessary interfaces using pf or similar filtering facilities of your OS, but that isn't ideal either.

OK, pfsense blocks all incoming ports by default but I think I'll also put in a manual external port 53 block as well (and also block the port that the UI is listening on).

adworacz commented 3 years ago

I just worked around this issue by using 0.0.0.0 myself. It is overly broad now, as it listens on every interface, including my WAN interface.

That said, the risk is low/practically null, as my router blocks incoming connections by default, so there's no way for AdGuardHome to receive external DNS traffic.

That said, I would like to be able to properly bind to JUST my local LAN (so 192.168.1.1 and the proper IPv6 equivalent). I'm happy to test any future features as well, as I'm already on the Beta channels.
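
The alternative to `0.0.0.0` discussed above, listing one interface's own addresses in `dns.bind_hosts`, can be worked through as an added example (not AdGuard Home code and not written by anyone in this thread). It filters an interface's addresses down to the ones that can be used as literal bind addresses and flags those that are globally routable; the names `Host` and `BindHosts` are hypothetical and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Host is one candidate dns.bind_hosts entry (hypothetical type).
type Host struct {
	Addr   string
	Public bool // globally routable, so WAN-side filtering still matters
}

// BindHosts takes interface addresses in CIDR form and returns the ones usable
// as literal bind addresses. Loopback, multicast and link-local addresses are
// skipped; link-local ones are only meaningful together with an interface zone.
func BindHosts(cidrs []string) ([]Host, error) {
	var out []Host
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("parsing %q: %w", c, err)
		}
		a := p.Addr().Unmap()
		if a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsMulticast() || a.IsUnspecified() {
			continue
		}
		// IsGlobalUnicast is also true for RFC 1918 and ULA space, so exclude those.
		out = append(out, Host{Addr: a.String(), Public: a.IsGlobalUnicast() && !a.IsPrivate()})
	}
	return out, nil
}

func main() {
	// Constructed sample in the form Go's net.Interface.Addrs reports:
	// LAN IPv4, link-local, a GUA (documentation prefix) and a ULA.
	cidrs := []string{"192.168.1.1/24", "fe80::1/64", "2001:db8:1234:1::1/64", "fd00:1::1/64"}
	hosts, err := BindHosts(cidrs)
	if err != nil {
		panic(err)
	}
	fmt.Println("dns:\n  bind_hosts:")
	for _, h := range hosts {
		fmt.Printf("    - %s  # public=%v\n", h.Addr, h.Public)
	}
}
```

An entry marked `public=true` is reachable from outside unless the firewall drops inbound traffic to it, and a GUA taken from a dynamic prefix has to be regenerated when the prefix changes.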

claudiobgit commented 2 years ago

I confirm the same issue on v0.107.2 on Ubuntu snap, where it's not possible to bind 0.0.0.0 (if one would ever want so). Considering that most ISPs' devices supply their own unchangeable DNS resolvers via DHCP, the lack of this feature makes it impossible for AdGuard-Home users to bypass supplied servers on ipv6 and the only available chance is to disable ipv6 at all on the interface to avoid leaking.