Open accountForIssues opened 2 years ago
If your AGH is served on dns.domain.tld…. Then shouldn’t your test client be tls://testclient.dns.domain.tld
@gspannu I got your reply as I was typing mine.
Looks like AGH expects clients to follow clientid.dns.domain.tld
format.
It's not surprising but maybe other formats can be added/supported ? It would be nice if AGH used subdomains to get the client id. Maybe I'm the one who's different :)
Also, Caddy doesn't work with SAN certificates so I had to manually generate certificates (using lego) so that dns.domain.tld
and *.dns.domain.tld
share the same one.
My issue is solved. The issue can be kept opened if additional client id formats can be added, otherwise you can close this issue.
@accountForIssues, what do you mean by “additional ClientID formats”? Can you give an example of what that would look like?
It's not surprising but maybe other formats can be added/supported ?
If you use DNS-over-HTTPS, the ClientID is put inside the path part of the URL.
@gspannu I got your reply as I was typing mine.
Looks like AGH expects clients to follow
clientid.dns.domain.tld
format.It's not surprising but maybe other formats can be added/supported ? It would be nice if AGH used subdomains to get the client id. Maybe I'm the one who's different :)
If my AGH was hosted at abc.xyz.domain.tld
- I would expect DNS resolutions to happen ONLY on the specified domain
For DoT requests:
DNS should resolve on abc.xyz.domain.tld and *.abc.xyz.domain.tld
examples:
tls://abc.xyz.domain.tld
tls://client01.abc.xyz.domain.tld
tls://client02.abc.xyz.domain.tld
tls://client0x.abc.xyz.domain.tld
For DoH requests
DNS should resolve on abc.xyz.domain.tld/dns-query and abc.xyz.domain.tld/dns-query/*
examples:
https://abc.xyz.domain.tld/dns-query
https://abc.xyz.domain.tld/dns-query/client01
https://abc.xyz.domain.tld/dns-query/client02
https://abc.xyz.domain.tld/dns-query/client0x
I would not expect AGH to resolve anything on *.xyz.domain.tld
or on *.domain.tld
and I believe that is what AGH does today.
For DoT requests:
DNS should NOT resolve on xyz.domain.tld or domain.tld
Below examples should fail
tls://xyz.domain.tld
tls://client01.xyz.domain.tld
tls://client02.domain.tld
For DoH requests
DNS should NOT resolve on xyz.domain.tld/dns-query or domain.tld/dns-query/*
Below examples should fail:
https://xyz.domain.tld/dns-query
https://xyz.domain.tld/dns-query/client01
https://domain.tld/dns-query/client02
@ainar-g
Consider this,
DOMAIN_NAME = domain.tld
AGH_SERVER = dns.domain.tld
Currently, AGH expects DoT URLs to follow the form client.AGH_SERVER
. This is all fine and as expected. (In hindsight, I was probably a bit too quick in opening this issue)
But, if I want my clients to follow client.DOMAIN_NAME
, then I can, in theory, do AGH_SERVER = domain.tld
. However, in this case, AGH is also served on DOMAIN_NAME
.
There doesn't seem to be a way to serve AGH on AGH_SERVER
&& having DoT URL as client.DOMAIN_NAME
.
I suggest giving users an advanced setting (may be hidden in YAML) where they are able to choose, the dashboard serve URL and something like DoT_CLIENT_SUFFIX which will be used instead of AGH_SERVER to get the client ID.
So,
AGH_SERVER = dns.domain.tld # AGH is now served here
DoT_CLIENT_SUFFIX = domain.tld # AGH uses this to detect client IDs in DoT
All of this is mainly to avoid sub-subdomains and very long urls. (and give users more freedom in config) :)
@accountForIssues, you can technically do something like that already if you add a dns
client with all settings set to defaults.
We'll see what kind of changes we can make to the current mechanism, but it is good to remember that more freedom often means more complexity, and we have already had several issues where people got confused about some aspects of ClientID, so adding even more variability doesn't exactly seem like a wise choice to me.
Using
adguardhome:edge
from docker as of issue creation.Issue Details
I added persistent clients and then I added the client ids to the access list. DoH works fine, identifies clients and returns dns. DoT on the other end rejects all queries.
I use Caddy as reverse proxy but only for DoH. DoT is directly connected via the default port. So,
DoH -> Caddy -> AGH DoT -> AGH
DoT works fine if I remove the client IDs from the access list.
AGH is served on
dns.domain.tld
. I addtestclient
as client ID in persistent clients.Expected Behavior
A request to
tls://testclient.domain.tld
should be recognized as a DoT request fromtestclient
.Actual Behavior
DoT request from
tls://testclient.domain.tld
is dropped.Relevant part of debug log:
[debug] client __REDACTED_IP__ (id "") is not in access allowlist
So, it looks like the client id is being dropped from the DoT url. If the access list is empty, everything works as usual.
Adguard tls settings
The TLS cert is valid for *.domain.tld
Am I missing something simple ? Why is the id part being dropped from the DoT url ?