AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

local DNS from only one Android device permanently blocked #4464

Open chriskloe opened 2 years ago

chriskloe commented 2 years ago

chris@server:/opt/AdGuardHome$ ./AdGuardHome -v --version
AdGuard Home
Version: v0.107.5
Channel: release
Go version: go1.16.15
Build time: 2022-03-04T12:59:06Z+0000
GOOS: linux
GOARCH: amd64
Race: false

The network is configured as DHCP and FritzBox is sending the IP of the server, where AdGuardHome is running as DNS. The server is configured with a fixed IP in the FritzBox.

My server with AdGuard is running on:

Expected Behavior

I am running several clients in the network that need to resolve local IP-addresses to access file shares, services like nextcloud, a database, tvheadend and so on running on the same server as AdGuardHome. To make that work I set up a dns forwarding rule in the adguard home configuration (shown above) and I made Adguard home start with the extra option --no-etc-hosts (why is this not an option available from the settings page?!). For most of the clients and most of the software running that works perfectly well.

Actual Behavior

I have one client in the network, a Samsung Android Tablet running Android 8.1.0 that repeatedly gets NXDOMAIN-responses when trying to resolve local services. Most of the time this affects file shares (samba), and mysql-database running on the server. Very weird: accessing tvheadend on the same server seems to work. Attached a screenshot from the AdGuardHome accesslog showing some rejected resolves during startup of kodi on that tablet.

Please contact me if you need more information. Thanks in advance for any kind of support, this issue is really annoying.

By the way: another annoying topic: it would be great to see a reason for any kind of reject from the log. Reading only "NXDOMAIN" drives me nuts.

fernvenue commented 2 years ago

Seems like your device is hitting a rate limit or something, I'm not sure, you can use verbose log to get more information.

chriskloe commented 2 years ago

Sorry for the delay, I didn't have much time for experiments...

what I did:

But this is something I am discovering from time to time when I want to play around with the settings to fix the problem: sometimes it suddenly starts to work for a while but a short time later it doesn't work again. So no clear repeatable behaviour, which is an indication of a software bug for me.

I am still trying to get a log of that behaviour and I will post it as soon as I got it.

chriskloe commented 2 years ago

OK, this time it worked. If I am interpreting the log in the right way, this is the section showing a failed attempt:

2022/04/10 22:14:38.521227 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.51:6827
2022/04/10 22:14:38.528072 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 24976
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

2022/04/10 22:14:38.528380 14821#509 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:38.528516 14821#509 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:38.528680 14821#509 [debug] 192.168.178.1:53: sending request A server.fritz.box.
2022/04/10 22:14:38.531326 14821#509 [debug] 192.168.178.1:53: response: ok
2022/04/10 22:14:38.531477 14821#509 [debug] github.com/AdguardTeam/dnsproxy/upstream.exchange(): upstream 192.168.178.1:53 successfully finished exchange of ;server.fritz.box. IN A. Elapsed 2.812636ms.
2022/04/10 22:14:38.531557 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(): RTT: 2.933282ms
2022/04/10 22:14:38.531656 14821#509 [debug] client ip: 192.168.178.51
2022/04/10 22:14:38.531761 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 24976
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

;; AUTHORITY SECTION:
fritz.box. 9 IN SOA fritz.box. admin.fritz.box. 1649621678 21600 1800 43200 10

This is another query from another client in the same timeframe that passed (in fact it's the laptop I used to access the log):

2022/04/10 22:14:45.551252 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.55:63858
2022/04/10 22:14:45.558060 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 17080
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

2022/04/10 22:14:45.558167 14821#411 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:45.558298 14821#410 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:45.558360 14821#411 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:45.558406 14821#410 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:45.558521 14821#410 [debug] serving response from general cache
2022/04/10 22:14:45.558536 14821#411 [debug] 192.168.178.1:53: sending request AAAA server.fritz.box.
2022/04/10 22:14:45.558595 14821#410 [debug] client ip: 192.168.178.55
2022/04/10 22:14:45.558695 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 17080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

;; AUTHORITY SECTION:
fritz.box. 2 IN SOA fritz.box. admin.fritz.box. 1649621678 21600 1800 43200 10

2022/04/10 22:14:45.561969 14821#411 [debug] 192.168.178.1:53: response: ok

Is there any information to read from that? I just see "NXDOMAIN" another time but no reason, no failure, no error code...
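
An added example, not part of the original thread and not AdGuard Home's own code: a small Python triage script that reads a verbose log like the excerpts above and reports, for each reply sent to a client, whether it followed an upstream exchange or came from the general cache, together with the response status and header flags. The sample lines are abridged from the excerpts and laid out one entry per line; the function name `summarize` and the grouping of lines by their `pid#N` tag are assumptions made for this example.

```python
import re

# Sample lines abridged from the excerpts above (function paths shortened),
# one log entry per line with DNS message continuation lines below it.
SAMPLE = """\
2022/04/10 22:14:38.528072 14821#509 [debug] proxy.logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 24976
;server.fritz.box. IN A
2022/04/10 22:14:38.531477 14821#509 [debug] upstream.exchange(): upstream 192.168.178.1:53 successfully finished exchange of ;server.fritz.box. IN A. Elapsed 2.812636ms.
2022/04/10 22:14:38.531656 14821#509 [debug] client ip: 192.168.178.51
2022/04/10 22:14:38.531761 14821#509 [debug] proxy.logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 24976
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
2022/04/10 22:14:45.558521 14821#410 [debug] serving response from general cache
2022/04/10 22:14:45.558595 14821#410 [debug] client ip: 192.168.178.55
2022/04/10 22:14:45.558695 14821#410 [debug] proxy.logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 17080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

ENTRY = re.compile(r"^\d{4}/\d\d/\d\d \S+ (\d+#\d+) \[\w+\] (.*)$")

def summarize(log_text):
    """Return one dict per OUT message: client, question, answer source, status, flags."""
    state, results, tag, in_out = {}, [], None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            (tag, msg), in_out = m.groups(), False
        else:
            msg = line  # continuation line of a multi-line DNS message dump
        if tag is None:
            continue
        req = state.setdefault(tag, {"client": None, "question": None, "source": "unknown"})
        if "serving response from general cache" in msg:
            req["source"] = "cache"
        elif u := re.search(r"upstream (\S+) successfully finished exchange", msg):
            req["source"] = "upstream " + u.group(1)
        elif c := re.search(r"client ip: (\S+)", msg):
            req["client"] = c.group(1)
        elif q := re.match(r";([^;\s]\S*)\s+IN\s+(\w+)$", msg):
            req["question"] = f"{q.group(1)} {q.group(2)}"
        elif o := re.search(r"OUT: ;; opcode: \w+, status: (\w+), id: (\d+)", msg):
            # Assumption: lines sharing a pid#N tag up to the OUT belong to one request.
            results.append({**state.pop(tag), "tag": tag, "id": int(o.group(2)),
                            "status": o.group(1), "flags": []})
            in_out = True
        elif in_out and (f := re.match(r";; flags: ([a-z ]+);", msg)):
            results[-1]["flags"] = f.group(1).split()
    return results

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the sample, both replies are reported as NXDOMAIN: the one to 192.168.178.51 follows an exchange with upstream 192.168.178.1:53 and carries the `aa` flag, while the one to 192.168.178.55 is served from the general cache.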

chriskloe commented 2 years ago

FYI: I am usually working with the first two entries on the general settings page enabled (this translates to something like "Block domains by filters and host-files" and "use AdGuard webservice for internet safety" from the German UI). For a test I deactivated both entries and it immediately started to work, even after a restart of AdGuardHome. I'll wait a while, see if it keeps working tomorrow and keep you updated.

Stopped working again. After enabling both filters it works again (not for long I guess). There's definitely something buggy!

chriskloe commented 2 years ago

To convince you it's not a kodi related issue: the same happens when I want to access the AdGuardHome webpage on the server from the tablet. FYI: no change with the latest update.

ainar-g commented 2 years ago

Apologies, this issue seems to have slipped through the cracks.

I assume that server.fritz.box is a domain name that is dynamically allocated by the router? The logs don't show anything unusual, so my first assumption is that perhaps the router “forgets” that domain every once in a while?

chriskloe commented 2 years ago

Hupps, there is still an open topic. Some updates later it is still not working. What I am reading from the logs cited above:

- tablet is asking for the ip-address of server.fritz.box
- AGH is forwarding the request to the router
- Router is answering properly with an ip
- AGH is not forwarding the ip but responding with NXDOMAIN.

It would be great to have a reason for that conversion in the log! The problem repeatedly disappears as soon as I let the router set the DNS address to its own one instead of AGH (using DHCP/DDNS),