AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

DNS Rewrites issue #5457

Open PVasileff opened 1 year ago

PVasileff commented 1 year ago

Prerequisites

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Other (please mention in the description)

Setup

On one machine

AdGuard Home version

0.107.23

Description

Hello,

I have migrated from pihole to adguard at my home.

I have purchased domain that in example I will call: domain.com

That domain uses Cloudflare DNS, and in Cloudflare I pointed it to the public, static IP address that I have from my ISP. In Cloudflare, proxied records are not enabled for my domain.

In AdGuard (which I use only for DNS in my home network) I have configured domain.com to point to the local IP address 172.17.72.246.

I do that in /etc/hosts on my adguard server.

The idea is that if I open domain.com at home, it is resolved to 172.17.72.246.

Sometimes (again, I am saying sometimes) some devices connected to my home network (laptop, phones, tablets, etc.) get an error opening domain.com because it resolves to my public IP address, NOT to 172.17.72.246, which I have configured in /etc/hosts.

Any idea why that is happening?

PVasileff commented 1 year ago

I found another similar case on the internet, for example: https://www.reddit.com/r/Adguard/comments/sntdw2/dns_rewrites_not_working/

ppfeufer commented 1 year ago

Add your DNS rewrites to AGH instead of a hosts file that only one machine can access ...

https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite

PVasileff commented 1 year ago

Add your DNS rewrites to AGH instead of a hosts file that only one machine can access ...

https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite

I am unable to understand why that is needed and what the reason for that is.

I have ~100 rewrite lines in /etc/hosts for different local IPs and hosts...
The link that you sent me also has this:

/etc/hosts syntax: the old, tried-and-true approach that uses the same syntax that operating systems do for their hosts files.

The IP of AdGuard is configured on my MikroTik to be the DNS server for all devices in my network. What do you mean by

"that only one machine can access ..."

ppfeufer commented 1 year ago

You have essentially 2 ways to add DNS rewrites to AGH:

1.) Filters -> DNS rewrites and add them there (which might be the easier approach for you)

2.) Add them in a file to your "block lists" with the syntax from the wiki article. (This is much more flexible and allows for more than Name to IP resolution)

/etc/hosts is a local file that only the machine that it is on can read. I don't know precisely how AGH handles the hosts file on the machine installed, but I would not rely on it too much. Add your DNS rewrites to AGH, that's what it's for.

PVasileff commented 1 year ago

The quick method for me was to add entries to the hosts file because that's how I used it on pihole and I did not want to add them one by one through the web interface.

I will be happy if any of the developers can explain to me: can I use the /etc/hosts file on AdGuard to rewrite DNS records in AGH, and if yes, why does this sometimes happen with resolving, where the records in /etc/hosts are ignored and AGH responds with A records from the upstreams, not from /etc/hosts?

In the query log I always see the DNS-rewritten host pointing to the IP from the hosts file, but my phones sometimes get an error because in the local network they try to open my domain via the public IP, and that is not possible, because on the MikroTik I have configured dstnat (not hairpin NAT; I don't want to use hairpin NAT) for ports 80/443 to the local IP, and that is the reason I want to use rewrites in the local network.

ppfeufer commented 1 year ago

The hosts file is only used by the machine it's on as a local DNS override. The hosts file is not meant to be a DNS override for your local network.

AGH is the DNS resolver, configure network-wide DNS rewrites there.

PVasileff commented 1 year ago

The hosts file is only used by the machine it's on as a local DNS override. The hosts file is not meant to be a DNS override for your local network.

AGH is the DNS resolver, configure network-wide DNS rewrites there.

You are right, but AdGuard works with /etc/hosts and serves records from /etc/hosts to other machines in the network :)

I also need to know whether the documentation about the /etc/hosts file for rewrites is true or not :)

PVasileff commented 1 year ago

As an addition to my last post, and for the information of @ppfeufer: in AGH you have essentially 3 ways to add DNS rewrites, not 2, as you wrote.

  1. /etc/hosts
  2. Filter -> DNS rewrites
  3. Filter -> Custom filtering rules

I have tested all three methods and all of them work, but I want to know why, when using only /etc/hosts for rewrites, devices in my home network (Android phones, for example, with the Private DNS option disabled in settings) sometimes resolve domain.com to my public IP address from my ISP (not to the rewritten IP) and get connection errors in apps like Nextcloud, AquaMail, DAVx5.

That is my case and I will be happy to hear a competent answer.

PVasileff commented 1 year ago

Any other ideas here?

I tried to block outgoing connections on my MikroTik router to port 853 with logging, to prevent the phone from using 'secure DNS', but the problem still happens, and the MikroTik logs do not show any IP address that tried to make requests to port 853 :)

I added rewrites in the DNS Rewrite menu, but when they are added from there, AdGuard does not return PTR records when you try dig -x ip, and they need to be added in a custom rewrite rule ...; if the IP and host are added in the /etc/hosts file, I have both A and PTR records :)
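As an added example (not code from the AdGuardHome project or from anyone in this thread), the following Python converts a hosts-file list such as the ~100 lines mentioned earlier into custom filtering rules that give both A/AAAA and PTR answers, using the $dnsrewrite syntax from the Hosts-Blocklists wiki page linked earlier in the thread. The rule format is taken from that wiki page and the sample hosts entries are constructed; both are assumptions of this example.

```python
"""Convert /etc/hosts style entries into AdGuard Home custom filtering rules.

Added example, not AdGuardHome project code. Assumed rule syntax (from the
Hosts-Blocklists wiki page):
  forward:  |name^$dnsrewrite=NOERROR;A;ip        (AAAA for IPv6)
  reverse:  |x.x.x.x.in-addr.arpa^$dnsrewrite=NOERROR;PTR;name.
"""
import ipaddress

# Constructed sample in /etc/hosts syntax. The first IP is the one quoted in
# the issue; the remaining entries (and the invalid one) are made up.
SAMPLE_HOSTS = """\
# local services
172.17.72.246   domain.com www.domain.com
172.17.72.10    printer.lan
2001:db8::10    nas.lan
bogus           broken.lan
"""


def parse_hosts(text):
    """Return [(ip_address, [names])] for each valid line; skip comments,
    blank lines and lines whose first field is not an IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hosts-file parsers ignore such lines as well
        if names:
            entries.append((addr, names))
    return entries


def forward_rule(name, addr):
    """A or AAAA rewrite rule for one name."""
    rtype = "A" if addr.version == 4 else "AAAA"
    return f"|{name}^$dnsrewrite=NOERROR;{rtype};{addr}"


def reverse_rule(name, addr):
    """PTR rewrite rule so that 'dig -x <ip>' answers with the name."""
    return f"|{addr.reverse_pointer}^$dnsrewrite=NOERROR;PTR;{name}."


def hosts_to_rules(text):
    """One forward rule per name, plus one PTR rule per address (first name)."""
    rules = []
    for addr, names in parse_hosts(text):
        for name in names:
            rules.append(forward_rule(name, addr))
        rules.append(reverse_rule(names[0], addr))
    return rules


if __name__ == "__main__":
    print("\n".join(hosts_to_rules(SAMPLE_HOSTS)))
```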

PVasileff commented 1 year ago

Back to Pi-hole again; everything is working without this issue. Maybe AdGuard is not better than Pi-hole.. Sad story

ainar-g commented 1 year ago

Apologies for the belated response.

Sometimes (again, I am saying sometimes) some devices connected to my home network (laptop, phones, tablets, etc.) get an error opening domain.com because it resolves to my public IP address, NOT to 172.17.72.246, which I have configured in /etc/hosts.

If you do not see queries that return those public IP addresses in AdGuard Home's query log then it's probably because those devices use another DNS server. And why they do that depends on the device, but generally if there are two fields for DNS address, you should put the IP address of AdGuard Home into both fields. Otherwise, the device will occasionally switch to using some default (Google DNS, etc.).

PVasileff commented 1 year ago

Apologies for the belated response.

Sometimes (again, I am saying sometimes) some devices connected to my home network (laptop, phones, tablets, etc.) get an error opening domain.com because it resolves to my public IP address, NOT to 172.17.72.246, which I have configured in /etc/hosts.

If you do not see queries that return those public IP addresses in AdGuard Home's query log then it's probably because those devices use another DNS server. And why they do that depends on the device, but generally if there are two fields for DNS address, you should put the IP address of AdGuard Home into both fields. Otherwise, the device will occasionally switch to using some default (Google DNS, etc.).

The phones that have this issue are Huawei Nova 5T, connected to my home network via a wireless connection, with the DNS server (AdGuard Home IP address) received from DHCP..

Both devices have the "Private DNS" option disabled.

If they switch back to the LTE/3G network via the operator, my domain is reachable and has no access issues, because with mobile internet the domain is accessible via the public IP address.

A month ago I switched back to Pi-hole, and with Pi-hole I don't have that problem..

I am unable to find the reason why I hit that issue with AdGuard.. and that is strange: why does AdGuard try to resolve the domain to the public address, and not to the IP address added in the /etc/hosts file record for that domain, when the devices use the AGH IP for DNS?

As I wrote in my previous posts in this thread:

I tried to block outgoing connections on my MikroTik router to port 853 with logging, to prevent the phone from using 'secure DNS', but the problem still happens, and the MikroTik logs do not show any IP address that tried to make requests to port 853

I know the scheme I'm using is not standard and most people probably use hairpin NAT, but I don't want that. AdGuard is great, more flexible than Pi-hole with more options, but what happens keeps me from using it.

ainar-g commented 1 year ago

I see, thanks. If you ever decide to investigate further, a few things that could help clarify the issue:

  1. Inspecting the Query log to see if the query has reached AdGuard Home at all. If not, that could have something to do with DHCP and the behavior I've described above.

  2. Enabling the verbose log to see if there are any warnings or errors in the processing of /etc/hosts.

  3. Clearing DNS cache and possibly setting the cache TTL value for the public domain lower to make sure that the DNS cache isn't playing a role here.

dimatha commented 1 year ago

Having the same issue with v0.107.27 (tried 0.108 beta as well).

DNS Cache is not set.

$ dig @192.168.10.1 registry.sakun.example.com

Rewrite section:

  rewrites:
    - domain: '*.sakun.example.com'
      answer: 192.168.192.100

Debug:

2023/04/05 22:03:47.314899 6398#166 [debug] github.com/AdguardTeam/dnsproxy/proxy.(Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.10.114:63554
2023/04/05 22:03:47.314963 6398#166 [debug] github.com/AdguardTeam/dnsproxy/proxy.(Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 6563 ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version 0; flags: ; udp: 4096
2023/04/05 22:03:47.315055 6398#166 [debug] applying filters: looking for client with ip 192.168.10.114 and clientid ""
2023/04/05 22:03:47.315137 6398#166 [debug] applying filters: no clients with ip 192.168.10.114 and clientid ""
2023/04/05 22:03:47.315201 6398#166 [debug] dnsproxy: cache: disabled; not caching
2023/04/05 22:03:47.315258 6398#166 [debug] https://doh.opendns.com:443/dns-query: sending request A registry.sakun.example.com.
2023/04/05 22:03:47.432552 6398#166 [debug] https://doh.opendns.com:443/dns-query: response: ok
2023/04/05 22:03:47.432590 6398#166 [debug] time.Duration.Milliseconds(): upstream https://doh.opendns.com:443/dns-query successfully finished exchange of ;registry.sakun.example.com. IN A. Elapsed 117.345703ms.
2023/04/05 22:03:47.432623 6398#166 [debug] github.com/AdguardTeam/dnsproxy/proxy.(Proxy).replyFromUpstream(): RTT: 117.379259ms
2023/04/05 22:03:47.432646 6398#166 [debug] client ip: 192.168.10.114
2023/04/05 22:03:47.432686 6398#166 [debug] github.com/AdguardTeam/dnsproxy/proxy.(Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 6563 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version 0; flags: ; udp: 4096

;; QUESTION SECTION: ;registry.sakun.example.com. IN A

;; ANSWER SECTION: registry.sakun.example.com. 240 IN A 77.XX.XX.XX

Is there anything else I can look into to provide more details? Maybe something with the config format?
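The verbose log above shows the query for registry.sakun.example.com being sent to the DoH upstream even though a '*.sakun.example.com' rewrite is configured, which is exactly what step 2 of ainar-g's checklist is meant to surface. As an added example (not AdGuardHome code or anything posted in this thread), the Python below parses lines in that dnsproxy debug format and flags upstream requests for names a rewrite should have answered locally; the log excerpt is constructed around the line quoted above, and the wildcard matching (proper subdomains only) is an assumption of this example.

```python
"""Flag DNS rewrites that were bypassed: names matching a configured rewrite
that nevertheless appear as 'sending request' lines to an upstream in the
AdGuard Home verbose log. Added example, not AdGuardHome project code."""
import re

# Rewrite list in the same shape as the 'rewrites:' config fragment above.
REWRITES = [{"domain": "*.sakun.example.com", "answer": "192.168.192.100"}]

# Constructed log excerpt in the dnsproxy debug format quoted in the thread:
# the first three lines are from the thread, the last two are made up.
SAMPLE_LOG = """\
2023/04/05 22:03:47.315201 6398#166 [debug] dnsproxy: cache: disabled; not caching
2023/04/05 22:03:47.315258 6398#166 [debug] https://doh.opendns.com:443/dns-query: sending request A registry.sakun.example.com.
2023/04/05 22:03:47.432552 6398#166 [debug] https://doh.opendns.com:443/dns-query: response: ok
2023/04/05 22:03:51.000000 6398#170 [debug] https://doh.opendns.com:443/dns-query: sending request A git.sakun.example.com.
2023/04/05 22:03:52.000000 6398#171 [debug] https://doh.opendns.com:443/dns-query: sending request A www.adguard.com.
"""

# '<date> <time> <pid#goroutine> [debug] <upstream>: sending request <qtype> <name>'
UPSTREAM_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[debug\] (?P<upstream>\S+): sending request "
    r"(?P<qtype>[A-Z0-9]+) (?P<name>\S+)$"
)


def matches_rewrite(name, pattern):
    """True if a query name is covered by a rewrite pattern.

    Assumption (simplification): '*.x' covers every proper subdomain of x,
    anything else must match exactly. Case-insensitive, trailing dot ignored.
    """
    name = name.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def bypassed_rewrites(log_text, rewrites):
    """Return (ts, qtype, name, expected_answer, upstream) for every upstream
    request whose name a configured rewrite should have answered."""
    hits = []
    for line in log_text.splitlines():
        m = UPSTREAM_RE.match(line.strip())
        if not m:
            continue  # not an upstream request line
        for rw in rewrites:
            if matches_rewrite(m["name"], rw["domain"]):
                hits.append((m["ts"], m["qtype"], m["name"].rstrip("."),
                             rw["answer"], m["upstream"]))
    return hits


if __name__ == "__main__":
    for ts, qtype, name, want, upstream in bypassed_rewrites(SAMPLE_LOG, REWRITES):
        print(f"{ts} {qtype} {name}: rewrite to {want} expected, "
              f"but the query was sent to {upstream}")
```

Run it against a real verbose log (Settings -> General, verbose logging) to see whether rewritten names are leaving for the upstream, as in the excerpt above, or never reach AdGuard Home at all.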

dimatha commented 1 year ago

Ok, creating a new config file from scratch fixed the problem. Still don't know why; diff doesn't show a big difference.

dimatha commented 1 year ago

Enabling "Settings -> General -> Block Domains using filters and hosts files" reactivates rewrite functionality. Make sure you do the same in the Client Settings if applicable.

Is that intended?

PVasileff commented 1 year ago

;; ANSWER SECTION: registry.sakun.example.com. 240 IN A 77.XX.XX.XX

I haven't run debug on my side, but from the logs of @dimatha it looks like AGH is trying to resolve the domain via the upstream instead of taking the rewrite rules into account, as I guessed is also happening in my case.. haha, and AGH doesn't log that request :)

@ainar-g :)

ainar-g commented 1 year ago

@dimatha, yes. Currently, the DNS rewrite page is considered a part of the filtering functionality. We plan on introducing more fine-grained settings in later releases.

MistakingManx commented 1 year ago

It started working for me after I disabled my device's IPv6 and manually set the IPv4 DNS to go to the server.

For some reason, my router just plain-out ignores the DNS settings, so it must be done on each device.

SebbesApa commented 8 months ago

Has anyone got rewrites to work? I'm on v0.107.43 and it just stopped working. I'm not sure when, though. I did not make any config changes.

Edit: Ok, so I just tried to add ".something" to my rewrites, and that makes it work. Although it did work before without it.

jcconnell commented 8 months ago

Enabling "Settings -> General -> Block Domains using filters and hosts files" reactivates rewrite functionality. Make sure you do the same in the Client Settings if applicable.

Is that intended?

I was experiencing the rewrite issue described here. This fixed it immediately.

kieraneglin commented 7 months ago

(v0.107.43, only DNS rewrites - I never touched the hosts file. Testing exclusively on a Macbook w/ Firefox)

I was seeing odd behaviour with DNS rewrites using the .local TLD. Everything worked great if I used a subdomain or wildcard but bare domains did not work. Some example DNS rewrites (all pointing to the same IP of my local Unraid server):

  • server.local - doesn't work
  • *.local - doesn't work (also why would you do this)
  • my.server.local - works!
  • www.server.local - works!
  • *.server.local - works!

Weird! No combination of restarting/clearing cache would resolve it. It turns out it must be something with that TLD specifically because literally any other TLD would work:

  • server.lan - ("fake" TLD) works!
  • server.net - works!

One caveat is that using a "fake" TLD may mean that you can't just type server.lan and have it resolve in some browsers since it'll search for that literal phrase. You must specify the protocol by including http(s)://, but you can just save it as a bookmark and it should autofill correctly next time.

ansanper commented 7 months ago

(v0.107.43, only DNS rewrites - I never touched the hosts file. Testing exclusively on a Macbook w/ Firefox)

I was seeing odd behaviour with DNS rewrites using the .local TLD. Everything worked great if I used a subdomain or wildcard but bare domains did not work. Some example DNS rewrites (all pointing to the same IP of my local Unraid server):

  • server.local - doesn't work
  • *.local - doesn't work (also why would you do this)
  • my.server.local - works!
  • www.server.local - works!
  • *.server.local - works!

Weird! No combination of restarting/clearing cache would resolve it. It turns out it must be something with that TLD specifically because literally any other TLD would work:

  • server.lan - ("fake" TLD) works!
  • server.net - works!

One caveat is that using a "fake" TLD may mean that you can't just type server.lan and have it resolve in some browsers since it'll search for that literal phrase. You must specify the protocol by including http(s)://, but you can just save it as a bookmark and it should autofill correctly next time.

I got the same results, the odd behavior with .local. I did some testing and found that there was an IPv6 DNS server ahead of the DNS I set (AdGuard). My ISP is AT&T and apparently they force the use of their IPv6 DNS server; disabling IPv6 on my AT&T router fixed the issue, and now DNS rewrites are working.

My recommendation is to run ipconfig /all (for Windows) and check which DNS servers your device is using and in which order.

danielraffel commented 7 months ago

I can’t get DNS Rewrites to work in AGH v0.107.44. I set up AGH on an Ubuntu server in GCP and am running Tailscale so I can use AGH DNS both inside and outside of my home network. I did have to modify /etc/hosts on the VM running AGH to add my custom domain and its Tailscale IP. I’ve tried disabling and enabling General Settings > Block domains using filters and hosts files but that hasn’t changed things. Rewrites just don’t seem to work. FWIW I wrote up notes on how I configured everything.

https://danielraffel.me/2024/02/09/tailscale-adguard-on-gcp/

Wetzel402 commented 6 months ago

I can't seem to get DNS rewrites working at all either. I have AGH v0.107.44 running in Docker at IP 192.168.1.220. I've set that IP as the DNS in my router, added [/*.local/]192.168.1.1 (my router IP) to my upstream DNS servers, and tried adding both my router IP and/or my AGH IP to private reverse DNS servers. I've tried some tests using printer.local, mainsail.local, www.printer.local, etc. in DNS rewrites to no avail. I'm not sure if I've configured something wrong or if it's a bug...

kieraneglin commented 6 months ago

@Wetzel402 try using printer.lan - that's what I'm using and it works well. You may have to explicitly add the protocol for your browser to navigate to it (i.e. http://printer.lan)

Wetzel402 commented 6 months ago

@Wetzel402 try using printer.lan - that's what I'm using and it works well. You may have to explicitly add the protocol for your browser to navigate to it (i.e. http://printer.lan)

I gave it a try but unfortunately that doesn't work for me either. All requests show a status of NXDOMAIN despite having a rewrite filter set.

Wetzel402 commented 6 months ago

My issue was addressed by this.

HVR88 commented 3 months ago

Various replies to points brought up:

.local TLD

You can't reliably use ".local" in DNS resolving as it's reserved for multicast DNS (mDNS) - connections might work from Windows systems but they will never work from macOS, iOS or any Apple system (and likely other systems).

There's no solution for this other than adding an additional domain before your target (subdomain) like this: target.mydomain.local - and it's the same story in ADGH or Pi-Hole, etc.

Made-up TLDs

If you want to use any made-up TLD, or one that's been proposed but not yet adopted, like .lan, you can put a period at the end instead of specifying the transport. Just type mydomain.lan. into your browser address bar and it'll send the name for resolving instead of passing it to the search engine.

Real IANA/ICANN TLDs

You can rewrite various TLDs, but not all.

"The Original" TLDs can be rewritten - these are .com, .org, .edu, .net, .gov, etc.

Country Code TLDs can be rewritten - .us, .ca, .ie, .cz, .pt, etc.

Infrastructure TLD can be rewritten - .arpa

ICANN gTLDs (generic top-level domains) cannot all be rewritten. Some work and some don't. (I'm testing from a Mac at the moment; browser choice doesn't make a difference: Firefox, Chrome, Safari.)

.app doesn't work
.dev doesn't work

.aero works
.adult works

etc... I'm not going to test them all.

IMO, the only question regarding AdGuard Home with respect to the above is why some gTLDs fail to work. Once I came to the conclusion that .local was never going to work, I hoped I'd just be able to co-opt the .app gTLD for my LAN services. Looks like I might have to settle on something else.

And my most significant regret in getting to this point is that the time I've spent on this wasn't billable hours.

nsu700 commented 3 months ago

This does not work for me either. I am running AdGuardHome v0.107.50 on my Raspberry Pi, with my private domain set in the DNS rewrite rule. No matter how I dig or nslookup to verify the domain, it always returns NXDOMAIN. However, in the AdGuardHome "Custom filtering rules" tab, I checked the same domain in "Check the filtering", and it told me the rewrite rule is applied and returns the expected IP. I have googled a lot, and someone said enabling "Block domains using filters and hosts files" works, but unfortunately it does not work for me either. Not sure what I can do now.

nsu700 commented 3 months ago

I have followed this guide to set a rewrite for example.com as a test, but it does not work for me either.

❯ nslookup example.com 192.168.31.99
Server:     192.168.31.99
Address:    192.168.31.99#53

Non-authoritative answer:
Name:   example.com
Address: 93.184.215.14


FrederikSchack commented 3 months ago

I've had issues with rewrite and ad-blocking not working reliably, especially on Windows computers.

Disabling IPv6 solved my issues on the Windows machines and as a bonus, my browsing experience improved on those computers too.

What I understand is that Windows will try to use IPv6 before IPv4 and, if IPv6 is not working correctly, it will fall back to IPv4, which of course will be felt as a delay. I don't know why it prevents rewrites. Maybe it has something to do with timeouts?

nsu700 commented 3 months ago

I still could not make it work. Instead, I now use an external DNS server to resolve my domain, and in AGH I have set a DNS upstream for my private domain, which works for me now. But it would be great to use the DNS rewrite function, as I don't want to host another server if possible.

lemisieur commented 2 weeks ago

Same here, can't figure it out

HVR88 commented 2 weeks ago

I ended up using a local Unbound resolver as upstream on pfSense as well as using one of my registered domain names for the LAN.

Using some rewrites only for an alternative to outright blocking.

sulemanhasib43 commented 1 week ago

I am using Version: v0.107.52 and facing the same issue. I am trying to resolve a .win TLD to a local IP. Now it simply resolves to Cloudflare proxy IPs. My domain is at Cloudflare.

I have enabled "Block domains using filters and hosts files". I have disabled IPv6. My setup is on a Docker bridge network. I have tried rewrites and custom filtering rules. I have tried almost whatever is out there on GitHub and Reddit, with no luck...

Looking forward to someone pointing us in the right direction!