AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

adguardhome causes the server to crash or overload #5998

Open duckxx opened 12 months ago

duckxx commented 12 months ago

Prerequisites

Platform (OS and CPU architecture)

Linux/386

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.33

Action

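Trigger conditions: adding a blacklist/whitelist, updating a blacklist/whitelist, an automatic blacklist/whitelist update, or applying some setting.

The following steps have a very high probability of triggering the bug: on a server located in China, add a rule list with more than 200,000 rules, add several such lists, and use list links hosted on GitHub. When the first attempt to add a link reports that it took too long or that adding failed, the trigger has succeeded. Then keep adding rules until adding succeeds and the rules across all lists exceed 1 million. If it is not triggered, set the automatic update interval to 1 hour in the general settings, or click "check for updates" yourself. If it is still not triggered, keep using it and frequently update one rule list manually; the larger the rule list, the higher the success rate.

Once it is triggered, depending on how severe it is, every time you apply settings or update the blacklist/whitelist, disk and CPU usage go to 100%, adguardhome crashes outright, and the server cannot be connected to. If you restart adguardhome manually, there is a high probability that adguardhome's DNS resolution no longer works.

For example, adding a large blacklist like this one: https://cdn.jsdelivr.net/gh/jerryn70/GoodbyeAds@master/Formats/GoodbyeAds-AdBlock-Filter.txt

It is the same on any operating system, and this bug has existed for more than a year.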

Expected result

Trigger rate 100%

Actual result

Trigger rate 100%

Additional information and/or screenshots

I have already tried other servers, and the result was the same every time.

Freebase394 commented 12 months ago

Hi user @duckxx .

Thank you in advance for your submission! First of all, we would appreciate it if you could make your submissions in English [en_EN - United States | American]. It's just to make it easier for everyone to understand and communicate and help each other! Next time please do it in the way mentioned above.

As far as I could tell, yes, AdGuardHome in one of the latest releases has an anomaly that has already been identified by @ainar-g and the new fix is being tested in the "beta" version. To test the beta version, could you please test the following version?

Script to install a beta version: curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c beta

I confess that I have also been taken by surprise, and that the same thing has happened to me! Follow this issue here: #5964
It's something related to DNS issues mentioned here: #5896

I have added your list to my AdGuardHome to see and check on my own image. Can you please mention what the characteristics of your machine are, like the amount of RAM, CPU (amount of cores/threads, total physical and virtual), HDD disk space and SWAP size, and which operating system you are using?

duckxx commented 12 months ago

@Freebase394 This is the configuration of my server. It is sufficient to run AdGuardHome....


duckxx commented 12 months ago

@Freebase394 This is a screenshot of cloud disk performance after triggering the bug last year. This is the cloud disk performance document from the server provider.

https://help.aliyun.com/document_detail/25383.html


duckxx commented 11 months ago

Just today, the server was overloaded twice due to adguardhome, making it impossible to connect to the server, and the interval between the two was less than 30 minutes.

duckxx commented 11 months ago

Once you have successfully triggered the bug, even using the log query has a high probability of immediately triggering the bug and overloading the server right away.

yoyo930021 commented 11 months ago

In today's version, there are several relevant fixes; maybe you can try it.

duckxx commented 11 months ago

@Freebase394

It has been updated to version 107.34, but the bug still exists. When the bug is triggered, the login interface of Adguardhome can now be accessed, but the DNS parser is no longer working, and Adguardhome is running, while the server and hard drive are still overloaded. After restarting Adguardhome, the DNS parsing latency reached up to 1000ms or even higher, and it took about 5 minutes for the DNS parser to enter the working state. After browsing security and parental control are enabled, the DNS parser no longer works and adguardhome is running.

ainar-g commented 11 months ago

Your issue is likely different from the one from #5896. How many rules do you have in your rule lists exactly?

> Linux/386

Are you really using an old, 32-bit x86 CPU? Because those most likely don't have enough power for lists with over a hundred thousand rules.

duckxx commented 11 months ago

> Your issue is likely different from the one from #5896. How many rules do you have in your rule lists exactly?

> > Linux/386

> Are you really using an old, 32-bit x86 CPU? Because those most likely don't have enough power for lists with over a hundred thousand rules.

The system was selected by mistake; it is Alibaba Cloud Linux 3.2104 64-bit. This is the official introduction of the operating system:

https://www.aliyun.com/product/alinux

My blacklist/whitelist adds up to 3 million entries, but it has been running normally for a long time. When adguardhome is running, the CPU load rate is 30% and the memory usage rate is 50%.

ainar-g commented 11 months ago

That is a lot of rules, and you should probably consider using more compressed rule lists.

What is the update interval for your lists? Could this be the time when the rule-list update is kicking in?

duckxx commented 11 months ago

> That is a lot of rules, and you should probably consider using more compressed rule lists.

> What is the update interval for your lists? Could this be the time when the rule-list update is kicking in?

Yes, the rule list is currently being continuously streamlined. It is worth noting that even if the black/white list is directly cut down to leave one list of 1000 rules, it will still trigger. Even if there are not many rules, frequently updating a changed rule list manually will still trigger it. Querying the logs also triggers it, with automatic updates turned off. The list update interval is 12 hours, and every automatic update triggers it.

There is also a small bug. In the DNS settings, if you fill in an IPv6 DNS server whose address ends with ":", such as 2402:4e00::, then the configuration file shows it like this: "2402:4e00::" and the quotation marks in upstream_dns_file: "" are gone.

ainar-g commented 11 months ago

That is a YAML syntax error, not an AdGuard Home one. You need to use quotation marks.

szhu25 commented 11 months ago

If it's only appearing when AdGuard Home updates the filtering rules, I wonder if it might have any relation with the fact that raw.githubusercontent.com takes seconds to load when opening in China (at least that's my experience using Tencent Cloud Beijing)...

I currently have 15 blocklists with a total of 3090263 rules, my AdGuard Home instance uses around 20% CPU & 10 - 15% of memory on a Raspberry Pi 400 (I believe this would be a normal load for my home)

duckxx commented 11 months ago

> If it's only appearing when AdGuard Home updates the filtering rules, I wonder if it might have any relation with the fact that raw.githubusercontent.com takes seconds to load when opening in China (at least that's my experience using Tencent Cloud Beijing)...

> I currently have 15 blocklists with a total of 3090263 rules, my AdGuard Home instance uses around 20% CPU & 10 - 15% of memory on a Raspberry Pi 400 (I believe this would be a normal load for my home)

@ainar-g

Yes, because almost all Chinese servers visit foreign websites for over 150ms, my black/white list intercepts Chinese advertisements, trackers, and false scams. It is worth noting that some blacklists have even released advertising interfaces and trackers! And appearing on the add list of adguardhome is Anti-AD. And there is a meaningless list, all written descriptions, without domain names or IPs, which is the Dandelion Sprout's Game Console Adblock List.

https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt

https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt


szhu25 commented 11 months ago

> Yes, because almost all Chinese servers visit foreign websites for over 150ms, my black/white list intercepts Chinese advertisements, trackers, and false scams. It is worth noting that some blacklists have even released advertising interfaces and trackers! And appearing on the add list of adguardhome is Anti-AD.

In some cases, blocking an entire domain might cause issues for some apps or websites, and a whitelist on domain level would be needed (with the intention of blocking it at more granular levels). It's the project maintainers' decision to create a whitelist, and you probably should create an issue or search in there to see why they added a whitelist for that specific host.

https://github.com/privacy-protection-tools/anti-AD/issues

> And there is a meaningless list, all written descriptions, without domain names or IPs, which is the Dandelion Sprout's Game Console Adblock List.

I think that list is working as intended. There are a handful of hosts being blocked by the list (with lots more notes)

duckxx commented 11 months ago

@ainar-g There is also an unsafe bug, in the encryption settings. When HTTPS automatic redirection is not turned on, accessing http://dns.test.com will not jump to the management page. But visiting https://dns.test.com will automatically jump to https://dns.test.com:3000 and successfully enter the login page. I think the right behavior is that visiting http://dns.test.com and https://dns.test.com does not jump to the login page, and only entering the complete address with the port number reaches the login page: https://dns.test.com:3000

szhu25 commented 11 months ago

Instead of adding potentially duplicate or conflicting filtering lists to your instance, I would suggest looking into aggregated lists such as OISD.nl, Energized, 1Hosts.

Search or experiment with each of the aggregate lists to see if it covers all the lists (or most of the lists) you had in your instance, then you can begin replacing them with one mega list.
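One way to run the coverage check suggested above before swapping several lists for an aggregate one (an added example, not part of the thread and not AdGuard Home's code): it parses `||host^`, `@@||host^` and hosts-style lines, then reports which hosts the candidate list would miss and which it explicitly allows. The function names and both sample lists are constructed for illustration, and rule modifiers such as `$important` are ignored.

```python
import re

# "||host^" blocks host and its subdomains; a leading "@@" makes it an allow
# (exception) rule. "$modifiers" after "^" are ignored in this sketch.
ADBLOCK_RE = re.compile(r"^(@@)?\|\|([a-z0-9._-]+)\^(?:\$.*)?$")
# hosts-style line: sinkhole address, then one hostname (exact match only).
HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+([a-z0-9._-]+)$")

def parse_list(text):
    """Split one rule list into wildcard blocks, exact blocks and allows."""
    rules = {"sub": set(), "exact": set(), "allow": set()}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line[0] in "!#":          # blank line or comment
            continue
        if m := ADBLOCK_RE.match(line):
            rules["allow" if m.group(1) else "sub"].add(m.group(2))
        elif m := HOSTS_RE.match(line):
            rules["exact"].add(m.group(1))
    return rules

def compare(small, big):
    """Hosts `small` blocks that `big` misses, and those `big` allows."""
    missing, conflicts = [], []
    for kind in ("sub", "exact"):
        for host in sorted(small[kind]):
            labels = host.split(".")
            parents = {".".join(labels[i:]) for i in range(len(labels))}
            if parents & big["allow"]:           # big explicitly unblocks it
                conflicts.append(host)
            elif not (parents & big["sub"]
                      or (kind == "exact" and host in big["exact"])):
                missing.append(host)
    return missing, conflicts

# Constructed sample lists (not real list contents).
SMALL = """! small list
||ads.example.cn^
||track.example.net^$important
0.0.0.0 pixel.example.org
||cdn.example.com^
"""
BIG = """# aggregated list
||example.cn^
0.0.0.0 pixel.example.org
@@||example.com^
"""
if __name__ == "__main__":
    print(compare(parse_list(SMALL), parse_list(BIG)))
```

An empty `missing` list means the aggregate list already covers the smaller one; any entry in `conflicts` is a host that would end up unblocked because the aggregate list carries an exception rule for it.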

duckxx commented 11 months ago

> > Yes, because almost all Chinese servers visit foreign websites for over 150ms, my black/white list intercepts Chinese advertisements, trackers, and false scams. It is worth noting that some blacklists have even released advertising interfaces and trackers! And appearing on the add list of adguardhome is Anti-AD.

> In some cases, blocking an entire domain might cause issues for some app or websites, and a whitelist on domain level would be needed (with the intention of blocking it in more granular levels). It's the project maintainers' decision to create whitelist, and you probably should create a issue or search in there to see why they added a whitelist for that specific host.

> https://github.com/privacy-protection-tools/anti-AD/issues

> > And there is a meaningless list, all written descriptions, without domain names or IPs, which is the Dandelion Sprout's Game Console Adblock List.

> I think that list is working as intended. There are a handful of hosts being blocked by the list (with lots more note)

If intercepting certain trackers means things cannot be used normally, these domain names should be removed from the interception library, leaving users to intercept them on their own. They should not be allowed through in the rule library, and there are no annotations explaining it.

duckxx commented 11 months ago

@ainar-g Just now, after activating the list with 600000 rules, the bug was triggered in less than 2 hours and lasted for more than 30 minutes at full load.

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt


duckxx commented 11 months ago

@ainar-g This is the debug-mode data from after the bug was triggered.

https://wwpt.lanzoul.com/ibOnA12dp8vg

Potterli20 commented 11 months ago

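Now I feel relieved: a problem from two years ago, and someone has finally raised it. 8 million ad-blocking rules work fine in Docker, but on a bare-metal install they just do not work. A 150M DNS file works fine in Docker, but on a bare-metal install it does not work either. But this was asked a long time ago, and whether they fix it or not no longer matters. This is a Go garbage-collection problem.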

handongming commented 10 months ago

What kind of problem is Go garbage collection? Bro, your avatar is really something.

Potterli20 commented 10 months ago

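> What kind of problem is Go garbage collection? Bro, your avatar is really something.

It is a memory leak; memory is not being reclaimed.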

GXY1122 commented 5 months ago

Has this been solved? I ran into the same thing.

duckxx commented 2 weeks ago

This problem still exists, but after replacing the system with Ubuntu 24.04, the situation has been alleviated.

I also found a bug that causes adguardhome to crash directly, that is, set up one or more upstream DNS servers in the upstream server and select concurrent requests. If one of the upstream servers cannot be resolved and replaced with another upstream DNS, it will cause adguardhome to crash directly.

However, the CPU and memory are not full, and have been at a normal level.