Open Akiya82 opened 6 months ago
Can you elaborate on how Nginx is involved? DoT and DoQ are both typically on port 853, while DoH is typically on 443.
All DNS over HTTPS (DoH) requests are routed through Nginx Proxy Manager (Adguard — Nginx — User).
DNS over QUIC (DoQ) and DNS over TLS (DoT) go directly to AdGuard Home from the user (Adguard — User).
If I try to exclude Nginx from the DoH request path, it will work within the network due to the DNS zone. However, outside the local network, DoH will not work because Nginx proxies all my web resources, and either DoH to AdGuard Home or everything else will stop functioning. This is because I can specify only one destination address in port 443 forwarding on the router.
If I used only one domain and a wildcard domain for AdGuard Home, all traffic would go through Nginx, and I would not know the real IP addresses when accessing AdGuard through DoT and DoQ due to the proxying of TCP and UDP streams on Nginx.
It is possible to remove the «Server Name» field altogether. Instead, the program can be given the definition of this variable and loop through the names in the certificate. The program will then search for a wildcard domain and find its non-wildcard counterpart in the certificate. As a result, the client ID will be defined automatically.
When multiple certificates are merged into one certificate, IP certificates are not recognized, but single-IP or single-domain certificates can be recognized.
This suggestion would allow for using single certs for specific devices to be used for clientID without getting a wildcard cert as well.
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to request a feature or enhancement and not ask a question
The problem
I created a certificate with three wildcard domains and three regular domains. The wildcard domains are in the format `*.doh-agh.xxx.com`, `*.dot-agh.xxx.com` and `*.doq-agh.xxx.com`.
When I enter one of these domains in the "Server Name" field on the "Encryption" tab (for example, doh-agh.xxx.com), the client IDs of the other wildcard domains are not detected. I need these additional wildcard domains to be able to route traffic in my local network differently for different DNS protocols.
Proposed solution
I suggest adding the option to enter multiple "Server Names" in the "Encryption" tab. This way, the clientID detection will work for more than one domain.
Alternatives considered and additional information
The reason for separating the DoH, DoT, and DoQ clients by domain is to create different paths for proxying device requests within the local network. When I use only one domain, I have to remove the Nginx server from the request path to AdGuard Home, which disrupts the architecture of my home network.
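The matching described in the comments above (walk the certificate's names, take each wildcard entry as a base, and treat a one-label prefix of the SNI as the client ID) and the proposed multi-server-name detection, as an added worked example in Go. This is illustration code written for this page, not AdGuard Home's own implementation. It builds a throwaway self-signed certificate in memory with constructed `example.com` names, reads the SAN list back with `crypto/x509`, and derives a client ID from a ClientHello server name. The client-ID character rule (letters, digits, hyphens) is an assumption made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// newTestCert builds a self-signed certificate carrying the given SAN names.
// It exists only so the example can exercise a real x509.Certificate offline;
// in practice the certificate comes from the Encryption tab.
func newTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// wildcardBases returns the base domain of every wildcard SAN, so
// "*.doh-agh.example.com" yields "doh-agh.example.com". Longer bases are
// placed first so that a base which is itself a suffix of another base
// cannot shadow the more specific one during matching.
func wildcardBases(dnsNames []string) []string {
	var bases []string
	for _, n := range dnsNames {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		if strings.HasPrefix(n, "*.") && len(n) > 2 {
			bases = append(bases, n[2:])
		}
	}
	sort.Slice(bases, func(i, j int) bool { return len(bases[i]) > len(bases[j]) })
	return bases
}

// validClientID is the assumed rule used in this example: one DNS label made
// of letters, digits and hyphens, not starting or ending with a hyphen.
func validClientID(s string) bool {
	if s == "" || s[0] == '-' || s[len(s)-1] == '-' {
		return false
	}
	for _, r := range s {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')
		if !isAlnum && r != '-' {
			return false
		}
	}
	return true
}

// clientIDFromSNI returns the client ID when sni is exactly one label under
// one of the wildcard bases. ok is false for the bare base name (a plain
// connection with no client ID), for names under no known base, and for
// names more than one label deep, which a wildcard certificate does not cover.
func clientIDFromSNI(sni string, bases []string) (id, base string, ok bool) {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, b := range bases {
		suffix := "." + b
		if !strings.HasSuffix(sni, suffix) {
			continue
		}
		label := strings.TrimSuffix(sni, suffix)
		if strings.Contains(label, ".") || !validClientID(label) {
			return "", b, false
		}
		return label, b, true
	}
	return "", "", false
}

func main() {
	// Constructed SAN list mirroring the issue's layout: three wildcard names
	// plus their non-wildcard counterparts (example.com stands in for xxx.com).
	cert, err := newTestCert([]string{
		"*.doh-agh.example.com", "doh-agh.example.com",
		"*.dot-agh.example.com", "dot-agh.example.com",
		"*.doq-agh.example.com", "doq-agh.example.com",
	})
	if err != nil {
		panic(err)
	}
	bases := wildcardBases(cert.DNSNames)
	for _, sni := range []string{
		"laptop.dot-agh.example.com", // client ID "laptop" via the DoT name
		"phone.doq-agh.example.com",  // client ID "phone" via the DoQ name
		"doh-agh.example.com",        // bare name, no client ID
		"a.b.doh-agh.example.com",    // too deep for a wildcard, rejected
	} {
		id, base, ok := clientIDFromSNI(sni, bases)
		fmt.Printf("%-28s base=%-22s id=%q ok=%v\n", sni, base, id, ok)
	}
}
```

Because every wildcard SAN in the certificate becomes a base, a single certificate carrying `*.doh-agh`, `*.dot-agh` and `*.doq-agh` names gives client-ID detection on all three without a separate "Server Name" setting per protocol, which is the behaviour the feature request asks for.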