AdguardTeam / AdguardForAndroid

Open bug tracker for Android version of AdGuard.
https://adguard.com/

Firewall blocks private DNS traffic in Automatic proxy mode #4833

Open bono3729 opened 1 year ago

bono3729 commented 1 year ago

AdGuard version

4.1 Nightly 10

Environment

- OS: Android 13
- Device: Various (Samsung, Xiaomi)
- Firmware: Various

Root access

Issue Details

Prerequisites

  1. Turn on firewall
  2. Create a global firewall rule to block all traffic
  3. Allow individual app traffic with custom firewall rules (for example, Chrome)
  4. Wait for 1 minute

Expected Behavior

Chrome should be able to use the network; other applications should not be allowed to use the network.

Actual Behavior

Internet unavailable due to blocking of all DNS traffic

Additional Information

Added by @Versty: The same setup works flawlessly if the operating mode is set to Local VPN.

Original text:

I basically want to block all apps from connecting to the Internet, and allow only the apps I want to connect to. So the global firewall rules blocked all connections, and the custom firewall rules allowed only some apps. However, if a global firewall rule blocks all traffic, DNS traffic is also blocked.

In AdGuard v3, DNS traffic was allowed in firewall rules. However, in v4, DNS disappeared from the app list. Therefore, DNS traffic cannot be allowed separately.

With AdGuard DNS protection, there are no DNS issues. However, since I sometimes have to turn off AdGuard, I would like to use Android Private DNS, which is independent of AdGuard, for minimal protection. Since Android Private DNS is DoT, and DoT uses port 853, the current temporary solution is to modify the range of filtered ports in low-level settings so that Android Private DNS can be used, as follows:

  80..852 854..5221 5299..65535

There seems to be no problem with the use, but I don't know how it affects the actual AdGuard protection. For proper resolution, please add DNS to the custom firewall rule as before.

Versty commented 1 year ago

@bono3729 Hi! Unfortunately, there is no technical possibility to separate DNS system module from other system applications.

The best solution would be to create a custom firewall rule for the System apps group. Please check if it works for you and let me know the result.

bono3729 commented 1 year ago

@Versty Hello. I set the firewall rule for 'System apps group' but it didn't work. It's very unfortunate that I can't separate the DNS module.

If so, is there no problem with all the protection features if I exclude DNS port from filtering? I'm now using 853 port without AdGuard filtering. Ad-block, DNS or firewall also works correctly. However, it is difficult for users to know if tracking protection works correctly, so I don't know if there is any problem.

If you can't detach the DNS module, I hope that excluding DNS ports from filtering is the correct solution.

Versty commented 1 year ago

@bono3729 Yes, excluding port 853 should work fine as a temporary solution.
We have successfully reproduced this issue and are currently looking for the cause.
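The workaround quoted in the original report and confirmed above (excluding port 853 from the filtered-port ranges) leaves more than one port unfiltered. The following is an added example, not AdGuard's code, that parses the space-separated `a..b` range syntax shown in the issue and lists every port that bypasses filtering under that setting, so the reader can see exactly what the workaround opens; the `a..b` token format and the well-known-port labels are assumptions, the range string itself is copied from the report.

```python
from typing import List, Tuple

# Filtered-port string copied from the workaround in this issue.
FILTERED_PORTS = "80..852 854..5221 5299..65535"
PORT_MAX = 65535
# Labels for a few ports worth noticing in the unfiltered set (assumed, for the report only).
WELL_KNOWN = {53: "plain DNS", 853: "DNS-over-TLS (Android Private DNS)"}


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse 'a..b' tokens (or bare ports) into sorted, merged (lo, hi) tuples."""
    ranges = []
    for token in spec.split():
        lo, hi = (int(p) for p in token.split("..", 1)) if ".." in token else (int(token),) * 2
        if not 0 <= lo <= hi <= PORT_MAX:
            raise ValueError(f"bad port range: {token}")
        ranges.append((lo, hi))
    ranges.sort()
    merged: List[Tuple[int, int]] = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:      # overlapping or adjacent: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def unfiltered_ports(spec: str) -> List[Tuple[int, int]]:
    """Complement of the filtered set: every port range AdGuard would not inspect."""
    gaps, cursor = [], 0
    for lo, hi in parse_port_ranges(spec):
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = hi + 1
    if cursor <= PORT_MAX:
        gaps.append((cursor, PORT_MAX))
    return gaps


def is_filtered(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_port_ranges(spec))


if __name__ == "__main__":
    for lo, hi in unfiltered_ports(FILTERED_PORTS):
        notes = [WELL_KNOWN[p] for p in WELL_KNOWN if lo <= p <= hi]
        print(f"unfiltered {lo}..{hi}" + (f"  ({', '.join(notes)})" if notes else ""))
```

Running it shows that besides 853 the ranges 0..79 (including plain DNS on 53) and 5222..5298 are also outside the filter, which is the part of the workaround the report's author could not assess.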