Open junzhli opened 2 years ago
Hello, sorry for the late reply.
To troubleshoot this issue, we need to get the app logs.
Here's what we need you to do:
apple@adguard.com
and mention this issue number in the subject.Thanks for the reply, I just sent to the email address
Hello.
I just wanted to ask you some more information about your configuration.
Is it your provider's IPv6 network? Or maybe are you using NAT64 with DNS64 on your router?
What address do command ping adguard.com
resolves?
What output do you see executing dig adguard.com A
command?
@D13410N3 Yes, it's provider's IPv6 network, which it's configured behind router that connects to ISP with PPPoE to get both IPv4 and IPv6 connectivity Here's the result of the above commands:
❯ ping adguard.com
PING adguard.com (104.20.91.49): 56 data bytes
64 bytes from 104.20.91.49: icmp_seq=0 ttl=56 time=12.621 ms
64 bytes from 104.20.91.49: icmp_seq=1 ttl=56 time=11.428 ms
64 bytes from 104.20.91.49: icmp_seq=2 ttl=56 time=10.210 ms
64 bytes from 104.20.91.49: icmp_seq=3 ttl=56 time=10.954 ms
64 bytes from 104.20.91.49: icmp_seq=4 ttl=56 time=9.936 ms
64 bytes from 104.20.91.49: icmp_seq=5 ttl=56 time=9.597 ms
64 bytes from 104.20.91.49: icmp_seq=6 ttl=56 time=10.974 ms
^C
--- adguard.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.597/10.817/12.621/0.949 ms
❯ dig adguard.com A
; <<>> DiG 9.10.6 <<>> adguard.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;adguard.com. IN A
;; ANSWER SECTION:
adguard.com. 283 IN A 104.20.91.49
adguard.com. 283 IN A 104.20.90.49
adguard.com. 283 IN A 172.67.3.157
;; Query time: 1 msec
;; SERVER: 2001:b011:3820:73b9:d65d:64ff:fe0b:a260#53(2001:b011:3820:73b9:d65d:64ff:fe0b:a260)
;; WHEN: Wed Apr 27 00:19:29 CST 2022
;; MSG SIZE rcvd: 88
@junzhli
Hello. We checked your logs. According to them, it turns out that everything works well, requests go through AdGuard DNS IPv6. It is also clear that you did not test on the https://adguard.com/en/test.html
. To find out problems with the test page, we need debug logs where you used the test page. You can also view requests in the application filtering log.
We reviewed information about your experiments with overriding router settings. To understand the reasons for this behavior, we also need debug logs.
@dakuzmin69
Hi, thanks for the reply
I just sent another pack of debugging log exported from Adguard to the email apple@adguard.com
with the same issue number in the subject , which it includes all my experiments for overriding dns setting at macOS system level one and respecting router dns advertised one. I also detail the timing of the log that what I did. Maybe it helps for you. Thanks!
If there is any news on this issue?
AdGuard DNS protection, does not work on IPv6 on any selected ISP. More precisely, DNS protection works, but only once!
If you reload the page in the Internet browser, the DNS test shows that the DNS protection is not running.
To get around this issue, I use the following algorithm:
DNS protection - OFF.
Installing the DNS Profile.
AdGuard services check-page.
DNS test
I haven't got any reply for further troubleshooting since last time I sent another pack logging with experiment workflow explained. Maybe @Chinaski1 or @dakuzmin69 can help?
@junzhli Hello! Sorry for the late reply, the problem is still not clear The logs show that after the last change of the dns server in the settings, you didn't check the AdGuard test page For a better understanding of the problem, please make your experiments as follows, after disabling AdGuard protection, turning off AdGuard itself and reducing Internet activity as much as possible, also open AdGuard test pages in browsers:
Repeat this sequence of steps for each experiment, and then send the resulting archives
@Oleg-Chashko Hello! Do I understand correctly that you use a DNS profile instead of AdGuard for Mac to filter dns traffic?
@dakuzmin69 Hello! That's right. This is a forced measure. It happens with all the users I know. In the provider of the internet "Vodafone Deutschland" and "Unitymedia Deutschland" (Dual Stack-Lite).
Please describe your network configuration and AdGuard configuration, your problem is not reproduced on our side. Do you use any potentially incompatible software?
AdGuard configuration:
AdGuard_20220520012814.adguardsettings.zip
Do you use any potentially incompatible software? A very vague question. I don't even know how to answer it. But the answer is that everyone with Dual Stack-Lite has this problem.
Here is the second way around this problem: disabling IPv6 on the Synology Router.
@dakuzmin69 If you have the time and desire. I could help you by testing on my side. You give me a beta build and I'll test it. Until a positive result is achieved.
@Oleg-Chashko Thank you for your quick and detailed reply. We appreciate you're ready for collaboration. Though, we need time to elaborate upon your problem.
Hi @dakuzmin69 Sorry for the late reply. I just sent another pack of logging with different scenarios. Hope to be helpful for this problem, thanks!
@Chinaski1 @dakuzmin69 If you disable the "Automatically filter applications" checkbox, "AdGuard DNS" starts working. The video file is attached. I think it should help you to solve this problem.
@Chinaski1 @dakuzmin69 I find out if the filtering mode changes to automatic proxy as shown the above reply from @Oleg-Chashko , DNS protection starts working with respecting router advertised dns servers
@junzhli
Hello!
Could you send the logs again as I can't find them in my mailbox?
Hi @Chinaski1,
Thanks for the reply. I sent you another email with title Issue number 595342 Exported debugging log #3 Reply to @Chinaski1
to apple@adguard.com
Previously, I sent the email with title Issue number 595342 Exported debugging log #3 Reply to @dakuzmin69
to the same email address
@junzhli Thanks for the previous logs, they were very convenient to analyze. However, in problematic cases, the logs don't show any activity for dnscheck.adguard.com
. Please send new logs using the following algorithm:
~/Library/Group Containers/TC3Q7MAJXF.com.adguard.mac/Library/Logs
)dig dnscheck.adguard.com
in Terminal, send output of this command tooIn the future, I suggest using this algorithm for collecting logs by default.
@junzhli Can you please show output of scutil --dns
terminal command?
@Oleg-Chashko Please explain what actions you took while recording the logs?
Seems that DNS wasn't intercepted by AdGuard :(
@Oleg-Chashko Can you please show scutil
-> show State:/Network/Global/DNS
?
Can you also please try with network.filtering.localnetwork
Advanced settings set to true
?
scutil -> show State:/Network/Global/DNS
Can you also please try with network.filtering.localnetwork Advanced settings set to true? Done. Test: adguard_logs_20220602014331.zip com.adguard.mac.adguard.zip Terminal Saved Output.zip
Seems that DNS wasn't intercepted by AdGuard :( I noticed that intercepts can only be 1 and 2 times. Further intercepts do not work.
@sfionov Hi, here's the result
❯ scutil --dns
DNS configuration
resolver #1
nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
nameserver[1] : 192.168.50.1
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
nameserver[1] : 192.168.50.1
if_index : 4 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
Hi @dakuzmin69 ,
I sent you another email as you requested with title Issue number 595342 Exported debugging log #4 Reply to @dakuzmin69
to apple@adguard.com
Hi @dakuzmin69 ,
I sent you another email with minor update for the above one to apple@adguard.com
, and the email title's Issue number 595342 Exported debugging log #4 Reply to @dakuzmin69 (revised #1)
Thanks
@junzhli @Oleg-Chashko We found a bug, we plan to fix it in the next version. Thanks for the info, it helped us.
i notice the new version for mac is just release on aug, 3rd. (2.8.1) is the workaround for this bug included?
just saw the post is tagged with version 2.9, hope to get it released to stable version soon!
@junzhli I use the current v.2.9.0.1167 nightly. Not yet fixed the issue. 🙁
@Oleg-Chashko so sad. let's look forward to future release! btw, i notice the bug only happens with router with ipv6 stateless mode, which you'll see there are two more ipv6 addresses assigned to same device it works well after i changed to ipv6 stateful mode on router not sure if that's expected result
Unfortunately, I can't try this because my Synology Router is connected to the Internet via an IPv6 relay service. The DNS leak test only works if I have IPv4 or IPv6 enabled. With both protocols, the DNS leak test fails. I will have to wait for a version with a fix.
@Oleg-Chashko @junzhli We've found and fixed an issue that could prevent the network extension from filtering IPv6 DNS traffic, thanks to your logs. 2.9.0.1197 beta
should already contain the fix, which means that that wasn't the only bug. Could you please share the debug log again from 2.9.0.1197 beta
(or a newer version)?
AdGuard DNS Non-filtering
dig dnscheck.adguard.com
scutil --dns
@Oleg-Chashko Thanks! It looks like IPv6 DNS is still not being filtered, however this is all I can see in terms of debug network extension logs:
% cat com.adguard.mac.adguard.log | grep mac.adguard.network-extension | grep "D:"
2022-10-13 19:37:35.324882+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) AGProxyServer: Stopping server...
2022-10-13 19:37:35.325007+0300 [com.adguard.mac.adguard.network-extension:1406730] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325086+0300 [com.adguard.mac.adguard.network-extension:1406732] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325094+0300 [com.adguard.mac.adguard.network-extension:1406731] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325098+0300 [com.adguard.mac.adguard.network-extension:1406733] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337898+0300 [com.adguard.mac.adguard.network-extension:1406739] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337936+0300 [com.adguard.mac.adguard.network-extension:1406737] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337936+0300 [com.adguard.mac.adguard.network-extension:1406738] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.338123+0300 [com.adguard.mac.adguard.network-extension:1406740] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.350633+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) AGLocalApiServer: evconnlistener_free
2022-10-13 19:37:35.455534+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) ANDnsChange: Stopped listening for DNS changes
2022-10-13 19:37:35.455672+0300 [com.adguard.mac.adguard.network-extension:1406710] D: (CL: ) AGEventLoop: run(): Stopped event thread
Are you sure you had enabled debug logging before you reproduced the issue?
Are you sure you had enabled debug logging before you reproduced the issue?
Yes. I can send more logs, as many times as necessary?
adguard_logs_20221013054221.zip
(v.2.9.0.1203 - 2.9.0 RC 2) not fixed yet. :(
Safari & Google Chrome
Firefox & Google Chrome
Filtered Applications
Google Chrome:
Firefox & Safari:
hello @Oleg-Chashko , do you turn off dns over https in firefox? you can check the setting under 'network setting'
hello @Oleg-Chashko , do you turn off dns over https in firefox? you can check the setting under 'network setting'
I checked it out right away. And guess what, it wasn't on. The system selection was on.
Hello! @junzhli You must be mistaken, you must mean Google Chrome. So how did it pass the IPv4 test?
hi @Oleg-Chashko , may i know what's your macOS version? I have a new finding from my side, the problem just disappears without any reason. Here's my spec: Stateless IPv6 mode on router Adguard 2.8.1.1147 (CL-1.9.86, DNS-1.7.22) (also works on Adguard beta 2.9.0.1203)!!! macOS Monterey 12.6 DNS protection enabled and it uses Adguard DNS instead of System default Adguard test page shows Adguard DNS is working
As title says, my router pushes their relay dns server address to client. From what i experience on using router asus ac86u, when IPv6 connectivity enabled on both macOS network adapter and router. We'll have both IPv4 and IPv6 Wan Address assigned to client (macOS), including at least two DNS servers (one is IPv4 and another one is IPv6, both are relay dns server, which is router itself ip address). In my case, first dns address is router IPv4 address (private ip) and second dns address is IPv6 address (wan ip not link-local ip) I try to override dns setting to get rid of IPv6 one, and it works well It won't work well when the IPv6 one is used (either using it alone or using it with IPv4 one) If i set public ipv6 public dns address as dns instead of using the router ipv6 one, it works again
Steps to reproduce
https://adguard.com/en/test.html
Expected behavior
See Adguard DNS is detected as the page shows
Actual behavior
Adguard DNS is not detected as the page shows
Screenshot:
![Screen Shot 2022-04-21 at 5 31 59 PM](https://user-images.githubusercontent.com/4001697/164425947-5d6be538-f0d5-442b-abdc-dfb3b8c714c9.png)Customer ID
595342
Your environment