AdguardTeam / AdguardForMac

Open bug tracker for Mac version of AdGuard
https://adguard.com/

Adguard DNS Protection is not working well with router advertised dns servers #1061

Open junzhli opened 2 years ago

junzhli commented 2 years ago

As the title says, my router pushes its relay DNS server address to clients. From what I experience using the router ASUS AC86U, when IPv6 connectivity is enabled on both the macOS network adapter and the router, we'll have both IPv4 and IPv6 WAN addresses assigned to the client (macOS), including at least two DNS servers (one IPv4 and one IPv6; both are relay DNS servers, i.e. the router's own IP addresses). In my case, the first DNS address is the router's IPv4 address (private IP) and the second DNS address is an IPv6 address (WAN IP, not link-local IP). I tried overriding the DNS setting to get rid of the IPv6 one, and it works well. It won't work well when the IPv6 one is used (either alone or together with the IPv4 one). If I set a public IPv6 DNS address instead of the router's IPv6 one, it works again.

Steps to reproduce

  1. A little bit hard to reproduce this issue, as I can only reproduce it with my router (ASUS AC86U)
  2. Set up IPv6 enabled on both side (macOS and router)
  3. Leave any DHCP and DNS setting with default value on router
  4. Join the router wireless / ethernet network to get DNS settings pushed onto our system (macOS Monterey 13.3.1 with Adguard for Mac 2.8)
  5. Set up Adguard DNS Protection
  6. (4.1) Enable DNS Protection
  7. (4.2) Choose Adguard DNS instead of System default
  8. Go to adguard check website https://adguard.com/en/test.html

Expected behavior

See Adguard DNS is detected as the page shows

Actual behavior

Adguard DNS is not detected as the page shows

Screenshot: ![Screen Shot 2022-04-21 at 5 31 59 PM](https://user-images.githubusercontent.com/4001697/164425947-5d6be538-f0d5-442b-abdc-dfb3b8c714c9.png)

Customer ID

595342

Your environment

Chinaski1 commented 2 years ago

Hello, sorry for the late reply.

To troubleshoot this issue, we need to get the app logs.

Here's what we need you to do:

  1. Click AdGuard icon in the menu bar --> Gear --> Advanced --> Logging level --> Debug;
  2. Reproduce the issue and remember the exact time it happened;
  3. Menu --> Advanced --> Export Logs and System Info...;
  4. Send the archive to apple@adguard.com and mention this issue number in the subject.
junzhli commented 2 years ago

Thanks for the reply, I just sent to the email address

D13410N3 commented 2 years ago

Hello. I just wanted to ask you for some more information about your configuration. Is it your provider's IPv6 network? Or are you maybe using NAT64 with DNS64 on your router? What address does the command ping adguard.com resolve to? What output do you see executing the dig adguard.com A command?

junzhli commented 2 years ago

@D13410N3 Yes, it's the provider's IPv6 network, which is configured behind a router that connects to the ISP with PPPoE to get both IPv4 and IPv6 connectivity. Here's the result of the above commands:

❯ ping adguard.com
PING adguard.com (104.20.91.49): 56 data bytes
64 bytes from 104.20.91.49: icmp_seq=0 ttl=56 time=12.621 ms
64 bytes from 104.20.91.49: icmp_seq=1 ttl=56 time=11.428 ms
64 bytes from 104.20.91.49: icmp_seq=2 ttl=56 time=10.210 ms
64 bytes from 104.20.91.49: icmp_seq=3 ttl=56 time=10.954 ms
64 bytes from 104.20.91.49: icmp_seq=4 ttl=56 time=9.936 ms
64 bytes from 104.20.91.49: icmp_seq=5 ttl=56 time=9.597 ms
64 bytes from 104.20.91.49: icmp_seq=6 ttl=56 time=10.974 ms
^C
--- adguard.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.597/10.817/12.621/0.949 ms
❯ dig adguard.com A

; <<>> DiG 9.10.6 <<>> adguard.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;adguard.com.           IN  A

;; ANSWER SECTION:
adguard.com.        283 IN  A   104.20.91.49
adguard.com.        283 IN  A   104.20.90.49
adguard.com.        283 IN  A   172.67.3.157

;; Query time: 1 msec
;; SERVER: 2001:b011:3820:73b9:d65d:64ff:fe0b:a260#53(2001:b011:3820:73b9:d65d:64ff:fe0b:a260)
;; WHEN: Wed Apr 27 00:19:29 CST 2022
;; MSG SIZE  rcvd: 88
dakuzmin69 commented 2 years ago

@junzhli Hello. We checked your logs. According to them, it turns out that everything works well; requests go through AdGuard DNS IPv6. It is also clear that you did not test on https://adguard.com/en/test.html. To find out the problems with the test page, we need debug logs where you used the test page. You can also view requests in the application filtering log.

We reviewed information about your experiments with overriding router settings. To understand the reasons for this behavior, we also need debug logs.

junzhli commented 2 years ago

@dakuzmin69 Hi, thanks for the reply. I just sent another pack of debug logs exported from AdGuard to the email apple@adguard.com with the same issue number in the subject; it includes all my experiments with overriding the DNS setting at the macOS system level and with respecting the router-advertised one. I also detailed in the log the timing of what I did. Maybe it helps for you. Thanks!

Oleg-Chashko commented 2 years ago

Is there any news on this issue?

AdGuard DNS protection does not work on IPv6 on any selected ISP. More precisely, DNS protection works, but only once!

DNS leak test

If you reload the page in the Internet browser, the DNS test shows that the DNS protection is not running.

(screenshot: Screen Shot 2022-05-15 at 21 33 00)

To get around this issue, I use the following algorithm:

  1. DNS protection - OFF. (screenshot: DNS Protection)
  2. Installing the DNS Profile. (screenshot: DNS profile install)
  3. AdGuard services check-page. (screenshot: Profile - adguard-https-mobileconfig)
  4. DNS test. (screenshot: Screen Shot 2022-05-15 at 21 40 14)
junzhli commented 2 years ago

I haven't got any reply for further troubleshooting since last time I sent another pack logging with experiment workflow explained. Maybe @Chinaski1 or @dakuzmin69 can help?

dakuzmin69 commented 2 years ago

@junzhli Hello! Sorry for the late reply; the problem is still not clear. The logs show that after the last change of the DNS server in the settings, you didn't check the AdGuard test page. For a better understanding of the problem, please make your experiments as follows, after disabling AdGuard protection, turning off AdGuard itself and reducing Internet activity as much as possible; also open the AdGuard test pages in browsers:

  1. Clear the logs folder ("~/Library/Group Containers/TC3Q7MAJXF.com.adguard.mac/Library/Logs")
  2. Set a new DNS server in system settings
  3. Turn on AdGuard, wait about 10 seconds
  4. Set debug log level
  5. Enable protection, wait about 10 seconds
  6. Click on the "Check again" button in each of the browsers at least 5 seconds apart
  7. Disable protection
  8. Collect logs
  9. Turn off AdGuard

Repeat this sequence of steps for each experiment, and then send the resulting archives

dakuzmin69 commented 2 years ago

@Oleg-Chashko Hello! Do I understand correctly that you use a DNS profile instead of AdGuard for Mac to filter dns traffic?

Oleg-Chashko commented 2 years ago

@dakuzmin69 Hello! That's right. This is a forced measure. It happens with all the users I know, on the Internet providers "Vodafone Deutschland" and "Unitymedia Deutschland" (Dual Stack-Lite).

dakuzmin69 commented 2 years ago

Please describe your network configuration and AdGuard configuration, your problem is not reproduced on our side. Do you use any potentially incompatible software?

Oleg-Chashko commented 2 years ago
  1. Vodafone Station: Screen Shot 2022-05-20 at 15 12 41
  2. Synology Router: Screen Shot 2022-05-20 at 15 18 45 Screen Shot 2022-05-20 at 15 18 59 Screen Shot 2022-05-20 at 15 19 40
  3. Macbook Pro: Screen Shot 2022-05-20 at 15 21 02

AdGuard configuration:

AdGuard_20220520012814.adguardsettings.zip


Do you use any potentially incompatible software? A very vague question. I don't even know how to answer it. But the answer is that everyone with Dual Stack-Lite has this problem.

Oleg-Chashko commented 2 years ago

Here is the second way around this problem: disabling IPv6 on the Synology Router.

Screen Shot 2022-05-20 at 15 43 45 Screen Shot 2022-05-20 at 15 45 36
Oleg-Chashko commented 2 years ago

@dakuzmin69 If you have the time and desire. I could help you by testing on my side. You give me a beta build and I'll test it. Until a positive result is achieved.

dakuzmin69 commented 2 years ago

@Oleg-Chashko Thank you for your quick and detailed reply. We appreciate you're ready for collaboration. Though, we need time to elaborate upon your problem.

junzhli commented 2 years ago

Hi @dakuzmin69 Sorry for the late reply. I just sent another pack of logging with different scenarios. Hope to be helpful for this problem, thanks!

Oleg-Chashko commented 2 years ago

@Chinaski1 @dakuzmin69 If you disable the "Automatically filter applications" checkbox, "AdGuard DNS" starts working. The video file is attached. I think it should help you to solve this problem.

https://user-images.githubusercontent.com/62497891/170281094-36b1155e-d854-4496-be00-78a2a7570d33.mp4

Screen Shot 2022-05-25 at 16 09 54
junzhli commented 2 years ago

@Chinaski1 @dakuzmin69 I found out that if the filtering mode is changed to automatic proxy, as shown in the above reply from @Oleg-Chashko, DNS protection starts working while respecting the router-advertised DNS servers.

Chinaski1 commented 2 years ago

@junzhli

Hello!

Could you send the logs again as I can't find them in my mailbox?

junzhli commented 2 years ago

Hi @Chinaski1,

Thanks for the reply. I sent you another email with the title "Issue number 595342 Exported debugging log #3 Reply to @Chinaski1" to apple@adguard.com. Previously, I sent an email with the title "Issue number 595342 Exported debugging log #3 Reply to @dakuzmin69" to the same address.

dakuzmin69 commented 2 years ago

@junzhli Thanks for the previous logs, they were very convenient to analyze. However, in problematic cases, the logs don't show any activity for dnscheck.adguard.com. Please send new logs using the following algorithm:

  1. Close all applications that may use the Internet, such as Internet browsers
  2. Clear the logs folder (~/Library/Group Containers/TC3Q7MAJXF.com.adguard.mac/Library/Logs)
  3. Set a new DNS server in system settings
  4. Turn on AdGuard, wait about 10 seconds
  5. Set debug log level
  6. Enable protection, wait about 10 seconds
  7. Run dig dnscheck.adguard.com in Terminal, send output of this command too
  8. Disable protection
  9. Collect logs
  10. Turn off AdGuard

In the future, I suggest using this algorithm for collecting logs by default.

sfionov commented 2 years ago

@junzhli Can you please show output of scutil --dns terminal command?

Oleg-Chashko commented 2 years ago

com.adguard.mac.adguard.zip adguard_logs_20220601121805.zip

Oleg-Chashko commented 2 years ago
Screen Shot 2022-06-01 at 14 20 47
dakuzmin69 commented 2 years ago

@Oleg-Chashko Please explain what actions you took while recording the logs?

sfionov commented 2 years ago

Seems that DNS wasn't intercepted by AdGuard :(

@Oleg-Chashko Can you please show scutil -> show State:/Network/Global/DNS?

Can you also please try with network.filtering.localnetwork Advanced settings set to true?

Oleg-Chashko commented 2 years ago

Seems that DNS wasn't intercepted by AdGuard :( I noticed that it intercepts only one or two times. Further intercepts do not work.

Screen Shot 2022-06-01 at 14 39 11
junzhli commented 2 years ago

@sfionov Hi, here's the result

❯ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
  nameserver[1] : 192.168.50.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 2001:b011:3820:172b:d65d:64ff:fe0b:a260
  nameserver[1] : 192.168.50.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
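The `scutil --dns` dump above is the evidence both maintainers asked for, and the thing to read off it is which address family macOS tries first and whether resolver #1 is dual-stack. The following is an added example, not AdGuard's code and not posted by any participant: a small POSIX shell/awk parser for that output format. The sample input is constructed (documentation addresses, abbreviated sections) and mirrors the ordering in the thread, where the router's IPv6 address is nameserver[0] and its IPv4 address is nameserver[1]; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not AdGuard's code): parse `scutil --dns` output and report
# which address families the system's primary resolver uses, so that the
# "IPv6 router address listed first" layout from this thread can be spotted
# without reading the whole dump by hand.

# Constructed sample of `scutil --dns` output, abbreviated and using
# documentation addresses; the ordering mirrors resolver #1 in the thread.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 2001:db8:1:2::1
  nameserver[1] : 192.168.50.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 2001:db8:1:2::1
  nameserver[1] : 192.168.50.1
  if_index : 4 (en0)'

# Read scutil --dns output on stdin; print "<index> <address> <family>" for
# every nameserver of the unscoped resolver #1 (the one used for ordinary
# queries). family is ipv4, ipv6 or ipv6-linklocal (fe80::/10).
list_primary_nameservers() {
    awk '
        /^DNS configuration \(for scoped queries\)/ { exit }
        /^resolver #/ { in_first = ($2 == "#1"); next }
        in_first && $1 ~ /^nameserver\[[0-9]+\]$/ {
            idx = $1; sub(/^nameserver\[/, "", idx); sub(/\]$/, "", idx)
            addr = $3
            if (addr ~ /:/) {
                fam = (tolower(addr) ~ /^fe[89ab]/) ? "ipv6-linklocal" : "ipv6"
            } else {
                fam = "ipv4"
            }
            print idx, addr, fam
        }
    '
}

# Family of nameserver[0], i.e. the server macOS tries first.
primary_resolver_family() {
    list_primary_nameservers | awk '$1 == "0" { print $3; exit }'
}

# Succeeds (exit 0) when resolver #1 lists both an IPv4 and an IPv6 server,
# the dual-stack layout the reporters in this thread had.
has_dual_stack_resolvers() {
    list_primary_nameservers | awk '
        $3 == "ipv4" { v4 = 1 }
        $3 ~ /^ipv6/ { v6 = 1 }
        END { exit !(v4 && v6) }
    '
}

# Stand-alone demonstration on the constructed sample. On a real Mac,
# replace the printf with:  scutil --dns | list_primary_nameservers
printf '%s\n' "$SAMPLE_SCUTIL" | list_primary_nameservers
printf 'first resolver family: %s\n' "$(printf '%s\n' "$SAMPLE_SCUTIL" | primary_resolver_family)"
if printf '%s\n' "$SAMPLE_SCUTIL" | has_dual_stack_resolvers; then
    echo "dual-stack resolver list: yes"
else
    echo "dual-stack resolver list: no"
fi
```

Only the unscoped resolver #1 is inspected, because that is the list the system resolver walks for ordinary lookups; the scoped section repeats it per interface and the mDNS resolvers (`local`, `*.arpa`) never carry a nameserver line. Running `scutil --dns | list_primary_nameservers` before and after toggling DNS Protection is a quick way to see whether the app replaced the router-advertised servers or left the IPv6 one in place.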
junzhli commented 2 years ago

Hi @dakuzmin69 ,

I sent you another email as you requested with title Issue number 595342 Exported debugging log #4 Reply to @dakuzmin69 to apple@adguard.com

junzhli commented 2 years ago

Hi @dakuzmin69 ,

I sent you another email with minor update for the above one to apple@adguard.com, and the email title's Issue number 595342 Exported debugging log #4 Reply to @dakuzmin69 (revised #1) Thanks

dakuzmin69 commented 2 years ago

@junzhli @Oleg-Chashko We found a bug, we plan to fix it in the next version. Thanks for the info, it helped us.

junzhli commented 2 years ago

I notice the new version for Mac was just released on Aug 3rd (2.8.1). Is the workaround for this bug included? I just saw the post is tagged with version 2.9; hope to get it released to the stable version soon!

Oleg-Chashko commented 2 years ago

@junzhli I use the current v.2.9.0.1167 nightly. Not yet fixed the issue. 🙁

junzhli commented 2 years ago

@Oleg-Chashko So sad. Let's look forward to a future release! BTW, I notice the bug only happens with the router in IPv6 stateless mode, where you'll see two more IPv6 addresses assigned to the same device. It works well after I changed to IPv6 stateful mode on the router; not sure if that's the expected result.

Oleg-Chashko commented 2 years ago

Unfortunately, I can't try this because my Synology Router is connected to the Internet via an IPv6 relay service. The DNS leak test only works if I have IPv4 or IPv6 enabled. With both protocols, the DNS leak test fails. I will have to wait for a version with a fix.

Bildschirmfoto 2022-08-06 um 15 35 06 Bildschirmfoto 2022-08-06 um 15 34 01
ngorskikh commented 2 years ago

@Oleg-Chashko @junzhli We've found and fixed an issue that could prevent the network extension from filtering IPv6 DNS traffic, thanks to your logs. 2.9.0.1197 beta should already contain the fix, which means that that wasn't the only bug. Could you please share the debug log again from 2.9.0.1197 beta (or a newer version)?

Oleg-Chashko commented 2 years ago
  1. network.filtering.localnetwork - Advanced settings set to true
  2. scutil -> show State:/Network/Global/DNS
(screenshot: show State DNS)
ngorskikh commented 2 years ago

@Oleg-Chashko Thanks! It looks like IPv6 DNS is still not being filtered, however this is all I can see in terms of debug network extension logs:

% cat com.adguard.mac.adguard.log | grep mac.adguard.network-extension | grep "D:"
2022-10-13 19:37:35.324882+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) AGProxyServer: Stopping server...
2022-10-13 19:37:35.325007+0300 [com.adguard.mac.adguard.network-extension:1406730] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325086+0300 [com.adguard.mac.adguard.network-extension:1406732] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325094+0300 [com.adguard.mac.adguard.network-extension:1406731] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.325098+0300 [com.adguard.mac.adguard.network-extension:1406733] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337898+0300 [com.adguard.mac.adguard.network-extension:1406739] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337936+0300 [com.adguard.mac.adguard.network-extension:1406737] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.337936+0300 [com.adguard.mac.adguard.network-extension:1406738] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.338123+0300 [com.adguard.mac.adguard.network-extension:1406740] D: (CL: ) AGEventLoop: run(): Stopped event thread
2022-10-13 19:37:35.350633+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) AGLocalApiServer: evconnlistener_free
2022-10-13 19:37:35.455534+0300 [com.adguard.mac.adguard.network-extension:1406914] D: (CL: ) ANDnsChange: Stopped listening for DNS changes
2022-10-13 19:37:35.455672+0300 [com.adguard.mac.adguard.network-extension:1406710] D: (CL: ) AGEventLoop: run(): Stopped event thread

Are you sure you had enabled debug logging before you reproduced the issue?

Oleg-Chashko commented 2 years ago

Are you sure you had enabled debug logging before you reproduced the issue?

Yes. I can send more logs, as many times as necessary.

Oleg-Chashko commented 2 years ago
(screenshot: Screen Shot 2022-10-13 at 20 41 43)

adguard_logs_20221013054221.zip

(screenshot: Check again)
Oleg-Chashko commented 2 years ago

(v.2.9.0.1203 - 2.9.0 RC 2) not fixed yet. :(

Oleg-Chashko commented 2 years ago

Safari & Google Chrome

https://user-images.githubusercontent.com/62497891/196933670-c4b38865-985d-47f4-88ca-5b5846d09400.mp4

Firefox & Google Chrome

https://user-images.githubusercontent.com/62497891/196933732-8e317c01-55cb-4d08-8c95-30a8e1923143.mp4

Filtered Applications

ScreenFlow

Oleg-Chashko commented 2 years ago

Google Chrome:

Firefox & Safari:

junzhli commented 2 years ago

Hello @Oleg-Chashko, did you turn off DNS over HTTPS in Firefox? You can check the setting under 'Network Settings'.

Oleg-Chashko commented 2 years ago

hello @Oleg-Chashko , do you turn off dns over https in firefox? you can check the setting under 'network setting'

I checked it out right away. And guess what, it wasn't on. The system selection was on.

Screen Shot 2022-10-22 at 20 07 00
Oleg-Chashko commented 2 years ago

Hello! @junzhli You must be mistaken, you must mean Google Chrome. So how did it pass the IPv4 test?

junzhli commented 2 years ago

Hi @Oleg-Chashko, may I know what your macOS version is? I have a new finding from my side: the problem just disappears without any reason. Here's my spec:

  1. Stateless IPv6 mode on router
  2. AdGuard 2.8.1.1147 (CL-1.9.86, DNS-1.7.22) (also works on AdGuard beta 2.9.0.1203)!!!
  3. macOS Monterey 12.6
  4. DNS protection enabled, using AdGuard DNS instead of System default
  5. AdGuard test page shows AdGuard DNS is working