Portmaster and DNS Server (Docker Container)

[itsnotsaved]

Pre-Submit Checklist:

• Check applicable sources for existing issues:
  • Linux Compatibility
  • VPN Compatibility
  • Github Issues

This is about compatibility with on-system DNS server (It can be any DNS server software)

What want to know?

I use AdGuardHome on my ubuntu device as a docker instance. It usually run on separate server, computer or router device. But In this case, DNS server address (AdGuardHome) is my device static LAN address itself and i have configured system DNS settings to use the LAN address as DNS server (then monitor / control DNS traffic through AdGuardHome) https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#resolved (additional changes in the system to disable DNSStubListener)

I saw portmaster has DNS server field in settings and use dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip by default.

1. Does portmaster support to use LAN DNS server address? and e.g. can i set 192.168.8.105 as DNS server?
2. If the DNS server also running in same device that portmaster running and DNS server address is same device itself IP; will portmaster works properly without trouble after set?

[itsnotsaved]

3. I noticed another problem after restart the device, i have disabled DNSStubListener for prevent resolved daemon listening on port 53 and now portmaster using port 53 then i cannot start (doesn't start) DNS server docker instance because port in-use

Error response from daemon: driver failed programming external connectivity on endpoint adguardhome: Error starting userland proxy: listen udp4 0.0.0.0:53: bind: address already in use Error: failed to start containers: 10f83818ab49

[dhaavi]

Hey @itsnotsaved, thanks for raising this issue with us.

• Does portmaster support to use LAN DNS server address? and e.g. can i set 192.168.8.105 as DNS server?

Yes, see our guide here.

• If the DNS server also running in same device that portmaster running and DNS server address is same device itself IP; will portmaster works properly without trouble after set?

The Portmaster will try to redirect any DNS queries to itself in order to create a seamless integration. We have just added an configuration option to do that, but it has not yet been released. It will go into the Beta Release Channel next week. I can ping you when that happens, if you want to.

This will also be important when you change the listener address (see below) to something not including localhost, as this is where the DNS queries are redirected to.

3. I noticed another problem after restart the device, i have disabled DNSStubListener for prevent resolved daemon listening on port 53 and now portmaster using port 53 then i cannot start (doesn't start) DNS server docker instance because port in-use

Yes, you can set the listener IP address with Internal DNS Server Listen Address.

[itsnotsaved]

Yes, you can set the listener IP address with Internal DNS Server Listen Address.

3rd question isn't related to (1) (2) unclear about a solution, how to free the port 53? because it is required for DNS server docker instance. if that was ubuntu system, then it's possible to disable DNSStubListener as mentioned

[itsnotsaved]

@dhaavi any inputs?

I noticed another problem after restart the device, i have disabled DNSStubListener for prevent resolved daemon listening on port 53 and now portmaster using port 53 then i cannot start (doesn't start) DNS server docker instance because port in-use

Error response from daemon: driver failed programming external connectivity on endpoint adguardhome: Error starting userland proxy: listen udp4 0.0.0.0:53: bind: address already in use Error: failed to start containers: 10f83818ab49

I solved this problem temporally. configured to start/execute portmaster little bit delay to all other auto-start applications then docker instance DNS server acquire the port first and no more problems. After that portmaster start and it try to kill processes / acquire 53 port as i mentioned on [610#(comment)](). Currently it's not a problem but when open portmaster UI, it's uncomfortable see 3 red/gray notifications with large insecure icon.

Note: Also, only can expect partial monitoring facility (P2P, LAN) :/ I expect to use portmaster as 1:1 alternative monitoring tool to glasswire (not support for linux) and if in a windows machine glasswire and adguardhome can run smoothly

[dhaavi]

@dhaavi any inputs?

We're just a small team and I only have a narrow time slot every day to do support stuff. It can take a while until I can cycle back to an issue and respond.

large insecure icon.

That is there because that is the case. The Portmaster is not working correctly and cannot give you proper protection. The Portmaster needs to handle DNS in order to be able to work correctly.

Note: Also, only can expect partial monitoring facility (P2P, LAN) :/ I expect to use portmaster as 1:1 alternative monitoring tool to glasswire (not support for linux) and if in a windows machine glasswire and adguardhome can run smoothly

The Portmaster ist quite different to Glasswire technically. You will not be able to do a 1:1 replace, as it does different things, and you already have a setup (with Adguard) that covers things that the Portmaster does itself.

I think the proper solution for your use case would be to ditch your adguard docker container and just configure Portmaster to use adguard - see guide here: https://docs.safing.io/portmaster/guides/dns-configuration#adguard

[itsnotsaved]

The Portmaster ist quite different to Glasswire technically. You will not be able to do a 1:1 replace, as it does different things, and you already have a setup (with Adguard) that covers things that the Portmaster does itself.

Portmaster is already 100% equivalent with glasswire from features (still need two or three small enhancements only, such as notify when new new app initiate connection, data usage history/graph; nothing else). that's why i like this tool and linux support

---

Adguard is a proprietary software (windows, mac) and most advanced desktop blocking/filtering solution, you need to reach several development targets to be equivalent with it. It's worth to install and check its features if you intend to bring it to FOSS world. Currently portmaster has some features of it; (Also, more powerful than to adguardhome)

• [x] secure dns / dns protection
• [x] domain-level / dns filtering
• [x] malware, phishing, fraud protection
• [x] windows tracking (partial, what not? turn off ad ID, disable defender sample submission, WAP routing service)
• [x] parental control (partial, what not? force safe search, block executables download)

what still need?

• [ ] stealth mode (hide referrer, user agent, block 3rd party headers, remove x-client data header from https requests), block browser APIs (able to use for tracking), control cookies, cache (lifetime, limit life session of 3rd party, self-destruct cookies)
• [ ] Advance content blocking (such as sites embed widgets, pop up ads, strip URLs of tracking parameters)
• [ ] HTTPs filtering (block more ads, tracking by filtering encrypted connections)

https://adguard.com/en/adguard-windows/overview.html https://kb.adguard.com/en/windows/features https://adguard.com/en/adguard-assistant/overview.html (part of it, in-browser access to custom element blocking)

Both glasswire and adguard can work without interfere with any DNS server (adguardhome or other) running on windows systems. but, if run portmaster then DNS server cannot start (because port 53 in-use)

---

---

(what i use) and problem discussion AdGuardHome is a opensource DNS server (same as PiHole, CoreDNS); that's not where portmaster go, such products for public (similar google dns, quad9 etc) or private (office, home networks) DNS servers.

I said above, i followed a workround to run both portmaster and AGH. (configured to start AGH container first and acquire the port 53 then portmaster start with bit-delay but if portmaster start first then AGH cannot start) After that, portmaster try to kill process and acquire the port, UI displayed red insecure icon with below notifications all the time "Stopped conflicting DNS client", "Failed to stop conflicting DNS client" "Stopped conflicting DNS client". Also, i said portmaster only provided partial monitoring facility (P2P, LAN)

▶ INFO 105 nameserver: starting to listen on 192.168.8.112:53 ▶ WARN 106 nameserver: killed conflicting service with PID 2317 over 192.168.8.112:53 ▶ INFO 108 nameserver: service-worker dns resolver requested restart: stopped conflicting name service with pid 2317 - restarting now ▶ INFO 109 nameserver: starting to listen on 192.168.8.112:53 ▶ WARN 110 nameserver: killed conflicting service with PID 2317 over 192.168.8.112:53 ▶ ERRO 112 nameserver: service-worker dns resolver failed (6): listen udp 192.168.8.112:53: bind: cannot assign requested address - restarting in 12s

Just no solution then I didn't care about that. but eventually today i noticed that have solved (restarted device few times and tested but same) but i don't have idea how.. Everytime portmaster UI appear with green secure icon / no prompts and shows closable gray notification "Stopped conflicting DNS client" only and Now no problem related network monitoring, it works as usual and show all network connections. logs look like this,

▶ INFO 162 nameserver: starting to listen on 127.0.0.17:53 ▶ WARN 163 nameserver: killed conflicting service with PID 5584 over 127.0.0.17:53 ▶ INFO 165 nameserver: service-worker dns resolver requested restart: stopped conflicting name service with pid 5584 - restarting now ▶ INFO 166 nameserver: starting to listen on 127.0.0.17:53 ▶ INFO 167 filter: connection Unknown::-2 -> 172.17.0.2 to nameserver: redirecting rogue dns query ▶ INFO 168 filter: connection Unknown::-2 -> 172.17.0.2 to nameserver: redirecting rogue dns query ▶ INFO 169 filter: re-evaluating verdict on Unknown::-2 to one.one.one.one. () ▶ INFO 170 [2x] filter: connection root:/opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v0-8-7:5990 -> 192.168.8.112 accepted: connection by Portmaster

I see only one difference on logs, ago it tried to kill over router given LAN IP (static) and now somehow kill over 127.0.0.17 and 172.17.0.2 (it's AGH docker instance IP). now everything working fine.

Finally portmaster works without having proper support/implementation for that then can you fix this port 53 struggle somehow?

---

---

I think the proper solution for your use case would be to ditch your adguard docker container and just configure Portmaster to use adguard - see guide here: https://docs.safing.io/portmaster/guides/dns-configuration#adguard

It's not fit for me; i use two DNS servers (home and in-laptop) when i am not at home I don't keep my home network turned on. i use pocket wifi/router when i am outside (shop, outdoor) / office; i need my two laptops (including laptop all VMs) and phone connect to a own DNS server.

I think the proper solution for your use case would be to ditch your adguard docker container and just configure Portmaster to use adguard - see guide here: https://docs.safing.io/portmaster/guides/dns-configuration#adguard

I like to attach this sentence to portmaster project instead and encourage you to improve the software. Now all browsers and some OS (e.g. windows) have native support for DOH. Also, popular DNS providers offer additional safe/secure DNS / Family DNS options. It means, desktop users don't need portmaster at all except for device traffic monitoring and optional SPN. If you implemented above "what still need?" then portmaster will be more useful.

• desktop users will still need portmaster, even if their home network have pihole, adguardhome (https://safing.io/blog/2021/12/09/portmaster-vs-pi-hole/)
• desktop users will still need portmaster for better protection, even if they had configured their network or devices to use public family dns, secure dns (ad/tracking blocking & threat protection)
• desktop users can leave resource consume browser adblocker extensions and get even more protection

[itsnotsaved]

Same problem with PiHole (community input)

I think title need to change as Portmaster and DNS servers. (adguard (no problem with it) and adguardhome are two products)

[SHJordan]

So... I can't make it work with Adguard for windows, even after removing DNS, and allowing a bunch of incoming rules:

It somehow still display adds on Youtube for instance. If i quit portmaster and hard refresh the youtube page, it simply works. Now I really don't know what portmaster do to trick Adguard for Windows... but It would be nice to have a list of presets preinstalled for popular apps like it. So instead of fiddling with settings it would be built-in.

I love what you have achieved so far with the software, but giving up adguard is too much =(

[dhaavi]

@SHJordan, Adguard for Windows is something completely different than Adguard Home. You can try to use Adguard's DNS Servers in Portmaster instead. Both employ kernel level filtering, so it is expected that the come in each others way.

---

@itsnotsaved:

If you want to suggest features, please create a new feature request issue for every requested feature. (Also, check if they have been requested before). We won't do break open TLS connections, as this breaks the security model of the Internet and history has shown this is a bad bad way to go. Adguard seems okay with it, but we aren't. We want to improve security and privacy overall, not just ship features. If you want more protection in your browser, add it where it belongs: to the browser.

To use the adguard docker container, you can just bind to another port, like port 54, and then point Portmaster at that.

[itsnotsaved]

@SHJordan AdGuardHome is like PiHole, CoreDNS. Just a self-hosted DNS server software with many features good for home network, single devices (or public DNS server).

So... I can't make it work with Adguard for windows, even after removing DNS, and allowing a bunch of incoming rules

display adds on Youtube for instance. If i quit portmaster and hard refresh the youtube page, it simply works. Now I really don't know what portmaster do to trick Adguard for Windows.

Adguard for windows is like portmaster. (one, paid & proprietary. another, free & opensource). I think you must choose a one I think @dhaavi you need to add a small comment on https://docs.safing.io/portmaster/install/status/software-compatibility too otherwise people blindly keep both softwares running on their devices :smile:

---

If you want to suggest features, please create a new feature request issue for every requested feature. (Also, check if they have been requested before).

Sure

To use the adguard docker container, you can just bind to another port, like port 54, and then point Portmaster at that.

I think we can't change DNS server port 53 (e.g. adguardhome or pihole etc). If change, then we need to change other devices default DNS port too. it's annoying. e.g. i don't use any ad-blocking or network filtering app on my mobile, tabs (to save battery), and use my laptop DNS server for filter ads & block other unwanted sites, domains manually

So any solution? and can you write a faq, how to set-up portmaster and a DNS server (docker) to run together? (it can be AdGuardHome, PiHole or any other DNS server software)

(pihole, same problem)

https://hub.docker.com/r/pihole/pihole (500+ million downloads) https://hub.docker.com/r/adguard/adguardhome (50+ million downloads) https://github.com/AdguardTeam/AdGuardHome/wiki/Docker (install instructions)

[itsnotsaved]

@dhaavi Please consider to share short instruction for solve this problem or if you don't have enough time now then label this issue for docs to publish detailed instruction later

[github-actions[bot]]

Auto-closing this issue after waiting for input for a month. If anyone finds the time to provide the requested information, please re-open the issue and we will continue handling it.

[itsnotsaved]

@Raphty @dhaavi It seems the compatibility issue with adguardhome dns server still exist. I'm using docker but same result for all installation types. (i guess compatibility issue with pihole dns server still exist as well)

https://hub.docker.com/r/adguard/adguardhome (installation / set-up instructions can be found in the description) https://github.com/AdguardTeam/AdGuardHome/releases (Linux / Unix / MacOS / FreeBSD / OpenBSD) https://snapcraft.io/adguard-home (snap store)

I noticed that you do not offer many features for free plan but i don't think about it seriously however this software doesn't have nice and super interesting interface as GlassWire for view "Usage" history. https://github.com/safing/portmaster/issues/151#issuecomment-1104932173 If has, i will not think twice to buy or use cracked portmaster (if has proprietary code) version. Lol. So i'm not going to keep bothering you to fix this compatibility problem.

(basic view)

p.s.: glasswire isn't available for linux

[dhaavi]

LOL.

[dhaavi]

To close this issue seriously:

• Portmaster needs to listen on port 53 locally. This is hardcoded in the system integration and cannot be changed.
• If you are running a DNS server in docker, you have a hybrid desktop/server system.
• You will need to run the DNS service in docker on a different port and then point Portmaster to that.
• If you are using the DNS server for other devices on the network, you can DNAT them to the other port.

Alternatively, assign the VM/Docker a separate IP address, one that the host does not have.

Even better: Keep your desktop a desktop and run services on a server.