this post was submitted on 17 Jul 2023
18 points (87.5% liked)

Selfhosted


Hi there, I'm trying to set up AdGuard home and it doesn't seem to work properly. Maybe I'm getting it wrong on how it's supposed to work, but I'm kinda confused right now and it seems to me that Win11 is lying to me about my DNS entries ...

Here's my setup: as I have a VPS server already, I wanted to try and use it for Adguard as well. Installation there was straightforward enough and I have it up running and it has a static IP that I would use now as a DNS server, routing my traffic through it.

Now, all tutorials say that one should set the DNS entries on the router that connects to the Internet, but this option is not enabled on my router (more about this later on).

I thought, no worries, I will deal with the router situation later and just see how Adguard works with a single computer. So I went into network settings of my Win11 machine and configured my IP settings manually. Gave me a fixed IP in my home network and used the static IP from my adguard server for DNS entries. But this didn't seem to do anything. Still got ads everywhere although my Adguard dashboard showed a lot of blocked domains (clearly identifiable as ad-servers by their name).

Ok, I went to troubleshooting and here's the first weird thing I noticed: When I shut down Adguard (as in stopping the docker container it's running in on my server), I can still connect to the internet on my Windows machine. This shouldn't be happening, no? I set both DNS entries (main and fallback) to the same IP, where no DNS server should be running, and I still got to browse the web?

So, is Windows lying to me and has a secret fallback DNS somewhere that gets used when the entries don't work? Do I not understand how this all should work?

Or - and here my specific router/modem comes into play - my hardware gets around DNS entries. I do have a "hybrid modem" which connects to the internet using both fiber DSL and LTE at the same time to get extra bandwidth and speed. The customer support forum of my ISP revealed that due to the nature of this "dual line internet connection" DNS entries are fixed on the router and cannot be changed by the user.

I still think the settings in Windows should take precedence, but admittedly I have no real understanding how this is all supposed to work in detail.

So, question: how could I get Adguard to work on a VPS without being able to set DNS entries on my router? Would using a second router get around this (i.e. using the router of my ISP just as a modem and do my home network/wifi from this second router)? And why would Win11 still connect to the internet with supposedly broken DNS entries?

top 10 comments
[–] dud3@feddit.de 7 points 1 year ago (2 children)

You should never expose a DNS server publicly. Connect to your VPS through a VPN like Wireguard.

Do you have a second DNS server configured in Windows which it could use as a fallback?

[–] wgs@lemmy.sdf.org 1 points 1 year ago (1 children)

You should never expose a DNS server publicly

Why ?

[–] dud3@feddit.de 1 points 1 year ago (1 children)
[–] wgs@lemmy.sdf.org 2 points 1 year ago

tl;dr: attackers use open recursive DNS resolvers to amplify DDoS attacks.

Thanks for the link, I didn't know about this technique. It only applies to recursive DNS though, not authoritative ones.

[–] Solvena@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Yes, the final setup would be to run Adguard on a docker container and have this container be in a VPN. I'm not sure yet, how I would do that without messing up the other things already running on that VPS. Maybe I will go for Raspberry to run adguard at home.

Edit: I have set the second DNS in Windows to the same IP, so it shouldn't have a fallback.
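The point made in this subthread (a resolver reachable from the whole internet will answer recursive queries for anyone, which is what DDoS amplification relies on) is something you can check against your own VPS from an outside network before and after restricting it. The following is an added example, not code from the thread or from AdGuard Home: it builds a plain recursive A query, sends it to the server, and interprets the header flags of the reply. `VPS_IP` is a placeholder you replace with your own server's address; from the public internet you want to see `no-response` (port 53 filtered) or `refused`, while `open-recursive` means the resolver serves arbitrary clients.

```python
import socket
import struct

# Placeholder for the example (TEST-NET-3 documentation range): put your own VPS here.
VPS_IP = "203.0.113.10"


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Ordinary recursive A query: flags RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(raw: bytes, txid: int) -> str:
    """Interpret a resolver's reply from the point of view of an outside client."""
    if len(raw) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if rid != txid:
        return "txid-mismatch"
    qr = flags >> 15 & 1
    ra = flags >> 7 & 1          # Recursion Available
    rcode = flags & 0xF
    if not qr:
        return "malformed"       # a query echoed back, not a response
    if rcode == 5:
        return "refused"         # server is up but does not serve this client
    if ra and rcode in (0, 3):
        return "open-recursive"  # it recursed for us (answer or NXDOMAIN)
    return "rcode-%d" % rcode


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query over UDP and classify what comes back."""
    txid = 0x1234
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # filtered or not listening: the desired outcome from outside
    return classify_response(raw, txid)


if __name__ == "__main__":
    print("%s -> %s" % (VPS_IP, probe(VPS_IP)))
```

Run it from a network other than the VPS itself (your phone's LTE connection is enough). The fix when it reports `open-recursive` is the one dud3 describes: bind the AdGuard listener to the WireGuard interface address only and firewall UDP and TCP port 53 on the public interface, then re-run the check and expect `no-response`.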

[–] mspencer712@lemmy.fmhy.ml 5 points 1 year ago

Some browsers have an option for DNS over https, and might be skipping your system DNS settings. Other advice is right too: run this locally and don’t expose it to public internet queries.

[–] emhl@feddit.de 5 points 1 year ago

You should probably run Adguard home inside your home network. And can you disable your router's DHCP server? Then you can use Adguard home for that. The DHCP server assigns every computer inside the network its IP address and DNS server.

[–] wgs@lemmy.sdf.org 4 points 1 year ago

Windows caches DNS by default, so it could be that many domains are still in your local cache. First change your DNS settings, then clear the cache with ipconfig /flushdns.

[–] Molecular0079@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Gave me a fixed IP in my home network

You don't need to have a fixed IP for your client machines.

What does ipconfig /all list as your DNS servers? Also, double check your browser's DNS Over HTTPS setting. Depending on what it is set to, you might be accidentally bypassing your configured DNS server.

To verify which DNS you're actually contacting, you can go to ipleak.net to check.

[–] mvee@lemmy.ml 1 points 1 year ago

Interesting, I would start with a Wireshark capture of the dns traffic to get a better idea of what's going on.
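A capture is the one check that settles what Molecular0079 and mvee are both getting at: whether the queries actually leave for the configured resolver or end up at the router or somewhere else. What follows is an added example, not code from the thread or from Wireshark: it parses the question section of DNS query payloads as a `udp.port == 53` filter would show them and reports which resolver IPs received queries and which names bypassed the configured one. The packet list, the client and router addresses and `CONFIGURED_RESOLVER` are constructed for the example. One caveat the parser cannot fix: a browser using DNS over HTTPS produces no port-53 traffic at all, so a capture showing browsing activity but almost no DNS queries is the DoH tell.

```python
import struct
from collections import Counter, defaultdict

# Constructed placeholder for the AdGuard VPS address set in Windows.
CONFIGURED_RESOLVER = "203.0.113.10"


def decode_name(msg: bytes, offset: int):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    jumped = False
    end = None
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_query(payload: bytes):
    """Return (qname, qtype) of the first question, or None for responses and junk."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:  # QR=1 means this is a response
        return None
    qname, off = decode_name(payload, 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return qname, qtype


def summarize(packets, configured=CONFIGURED_RESOLVER):
    """Count queries per destination resolver and list names that bypassed `configured`."""
    per_resolver = Counter()
    bypassed = defaultdict(list)
    for _src, dst, dport, payload in packets:
        if dport != 53:
            continue
        parsed = parse_query(payload)
        if parsed is None:
            continue
        qname, _qtype = parsed
        per_resolver[dst] += 1
        if dst != configured:
            bypassed[dst].append(qname)
    return per_resolver, dict(bypassed)


def _query(name: str) -> bytes:
    """Minimal A query payload used to build the constructed sample below."""
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + wire + b"\x00\x01\x00\x01"


# Constructed capture: (source ip, destination ip, destination port, UDP payload).
SAMPLE = [
    ("192.168.1.50", "203.0.113.10", 53, _query("example.com")),        # reached AdGuard
    ("192.168.1.50", "192.168.1.1", 53, _query("ads.example.net")),     # router answered instead
    ("192.168.1.50", "192.168.1.1", 53, _query("tracker.example.org")),
    ("192.168.1.50", "203.0.113.10", 53, _query("example.org")),
    ("203.0.113.10", "192.168.1.50", 51000, b"\xbe\xef\x81\x80"),       # a reply, not counted
]

if __name__ == "__main__":
    counts, leaks = summarize(SAMPLE)
    for resolver, n in counts.most_common():
        print("%-15s %d queries" % (resolver, n))
    for resolver, names in leaks.items():
        print("bypassed %s via %s: %s" % (CONFIGURED_RESOLVER, resolver, ", ".join(names)))
```

To use it on a real capture, export the DNS packets from Wireshark and feed the UDP payloads with their addresses into `summarize`. If the router's LAN address shows up as a destination although Windows is configured for the VPS, something is rewriting or intercepting DNS on the way out, which is what the "DNS entries are fixed on the router" note from the ISP would look like in practice.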
