[GUIDE-UPDATED] AdGuard Home on DD-WRT

Author Message
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Sun Feb 11, 2024 19:31
@marcus83

Let's summarize what we've done together to prevent DNS leaks in the next post as a reference for new AGH users.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Sun Feb 11, 2024 19:42
Prevent DNS Leaks

Go to Setup page:
1) Under "WAN Connection Type" enable "Ignore WAN DNS"
2) Under "Network Setup" change "Local DNS" to your Router-IP (ex. 192.168.1.1)
3) Under "Dynamic Host Configuration Protocol (DHCP)" enable "Forced DNS Redirection" and "Forced DNS Redirection DoT"


Verification

1) Go to "AGH GUI > Filter Menu > DNS Rewrites" and then click "Add DNS rewrite". Enter the domain name "leaktest.google.com" and the IP address "1.2.3.4", then click save.

2) Open a terminal on your PC and paste the following command:

Code:
nslookup leaktest.google.com 9.9.9.10


If you get an answer like this:

Code:
Server:  dns10.quad9.net
Address:  9.9.9.10

Non-authoritative answer:
Name:    leaktest.google.com
Address:  1.2.3.4


This means AGH is forced as the only DNS resolver for your entire network and you successfully immunized your network against DNS leaks.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
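As an added example (not code from the thread or from AdGuard Home), a small Python checker that interprets the nslookup output from the verification step above: given the text returned by `nslookup leaktest.google.com 9.9.9.10`, it reports whether the sentinel rewrite 1.2.3.4 came back (the router forced the query into AGH) or a real address came back (the query escaped to the external resolver). The two sample outputs are constructed from the glibc and BusyBox nslookup layouts shown in this thread; the function names are my own.

```python
import re

# Constructed sample (glibc nslookup layout, as in the post): the sentinel rewrite
# came back even though nslookup believes it talked to 9.9.9.10, so the router
# intercepted the query and AGH answered it.
FORCED_OUTPUT = """Server:  dns10.quad9.net
Address:  9.9.9.10

Non-authoritative answer:
Name:    leaktest.google.com
Address:  1.2.3.4
"""

# Constructed sample (BusyBox nslookup layout, as seen on the router shell): the
# query reached the real resolver, so a genuine address came back instead.
LEAKED_OUTPUT = """Server:    9.9.9.10
Address 1: 9.9.9.10 dns10.quad9.net

Name:      leaktest.google.com
Address 1: 172.217.23.110 mil04s23-in-f110.1e100.net
"""

SENTINEL_IP = "1.2.3.4"  # the AGH DNS rewrite configured in the post

# Matches "Address:  x" (glibc) and "Address 1: x host" (BusyBox); group 1 is x.
_ADDR_RE = re.compile(r"^Address(?:\s+\d+)?:\s*(\S+)", re.M)


def answer_addresses(nslookup_output: str) -> list[str]:
    """Addresses from the answer section only, ignoring the resolver's own address.

    Both layouts print the server address before the first "Name:" line and the
    answer records after it, so everything after that line is the answer section.
    """
    _, found, answer = nslookup_output.partition("\nName:")
    return _ADDR_RE.findall(answer) if found else []


def redirection_enforced(nslookup_output: str, sentinel: str = SENTINEL_IP) -> bool:
    """True when every answer is the sentinel (router forced the query into AGH);
    False when a real address came back (the query escaped) or nothing was answered."""
    addrs = answer_addresses(nslookup_output)
    return bool(addrs) and all(addr == sentinel for addr in addrs)


if __name__ == "__main__":
    for label, output in (("forced", FORCED_OUTPUT), ("leaked", LEAKED_OUTPUT)):
        verdict = "redirection enforced" if redirection_enforced(output) else "DNS LEAK"
        print(f"{label}: {answer_addresses(output)} -> {verdict}")
```

Pipe real nslookup output into `redirection_enforced` from each client you want to check; a False result means that client can still reach a resolver other than AGH.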
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 3:44
Perfect!
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 5:01
@MomenMamdouh I added some upstream DNS servers like OpenDNS, DNSControl D... Is it possible that the upstreams bypass Google's reCAPTCHA when the VPN is active? Because, for the moment, it finally no longer appears for me! Very Happy
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 8:03
marcus83 wrote:
@MomenMamdouh I added some upstream DNS servers like OpenDNS, DNSControl D... Is it possible that the upstreams bypass Google's reCAPTCHA when the VPN is active? Because, for the moment, it finally no longer appears for me! Very Happy


In your opinion, was the 1.2.3.4 DNS leak test correctly removed?

Code:

root@WRT3200ACM:~# nslookup google.com 9.9.9.10
Server:    9.9.9.10
Address 1: 9.9.9.10 dns10.quad9.net

Name:      google.com
Address 1: 172.217.23.110 mil04s23-in-f110.1e100.net
Address 2: 2a00:1450:4001:827::200e fra24s04-in-x0e.1e100.net
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6338
Location: UK, London, just across the river..

PostPosted: Mon Feb 12, 2024 8:37
MomenMamdouh wrote:
Prevent DNS Leaks

Go to Setup page:
1) Under "WAN Connection Type" enable "Ignore WAN DNS"
2) Under "Network Setup" change "Local DNS" to your Router-IP (ex. 192.168.1.1)
3) Under "Dynamic Host Configuration Protocol (DHCP)" enable "Forced DNS Redirection" and "Forced DNS Redirection DoT"


Verification

1) Go to "AGH GUI > Filter Menu > DNS Rewrites" and then click "Add DNS rewrite". Enter the domain name "leaktest.google.com" and the IP address "1.2.3.4", then click save.

2) Open a terminal on your PC and paste the following command:

Code:
nslookup leaktest.google.com 9.9.9.10


If you get an answer like this:

Code:
Server:  dns10.quad9.net
Address:  9.9.9.10

Non-authoritative answer:
Name:    leaktest.google.com
Address:  1.2.3.4


This means AGH is forced as the only DNS resolver for your entire network and you successfully immunized your network against DNS leaks.


The LOCAL DNS box is made only for scenarios such as client, WAP, repeater modes etc., or in other words it must be left at zero values... maybe your scenario applies, I'm just saying it...

If you use Ignore WAN DNS or the no-resolv option in dnsmasq... it should be fine.

"Forced DNS Redirection" and "Forced DNS Redirection DoT"

Forced DNS DoT will filter all DNS on port 853, so if you use DNS over TLS it won't work...
In your case you use QUIC... but I'm just saying it... Laughing

Yes, DNS leaks are possible in some very odd scenarios... it depends which server you use... for some reason those cannot be stopped unless you change your DNS provider... (in my case NextDNS was leaking even outside of the VPN, but that was in the past).

Also make sure dnsmasq is not leaking, so no-resolv & server= are kind of a must...

https://pastebin.com/NkKUUjsn ----> more DNS leak tests...

or

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331856

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55009 WAP
TP-Link WR1043NDv2 -DD-WRT 55109 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN
TP-Link WR1043NDv2 -DD-WRT 55052 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55109 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55052 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55109 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Mon Feb 12, 2024 8:57; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

PostPosted: Mon Feb 12, 2024 10:43
MomenMamdouh wrote:
Prevent DNS Leaks

Go to Setup page:
1) Under "WAN Connection Type" enable "Ignore WAN DNS"
2) Under "Network Setup" change "Local DNS" to your Router-IP (ex. 192.168.1.1)
3) Under "Dynamic Host Configuration Protocol (DHCP)" enable "Forced DNS Redirection" and "Forced DNS Redirection DoT"


Verification

1) Go to "AGH GUI > Filter Menu > DNS Rewrites" and then click "Add DNS rewrite". Enter the domain name "leaktest.google.com" and the IP address "1.2.3.4", then click save.

2) Open a terminal on your PC and paste the following command:

Code:
nslookup leaktest.google.com 9.9.9.10


If you get an answer like this:

Code:
Server:  dns10.quad9.net
Address:  9.9.9.10

Non-authoritative answer:
Name:    leaktest.google.com
Address:  1.2.3.4


This means AGH is forced as the only DNS resolver for your entire network and you successfully immunized your network against DNS leaks.


I see some misconceptions about how DNS works and what a DNS leak is and how to prevent it.

For some general information see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1253580

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Mon Feb 12, 2024 12:26
Alozaros wrote:


The LOCAL DNS box is made only for scenarios such as client, WAP, repeater modes etc., or in other words it must be left at zero values... maybe your scenario applies, I'm just saying it...

If you use Ignore WAN DNS or the no-resolv option in dnsmasq... it should be fine.

"Forced DNS Redirection" and "Forced DNS Redirection DoT"

Forced DNS DoT will filter all DNS on port 853, so if you use DNS over TLS it won't work...
In your case you use QUIC... but I'm just saying it... Laughing

Yes, DNS leaks are possible in some very odd scenarios... it depends which server you use... for some reason those cannot be stopped unless you change your DNS provider... (in my case NextDNS was leaking even outside of the VPN, but that was in the past).

Also make sure dnsmasq is not leaking, so no-resolv & server= are kind of a must...

https://pastebin.com/NkKUUjsn ----> more DNS leak tests...

or

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331856


Yes, my friend, by prevention and forcing I mean that no offensive client can use a DNS server other than AGH. DoT/DoQ is used and forced by the network admin, not by the client through AGH.

Local DNS: for me it solved the redirection looping, so it is a must.

Dnsmasq options such as no-resolv are already mentioned in the OP under the basic setup section.

DNS leaks happen at the router or at the client side. The DNS provider has nothing to do with leaks.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5


Last edited by MomenMamdouh on Mon Feb 12, 2024 13:03; edited 1 time in total
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Mon Feb 12, 2024 12:44
egc wrote:
MomenMamdouh wrote:
Prevent DNS Leaks

Go to Setup page:
1) Under "WAN Connection Type" enable "Ignore WAN DNS"
2) Under "Network Setup" change "Local DNS" to your Router-IP (ex. 192.168.1.1)
3) Under "Dynamic Host Configuration Protocol (DHCP)" enable "Forced DNS Redirection" and "Forced DNS Redirection DoT"


Verification

1) Go to "AGH GUI > Filter Menu > DNS Rewrites" and then click "Add DNS rewrite". Enter the domain name "leaktest.google.com" and the IP address "1.2.3.4", then click save.

2) Open a terminal on your PC and paste the following command:

Code:
nslookup leaktest.google.com 9.9.9.10


If you get an answer like this:

Code:
Server:  dns10.quad9.net
Address:  9.9.9.10

Non-authoritative answer:
Name:    leaktest.google.com
Address:  1.2.3.4


This means AGH is forced as the only DNS resolver for your entire network and you successfully immunized your network against DNS leaks.


I see some misconceptions about how DNS works and what a DNS leak is and how to prevent it.

For some general information see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1253580


Great guide, thanks for sharing egc.

The verification on the router side and the client side proves that the concept is correct, but I would be happy if you corrected me on something I didn't get right.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 15:31
@MomenMamdouh can you answer some of my questions above, about reCaptcha and the 1.2.3.4 DNS test?

thx!
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 15:49
Another piece of information please: I noticed on some clients that there are some DNS rewrites, but I haven't set any rewrites (look at the photo). Is it normal?

Last edited by marcus83 on Mon Feb 12, 2024 16:05; edited 1 time in total
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Mon Feb 12, 2024 15:58
marcus83 wrote:
marcus83 wrote:
@MomenMamdouh I added some upstream DNS servers like OpenDNS, DNSControl D... Is it possible that the upstreams bypass Google's reCAPTCHA when the VPN is active? Because, for the moment, it finally no longer appears for me! Very Happy


In your opinion, was the 1.2.3.4 DNS leak test correctly removed?

Code:

root@WRT3200ACM:~# nslookup google.com 9.9.9.10
Server:    9.9.9.10
Address 1: 9.9.9.10 dns10.quad9.net

Name:      google.com
Address 1: 172.217.23.110 mil04s23-in-f110.1e100.net
Address 2: 2a00:1450:4001:827::200e fra24s04-in-x0e.1e100.net


Yes, my friend, it was removed.

Regarding Google reCAPTCHA, it depends.

If you disabled cross-site tracking in your browser, it will cause verification to fail. Also, your DNS server might cause reCAPTCHA to fail if some sites are blocked, such as gstatic.com etc.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
marcus83
DD-WRT User


Joined: 04 Jan 2024
Posts: 163

PostPosted: Mon Feb 12, 2024 16:06
MomenMamdouh wrote:
marcus83 wrote:
marcus83 wrote:
@MomenMamdouh I added some upstream DNS servers like OpenDNS, DNSControl D... Is it possible that the upstreams bypass Google's reCAPTCHA when the VPN is active? Because, for the moment, it finally no longer appears for me! Very Happy


In your opinion, was the 1.2.3.4 DNS leak test correctly removed?

Code:

root@WRT3200ACM:~# nslookup google.com 9.9.9.10
Server:    9.9.9.10
Address 1: 9.9.9.10 dns10.quad9.net

Name:      google.com
Address 1: 172.217.23.110 mil04s23-in-f110.1e100.net
Address 2: 2a00:1450:4001:827::200e fra24s04-in-x0e.1e100.net


Yes, my friend, it was removed.

Regarding Google reCAPTCHA, it depends.

If you disabled cross-site tracking in your browser, it will cause verification to fail. Also, your DNS server might cause reCAPTCHA to fail if some sites are blocked, such as gstatic.com etc.



I understand, thanks again friend. If you can, also answer the question above...
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Mon Feb 12, 2024 17:29
marcus83 wrote:

I understand, thanks again friend. If you can, also answer the question above...


I think Google flagged some of your VPN IPs; that's the actual reason you keep getting a CAPTCHA.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5


Last edited by MomenMamdouh on Mon Feb 12, 2024 17:40; edited 1 time in total
MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

PostPosted: Mon Feb 12, 2024 17:44
marcus83 wrote:
Another piece of information please: I noticed on some clients that there are some DNS rewrites, but I haven't set any rewrites (look at the photo). Is it normal?

Normal if you are using force safe search.

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
Page 10 of 13. All times are GMT.