local DNS from only one Android device permanently blocked #4464

Open
chriskloe opened this issue Apr 4, 2022 · 7 comments

@chriskloe

chris@server:/opt/AdGuardHome$ ./AdGuardHome -v --version
AdGuard Home
Version: v0.107.5
Channel: release
Go version: go1.16.15
Build time: 2022-03-04T12:59:06Z+0000
GOOS: linux
GOARCH: amd64
Race: false

  • How did you install AdGuard Home:

Following instructions provided by a local IT magazine (heise.de); if I remember right, it was loading and executing an install script from GitHub.

  • How did you setup DNS configuration:

I have a local FritzBox that does the usual DNS and is the upstream for AdGuard Home:
https://dns10.quad9.net/dns-query
https://dnsforge.de/dns-query
[//fritz.box/local/]192.168.178.1

The network is configured as DHCP and FritzBox is sending the IP of the server, where AdGuardHome is running as DNS.
The server is configured with a fixed IP in the FritzBox.

  • If it's a router or IoT, please write device model:
    FritzBox 7560

My server with AdGuard is running on:

  • CPU architecture:
    Intel Xeon 2176

  • Operating system and version:

Ubuntu 20.4.3 LTS

Expected Behavior

I am running several clients in the network that need to resolve local IP addresses to access file shares and services like nextcloud, a database, tvheadend and so on, running on the same server as AdGuardHome.
To make that work I set up a DNS forwarding rule in the AdGuard Home configuration (shown above) and I made AdGuard Home start with the extra option --no-etc-hosts (why is this not an option available from the settings page?!).
For most of the clients and most of the software running that works perfectly well.

Actual Behavior

I have one client in the network, a Samsung Android tablet running Android 8.1.0, that repeatedly gets NXDOMAIN responses when trying to resolve local services. Most of the time this affects file shares (samba) and the mysql database running on the server. Very weird: accessing tvheadend on the same server seems to work.
Attached is a screenshot from the AdGuardHome access log showing some rejected resolves during startup of kodi on that tablet.
[Screenshot: "Unbenannt"]

Please contact me if you need more information.
Thanks in advance for any kind of support, this issue is really annoying.

By the way: another annoying topic: it would be great to see a reason for any kind of reject from the log. Reading only "NXDOMAIN" drives me nuts.

@chriskloe chriskloe changed the title local DNS from only one Android devide permanently blocked local DNS from only one Android device permanently blocked Apr 4, 2022
@fernvenue
Contributor

Seems like your device is hitting a rate limit or something, I'm not sure, you can use verbose log to get more information.

@chriskloe
Author

Sorry for the delay, I don't have much time for experiments...

What I did:

  • Enabled logging (and forgot verbose for the first run).
  • Tried to start kodi on the tablet, the failure happened. In the AGH web interface I saw, close together, a totally working DNS lookup of the server from one client and another with response NXDOMAIN from the tablet.
  • I stopped AGH and had a look at the logfile. Noticed I forgot to set verbose. Set verbose, restarted.
  • Tried to start kodi on the tablet -> worked.

But this is something I am discovering from time to time when I want to play around with the settings to fix the problem: sometimes it suddenly starts to work for a while, but a short time later it doesn't work again. So there is no clear repeatable behaviour, which is an indication of a software bug for me.

I am still trying to get a log of that behaviour and I will post it as soon as I got it.

@chriskloe
Author

chriskloe commented Apr 10, 2022

OK, this time it worked.
If I am interpreting the log the right way, this is the section showing a failed attempt:

2022/04/10 22:14:38.521227 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.51:6827
2022/04/10 22:14:38.528072 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 24976
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

2022/04/10 22:14:38.528380 14821#509 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:38.528516 14821#509 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:38.528680 14821#509 [debug] 192.168.178.1:53: sending request A server.fritz.box.
2022/04/10 22:14:38.531326 14821#509 [debug] 192.168.178.1:53: response: ok
2022/04/10 22:14:38.531477 14821#509 [debug] github.com/AdguardTeam/dnsproxy/upstream.exchange(): upstream 192.168.178.1:53 successfully finished exchange of ;server.fritz.box. IN A. Elapsed 2.812636ms.
2022/04/10 22:14:38.531557 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(): RTT: 2.933282ms
2022/04/10 22:14:38.531656 14821#509 [debug] client ip: 192.168.178.51
2022/04/10 22:14:38.531761 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 24976
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

;; AUTHORITY SECTION:
fritz.box. 9 IN SOA fritz.box. admin.fritz.box. 1649621678 21600 1800 43200 10

This is another query from another client in the same timeframe that passed (in fact it's the laptop I used to access the log):

2022/04/10 22:14:45.551252 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.55:63858
2022/04/10 22:14:45.558060 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 17080
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

2022/04/10 22:14:45.558167 14821#411 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:45.558298 14821#410 [debug] SafeBrowsing: found in cache: server.fritz.box: not blocked
2022/04/10 22:14:45.558360 14821#411 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:45.558406 14821#410 [debug] github.com/AdguardTeam/AdGuardHome/internal/filtering.(*DNSFilter).checkSafeBrowsing(): SafeBrowsing lookup for server.fritz.box; Elapsed time: 0ms
2022/04/10 22:14:45.558521 14821#410 [debug] serving response from general cache
2022/04/10 22:14:45.558536 14821#411 [debug] 192.168.178.1:53: sending request AAAA server.fritz.box.
2022/04/10 22:14:45.558595 14821#410 [debug] client ip: 192.168.178.55
2022/04/10 22:14:45.558695 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 17080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.fritz.box. IN A

;; AUTHORITY SECTION:
fritz.box. 2 IN SOA fritz.box. admin.fritz.box. 1649621678 21600 1800 43200 10

2022/04/10 22:14:45.561969 14821#411 [debug] 192.168.178.1:53: response: ok

Is there any information to read from that? I just see "NXDOMAIN" another time but no reason, no failure, no error code...
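
An added example, not part of the issue thread or the AdGuard Home code base: a small Python triage script for verbose logs in the format shown above. It pairs each IN query with its OUT response using the pid#goroutine tag (assumed here to stay the same for all lines of one request) and reports the client, the response status and flags, whether the reply came from the cache, and which upstream was asked. `summarize` and `SAMPLE_LOG` are names invented for this example; the sample is condensed from the excerpts above.

```python
import re
# Constructed sample: condensed from the verbose-log excerpts in this thread.
SAMPLE_LOG = """\
2022/04/10 22:14:38.521227 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.51:6827
2022/04/10 22:14:38.528072 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 24976
;server.fritz.box. IN A
2022/04/10 22:14:38.528680 14821#509 [debug] 192.168.178.1:53: sending request A server.fritz.box.
2022/04/10 22:14:38.531761 14821#509 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 24976
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
2022/04/10 22:14:45.551252 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.178.55:63858
2022/04/10 22:14:45.558060 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 17080
;server.fritz.box. IN A
2022/04/10 22:14:45.558521 14821#410 [debug] serving response from general cache
2022/04/10 22:14:45.558536 14821#411 [debug] 192.168.178.1:53: sending request AAAA server.fritz.box.
2022/04/10 22:14:45.558695 14821#410 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 17080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

STAMPED = re.compile(r"^\d{4}/\d\d/\d\d [\d:.]+ (\d+#\d+) \[debug\] (.*)$")
MESSAGE = re.compile(r"(IN|OUT): ;; opcode: \w+, status: (\w+)")

def summarize(log):
    """Pair each IN query with its OUT response, keyed by the pid#goroutine tag."""
    open_recs, done, cur = {}, [], None
    for raw in log.splitlines():
        m = STAMPED.match(raw)
        if not m:  # continuation line of the DNS message dumped last
            line = raw.strip()
            if cur and line.startswith(";; flags:"):
                cur["flags"] = line[9:].split(";")[0].split()
            elif cur and line.startswith(";") and not line.startswith(";;"):
                cur["question"] = line[1:]
            continue
        worker, text = m.groups()
        cur = None
        if "Start handling new UDP packet from " in text:
            client = text.rsplit(" ", 1)[1].rsplit(":", 1)[0]  # drop the source port
            open_recs[worker] = {"client": client, "cached": False, "upstreams": []}
        elif worker in open_recs:  # lines from workers with no open request are skipped
            rec, msg = open_recs[worker], MESSAGE.search(text)
            if msg:
                cur = rec
                if msg.group(1) == "OUT":  # the response closes the request
                    rec["status"] = msg.group(2)
                    done.append(open_recs.pop(worker))
            elif "serving response from general cache" in text:
                rec["cached"] = True
            elif ": sending request " in text:
                rec["upstreams"].append(text.split(": sending request ")[0])
    return done
```

In the result, `aa` in the flags of an uncached NXDOMAIN reply means the response carries the authoritative-answer bit, and `cached` shows when no upstream was consulted for that reply.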

@chriskloe
Author

chriskloe commented Apr 10, 2022

FYI: I am usually working with the first two entries on the general settings page enabled (this translates to something like "Block domains by filters and host-files" and "use AdGuard webservice for internet safety" from the German UI).
For a test I deactivated both entries and it immediately started to work, even after a restart of AdGuardHome. I'll wait a while, see if it keeps working tomorrow and keep you updated.

Stopped working again.
After enabling both filters it works again (not for long I guess).
There's definitely something buggy!

@chriskloe
Author

To convince you it's not a kodi related issue: the same happens when I want to access the AdGuardHome webpage on the server from the tablet.
FYI: no change with the latest update.

@ainar-g
Contributor

ainar-g commented Apr 28, 2022

Apologies, this issue seems to have slipped through the cracks.

I assume that server.fritz.box is a domain name that is dynamically allocated by the router? The logs don't show anything unusual, so my first assumption is that perhaps the router “forgets” that domain every once in a while?

@ainar-g ainar-g added the waiting for data Waiting for users to provide more data. label Apr 28, 2022
@stale stale bot added the wontfix label Sep 21, 2022
@chriskloe
Author

Hupps, there is still an open topic.
Some updates later it is still not working.
What I am reading from the logs cited above:
Tablet is asking for the IP address of server.fritz.box
AGH is forwarding the request to the router
Router is answering properly with an IP
AGH is not forwarding the IP but responding with NXDOMAIN. It would be great to have a reason for that conversion in the log!
The problem repeatedly disappears as soon as I let the router set the DNS address to its own one instead of AGH (using DHCP/DDNS).

@AdguardTeam AdguardTeam deleted a comment from stale bot Sep 21, 2022
@ainar-g ainar-g removed wontfix waiting for data Waiting for users to provide more data. labels Sep 21, 2022
@ainar-g ainar-g self-assigned this Sep 21, 2022
@ainar-g ainar-g added this to the v0.107.14 milestone Sep 21, 2022
@ainar-g ainar-g added the needs investigation Needs to be reproduced reliably. label Sep 21, 2022
@ainar-g ainar-g modified the milestones: v0.107.14, v0.107.15 Sep 29, 2022
@EugeneOne1 EugeneOne1 modified the milestones: v0.107.15, v0.107.16 Oct 3, 2022