Unable to use local dnsmasq as upstream dns for local domain #1524

Closed
opened 2026-03-04 01:21:29 -05:00 by deekerman · 11 comments

Originally created by @s3frank on GitHub (Apr 28, 2020).

Originally assigned to: @szolin on GitHub.

Issue Details

I am trying to run the following setup:
AGH as main DNS server for all my machines to point to. No others.
Behind it I have DNSMasq only to serve my local DHCP and DNS needs.
Both are running on the same machine with DNSMasq on port 5053 for DNS.
My local domain is called berth.net so machines are hostx.berth.net etc etc.

If I turn AGH off and switch dnsmasq to port 53 my local dns resolution works as expected.

I turn AGH on, put dnsmasq on 5053 and in AGH config for upstream servers I have:

```
tls://1.1.1.1
tls://dns.quad9.net
[/berth.net/]10.0.0.4:5053
```

When I press the test button for upstream servers I get an error in the logs (verbose is on):

```
2020/04/29 00:16:15 308#516 [debug] Checking if DNS 10.0.0.4:5053 works...
2020/04/29 00:16:15 308#516 [info] DNS server 10.0.0.4:5053 returned wrong answer
```

I am running version:
AdGuardHome v0.101.0

Kernel details:
Linux adguard.berth.net 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

It is in a host only network setup on virtualbox, but I will be moving to a RPI4 setup once I get past this issue.


@ameshkov commented on GitHub (Apr 28, 2020):

> 2020/04/29 00:16:15 308#516 [debug] Checking if DNS 10.0.0.4:5053 works...
> 2020/04/29 00:16:15 308#516 [info] DNS server 10.0.0.4:5053 returned wrong answer

Actually, the fact that it even tried to query that server is a mistake, I don't think we should do that with the servers that are limited to specific domains.

Anyways, do you see anything in dnsmasq logs? When AGH tests upstreams, it sends a test query.


@szolin commented on GitHub (Apr 29, 2020):

This test is trying to resolve `google-public-dns-a.google.com` domain and expects exactly 1 entry in Answer section in DNS response.
I guess the local dnsmasq is configured so it doesn't resolve public domains - that's why it's returning 0 entries.

> Actually, the fact that it even tried to query that server is a mistake, I don't think we should do that with the servers that are limited to specific domains.

I agree. Or we could try to resolve those specific domains, instead of public google domain.


@ameshkov commented on GitHub (Apr 29, 2020):

> Or we could try to resolve those specific domains, instead of public google domain.

This may also fail because people usually specify tld like `[/local/]192.168.0.1`


@s3frank commented on GitHub (Apr 29, 2020):

So will it save and work as intended?

I can test more tonight but yes the dnsmasq server refuses

-FF

Sent from my mobile, powered by Frank's thumbs!

On Wed, Apr 29, 2020, 15:35 Simon Zolin <notifications@github.com> wrote:

> This test is trying to resolve google-public-dns-a.google.com domain and
> expects exactly 1 entry in Answer section in DNS response.
> I guess the local dnsmasq is configured so it doesn't resolve public
> domains - that's why it's returning 0 entries.
>
> Actually, the fact that it even tried to query that server is a mistake, I
> don't think we should do that with the servers that are limited to specific
> domains.
>
> I agree. Or we could try to resolve those specific domains, instead of
> public google domain.



@s3frank commented on GitHub (Apr 29, 2020):

I don't follow you here.
Isn't the string between the slashes what is treated as the domain name?

-FF

Sent from my mobile, powered by Frank's thumbs!

On Wed, Apr 29, 2020, 16:19 Andrey Meshkov <notifications@github.com> wrote:

> Or we could try to resolve those specific domains, instead of public
> google domain.
>
> This may also fail because people usually specify tld like
> [/local/]192.168.0.1



@ameshkov commented on GitHub (Apr 29, 2020):

> So will it save and work as intended?

It'd be better to check the dnsmasq logs first, but generally, yes, it should work even though the test fails.


@ameshkov commented on GitHub (Apr 29, 2020):

> Isn't the string between the slashes what is treated as the domain name?

I was talking about the test DNS query we send when you click "test upstreams". Trying to resolve `local` in my example may not work, but it does not mean that the upstream is actually dead.


@s3frank commented on GitHub (Apr 29, 2020):

Log for test shows:

```
dnsmasq: query[A] google-public-dns-a.google.com from 10.0.0.4
dnsmasq: config error is REFUSED
```

On Wed, Apr 29, 2020 at 4:26 PM Andrey Meshkov <notifications@github.com> wrote:

> So will it save and work as intended?
>
> It'd be better to check the dnsmasq logs first, but generally, yes, it
> should work even though the test fails.



--
Best regards,

-FF


@ameshkov commented on GitHub (Apr 29, 2020):

Yeah, that's it, so it simply does not respond to the test query, the resolution of your local domains should work just okay. If it does not, please check what's in the dnsmasq logs?
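
Added example (Go; not part of the thread and not AdGuard Home's own code): a health check that parses the `[/domain/]upstream` syntax from the issue and, for a domain-scoped upstream, treats a REFUSED or empty reply to the public-name probe as out of scope rather than as a failure. The type and function names, the result labels and the sample header bytes are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Upstream is one line of the upstream list; empty Domains means "all queries".
type Upstream struct {
	Domains []string // assumption: "/"-separated names between "[/" and "/]"
	Addr    string
}

// ParseUpstream splits "[/berth.net/]10.0.0.4:5053" into its scope and address.
func ParseUpstream(line string) (Upstream, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "[/") {
		return Upstream{Addr: line}, nil
	}
	end := strings.Index(line, "/]")
	if end < 3 || end+2 >= len(line) {
		return Upstream{}, fmt.Errorf("malformed scoped upstream %q", line)
	}
	return Upstream{Domains: strings.Split(line[2:end], "/"), Addr: line[end+2:]}, nil
}

// ClassifyProbe reads the 12-byte DNS header of the reply to a public-name probe.
func ClassifyProbe(u Upstream, resp []byte) string {
	if len(resp) < 12 {
		return "dead" // nothing parseable came back
	}
	rcode := resp[3] & 0x0F                       // RCODE: low nibble of the second flags byte
	ancount := binary.BigEndian.Uint16(resp[6:8]) // number of Answer records
	if rcode == 0 && ancount == 1 {
		return "ok"
	}
	if len(u.Domains) > 0 {
		return "alive-out-of-scope" // scoped server may refuse names outside its zone
	}
	return "wrong-answer"
}

func main() {
	// Constructed reply header: response bit set, RCODE 5 (REFUSED), ANCOUNT 0.
	refused := []byte{0x12, 0x34, 0x81, 0x85, 0, 1, 0, 0, 0, 0, 0, 0}
	u, _ := ParseUpstream("[/berth.net/]10.0.0.4:5053")
	fmt.Println(u.Addr, u.Domains, ClassifyProbe(u, refused))
}
```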


@s3frank commented on GitHub (Apr 29, 2020):

ok thanks. I will do some more testing and will let you know if this really
is an issue.
Based on what you said so far I would agree that the test should either be
not done or it should be done for a specific host which is of course a bit
harder to do in this case as you would need user input for the host to
target the query for.

On Wed, Apr 29, 2020 at 5:51 PM Andrey Meshkov <notifications@github.com> wrote:

> Yeah, that's it, so it simply does not respond to the test query, the
> resolution of your local domains should work just okay. If it does not,
> please check what's in the dnsmasq logs?



--
Best regards,

-FF


@s3frank commented on GitHub (May 1, 2020):

Hi all,

I have finished my setup and I can confirm that this is working like a charm.
I actually think that this is the perfect setup for a nice home local DNS + Ad filtering and Parental controls. It's super fast on RPi4 as well, running DietPi.

The only bug here is what @ameshkov already stated, the test query is wrong for the local dns server. It's non-blocking and things work as expected regardless.

Thanks very much!

Frank
