Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet) #2321

Open
opened 2026-03-04 01:56:15 -05:00 by deekerman · 9 comments

Originally created by @rampageX on GitHub (Jan 2, 2021).

Originally assigned to: @EugeneOne1 on GitHub.

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Problem Description

I set dnsmasq with my main DNS server on router because I need some complex ipset rules support, and AdguardHome is the only upstream server. But now on AGH dashboard, I can only see the router IP but not the other real client IPs.

Proposed Solution

Add add-mac and add-subnet to dnsmasq, then AGH can get the real client IP from every requery.

Additional Information

Pi-hole: Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet): https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940

@ameshkov commented on GitHub (Jan 4, 2021):

Am I right that you'd like AGH to be able to extract the client's IP and Mac addresses that dnsmasq adds to the outgoing DNS queries?


@rampageX commented on GitHub (Jan 4, 2021):

@ameshkov Yes, so that I can see which device made the request on AGH instead of showing all the gateway’s IP.


@ianmacd commented on GitHub (Mar 18, 2021):

I would like to add my voice to this request.

This would make it a lot more practical to run AdGuard Home on a machine already resolving DNS for a local network, such as a home router.


@ameshkov commented on GitHub (Mar 19, 2021):

Well, as I see it, this would be more useful to cloud installations of AGH - so that you could configure the router to pass clients info to AGH.

Anyways, it's planned on v0.106 so it's coming relatively soon.


@ptrsmk commented on GitHub (Jul 2, 2021):

v0.106 has shipped, obviously. Has this been implemented?


@timkgh commented on GitHub (Jul 18, 2021):

@ameshkov

Interested in the dnsmasq-like add-subnet feature too where I can set a fixed IP or subnet:

--add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
Add a subnet address to the DNS queries which are forwarded upstream. If an address is specified in the flag, it will be used, otherwise, the address of the requestor will be used.
...

The way I use it in dnsmasq on my router: I set it to the IP of the first hop router from my ISP (which has an IP in a different range/subnet than my public IP and obviously used by many other households in my area), this way I still get some geo-locality for CDNs but also protect my public IP address from being passed to upstream DNS servers.

One can test it like this:
dig o-o.myaddr.google.com txt +subnet='1.2.3.0/24' @8.8.8.8 (or @9.9.9.11)
vs
dig o-o.myaddr.google.com txt +subnet='1.2.3.0/24' @94.140.14.14
(you can replace @<ip> with the <ip> of your Adguard Home DNS server)
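
The following Python example is added here and is not taken from the thread or from AdGuard Home's code. It shows how a resolver can read the EDNS0 Client Subnet option that a forwarder such as dnsmasq attaches with add-subnet; `build_query`, `skip_name` and `extract_ecs` are hypothetical names, and the query bytes are constructed sample input.

```python
import ipaddress
import struct

ECS_OPTION = 8   # EDNS0 Client Subnet option code (RFC 7871)
OPT_TYPE = 41    # OPT pseudo-RR type (RFC 6891)

def build_query(name, subnet):
    """Constructed sample input: an A query carrying an ECS option."""
    net = ipaddress.ip_network(subnet)
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    ecs = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + addr
    rdata = struct.pack("!HH", ECS_OPTION, len(ecs)) + ecs
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    opt = b"\0" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def skip_name(pkt, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while pkt[pos] & 0xC0 != 0xC0 and pkt[pos] != 0:
        pos += 1 + pkt[pos]
    return pos + (2 if pkt[pos] & 0xC0 == 0xC0 else 1)

def extract_ecs(pkt):
    """Return the client subnet from the query's OPT record, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, pos)
        pos += 10
        end = pos + rdlen
        while rtype == OPT_TYPE and pos + 4 <= end:
            code, optlen = struct.unpack_from("!HH", pkt, pos)
            if code == ECS_OPTION and optlen >= 4:
                family, src_len, _ = struct.unpack_from("!HBB", pkt, pos + 4)
                size = {1: 4, 2: 16}.get(family)   # address bytes per family
                raw = pkt[pos + 8:pos + 4 + optlen]
                if size is None or src_len > size * 8 or len(raw) > size:
                    return None                # malformed option: ignore it
                addr = ipaddress.ip_address(raw.ljust(size, b"\0"))
                return ipaddress.ip_network(f"{addr}/{src_len}", strict=False)
            pos += 4 + optlen
        pos = end
    return None
```

A /32 (or /128) source prefix carries the full client address, which is what per-device attribution needs. Since any sender can set the option, as the dig +subnet test above shows, a resolver should honour it only from forwarders it trusts.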


@c2xusnpq6 commented on GitHub (Oct 19, 2021):

There seems to be no change in Adguard DNS' response content when different http parameter edns_client_subnet values are received.

To enhance privacy, some people may want to pretend that they are in a country where privacy laws are strong. People in Southeast Asia, China, Hong Kong, and Macau may be willing to trade a little network delay in exchange for enhanced privacy.

@c2xusnpq6 commented on GitHub (Oct 19, 2021):

For further information, please see:

  • https://dns.google/resolve?name=google.com&ct=application/dns-json&edns_client_subnet=46.14.4.0/24
  • https://dns.google/resolve?name=google.com&ct=application/dns-json&edns_client_subnet=1.34.4.0/24

@c2xusnpq6 commented on GitHub (Oct 19, 2021):

EDNS Client Subnet (ECS) Guidelines: https://developers.google.com/speed/public-dns/docs/ecs

JSON API for DNS over HTTPS (DoH): https://developers.google.com/speed/public-dns/docs/doh/json#supported_parameters
