DNS over HTTPS doesn't listen on dns->bind_hosts interfaces #3095

Closed
opened 2026-03-04 02:59:12 -05:00 by deekerman · 4 comments

Originally created by @Habetdin on GitHub (Oct 1, 2021).

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Issue Details

  • Version of AdGuard Home server:
    • v0.106.3
  • How did you install AdGuard Home:
    • via the automated install script
  • CPU architecture:
    • AMD64
  • Operating system and version:
    • Ubuntu 20.04.3 LTS

Expected Behavior

DNS over HTTPS should listen on the same IPs as regular DNS, DNS over TLS, DNS over QUIC, etc.

Actual Behavior

DNS over HTTPS listens only on the Web interface IP address

Additional Information

AdGuardHome.yaml contains the following configuration (I've replaced the real IPs with <stubs>):

bind_host: <first.ip.address>
bind_port: 80
dns:
  bind_hosts:
  - <second.ip.address>
  - <third.ip.address>
tls:
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784

The ss output shows the following socket state:

# HTTP Web interface
tcp    LISTEN  0       65535    <first.ip.address>:80

# HTTPS Web interface and/or DoH
tcp    LISTEN  0       65535    <first.ip.address>:443

# Regular DNS
tcp    LISTEN  0       65535   <second.ip.address>:53
udp    UNCONN  0       0       <second.ip.address>:53
tcp    LISTEN  0       65535    <third.ip.address>:53
udp    UNCONN  0       0        <third.ip.address>:53

# DoT
tcp    LISTEN  0       65535   <second.ip.address>:853
tcp    LISTEN  0       65535    <third.ip.address>:853

# DoQ
udp    UNCONN  0       0       <second.ip.address>:784
udp    UNCONN  0       0        <third.ip.address>:784

As seen in this output, regular DNS, DNS over TLS and DNS over QUIC all listen on the dns->bind_hosts IPs, while DNS over HTTPS is only available on the IP of the Web interface.

I expect DNS over HTTPS to follow the other DNS services' behavior and listen on <second.ip.address> and <third.ip.address>, but it does not. As a bonus, there's no way to separate DNS over HTTPS from the Web interface except by using a reverse proxy.

Maybe there should be a unified bind_hosts configuration, but for now there is a generic bind_host alongside dns->bind_hosts.

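The listener audit below is an added example, not code from the issue or from AdGuard Home. It does mechanically what the report above does by hand: it takes a config shaped like the AdGuardHome.yaml fragment, takes `ss -lntu` output, and reports, per DNS transport, which of the dns->bind_hosts addresses have no listener. The 192.0.2.x addresses and the embedded ss lines are constructed stand-ins for the issue's <stubs>; a wildcard bind (0.0.0.0, [::] or *) is treated as covering every address.

```python
"""Audit which bind addresses each AdGuard Home DNS transport listens on.

Added example, not AdGuard Home code. Reads `ss -lntu`-style output and a
config dict shaped like the AdGuardHome.yaml fragment in this issue, and
reports for every DNS transport which dns.bind_hosts addresses lack a
listener. Addresses and ss lines are constructed stand-ins.
"""

import re
from collections import defaultdict

# Constructed stand-in for the AdGuardHome.yaml fragment in the issue.
CONFIG = {
    "bind_host": "192.0.2.1",          # web interface (and DoH) address
    "bind_port": 80,
    "dns": {"bind_hosts": ["192.0.2.2", "192.0.2.3"]},
    "tls": {
        "port_https": 443,
        "port_dns_over_tls": 853,
        "port_dns_over_quic": 784,
    },
}

# Constructed `ss -lntu` output mirroring the socket state the issue describes.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      65535      192.0.2.1:80        0.0.0.0:*
tcp   LISTEN 0      65535      192.0.2.1:443       0.0.0.0:*
tcp   LISTEN 0      65535      192.0.2.2:53        0.0.0.0:*
udp   UNCONN 0      0          192.0.2.2:53        0.0.0.0:*
tcp   LISTEN 0      65535      192.0.2.3:53        0.0.0.0:*
udp   UNCONN 0      0          192.0.2.3:53        0.0.0.0:*
tcp   LISTEN 0      65535      192.0.2.2:853       0.0.0.0:*
tcp   LISTEN 0      65535      192.0.2.3:853       0.0.0.0:*
udp   UNCONN 0      0          192.0.2.2:784       0.0.0.0:*
udp   UNCONN 0      0          192.0.2.3:784       0.0.0.0:*
"""

# proto, state, recv-q, send-q, local-ip:port ...  (header lines do not match)
SOCK_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Return {(proto, port): {local_ip, ...}} from ss -lntu output."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, ip, port = m.group(1), m.group(2), int(m.group(3))
        listeners[(proto, port)].add(ip)
    return listeners


def expected_transports(config):
    """Map each DNS transport name to the (proto, port) it should use."""
    tls = config["tls"]
    return {
        "DNS/tcp": ("tcp", 53),
        "DNS/udp": ("udp", 53),
        "DoT": ("tcp", tls["port_dns_over_tls"]),
        "DoQ": ("udp", tls["port_dns_over_quic"]),
        "DoH": ("tcp", tls["port_https"]),
    }


def audit(config, ss_text):
    """Return {transport: sorted dns.bind_hosts addresses with no listener}."""
    listeners = parse_ss(ss_text)
    wanted = set(config["dns"]["bind_hosts"])
    missing = {}
    for name, key in expected_transports(config).items():
        bound = listeners.get(key, set())
        # A wildcard bind serves every address, so nothing can be missing.
        if bound & WILDCARDS:
            missing[name] = []
        else:
            missing[name] = sorted(wanted - bound)
    return missing


def doh_on_web_ip_only(config, ss_text):
    """True when DoH is served only on bind_host, the symptom in this issue."""
    key = ("tcp", config["tls"]["port_https"])
    return parse_ss(ss_text).get(key, set()) == {config["bind_host"]}


if __name__ == "__main__":
    for transport, gaps in audit(CONFIG, SS_OUTPUT).items():
        status = "ok" if not gaps else "missing on " + ", ".join(gaps)
        print(f"{transport:8} {status}")
```

To check a live host, replace SS_OUTPUT with the text of `ss -lntu` (run as root so every socket is visible) and CONFIG with the values from your own AdGuardHome.yaml. The audit only looks at bound sockets; it cannot tell whether the 443 listener on bind_host is the Web interface, DoH, or both, which is exactly the coupling the issue is about.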
deekerman 2026-03-04 02:59:12 -05:00: closed this issue and added the duplicate label

@timkgh commented on GitHub (Oct 2, 2021):

See #741. In general there should be individual options which protocols to enable, what interfaces/ports to listen on, certificates (because different host names may be used depending on interface). The admin interface should have its own settings. This will require a re-design at some point.


@Habetdin commented on GitHub (Oct 2, 2021):

See #741. In general there should be individual options which protocols to enable, what interfaces/ports to listen on, certificates (because different host names may be used depending on interface). The admin interface should have its own settings. This will require a re-design at some point.

Yeah, I agree, this issue is related to #741. Sadly, nothing has changed in the last 2 years.

As a workaround I have set up a reverse proxy from <second.ip.address> and <third.ip.address> to <first.ip.address> to make DoH available on the same IPs as the other DNS implementations.


@timkgh commented on GitHub (Oct 2, 2021):

You may also be able to play some games with iptables on Linux to achieve the same, either to do forwarding between IP addresses or have the admin interface listen on all interfaces and block it on some with iptables.


@EugeneOne1 commented on GitHub (Oct 4, 2021):

Merging into https://github.com/AdguardTeam/AdGuardHome/issues/741#issuecomment-759330329 since it looks like a duplicate.

Please upvote that task to increase its priority.

Reference
starred/AdGuardHome#3095