DNS rewrites BROKEN since months #3617

New issue

Open

opened 2026-03-04 03:58:34 -05:00 by deekerman · 24 comments

deekerman commented 2026-03-04 03:58:34 -05:00

Owner

Copy link

Originally created by @Lovely-Maisonette on GitHub (Apr 12, 2022).

Rewrites are ignored and queries are sent upstream instead:

DNS Query (CLI) [FAILS]

DNS rewrite config and version (docker) [OK]

Adguard log entry [Answer from upstream!!!)]

Testing from within the GUI [OK!!!]

Something in the logic got broken around v107

Originally created by @Lovely-Maisonette on GitHub (Apr 12, 2022). Rewrites are ignored and queries are sent upstream instead: DNS Query (CLI) [FAILS]  DNS rewrite config and version (docker) [OK]  Adguard log entry [Answer from upstream!!!)]  Testing from within the GUI [OK!!!]  Something in the logic got broken around v107

deekerman added the

cannot reproduce

label 2026-03-04 03:58:34 -05:00

deekerman commented 2026-03-04 03:58:42 -05:00

Author

Owner

Copy link

@fernvenue commented on GitHub (Apr 12, 2022):

Maybe you can turn on verbose log and try delete this rewrite then add it again to see what's happen.

@fernvenue commented on GitHub (Apr 12, 2022): Maybe you can turn on [verbose log](https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#verboselog) and try delete this rewrite then add it again to see what's happen.

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@agneevX commented on GitHub (Apr 13, 2022):

Cannot reproduce this on v0.107.5.

@agneevX commented on GitHub (Apr 13, 2022): Cannot reproduce this on v0.107.5.

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@Lovely-Maisonette commented on GitHub (Apr 13, 2022):

Maybe you can turn on verbose log and try delete this rewrite then add it again to see what's happen.

stopped, deleted all rewrites, set verbose, restarted, added just one rewrite
my.test 1.2.3.4

This is the nslookup from client 192.168.1.191 (added the DOT to prevent expansion of localdomain)

PS C:\> nslookup.exe my.test. dns.casa
Server:  DNS.casa
Address:  192.168.1.10

*** DNS.casa can't find my.test.: Non-existent domain

This is the verbose log

Adguard    | 2022/04/13 10:34:37.802695 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51817
Adguard    | 2022/04/13 10:34:37.802797 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 1
Adguard    | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;10.1.168.192.in-addr.arpa.        IN       PTR
Adguard    |
Adguard    | 2022/04/13 10:34:37.803099 21#167 [debug] 192.168.1.1:53: sending request PTR 10.1.168.192.in-addr.arpa.
Adguard    | 2022/04/13 10:34:37.804852 21#167 [debug] 192.168.1.1:53: response: ok
Adguard    | 2022/04/13 10:34:37.805007 21#167 [debug] time.Duration.Milliseconds(): upstream 192.168.1.1:53 successfully finished exchange of ;10.1.168.192.in-addr.arpa.      IN       PTR. Elapsed 1.934675ms.
Adguard    | 2022/04/13 10:34:37.805118 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(): RTT: 2.085088ms
Adguard    | 2022/04/13 10:34:37.805200 21#167 [debug] client ip: 192.168.1.191
Adguard    | 2022/04/13 10:34:37.805304 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 1
Adguard    | ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;10.1.168.192.in-addr.arpa.        IN       PTR
Adguard    |
Adguard    | ;; ANSWER SECTION:
Adguard    | 10.1.168.192.in-addr.arpa. 43200   IN      PTR     DNS.casa.
Adguard    |
Adguard    | 2022/04/13 10:34:37.810543 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51818
Adguard    | 2022/04/13 10:34:37.810635 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 2
Adguard    | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;my.test.  IN       A
Adguard    |
Adguard    | 2022/04/13 10:34:37.810895 21#168 [debug] serving response from general cache
Adguard    | 2022/04/13 10:34:37.810968 21#168 [debug] client ip: 192.168.1.191
Adguard    | 2022/04/13 10:34:37.811099 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 2
Adguard    | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;my.test.  IN       A
Adguard    |
Adguard    | ;; AUTHORITY SECTION:
Adguard    | .  86371   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2022041300 1800 900 604800 86400
Adguard    |
Adguard    | 2022/04/13 10:34:37.816465 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51819
Adguard    | 2022/04/13 10:34:37.816654 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3
Adguard    | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;my.test.  IN       AAAA
Adguard    |
Adguard    | 2022/04/13 10:34:37.816758 21#169 [debug] IPv6 is disabled. Reply with NoError to my.test. AAAA request
Adguard    | 2022/04/13 10:34:37.816837 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 3
Adguard    | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Adguard    |
Adguard    | ;; QUESTION SECTION:
Adguard    | ;my.test.  IN       AAAA
Adguard    |
Adguard    | ;; AUTHORITY SECTION:
Adguard    | my.test.   10      IN      SOA     fake-for-negative-caching.adguard.com. hostmaster.my.test. 100500 1800 60 604800 86400
Adguard    |

And this from the GUI

And this from the GUI filter test, which works as expected

There must be something taking precedence before the filter is applied, when the queries come from port 53
I remember something "rewrite" code being introduced around v106->v107, and then rolled back due to problems, and that rollback never fixed my issues.

I never changed my installation, only pulling regularly the latest version from < v106 times from
https://hub.docker.com/r/adguard/adguardhome

@Lovely-Maisonette commented on GitHub (Apr 13, 2022): > Maybe you can turn on [verbose log](https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#verboselog) and try delete this rewrite then add it again to see what's happen. stopped, deleted all rewrites, set verbose, restarted, added just one rewrite my.test 1.2.3.4 This is the nslookup from client 192.168.1.191 (added the DOT to prevent expansion of localdomain) ``` PS C:\> nslookup.exe my.test. dns.casa Server: DNS.casa Address: 192.168.1.10 *** DNS.casa can't find my.test.: Non-existent domain ``` This is the verbose log ``` Adguard | 2022/04/13 10:34:37.802695 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51817 Adguard | 2022/04/13 10:34:37.802797 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 1 Adguard | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;10.1.168.192.in-addr.arpa. IN PTR Adguard | Adguard | 2022/04/13 10:34:37.803099 21#167 [debug] 192.168.1.1:53: sending request PTR 10.1.168.192.in-addr.arpa. Adguard | 2022/04/13 10:34:37.804852 21#167 [debug] 192.168.1.1:53: response: ok Adguard | 2022/04/13 10:34:37.805007 21#167 [debug] time.Duration.Milliseconds(): upstream 192.168.1.1:53 successfully finished exchange of ;10.1.168.192.in-addr.arpa. IN PTR. Elapsed 1.934675ms. Adguard | 2022/04/13 10:34:37.805118 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(): RTT: 2.085088ms Adguard | 2022/04/13 10:34:37.805200 21#167 [debug] client ip: 192.168.1.191 Adguard | 2022/04/13 10:34:37.805304 21#167 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 1 Adguard | ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;10.1.168.192.in-addr.arpa. IN PTR Adguard | Adguard | ;; ANSWER SECTION: Adguard | 10.1.168.192.in-addr.arpa. 43200 IN PTR DNS.casa. Adguard | Adguard | 2022/04/13 10:34:37.810543 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51818 Adguard | 2022/04/13 10:34:37.810635 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 2 Adguard | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;my.test. IN A Adguard | Adguard | 2022/04/13 10:34:37.810895 21#168 [debug] serving response from general cache Adguard | 2022/04/13 10:34:37.810968 21#168 [debug] client ip: 192.168.1.191 Adguard | 2022/04/13 10:34:37.811099 21#168 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NXDOMAIN, id: 2 Adguard | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;my.test. IN A Adguard | Adguard | ;; AUTHORITY SECTION: Adguard | . 86371 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022041300 1800 900 604800 86400 Adguard | Adguard | 2022/04/13 10:34:37.816465 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.1.191:51819 Adguard | 2022/04/13 10:34:37.816654 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3 Adguard | ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;my.test. IN AAAA Adguard | Adguard | 2022/04/13 10:34:37.816758 21#169 [debug] IPv6 is disabled. Reply with NoError to my.test. AAAA request Adguard | 2022/04/13 10:34:37.816837 21#169 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 3 Adguard | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 Adguard | Adguard | ;; QUESTION SECTION: Adguard | ;my.test. IN AAAA Adguard | Adguard | ;; AUTHORITY SECTION: Adguard | my.test. 10 IN SOA fake-for-negative-caching.adguard.com. hostmaster.my.test. 100500 1800 60 604800 86400 Adguard | ``` And this from the GUI  And this from the GUI filter test, which works as expected  There must be something taking precedence before the filter is applied, when the queries come from port 53 I remember something "rewrite" code being introduced around v106->v107, and then rolled back due to problems, and that rollback never fixed my issues. I never changed my installation, only pulling regularly the latest version from < v106 times from https://hub.docker.com/r/adguard/adguardhome

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@fernvenue commented on GitHub (Apr 13, 2022):

@Lovely-Maisonette Does this client use the global settings and upstream?

@fernvenue commented on GitHub (Apr 13, 2022): @Lovely-Maisonette Does this client use the global settings and upstream?

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@Lovely-Maisonette commented on GitHub (Apr 13, 2022):

I use my router as upstream for internal name resolution (is not enough, an therefore I need the rewrite to add CNAMES.
What is not internal should go outside. This is relevant config:

upstream_dns:
  - '[/casa/]192.168.1.1'
  - '[/168.192.in-addr.arpa/]192.168.1.1'
  - https://dns.cloudflare.com/dns-query
  - 1.1.1.1
  upstream_dns_file: ""
  bootstrap_dns:
  - 9.9.9.10
  - 149.112.112.10
  - 2620:fe::10
  - 2620:fe::fe:10

But the rewrite should bypass any upstreams.

I am not sure what you mean by "global settings"

You think there is a missconfiguration?
The rewrites stopped working after an update around one year ago I would say, and without changing the configuration.

@Lovely-Maisonette commented on GitHub (Apr 13, 2022): I use my router as upstream for internal name resolution (is not enough, an therefore I need the rewrite to add CNAMES. What is not internal should go outside. This is relevant config: ``` upstream_dns: - '[/casa/]192.168.1.1' - '[/168.192.in-addr.arpa/]192.168.1.1' - https://dns.cloudflare.com/dns-query - 1.1.1.1 upstream_dns_file: "" bootstrap_dns: - 9.9.9.10 - 149.112.112.10 - 2620:fe::10 - 2620:fe::fe:10 ``` But the rewrite should bypass any upstreams. I am not sure what you mean by "global settings" You think there is a missconfiguration? The rewrites stopped working after an update around one year ago I would say, and without changing the configuration.

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@fernvenue commented on GitHub (Apr 13, 2022):

the rewrite should precede any upstreams.

Of course :)

I am not sure what you mean by "global settings"

Settings - Client settings

@fernvenue commented on GitHub (Apr 13, 2022): > the rewrite should precede any upstreams. Of course :) > I am not sure what you mean by "global settings" **Settings - Client settings**

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@Lovely-Maisonette commented on GitHub (Apr 13, 2022):

yes, global settings. I have not defined any specific client settings for this or any other ip.
I moved to adguard/adguardhome:edge long ago, in the hope a fix would roll in.

@Lovely-Maisonette commented on GitHub (Apr 13, 2022): yes, global settings. I have not defined any specific client settings for this or any other ip. I moved to adguard/adguardhome:edge long ago, in the hope a fix would roll in.

deekerman commented 2026-03-04 03:58:46 -05:00

Author

Owner

Copy link

@ainar-g commented on GitHub (Apr 13, 2022):

@Lovely-Maisonette, we cannot reproduce that, but we've had several similar issues. A few questions that would help us diagnose the issue:

1. Do you have the “Block domains using filters and hosts files” checkmark checked on the Settings → General settings page?
2. I've noticed that you're using Windows. Have you tried the same nslookup but with a dot at the end of the hostname? E.g. nslookup my.test..
3. Does your router send DHCP Option 119 aka Domain Suffix Search?
4. If you're using AdGuard Home as your DHCP server, what's the value of the local_domain_name parameter?

Thanks.

@ainar-g commented on GitHub (Apr 13, 2022): @Lovely-Maisonette, we cannot reproduce that, but we've had several similar issues. A few questions that would help us diagnose the issue: 1. Do you have the “Block domains using filters and hosts files” checkmark checked on the Settings → General settings page? 2. I've noticed that you're using Windows. Have you tried the same `nslookup` but with a dot at the end of the hostname? E.g. `nslookup my.test.`. 3. Does your router send DHCP Option 119 aka Domain Suffix Search? 4. If you're using AdGuard Home as your DHCP server, what's the value of the `local_domain_name` parameter? Thanks.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@Lovely-Maisonette commented on GitHub (Apr 13, 2022):

Hi @ainar-g,

I will speak in the past, because I changed some things drastically in the last couple of hours.

1. Yes, I used the blocking lists as provided by Adward out of-the-box.
2. Normally I am on Linux (so did not work there), but to build the report today I was on windows. Yes, I did both, with (second post) and without dot (first post) to minimize having a transient localdoman expansion.

My router is my DHCP server and main name resolution for local hosts.
The DHCP server tells the clients to use the domain casa (it is now a TLD, but it was not when I started using it. I use it for my 192.168. and 10. networks.
Adguard is my main DNS server (router the secondary/fallback)
Adguard retrievs external names from outside servers, and internal names from the DNS/DHCP router.

I have internal services that should be isolated from each other, those get their own networks and the router does not know about them. Some of them are reachable through a reverse proxy (frontend endpoints only). The reverse proxy needs to be reached by it's own name and a multitude of CNAMES, to route requests to those internal services. I used the rewrites to provide those aliases. I do not know if there is a way to automate that the same way I did with the other servers on 192.168.
but did not care, they are in the dozens, so I could maintain them by hand in the rewrite page (that page is missing some EDIT button).

Today I could not wait any longer and started looking for a fix or an alternative. At the end I deleted everything and started over. In parallel I learned from something you wrote elsewhere about dnsrewrite and made it work using the "Custom filtering rules" (that name fooled me, never looked in there before) instead of the "rewrites" (intuitively, the right place to look for creating CNAMES).

Now I have:

elastic.casa^$dnsrewrite=NOERROR;CNAME;web.casa
portainer.casa^$dnsrewrite=NOERROR;CNAME;web.casa
foo.casa^$dnsrewrite=NOERROR;CNAME;web.casa
bar.casa^$dnsrewrite=NOERROR;CNAME;web.casa
...

This works and is good enough for my needs. Unfortunately, trying to make it work, I did not think about keeping the old instance and config to help you debug this further, sorry for my shortsightedness.

I was not able to remove the .casa from there (changing the domain on the router will break it up) but as long as |I do not need to scale into the hundreds of server, I do not mind, though all I need is a simple
elastic, portainer, foo, bar -> web

The rewrite bug is still there, but maybe we need to close this ticket as "cannot reproduce" until further notice.

@Lovely-Maisonette commented on GitHub (Apr 13, 2022): Hi @ainar-g, I will speak in the past, because I changed some things drastically in the last couple of hours. 1) Yes, I used the blocking lists as provided by Adward out of-the-box. 2) Normally I am on Linux (so did not work there), but to build the report today I was on windows. Yes, I did both, with (second post) and without dot (first post) to minimize having a transient localdoman expansion. 3) My router is my DHCP server and main name resolution for local hosts. The DHCP server tells the clients to use the domain casa (it is now a TLD, but it was not when I started using it. I use it for my 192.168. and 10. networks. Adguard is my main DNS server (router the secondary/fallback) Adguard retrievs external names from outside servers, and internal names from the DNS/DHCP router. I have internal services that should be isolated from each other, those get their own networks and the router does not know about them. Some of them are reachable through a reverse proxy (frontend endpoints only). The reverse proxy needs to be reached by it's own name and a multitude of CNAMES, to route requests to those internal services. I used the rewrites to provide those aliases. I do not know if there is a way to automate that the same way I did with the other servers on 192.168. but did not care, they are in the dozens, so I could maintain them by hand in the rewrite page (that page is missing some EDIT button). Today I could not wait any longer and started looking for a fix or an alternative. At the end I deleted everything and started over. In parallel I learned from something you wrote elsewhere about [dnsrewrite](https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite) and made it work using the "Custom filtering rules" (that name fooled me, never looked in there before) instead of the "rewrites" (intuitively, the right place to look for creating CNAMES). Now I have: elastic.casa^$dnsrewrite=NOERROR;CNAME;web.casa portainer.casa^$dnsrewrite=NOERROR;CNAME;web.casa foo.casa^$dnsrewrite=NOERROR;CNAME;web.casa bar.casa^$dnsrewrite=NOERROR;CNAME;web.casa ... This works and is good enough for my needs. Unfortunately, trying to make it work, I did not think about keeping the old instance and config to help you debug this further, sorry for my shortsightedness. I was not able to remove the .casa from there (changing the domain on the router will break it up) but as long as |I do not need to scale into the hundreds of server, I do not mind, though all I need is a simple elastic, portainer, foo, bar -> web The rewrite bug is still there, but maybe we need to close this ticket as "cannot reproduce" until further notice.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@ainar-g commented on GitHub (Apr 13, 2022):

I see, thanks for the feedback. We are actually planning to eventually remove the legacy DNS rewrites completely, and we've been recommending users to switch to dnsrewrite rules for a while now. Perhaps we should add a UI tip about that.

@ainar-g commented on GitHub (Apr 13, 2022): I see, thanks for the feedback. We are actually planning to eventually remove the legacy DNS rewrites completely, and we've been recommending users to switch to `dnsrewrite` rules for a while now. Perhaps we should add a UI tip about that.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@ElStupid commented on GitHub (Apr 19, 2022):

How to do dnsrewrite rules?

I'm experiencing the same kind of problems as mentioned here, although it did work for short time. I only have 1 DNS server defined, which is AdGuard Home. Now when I query for a DNS rewrite address (which is something like sub.domain.local) the logging show it's upstreamed and NXDOMAIN. Even when caching is switched off by setting it to 0 size.
I'm running v0.107.5 on my NAS in a Docker container btw.

If exchanging the legacy DNS rewrite for dnsrewrite rules makes life easier then please do so. But the interface is quite intuitive and I would be sad to see it go...

@ElStupid commented on GitHub (Apr 19, 2022): How to do dnsrewrite rules? I'm experiencing the same kind of problems as mentioned here, although it did work for short time. I only have 1 DNS server defined, which is AdGuard Home. Now when I query for a DNS rewrite address (which is something like sub.domain.local) the logging show it's upstreamed and NXDOMAIN. Even when caching is switched off by setting it to 0 size. I'm running v0.107.5 on my NAS in a Docker container btw. If exchanging the legacy DNS rewrite for dnsrewrite rules makes life easier then please do so. But the interface is quite intuitive and I would be sad to see it go...

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@Lovely-Maisonette commented on GitHub (Apr 19, 2022):

I am not part of the team but,

How to do dnsrewrite rules?

What was not working (being set upstream, instead of resolving like in the internal "check filter") for me was the
Filters/DNS Rewrites.

If I understand correctly, that is what @ainar-g calls "legacy" and to be removed sooner or later (hopefully not the other way around, not clear to me. @ainar-g?)
I discovered a second way to make rewrites a few days ago (after years of using Adward, not intuitive). in the
Filters/Custom Filtering Rules
(With than name sounds like the exception, not the rule)
I would say, it needs better documentation. I stopped when this worked for me:

portainer.casa^$dnsrewrite=NOERROR;CNAME;web.casa

Do not ask me to document it, or to know what happens if I remove CNAME, NOERROR, or ^$ which looks like an empty regular expression. IT worked for me and I moved on. Hopefully someone can expand on this:
https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists

Still not clear why it is documented in the Blocklist. Probably GUI and Docs need revamping there.

@Lovely-Maisonette commented on GitHub (Apr 19, 2022): I am not part of the team but, > How to do dnsrewrite rules? What was not working (being set upstream, instead of resolving like in the internal "check filter") for me was the Filters/DNS Rewrites. If I understand correctly, that is what @ainar-g calls "legacy" and to be removed sooner or later (hopefully not the other way around, not clear to me. @ainar-g?) I discovered a second way to make rewrites a few days ago (after years of using Adward, not intuitive). in the Filters/Custom Filtering Rules (With than name sounds like the exception, not the rule) I would say, it needs better documentation. I stopped when this worked for me: portainer.casa^$dnsrewrite=NOERROR;CNAME;web.casa Do not ask me to document it, or to know what happens if I remove CNAME, NOERROR, or ^$ which looks like an empty regular expression. IT worked for me and I moved on. Hopefully someone can expand on this: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists Still not clear why it is documented in the Blocklist. Probably GUI and Docs need revamping there.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@ElStupid commented on GitHub (Apr 19, 2022):

Exactly. I guess your finding in the custom filtering rules is the "dnswrite" @ainar-g is talking about.
With some very good documentation that would be doable also (I don't make lots of them and they don't change often).
But it would be great to do it more intuitive through the current interface.

Thanks for pointing it out, I will give it a try.

@ElStupid commented on GitHub (Apr 19, 2022): Exactly. I guess your finding in the custom filtering rules is the "dnswrite" @ainar-g is talking about. With some very good documentation that would be doable also (I don't make lots of them and they don't change often). But it would be great to do it more intuitive through the current interface. Thanks for pointing it out, I will give it a try.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@RossComputerGuy commented on GitHub (Nov 28, 2022):

I think I'm having the same issue when doing DNS rewrites with Adguard. I get responses when I query a rewritten URL but when I use Tailscale, I get NXDOMAIN. Is this a known issue and is it related to this? I'm running Adguard Home off TrueNAS.

@RossComputerGuy commented on GitHub (Nov 28, 2022): I think I'm having the same issue when doing DNS rewrites with Adguard. I get responses when I query a rewritten URL but when I use Tailscale, I get `NXDOMAIN`. Is this a known issue and is it related to this? I'm running Adguard Home off TrueNAS.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@dnnspaul commented on GitHub (Nov 30, 2022):

It worked for several weeks after installation, but it "suddendly" stopped working for now multiple months. I read this whole thread and enabling the option for filtering the domains with filters and hosts-file made it working again:

(sorry, but I'm using the german version. It's the first setting at "Settings -> General".) I'm using the linuxserver adguard docker image.

@dnnspaul commented on GitHub (Nov 30, 2022): It worked for several weeks after installation, but it "suddendly" stopped working for now multiple months. I read this whole thread and enabling the option for filtering the domains with filters and hosts-file made it working again:  (sorry, but I'm using the german version. It's the first setting at "Settings -> General".) I'm using the linuxserver adguard docker image.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@RossComputerGuy commented on GitHub (Nov 30, 2022):

@dnnspaul I had the same problem where it just suddenly stopped working even without using Tailscale but your solution fixed it.

@RossComputerGuy commented on GitHub (Nov 30, 2022): @dnnspaul I had the same problem where it just suddenly stopped working even without using Tailscale but your solution fixed it.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@zfedoran commented on GitHub (Dec 7, 2022):

Same issue here, worked for a while, then stopped working for one rewrite after another. At this point half work and half do not. All work when tested through the adguard web GUI test but not when testing from the terminal or other device on the same network. These used to work but have stopped working.

@dnnspaul fix didn't work as I already had this setting enabled. Flipping it on and off doesn't do anything either.

@zfedoran commented on GitHub (Dec 7, 2022): Same issue here, worked for a while, then stopped working for one rewrite after another. At this point half work and half do not. All work when tested through the adguard web GUI test but not when testing from the terminal or other device on the same network. These used to work but have stopped working. @dnnspaul fix didn't work as I already had this setting enabled. Flipping it on and off doesn't do anything either.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@kvervo commented on GitHub (Jan 30, 2023):

I was about to write a comment for this issue with details and steps to reproduce it :)
And then I found that in my network I had the AdBlock feature from the router vendor enabled on the router. This caused the issue and although all clients reported that DNS server was configured properly from DHCP, still the router somehow override that and forced it's own instance of DNS to take over for all client requests.

Once the feature was disable everything got back to normal.

@kvervo commented on GitHub (Jan 30, 2023): I was about to write a comment for this issue with details and steps to reproduce it :) And then I found that in my network I had the AdBlock feature from the router vendor enabled on the router. This caused the issue and although all clients reported that DNS server was configured properly from DHCP, still the router somehow override that and forced it's own instance of DNS to take over for all client requests. Once the feature was disable everything got back to normal.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@zfedoran commented on GitHub (Jan 30, 2023):

@kvervo which type of router are you using? I think it would be helpful to share in case anyone else has that issue

@zfedoran commented on GitHub (Jan 30, 2023): @kvervo which type of router are you using? I think it would be helpful to share in case anyone else has that issue

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@dominikhoebert commented on GitHub (Feb 18, 2023):

Same for me, it worked fine until a few days ago and now most of them don't work anymore. All of them work through the AG web gui test. Did somebody find a solution in the meantime?

@dominikhoebert commented on GitHub (Feb 18, 2023): Same for me, it worked fine until a few days ago and now most of them don't work anymore. All of them work through the AG web gui test. Did somebody find a solution in the meantime?

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@wehrstedt commented on GitHub (Mar 16, 2023):

Got the same problem today. Im running adguard in a docker container. Today, dns rewrite stopped working and a lot of my local domains could not be resolved. I did not changed anything.

I opened the adguard dashboard to debug this issue. First thing i noticed was that the query log were disabled. 2 days ago the query log were enabled. I did not disabled it by myself. After enabling the query log i could see my local dns queries were forwarded to my upstream dns servers even dns rewrites were active and well configured.

After a while i diceded to launch a new, fresh docker container. DNS rewrite was working again. I relaunched my old container and noticed that dns blocking also does not work. I than rechecked the configuration and noticed that the option "Block domains using filters and host files" were disabled. After reactivating this option everything worked again.

I dont know what happened to the configuration. I did not changed anything at all.

@wehrstedt commented on GitHub (Mar 16, 2023): Got the same problem today. Im running adguard in a docker container. Today, dns rewrite stopped working and a lot of my local domains could not be resolved. I did not changed anything. I opened the adguard dashboard to debug this issue. First thing i noticed was that the query log were disabled. 2 days ago the query log were enabled. I did not disabled it by myself. After enabling the query log i could see my local dns queries were forwarded to my upstream dns servers even dns rewrites were active and well configured. After a while i diceded to launch a new, fresh docker container. DNS rewrite was working again. I relaunched my old container and noticed that dns blocking also does not work. I than rechecked the configuration and noticed that the option "Block domains using filters and host files" were disabled. After reactivating this option everything worked again. I dont know what happened to the configuration. I did not changed anything at all.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@wehrstedt commented on GitHub (Mar 16, 2023):

In the adguard logs:

2023/03/16 22:49:04.687319 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.

Maybe there is a memory leak which causes this issue?

@wehrstedt commented on GitHub (Mar 16, 2023): In the adguard logs: ``` 2023/03/16 22:49:04.687319 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details. ``` Maybe there is a memory leak which causes this issue?

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@Cybolic commented on GitHub (Sep 20, 2023):

I was having the same problem: DNS rewrites worked fine on the local network (i.e. nslookup myhost.local.net 192.168.x.x worked), but failed whenever I used Tailscale (i.e. nslookup myhost.local.net 100.x.x.x => NXDOMAIN).

What finally made it work was adding Tailscale's network to the dns.private_networks config setting:

dns:
  private_networks:
    # RFC 1918
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    # Tailscale
    - 100.64.0.0/10

For reference, I saw no difference between using DNS rewrites vs custom filtering rules and the "Block domains using filters and hosts files" setting didn't have any effect either.

@Cybolic commented on GitHub (Sep 20, 2023): I was having the same problem: DNS rewrites worked fine on the local network (i.e. `nslookup myhost.local.net 192.168.x.x` worked), but failed whenever I used Tailscale (i.e. `nslookup myhost.local.net 100.x.x.x` => `NXDOMAIN`). What finally made it work was adding Tailscale's network to the `dns.private_networks` config setting: ```yaml dns: private_networks: # RFC 1918 - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 # Tailscale - 100.64.0.0/10 ``` For reference, I saw no difference between using DNS rewrites vs custom filtering rules and the "Block domains using filters and hosts files" setting didn't have any effect either.

deekerman commented 2026-03-04 03:58:47 -05:00

Author

Owner

Copy link

@Wetzel402 commented on GitHub (Feb 22, 2024):

It worked for several weeks after installation, but it "suddendly" stopped working for now multiple months. I read this whole thread and enabling the option for filtering the domains with filters and hosts-file made it working again:

(sorry, but I'm using the german version. It's the first setting at "Settings -> General".) I'm using the linuxserver adguard docker image.

This was my problem! Thanks!

@Wetzel402 commented on GitHub (Feb 22, 2024): > It worked for several weeks after installation, but it "suddendly" stopped working for now multiple months. I read this whole thread and enabling the option for filtering the domains with filters and hosts-file made it working again: > >  (sorry, but I'm using the german version. It's the first setting at "Settings -> General".) I'm using the linuxserver adguard docker image. This was my problem! Thanks!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

AGDNS-3523-upd-dnsproxy-middlewares

ADG-11407-add-docker-release

AGDNS-3535-upd-urlfilter

AGDNS-3684-fix-tls-status

beta-v0.107

release-v0.107.72

ADG-10306

beta-v0.108

ADG-10291

upd-url-filter

release-v0.107.71

release-v0.107.70

ADG-10301

ADG-8560-react-update

ADG-8560-graph-fix

release-v0.107.69

release-v0.107.68

release-v0.107.67

release-v0.107.66

ADG-10295

release-v0.107.65

release-v0.107.64

release-v0.107.63

release-v0.107.62

release-v0.107.61

release-v0.107.60

release-v0.107.59

release-v0.107.58

ADG-9783

ADG-1-utils-bundle-update

ADG-9415

release-v0.107.57

ADG-9565

release-v0.107.56

release-v0.107.55

release-v0.107.54

release-v0.107.53

infra-fix

upd-locales

release-v0.107.52

release-v0.107.51

AGDNS-2184-adguard-home

AG-32410-upd-dnsproxy

release-v0.107.50

release-v0.107.49

release-v0.107.48

release-v0.107.47

release-v0.107.46

release-v0.107.45

release-v0.107.44

release-v0.107.43

release-v0.107.42

6263-custom-ups-cache

release-v0.107.41

6399-fix-ups-check

release-v0.107.40

release-v0.107.39

release-v0.107.38

release-v0.107.37

6099-check-port-install

release-v0.107.36

release-v0.107.35

6006-refactor-client-lookup

release-v0.107.34

AG-23822

release-v0.107.33

3389-querylog-export

release-v0.107.32

fix-templates

release-v0.107.31

release-v0.107.30

5799-allowed-clients

5347-wildcard-interference

release-v0.107.29

AG-21485

release-v0.107.28

release-v0.107.27

release-v0.107.26

release-v0.107.25

release-v0.107.24

4728-cap-check

release-v0.107.23

release-v0.107.22

2499-rewrites-3

release-v0.107.21

release-v0.107.20

release-v0.107.19

4927-refactor-tls

release-v0.107.18

release-v0.107.17

release-v0.107.16

release-v0.107.15

websvc-confin-manager

release-v0.107.14

2926-lla-ipv6

4926-scroll

release-v0.107.13

release-v0.107.12

release-v0.107.11

release-v0.107.10

release-v0.107.9

WIP-upd-urls

release-v0.107.8

release-v0.107.7

release-v0.107.6

release-v0.107.5

release-v0.107.4

release-v0.107.3

release-v0.107.2

release-v0.107.1

release-v0.107.0

fix-stats-layout

beta-v0.106

release-v0.106.3

release-v0.106.2

release-v0.106.1

fix-client2-generator

dsheets-ipset-subs

fix-context

2044-gc

1691-clear-leases-v2

v0.107.72

v0.108.0-b.82

v0.108.0-b.81

v0.107.71

v0.108.0-b.80

v0.107.70

v0.108.0-b.79

v0.107.69

v0.108.0-b.78

v0.107.68

v0.108.0-b.77

v0.107.67

v0.108.0-b.76

v0.107.66

v0.108.0-b.75

v0.107.65

v0.108.0-b.74

v0.108.0-b.73

v0.107.64

v0.108.0-b.72

v0.107.63

v0.108.0-b.71

v0.107.62

v0.108.0-b.70

v0.108.0-b.69

v0.107.61

v0.108.0-b.68

v0.108.0-b.67

v0.107.60

v0.108.0-b.66

v0.107.59

v0.108.0-b.65

v0.107.58

v0.108.0-b.64

v0.107.57

v0.108.0-b.63

v0.107.56

v0.108.0-b.62

v0.107.55

v0.108.0-b.61

v0.108.0-b.60

v0.107.54

v0.108.0-b.59

v0.107.53

v0.108.0-b.58

v0.107.52

v0.108.0-b.57

v0.107.51

v0.108.0-b.56

v0.107.50

v0.107.49

v0.108.0-b.55

v0.107.48

v0.107.47

v0.107.46

v0.108.0-b.54

v0.107.45

v0.108.0-b.53

v0.107.44

v0.108.0-b.52

v0.107.43

v0.108.0-b.51

v0.107.42

v0.108.0-b.50

v0.108.0-b.49

v0.107.41

v0.107.40

v0.108.0-b.48

v0.108.0-b.47

v0.107.39

v0.108.0-b.46

v0.107.38

v0.108.0-b.45

v0.107.37

v0.108.0-b.44

v0.108.0-b.43

v0.107.36

v0.107.35

v0.108.0-b.42

v0.108.0-b.41

v0.107.34

v0.108.0-b.40

v0.108.0-b.39

v0.107.33

v0.108.0-b.38

v0.108.0-b.37

v0.107.32

v0.108.0-b.36

v0.107.31

v0.108.0-b.35

v0.107.30

v0.108.0-b.34

v0.107.29

v0.108.0-b.33

v0.107.28

v0.108.0-b.32

v0.107.27

v0.108.0-b.31

v0.108.0-b.30

v0.107.26

v0.108.0-b.29

v0.108.0-b.28

v0.107.25

v0.108.0-b.27

v0.107.24

v0.108.0-b.26

v0.107.23

v0.108.0-b.25

v0.107.22

v0.108.0-b.24

v0.107.21

v0.108.0-b.23

v0.107.20

v0.108.0-b.22

v0.107.19

v0.108.0-b.21

v0.107.18

v0.108.0-b.20

v0.107.17

v0.108.0-b.19

v0.108.0-b.18

v0.107.16

v0.108.0-b.17

v0.107.15

v0.108.0-b.16

v0.107.14

v0.108.0-b.15

v0.107.13

v0.108.0-b.14

v0.107.12

v0.108.0-b.13

v0.107.11

v0.108.0-b.12

v0.107.10

v0.108.0-b.11

v0.107.9

v0.108.0-b.10

v0.107.8

v0.107.7

v0.108.0-b.9

v0.108.0-b.8

v0.108.0-b.7

v0.108.0-b.6

v0.107.6

v0.108.0-b.5

v0.108.0-b.4

v0.107.5

v0.107.4

v0.108.0-b.3

v0.107.3

v0.108.0-b.2

v0.108.0-b.1

v0.107.2

v0.107.1

v0.107.0

v0.107.0-b.17

v0.107.0-b.16

v0.107.0-b.15

v0.107.0-b.14

v0.107.0-b.13

v0.107.0-b.12

v0.107.0-b.11

v0.107.0-b.10

v0.107.0-b.9

v0.107.0-b.8

v0.107.0-b.7

v0.107.0-b.6

v0.107.0-b.5

v0.107.0-b.4

v0.107.0-b.3

v0.107.0-b.2

v0.107.0-b.1

v0.106.3

v0.106.3-b.1

v0.106.2

v0.106.2-b.1

v0.106.1

v0.106.1-b.1

v0.106.0

v0.106.0-b.5

v0.106.0-b.4

v0.106.0-b.3

v0.106.0-b.2

v0.106.0-b.1

v0.105.2

v0.105.2-beta.1

v0.105.1

v0.105.1-beta.1

v0.105.0

v0.105.0-beta.5

v0.105.0-beta.4

v0.105.0-beta.3

v0.105.0-beta.2

v0.105.0-beta.1

v0.104.3

v0.104.2

v0.104.1

v0.104.0

v0.104.0-beta3

v0.104.0-beta2

v0.104.0-beta1

v0.103.3

v0.103.2

v0.103.1

v0.103.0

v0.103.0-beta3

v0.103.0-beta2

v0.103.0-beta1

v0.102.0

v0.101.0

v0.100.9

v0.100.8

v0.100.7

v0.100.6

v0.100.5

v0.100.4

v0.100.3

v0.100.2

v0.100.1

v0.100.0

v0.99.3

v0.99.2

v0.99.1

v0.99.0

v0.98.1

v0.98.0

v0.97.1

v0.97.0

v0.96-hotfix

v0.96

v0.95-hotfix

v0.95

v0.94

v0.93

v0.92-hotfix2

v0.92-hotfix1

v0.92

v0.91

v0.9-hotfix1

v0.9

v0.1

Labels

Clear labels   

P1: Critical

  

P2: High

  

P3: Medium

  

P4: Low

  

UI

  

bug

  

cannot reproduce

  

compatibility

  

dependencies

  

docker

  

documentation

  

duplicate

  

enhancement

  

enhancement

  

external libs

  

feature request

  

good first issue

  

help wanted

  

infrastructure

  

invalid

  

localization

  

needs investigation

  

performance

  

potential-duplicate

  

question

  

recurrent

  

research

  

snap

  

waiting for data

  

wontfix

No labels

P1: Critical

P2: High

P3: Medium

P4: Low

UI

bug

cannot reproduce

compatibility

dependencies

docker

documentation

duplicate

enhancement

enhancement

external libs

feature request

good first issue

help wanted

infrastructure

invalid

localization

needs investigation

performance

potential-duplicate

question

recurrent

research

snap

waiting for data

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/AdGuardHome#3617

No description provided.