Some IPv6-DNS/HTTPS-type lookups are not being altered by "Override minimum TTL" #3763

New issue

Open

opened 2026-03-04 04:15:48 -05:00 by deekerman · 2 comments

deekerman commented 2026-03-04 04:15:48 -05:00

Owner

Copy link

Originally created by @donald2612 on GitHub (Jun 28, 2022).

Originally assigned to: @ainar-g on GitHub.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Issue Details

AdGuard Home
Version: v0.107.7
Channel: release
Go version: go1.17.9
Commit time: 2022-06-06 17:10:40 +0200 CEST
GOOS: linux
GOARCH: amd64
Race: false

• Version of AdGuard Home server:
  *0v.107.7
• How did you install AdGuard Home:
  • Github release
• How did you setup DNS configuration:
  • Upstream TLS lookups
• If it's a router or IoT, please write device model:
  *AMD64 or Raspberry 3
• CPU architecture:
  *AMD64, ARMv71
• Operating system and version:
  *Ubuntu 22.04 LTS / Raspberry Bullseye

Expected Behavior

I would like to maximize the cache-usage of AdGuard and minimize upstream lookups through tweaking "Override minimum TTL". Using Ipv4/Ipv6-dualstack lookups are done with a override value of "7200", leading to the result, that one domain should be only found once in the upstream logs every 2 hours (7200), reducing upstream usage to a minimum.

Actual Behavior

First behaviour

I can observe several AAAA-lookups not being altered by AdGuards mincache when 'digging' them (while their A-lookups do):

GoogleDNS returns:

; <<>> DiG 9.16.1-Ubuntu <<>> pop3.web.de AAAA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59129
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pop3.web.de. IN AAAA

;; AUTHORITY SECTION:
web.de. 600 IN SOA ns-webde.ui-dns.de. dnsadmin.1und1.de. 2005099693 28800 7200 604800 600

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

AdGuard returns:

; <<>> DiG 9.16.1-Ubuntu <<>> pop3.web.de AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18891
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pop3.web.de. IN AAAA

;; AUTHORITY SECTION:
web.de. 533 IN SOA ns-webde.ui-dns.de. dnsadmin.1und1.de. 2005099693 28800 7200 604800 600

;; Query time: 51 msec

The difference in A-lookups with this domain seems to be, that its TTL is following the "authority section" TTL, which is always 600. This doesn't get altered by AdGuard.

Second example

Google returns

; <<>> DiG 9.16.1-Ubuntu <<>> teams.events.data.microsoft.com AAAA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3616
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;teams.events.data.microsoft.com. IN AAAA

;; ANSWER SECTION:
teams.events.data.microsoft.com. 24 IN CNAME teams-events-data.trafficmanager.net.
teams-events-data.trafficmanager.net. 35 IN CNAME onedscolprdwus09.westus.cloudapp.azure.com.

;; AUTHORITY SECTION:
westus.cloudapp.azure.com. 35 IN SOA ns1-02.azure-dns.com. msnhst.microsoft.com. 10001 900 300 604800 60

AdGuard returns

; <<>> DiG 9.16.1-Ubuntu <<>> teams.events.data.microsoft.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1870
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;teams.events.data.microsoft.com. IN AAAA

;; AUTHORITY SECTION:
eastus.cloudapp.azure.com. 39 IN SOA ns1-201.azure-dns.com. msnhst.microsoft.com. 10001 900 300 604800 60

This is the same behaviour with a 60 second TTL not getting altered.

**Second behaviour **

I can observe many lookups of HTTPS-type originating from Apple-devices to "gateway.icloud.com"
I haven't found out yet how to 'dig' those type of records, but TTL seems also to be roughly 60 seconds, which obviously don't get cached either for longer.

If this type of record cannot be cached, could there be a way to block this type of record??

Thanks for your good work on the product!!

See you,
Don

Originally created by @donald2612 on GitHub (Jun 28, 2022). Originally assigned to: @ainar-g on GitHub. - [x] I am running the latest version - [x] I checked the documentation and found no answer - [x] I checked to make sure that this issue has not already been filed ### Issue Details <!-- Please include all relevant details about the environment you experienced the bug in. If possible, include the result of running `./AdGuardHome -v --version` from the installation directory. --> AdGuard Home Version: v0.107.7 Channel: release Go version: go1.17.9 Commit time: 2022-06-06 17:10:40 +0200 CEST GOOS: linux GOARCH: amd64 Race: false * **Version of AdGuard Home server:** *0v.107.7 * **How did you install AdGuard Home:** * Github release * **How did you setup DNS configuration:** * Upstream TLS lookups * **If it's a router or IoT, please write device model:** *AMD64 or Raspberry 3 * **CPU architecture:** *AMD64, ARMv71 * **Operating system and version:** *Ubuntu 22.04 LTS / Raspberry Bullseye ### Expected Behavior <!-- A clear and concise description of what you expected to happen. --> I would like to maximize the cache-usage of AdGuard and minimize upstream lookups through tweaking "Override minimum TTL". Using Ipv4/Ipv6-dualstack lookups are done with a override value of "7200", leading to the result, that one domain should be only found once in the upstream logs every 2 hours (7200), reducing upstream usage to a minimum. ### Actual Behavior **First behaviour** I can observe several AAAA-lookups not being altered by AdGuards mincache when 'digging' them (while their A-lookups do): **GoogleDNS returns:** ; <<>> DiG 9.16.1-Ubuntu <<>> pop3.web.de AAAA @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59129 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;pop3.web.de. IN AAAA ;; AUTHORITY SECTION: web.de. 600 IN SOA ns-webde.ui-dns.de. dnsadmin.1und1.de. 2005099693 28800 7200 604800 600 ;; Query time: 23 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) **AdGuard returns:** ; <<>> DiG 9.16.1-Ubuntu <<>> pop3.web.de AAAA ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18891 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;pop3.web.de. IN AAAA ;; AUTHORITY SECTION: web.de. 533 IN SOA ns-webde.ui-dns.de. dnsadmin.1und1.de. 2005099693 28800 7200 604800 600 ;; Query time: 51 msec The difference in A-lookups with this domain seems to be, that its TTL is following the "authority section" TTL, which is always 600. This doesn't get altered by AdGuard. **Second example** **Google returns** ; <<>> DiG 9.16.1-Ubuntu <<>> teams.events.data.microsoft.com AAAA @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3616 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;teams.events.data.microsoft.com. IN AAAA ;; ANSWER SECTION: teams.events.data.microsoft.com. 24 IN CNAME teams-events-data.trafficmanager.net. teams-events-data.trafficmanager.net. 35 IN CNAME onedscolprdwus09.westus.cloudapp.azure.com. ;; AUTHORITY SECTION: westus.cloudapp.azure.com. 35 IN SOA ns1-02.azure-dns.com. msnhst.microsoft.com. 10001 900 300 604800 60 **AdGuard returns** ; <<>> DiG 9.16.1-Ubuntu <<>> teams.events.data.microsoft.com AAAA ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1870 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;teams.events.data.microsoft.com. IN AAAA ;; AUTHORITY SECTION: eastus.cloudapp.azure.com. 39 IN SOA ns1-201.azure-dns.com. msnhst.microsoft.com. 10001 900 300 604800 60 This is the same behaviour with a 60 second TTL not getting altered. **Second behaviour ** I can observe many lookups of HTTPS-type originating from Apple-devices to "gateway.icloud.com" I haven't found out yet how to 'dig' those type of records, but TTL seems also to be roughly 60 seconds, which obviously don't get cached either for longer. If this type of record cannot be cached, could there be a way to block this type of record?? Thanks for your good work on the product!! See you, Don

deekerman added the

enhancement

external libs

labels 2026-03-04 04:15:48 -05:00

deekerman commented 2026-03-04 04:16:05 -05:00

Author

Owner

Copy link

@ainar-g commented on GitHub (Sep 16, 2022):

Sincere apologies for the very belated response.

The TTL override feature the way it is implemented today overrides only the TTLs of the RRs in the Answer section, not touching the Authority section. @ameshkov, I think, this should be changed in the dnsproxy module, what do you think? After all, the Authority section is taken into account when a NODATA response is cached.

Re. the HTTPS type, if your version of dig is recent enough, you can simply do dig IN HTTPS 'domain.example'. If it isn't, you can either use the TYPE65 alias (dig IN TYPE65 'domain.example') or use our dnslookup tool (env RRTYPE=HTTPS dnslookup 'domain.example').

@ainar-g commented on GitHub (Sep 16, 2022): Sincere apologies for the very belated response. The TTL override feature the way it is implemented today overrides only the TTLs of the RRs in the Answer section, not touching the Authority section. @ameshkov, I think, this should be changed in the `dnsproxy` module, what do you think? After all, the Authority section is taken into account when a `NODATA` response is cached. Re. the `HTTPS` type, if your version of `dig` is recent enough, you can simply do `dig IN HTTPS 'domain.example'`. If it isn't, you can either use the `TYPE65` alias (`dig IN TYPE65 'domain.example'`) or use our [`dnslookup`][1] tool (`env RRTYPE=HTTPS dnslookup 'domain.example'`). [1]: https://github.com/ameshkov/dnslookup

deekerman commented 2026-03-04 04:16:05 -05:00

Author

Owner

Copy link

@donald2612 commented on GitHub (Oct 17, 2022):

Most welcome and thank you for your response - currently I block those emerging-domains per dnstype rule, if a change a in dnsproxy could manage that, I'd be very happy ;)

@donald2612 commented on GitHub (Oct 17, 2022): Most welcome and thank you for your response - currently I block those emerging-domains per dnstype rule, if a change a in dnsproxy could manage that, I'd be very happy ;)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

AGDNS-3523-upd-dnsproxy-middlewares

ADG-11407-add-docker-release

AGDNS-3535-upd-urlfilter

AGDNS-3684-fix-tls-status

beta-v0.107

release-v0.107.72

ADG-10306

beta-v0.108

ADG-10291

upd-url-filter

release-v0.107.71

release-v0.107.70

ADG-10301

ADG-8560-react-update

ADG-8560-graph-fix

release-v0.107.69

release-v0.107.68

release-v0.107.67

release-v0.107.66

ADG-10295

release-v0.107.65

release-v0.107.64

release-v0.107.63

release-v0.107.62

release-v0.107.61

release-v0.107.60

release-v0.107.59

release-v0.107.58

ADG-9783

ADG-1-utils-bundle-update

ADG-9415

release-v0.107.57

ADG-9565

release-v0.107.56

release-v0.107.55

release-v0.107.54

release-v0.107.53

infra-fix

upd-locales

release-v0.107.52

release-v0.107.51

AGDNS-2184-adguard-home

AG-32410-upd-dnsproxy

release-v0.107.50

release-v0.107.49

release-v0.107.48

release-v0.107.47

release-v0.107.46

release-v0.107.45

release-v0.107.44

release-v0.107.43

release-v0.107.42

6263-custom-ups-cache

release-v0.107.41

6399-fix-ups-check

release-v0.107.40

release-v0.107.39

release-v0.107.38

release-v0.107.37

6099-check-port-install

release-v0.107.36

release-v0.107.35

6006-refactor-client-lookup

release-v0.107.34

AG-23822

release-v0.107.33

3389-querylog-export

release-v0.107.32

fix-templates

release-v0.107.31

release-v0.107.30

5799-allowed-clients

5347-wildcard-interference

release-v0.107.29

AG-21485

release-v0.107.28

release-v0.107.27

release-v0.107.26

release-v0.107.25

release-v0.107.24

4728-cap-check

release-v0.107.23

release-v0.107.22

2499-rewrites-3

release-v0.107.21

release-v0.107.20

release-v0.107.19

4927-refactor-tls

release-v0.107.18

release-v0.107.17

release-v0.107.16

release-v0.107.15

websvc-confin-manager

release-v0.107.14

2926-lla-ipv6

4926-scroll

release-v0.107.13

release-v0.107.12

release-v0.107.11

release-v0.107.10

release-v0.107.9

WIP-upd-urls

release-v0.107.8

release-v0.107.7

release-v0.107.6

release-v0.107.5

release-v0.107.4

release-v0.107.3

release-v0.107.2

release-v0.107.1

release-v0.107.0

fix-stats-layout

beta-v0.106

release-v0.106.3

release-v0.106.2

release-v0.106.1

fix-client2-generator

dsheets-ipset-subs

fix-context

2044-gc

1691-clear-leases-v2

v0.107.72

v0.108.0-b.82

v0.108.0-b.81

v0.107.71

v0.108.0-b.80

v0.107.70

v0.108.0-b.79

v0.107.69

v0.108.0-b.78

v0.107.68

v0.108.0-b.77

v0.107.67

v0.108.0-b.76

v0.107.66

v0.108.0-b.75

v0.107.65

v0.108.0-b.74

v0.108.0-b.73

v0.107.64

v0.108.0-b.72

v0.107.63

v0.108.0-b.71

v0.107.62

v0.108.0-b.70

v0.108.0-b.69

v0.107.61

v0.108.0-b.68

v0.108.0-b.67

v0.107.60

v0.108.0-b.66

v0.107.59

v0.108.0-b.65

v0.107.58

v0.108.0-b.64

v0.107.57

v0.108.0-b.63

v0.107.56

v0.108.0-b.62

v0.107.55

v0.108.0-b.61

v0.108.0-b.60

v0.107.54

v0.108.0-b.59

v0.107.53

v0.108.0-b.58

v0.107.52

v0.108.0-b.57

v0.107.51

v0.108.0-b.56

v0.107.50

v0.107.49

v0.108.0-b.55

v0.107.48

v0.107.47

v0.107.46

v0.108.0-b.54

v0.107.45

v0.108.0-b.53

v0.107.44

v0.108.0-b.52

v0.107.43

v0.108.0-b.51

v0.107.42

v0.108.0-b.50

v0.108.0-b.49

v0.107.41

v0.107.40

v0.108.0-b.48

v0.108.0-b.47

v0.107.39

v0.108.0-b.46

v0.107.38

v0.108.0-b.45

v0.107.37

v0.108.0-b.44

v0.108.0-b.43

v0.107.36

v0.107.35

v0.108.0-b.42

v0.108.0-b.41

v0.107.34

v0.108.0-b.40

v0.108.0-b.39

v0.107.33

v0.108.0-b.38

v0.108.0-b.37

v0.107.32

v0.108.0-b.36

v0.107.31

v0.108.0-b.35

v0.107.30

v0.108.0-b.34

v0.107.29

v0.108.0-b.33

v0.107.28

v0.108.0-b.32

v0.107.27

v0.108.0-b.31

v0.108.0-b.30

v0.107.26

v0.108.0-b.29

v0.108.0-b.28

v0.107.25

v0.108.0-b.27

v0.107.24

v0.108.0-b.26

v0.107.23

v0.108.0-b.25

v0.107.22

v0.108.0-b.24

v0.107.21

v0.108.0-b.23

v0.107.20

v0.108.0-b.22

v0.107.19

v0.108.0-b.21

v0.107.18

v0.108.0-b.20

v0.107.17

v0.108.0-b.19

v0.108.0-b.18

v0.107.16

v0.108.0-b.17

v0.107.15

v0.108.0-b.16

v0.107.14

v0.108.0-b.15

v0.107.13

v0.108.0-b.14

v0.107.12

v0.108.0-b.13

v0.107.11

v0.108.0-b.12

v0.107.10

v0.108.0-b.11

v0.107.9

v0.108.0-b.10

v0.107.8

v0.107.7

v0.108.0-b.9

v0.108.0-b.8

v0.108.0-b.7

v0.108.0-b.6

v0.107.6

v0.108.0-b.5

v0.108.0-b.4

v0.107.5

v0.107.4

v0.108.0-b.3

v0.107.3

v0.108.0-b.2

v0.108.0-b.1

v0.107.2

v0.107.1

v0.107.0

v0.107.0-b.17

v0.107.0-b.16

v0.107.0-b.15

v0.107.0-b.14

v0.107.0-b.13

v0.107.0-b.12

v0.107.0-b.11

v0.107.0-b.10

v0.107.0-b.9

v0.107.0-b.8

v0.107.0-b.7

v0.107.0-b.6

v0.107.0-b.5

v0.107.0-b.4

v0.107.0-b.3

v0.107.0-b.2

v0.107.0-b.1

v0.106.3

v0.106.3-b.1

v0.106.2

v0.106.2-b.1

v0.106.1

v0.106.1-b.1

v0.106.0

v0.106.0-b.5

v0.106.0-b.4

v0.106.0-b.3

v0.106.0-b.2

v0.106.0-b.1

v0.105.2

v0.105.2-beta.1

v0.105.1

v0.105.1-beta.1

v0.105.0

v0.105.0-beta.5

v0.105.0-beta.4

v0.105.0-beta.3

v0.105.0-beta.2

v0.105.0-beta.1

v0.104.3

v0.104.2

v0.104.1

v0.104.0

v0.104.0-beta3

v0.104.0-beta2

v0.104.0-beta1

v0.103.3

v0.103.2

v0.103.1

v0.103.0

v0.103.0-beta3

v0.103.0-beta2

v0.103.0-beta1

v0.102.0

v0.101.0

v0.100.9

v0.100.8

v0.100.7

v0.100.6

v0.100.5

v0.100.4

v0.100.3

v0.100.2

v0.100.1

v0.100.0

v0.99.3

v0.99.2

v0.99.1

v0.99.0

v0.98.1

v0.98.0

v0.97.1

v0.97.0

v0.96-hotfix

v0.96

v0.95-hotfix

v0.95

v0.94

v0.93

v0.92-hotfix2

v0.92-hotfix1

v0.92

v0.91

v0.9-hotfix1

v0.9

v0.1

Labels

Clear labels   

P1: Critical

  

P2: High

  

P3: Medium

  

P4: Low

  

UI

  

bug

  

cannot reproduce

  

compatibility

  

dependencies

  

docker

  

documentation

  

duplicate

  

enhancement

  

enhancement

  

external libs

  

feature request

  

good first issue

  

help wanted

  

infrastructure

  

invalid

  

localization

  

needs investigation

  

performance

  

potential-duplicate

  

question

  

recurrent

  

research

  

snap

  

waiting for data

  

wontfix

No labels

P1: Critical

P2: High

P3: Medium

P4: Low

UI

bug

cannot reproduce

compatibility

dependencies

docker

documentation

duplicate

enhancement

enhancement

external libs

feature request

good first issue

help wanted

infrastructure

invalid

localization

needs investigation

performance

potential-duplicate

question

recurrent

research

snap

waiting for data

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/AdGuardHome#3763

No description provided.