DNS Rewrites are ignored/disabled when a persistent client has protection disabled #5642

Closed
opened 2026-03-04 06:22:48 -05:00 by deekerman · 3 comments

Originally created by @rubin110 on GitHub (May 1, 2025).

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

Docker

Setup

On a router, DHCP is handled by AdGuard Home

AdGuard Home version

0.107.61

Action

  1. On the client machine at 10.10.10.2 run dig example.com and observe output
  2. In AdGuard add a DNS rewrite for example.com to 10.10.10.99
  3. On the client machine at 10.10.10.2 run dig example.com and observe output
  4. Globally disable protection in AdGuard
  5. On the client machine at 10.10.10.2 run dig example.com and observe output
  6. Globally enable protection in AdGuard
  7. In AdGuard add a Persistent client for a local machine at 10.10.10.2, unchecking "Use global settings"
  8. On the client machine at 10.10.10.2 run dig example.com and observe output

Expected result

Expected results per step:
1 - dig returns 96.7.128.198
3 - dig returns 10.10.10.99
5 - dig returns 96.7.128.198
6 - dig returns 10.10.10.99

Expectation should match up with #1558, which defines "Disable Protection" as keeping DNS rewrites still active. The difference with the bug I'm writing here is that this behavior doesn't match up with disabling protection per client.

Actual result

Actual results per step:
1 - dig returns 96.7.128.198
3 - dig returns 10.10.10.99
5 - dig returns 96.7.128.198
6 - dig returns 96.7.128.198

Additional information and/or screenshots

No response


@EugeneOne1 commented on GitHub (May 6, 2025):

@rubin110, hello. In order for DNS rewrites to be applied, the "Block domains using filters and hosts files" checkbox should be selected in either the "General settings" (common for all clients) or client's settings (for a single persistent client). It's expected behavior not to apply DNS rewrites when this setting is disabled.


@rubin110 commented on GitHub (May 6, 2025):

@EugeneOne1 Thanks for the clarification. Can you please explain the behavior that was discussed in #1558, [you closed it out Oct 2021](https://github.com/AdguardTeam/AdGuardHome/issues/1558#issuecomment-952755685)? It sounds like from that issue that the expected behavior for the global option to "Disable Protection" should not impact DNS Rewrites, which outlined in my repro steps is how things currently work right now.

If the expectation is that DNS Rewrites should not work for both global protection being disabled, or per client being disabled. I can write a bug for global since that functionality is currently the opposite of what you're describing.

I would like to also open a UI/UX bug regarding not enough information being provided to the user that DNS Rewrites is part of "Protection" and thus will be disabled if protection is disabled either globally or per client.


@TheCataliasTNT2k commented on GitHub (Oct 12, 2025):

I have the same problem:

  • I have a client, which should not be filtered.
  • I want to keep safebrowsing / internet security active.
  • I want the client to use my rewrites.

I use the rewrites for local DNS resolution.
Because we have multiple devices in our local network (and no one wants to remember IP addresses), I need a way to give them domains.

I found three solutions:

  • Use the rewrite feature, which does not work if a client is excluded from the blacklists.
  • Use the hosts file, which does not support wildcards.
  • Use a second DNS server hosted locally, which is the upstream for AGH. This is the only "viable" solution, but it just does not make sense to put a DNS server in front of a DNS server.

So please provide a way to map wildcard DNS entries to IP addresses, without needing a second DNS server, while some clients should not be filtered.

As stated by @rubin110 this should be the current behaviour (according to the documentation / other issues), but it isn't. Or not?

@EugeneOne1

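The following is an added example, not AdGuard Home's code and not posted by anyone in this thread. It models the gating @EugeneOne1 describes (rewrites apply only when "Block domains using filters and hosts files" is effectively on for the querying client, with a persistent client either inheriting the global value or using its own) and the wildcard rewrites @TheCataliasTNT2k asks about, then replays the reproduction steps from the report. Everything in it is an assumption made for illustration: the `Server`/`ClientSettings` classes, the `UPSTREAM` table standing in for the real upstream answer, and the treatment of the report's global "Disable protection" as turning that global filtering value off. Use it to reason about which clients will see a rewrite under a given configuration; it does not talk to a resolver.

```python
"""Model of the per-client rewrite gating discussed in this issue.

Example code written for this page, not AdGuard Home's own implementation.
Assumed semantics (from the maintainer's comment, not checked against the
AdGuard Home source): a DNS rewrite is applied only when filtering is
effectively on for the querying client; a persistent client with
"Use global settings" checked inherits the global value, one with it
unchecked uses its own value.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed stand-in for what the upstream resolver would return.
UPSTREAM = {"example.com": "96.7.128.198"}


@dataclass
class ClientSettings:
    use_global: bool = True          # the "Use global settings" checkbox
    filtering_enabled: bool = True   # the client's own filtering checkbox


@dataclass
class Server:
    global_filtering: bool = True                  # global filtering checkbox
    rewrites: dict = field(default_factory=dict)   # "pattern" -> "answer"; "*.lan" style wildcards allowed
    clients: dict = field(default_factory=dict)    # client IP -> ClientSettings

    def filtering_for(self, client_ip: str) -> bool:
        """Effective filtering flag for a client: global unless the client overrides it."""
        cfg = self.clients.get(client_ip)
        if cfg is None or cfg.use_global:
            return self.global_filtering
        return cfg.filtering_enabled

    def lookup_rewrite(self, name: str):
        """Exact entry first, then wildcard entries; None if nothing matches."""
        if name in self.rewrites:
            return self.rewrites[name]
        for pattern, answer in self.rewrites.items():
            if pattern.startswith("*.") and fnmatchcase(name, pattern):
                return answer
        return None

    def resolve(self, client_ip: str, name: str) -> str:
        """Answer a query under the assumed gating: rewrites only if filtering is on."""
        name = name.rstrip(".").lower()
        if self.filtering_for(client_ip):
            hit = self.lookup_rewrite(name)
            if hit is not None:
                return hit
        return UPSTREAM.get(name, "NXDOMAIN")


def reproduce_issue() -> dict:
    """Replay the report's steps; keys are the step numbers at which dig is run."""
    client = "10.10.10.2"
    srv = Server()
    answers = {1: srv.resolve(client, "example.com")}
    srv.rewrites["example.com"] = "10.10.10.99"                  # step 2: add the rewrite
    answers[3] = srv.resolve(client, "example.com")
    srv.global_filtering = False                                  # step 4: disable globally
    answers[5] = srv.resolve(client, "example.com")
    srv.global_filtering = True                                   # step 6: enable globally
    # step 7: persistent client with its own settings and filtering off (per the title)
    srv.clients[client] = ClientSettings(use_global=False, filtering_enabled=False)
    answers[8] = srv.resolve(client, "example.com")
    return answers


if __name__ == "__main__":
    for step, answer in reproduce_issue().items():
        print(f"step {step}: dig returns {answer}")
```

Under these assumptions the replay returns the upstream answer at steps 5 and 8 and the rewrite only at step 3, which is the "actual result" column of the report rather than its "expected" one; a client that keeps "Use global settings" checked follows the global flag, so only a client that opts out of filtering loses its rewrites.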