Filtered requests do not include an EDNS response - breaks "systemd-resolved" #5870

Open
opened 2026-03-04 06:41:17 -05:00 by deekerman · 0 comments

Originally created by @bpkroth on GitHub (Dec 31, 2025).

Prerequisites

- [x] I have checked the [Wiki](https://github.com/AdguardTeam/AdGuardHome/wiki) and [Discussions](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a) and found no answer
- [x] I have searched other issues and found no duplicates
- [x] I want to report a bug and not [ask a question or ask for help](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a)
- [x] I have set up AdGuard Home correctly and [configured clients to use it](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients). (Use the [Discussions](https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a) for help with installing and configuring clients.)

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

Docker

Setup

On one machine

AdGuard Home version

v0.107.65

Action


```
dig +edns +tls @my.server.fqdn ad.doubleclick.net

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @my.server.fqdn ad.doubleclick.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31753
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ad.doubleclick.net.		IN	A

;; ANSWER SECTION:
ad.doubleclick.net.	30	IN	A	0.0.0.0

;; Query time: 54 msec
;; SERVER: (my.server.fqdn) (TLS)
;; WHEN: Wed Dec 31 18:01:32 CST 2025
;; MSG SIZE  rcvd: 52
```

Expected result

Something with the EDNS option in the response:

```
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @my.server.fqdn google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		55	IN	A	142.250.191.206

;; Query time: 57 msec
;; SERVER: (my.server.fqdn) (TLS)
;; WHEN: Wed Dec 31 18:03:47 CST 2025
;; MSG SIZE  rcvd: 55
```

Actual result

As seen above, there is no EDNS option in the blocked response, but there is one in the unfiltered response.

When hooked up to systemd-resolved this leads to an error that prevents using the resolver:

```
# Route most queries over TLS to my filtering server.
# Other ones can fall back to local DHCP-assigned DNS.
[Resolve]
DNS=1.2.3.4#my.server.fqdn
FallbackDNS=
Domains=~.
DNSOverTLS=opportunistic
```

```
resolvectl log-level debug
```

```
resolvectl query ad.doubleclick.net
ad.doubleclick.net: resolve call failed: Received invalid reply
```

In the logs we see that systemd-resolved disables this resolver since it "doesn't support EDNS". It then attempts to fall back to UDP instead of TLS, which isn't available on this particular host and hence fails.

```
Cache miss for ad.doubleclick.net IN A
Firing regular transaction 56801 for <ad.doubleclick.net IN A> scope dns on */* (validate=yes).
Using feature level TLS+EDNS0 for transaction 56801.
Using DNS server my.server.fqdn for transaction 56801.
Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
Using feature level TLS+EDNS0 for transaction 56801.
Announcing packet size 1452 in egress EDNS(0) packet.
Cache miss for ad.doubleclick.net IN AAAA
Firing regular transaction 32201 for <ad.doubleclick.net IN AAAA> scope dns on */* (validate=yes).
Using feature level TLS+EDNS0 for transaction 32201.
Using DNS server my.server.fqdn for transaction 32201.
Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
Using feature level TLS+EDNS0 for transaction 32201.
Announcing packet size 1452 in egress EDNS(0) packet.
Processing incoming packet of size 52 on transaction 56801 (rcode=SUCCESS).
Server doesn't support EDNS(0) properly, downgrading feature level...
Using degraded feature set UDP instead of TLS+EDNS0 for DNS server my.server.fqdn.
Server feature level is now lower than when we began our transaction. Restarting with new ID.
Cache miss for ad.doubleclick.net IN A
Firing regular transaction 43548 for <ad.doubleclick.net IN A> scope dns on */* (validate=yes).
Using feature level UDP for transaction 43548.
Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 60
Sending query packet with id 43548 of size 36.
Regular transaction 43548 for <ad.doubleclick.net IN A> on scope dns on */* now complete with <invalid-reply> from none (unsigned; non-confidential).
Processing incoming packet of size 64 on transaction 32201 (rcode=SUCCESS).
Server feature level is now lower than when we began our transaction. Restarting with new ID.
Cache miss for ad.doubleclick.net IN AAAA
Firing regular transaction 17798 for <ad.doubleclick.net IN AAAA> scope dns on */* (validate=yes).
Using feature level UDP for transaction 17798.
Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 60
Sending query packet with id 17798 of size 36.
Regular transaction 17798 for <ad.doubleclick.net IN AAAA> on scope dns on */* now complete with <invalid-reply> from none (unsigned; non-confidential).
```

Additional information and/or screenshots

When querying the upstream `dns.adguard.com` servers, they always include an EDNS OPT field in the response, even for blocks. I think AdGuard Home should be fixed to do that too:

```
dig +edns +tls @dns.adguard.com ad.doubleclick.net

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @dns.adguard.com ad.doubleclick.net
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19198
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 17 (Filtered)
;; QUESTION SECTION:
;ad.doubleclick.net.            IN      A

;; ANSWER SECTION:
ad.doubleclick.net.     3600    IN      A       0.0.0.0

;; Query time: 96 msec
;; SERVER: 2a10:50c0::ad1:ff#853(dns.adguard.com) (TLS)
;; WHEN: Wed Dec 31 18:26:33 CST 2025
;; MSG SIZE  rcvd: 69
```
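The two behaviours discussed in this report, a filtered reply that fails the EDNS(0) check systemd-resolved applies before downgrading, and the fix of echoing the OPT record (with EDE 17 Filtered, as `dns.adguard.com` does), as an added stand-alone example that is not AdGuard Home's or systemd-resolved's code. It builds DNS messages directly from the wire format (RFC 1035 header, question and RRs; RFC 6891 OPT pseudo-RR; RFC 8914 EDE option code 15), using only the Python standard library. The 52-byte "blocked" reply is constructed here to match the shape of the filtered answer shown above (NOERROR, A 0.0.0.0, no additional records); the function names, the 1232 payload size and the sample bytes are this example's own choices, not values taken from either project.

```python
"""Does a DNS reply honour EDNS(0)? Check it, and mirror the OPT record when it is missing.
Added example; every byte below is constructed, not captured from AdGuard Home."""
import struct

TYPE_A, TYPE_OPT = 1, 41
EDE_OPTION, EDE_FILTERED = 15, 17   # RFC 8914: option code 15, info-code 17 = Filtered


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", data, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off


def opt_record(udp_size=1232, ede_code=None):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    rdata = struct.pack("!HHH", EDE_OPTION, 2, ede_code) if ede_code is not None else b""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata


def build_query(name, qid=0x1234, edns=True):
    """A-record query with RD set; ARCOUNT=1 plus a trailing OPT when EDNS is requested."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    return msg + opt_record() if edns else msg


def parse_ede(rdata):
    """Return the EDE info-codes found in an OPT record's option list."""
    codes, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        if code == EDE_OPTION and length >= 2:
            codes.append(struct.unpack_from("!H", rdata, off + 4)[0])
        off += 4 + length
    return codes


def parse_message(data):
    """Minimal parser: header, question, answer RRs, and the OPT record from the additional section."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off, question, rrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        question.append((name,) + struct.unpack_from("!HH", data, off))
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rrs.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    info = {"id": qid, "rcode": flags & 0xF, "question": question, "answers": rrs[:an], "opt": None}
    for _name, rtype, rclass, ttl, rdata in rrs[an + ns:]:
        if rtype == TYPE_OPT:
            info["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "ede": parse_ede(rdata)}
    return info


def has_edns(response):
    """The property systemd-resolved checks before downgrading: an OPT record is present."""
    return parse_message(response)["opt"] is not None


def mirror_opt(query, response, ede_code=None):
    """If the query carried OPT and the reply does not, append one and bump ARCOUNT.
    Appending is safe even if the reply uses compression: pointers are offsets from byte 0."""
    if parse_message(query)["opt"] is None or has_edns(response):
        return response
    counts = list(struct.unpack_from("!HHHHHH", response, 0))
    counts[5] += 1
    return struct.pack("!HHHHHH", *counts) + response[12:] + opt_record(1232, ede_code)


def constructed_blocked_reply(qid=31753):
    """Constructed stand-in for the filtered reply: NOERROR, qr/rd/ra, one A 0.0.0.0 (TTL 30), no OPT.
    The answer name is a compression pointer to the question name at offset 12, as servers emit it."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name("ad.doubleclick.net") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 30, 4) + bytes(4)
    return header + question + answer


if __name__ == "__main__":
    query = build_query("ad.doubleclick.net")
    reply = constructed_blocked_reply()
    print("EDNS in blocked reply:", has_edns(reply))             # False: what trips resolved
    fixed = mirror_opt(query, reply, ede_code=EDE_FILTERED)
    print("after mirroring OPT:", parse_message(fixed)["opt"])   # udp_size 1232, ede [17]
```

The constructed blocked reply comes out at 52 bytes and the repaired one at 69, the same sizes dig reports above for the AdGuard Home and `dns.adguard.com` answers respectively, which is a quick sanity check that the shapes match. `has_edns` is also the check to run against a live resolver once a captured reply is substituted for the constructed bytes: a reply of `False` to an OPT-carrying query is exactly the condition that makes systemd-resolved drop to its UDP feature level.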