  1. #1
    Newbie
    Join Date
    Jun 2020
    Posts
    9

    AdGuard and DNS, what is the right sequence?

    Hi All,

    I use AdGuard Home (similar to PiHole, but better).
    What is the best way to use this, and still use Untangle to its full potential?

    Situation at this moment:
    DHCP of every network says Untangle is the (only) DNS server.
    WAN of Untangle uses 10.8.1.10 (AdGuard) as DNS server.
    AdGuard uses a few Upstream DNS servers (quad9, cloudflare) with DNSSec, DNS-over-TLS.

    Is this the correct way?

    At first, I had DHCP say 10.8.1.10 is the DNS server and let AdGuard use Untangle as upstream DNS. But... then I don't have DNSSec and DNS-over-TLS.

    The last method I see, but I don't know if Untangle can then use all its filtering and prioritizing....
    Let DHCP tell clients to use 10.8.1.10 as the DNS, and configure the WAN to use 10.8.1.10.
    And let AdGuard use the quad9 and cloudflare as upstream (I think that there would be no DNS traffic over the Untangle then, so does that limit some functions?)

  2. #2
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,444


    Quote Originally Posted by HellStorm666
    Situation at this moment:
    DHCP of every network says Untangle is the (only) DNS server.
    WAN of Untangle uses 10.8.1.10 (AdGuard) as DNS server.
    AdGuard uses a few Upstream DNS servers (quad9, cloudflare) with DNSSec, DNS-over-TLS.

    Is this the correct way?
    Without doing a deep dive, I like that.

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,954


    I'm not a fan of that configuration, it creates a loop in your DNS. A circular dependence where your Untangle server is reliant on a device it's protecting for critical resolution. The Pihole can't work without Untangle, and the Untangle can't work without the Pihole.

    Stuff like that creates inconsistent nightmares that make my hair fall out.

    It's far cleaner, to have Untangle utilize unfiltered DNS, which is actually rather important for Web Filter and other modules to work correctly. Then have rules that force the clients behind Untangle to use the AdGuard server. This would be DHCP configuration adjustments along with some work with the firewall. In the end, clients behind Untangle simply never use Untangle for DNS.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
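    The circular dependency sky-knight describes can be checked mechanically. The following is an added example, not code from the thread, from Untangle or from AdGuard: it models each "X cannot do its job without Y" relation as a directed edge (a DNS forwarding edge, or a network-path edge for a host that sits behind the firewall) and searches for a cycle. The host names, the edge reasons and the two layouts are assumptions chosen to mirror post #1 and post #3.

```python
"""Dependency-cycle check for the resolver chain discussed above.

Added example (not from the thread or from Untangle/AdGuard).  Each edge
is "src cannot do its job without dst": a DNS forwarding edge, or a
network-path edge for a host that sits behind the firewall.  Host names
and the reasons are assumptions chosen to mirror the two layouts in the
posts above.
"""
from collections import defaultdict

# Layout from post #1: clients -> Untangle -> AdGuard -> public resolvers,
# with AdGuard sitting on a LAN behind Untangle.
ORIGINAL_LAYOUT = [
    ("clients", "untangle", "DHCP hands out Untangle as the only DNS server"),
    ("untangle", "adguard", "Untangle WAN DNS points at 10.8.1.10"),
    ("adguard", "quad9", "AdGuard upstream over DNS-over-TLS"),
    ("adguard", "untangle", "AdGuard is behind Untangle and needs it to reach quad9"),
]

# Layout recommended in post #3: Untangle resolves on its own, clients go
# straight to AdGuard.
RECOMMENDED_LAYOUT = [
    ("clients", "adguard", "DHCP hands out 10.8.1.10 as the DNS server"),
    ("untangle", "quad9", "Untangle WAN DNS uses an unfiltered public resolver"),
    ("adguard", "quad9", "AdGuard upstream over DNS-over-TLS"),
    ("adguard", "untangle", "AdGuard is behind Untangle and needs it to reach quad9"),
]


def find_cycle(edges):
    """Return the first dependency cycle as a list of node names that
    starts and ends on the same node, or [] when the graph is acyclic."""
    graph = defaultdict(list)
    for src, dst, _reason in edges:
        graph[src].append(dst)
    done = set()  # nodes whose whole subtree was explored without a cycle

    def dfs(node, path):
        if node in path:          # back edge onto the current stack
            return path[path.index(node):] + [node]
        if node in done:
            return []
        done.add(node)
        for nxt in graph.get(node, []):
            cycle = dfs(nxt, path + [node])
            if cycle:
                return cycle
        return []

    for start in list(graph):
        cycle = dfs(start, [])
        if cycle:
            return cycle
    return []


def explain(edges):
    """Human-readable verdict plus the reason behind each hop of a cycle."""
    cycle = find_cycle(edges)
    if not cycle:
        return "no circular dependency"
    reasons = {(s, d): r for s, d, r in edges}
    hops = [f"{a} -> {b}: {reasons[(a, b)]}" for a, b in zip(cycle, cycle[1:])]
    return "circular dependency: " + " | ".join(hops)


if __name__ == "__main__":
    print("post #1 layout:", explain(ORIGINAL_LAYOUT))
    print("post #3 layout:", explain(RECOMMENDED_LAYOUT))
```

    Run it as-is and the post #1 layout reports untangle -> adguard -> untangle, while the post #3 layout reports no cycle: AdGuard still depends on Untangle for its path to the internet, but nothing Untangle needs depends on AdGuard.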

  4. #4
    Newbie
    Join Date
    Jun 2020
    Posts
    9


    Quote Originally Posted by sky-knight
    I'm not a fan of that configuration, it creates a loop in your DNS. A circular dependence where your Untangle server is reliant on a device it's protecting for critical resolution. The Pihole can't work without Untangle, and the Untangle can't work without the Pihole.

    Stuff like that creates inconsistent nightmares that make my hair fall out.

    It's far cleaner, to have Untangle utilize unfiltered DNS, which is actually rather important for Web Filter and other modules to work correctly. Then have rules that force the clients behind Untangle to use the AdGuard server. This would be DHCP configuration adjustments along with some work with the firewall. In the end, clients behind Untangle simply never use Untangle for DNS.
    So, if I understand correctly:
    WAN of Untangle uses 1.1.1.1 and 9.9.9.9
    LAN DHCPs tell the clients to use 10.8.1.10 (AdGuard)
    AdGuard uses the cloudflare and quad9 DNSSec as upstream?

    If so, questions:
    Can Untangle still detect and filter all its stuff?
    So does webfilter, Intrusion Prevention, Bandwidth Control and so on still work?
    And can I still see that client x visits test1.xyz (that has the same IP as test2.xyz)?

    EDIT:
    and...
    Do my Static DNS Entries at Untangle still work for my clients?
    And how does the reverse-lookup work?

    UPDATE:
    To make sure my reverse-lookup still works I added the following to AdGuard:
    [/xyz.org/]192.168.2.1
    [/srv.xyz.org/]10.8.1.1
    [/2.168.192.in-addr.arpa/]192.168.2.1
    [/1.8.10.in-addr.arpa/]10.8.1.1
    Last edited by HellStorm666; 06-11-2020 at 06:24 AM.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,954


    Yes, Untangle's filters use DNS to work... BUT they do not use it to actually filter. What matters is that the HTTP/HTTPS sessions are passing through Untangle.

    This change doesn't impact your modules and how they work at all, it just eliminates a potentially catastrophic DNS loop. Your static DNS entries on Untangle will NOT work after this change. If you want them to work, configure AdGuard to use Untangle for DNS. Though that will cost you your DNS over HTTPS functionality, it is easy to do.

    If you want forward and reverse custom lookups to work while preserving DNS over HTTPS, you need to configure AdGuard to do all that, presumably defining a zone for this stuff and putting rules in there. Also, assuming that zone is consistent, you can configure Untangle via DNS's Domains to forward requests for those zones to the AdGuard as well, which allows Untangle to use AdGuard for those specific zones. Forward or reverse doesn't matter; you're building a DNS server to service them and then configuring Untangle to use AdGuard for those specific zones.

    This configuration you're approaching, is identical to how Microsoft Domains need to be supported.
    Last edited by sky-knight; 06-11-2020 at 07:15 AM.
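    The per-zone forwarding that the UPDATE in post #4 configures, and that post #5 recommends for both forward and reverse zones, comes down to one rule: pick the most specific zone that matches the query name, and fall back to the default upstreams when none does. The following is an added example, not code from the thread and not AdGuard Home's own implementation: it parses `[/zone/]upstream` lines of the kind HellStorm666 posted, builds the reverse-lookup name for an address, and shows which upstream each query would be sent to. The sample rule list is constructed from the addresses in the thread plus two DNS-over-TLS upstream names; that longest-zone-wins matching is what AdGuard does is an assumption stated in the code.

```python
"""Which upstream an AdGuard Home-style per-domain rule list picks.

Added example (not from the thread, and not AdGuard Home's own code).
Models the `[/zone/]upstream` lines HellStorm666 added and the
"forward these zones to AdGuard" idea in post #5.  Assumption: when
several zones match a name, the most specific (longest) zone wins, and
a name with no matching zone goes to the default upstreams.  The sample
rule list below is constructed from the addresses posted above.
"""
import ipaddress

# Constructed sample: two public DoT upstreams plus the four
# conditional-forwarding lines from the UPDATE in post #4.
SAMPLE_UPSTREAMS = """
tls://dns.quad9.net
tls://1dot1dot1dot1.cloudflare-dns.com
[/xyz.org/]192.168.2.1
[/srv.xyz.org/]10.8.1.1
[/2.168.192.in-addr.arpa/]192.168.2.1
[/1.8.10.in-addr.arpa/]10.8.1.1
"""


def parse_upstreams(text):
    """Split upstream lines into (defaults, {zone: [upstreams]}).

    A line `[/a.example/b.example/]1.2.3.4` binds both zones to 1.2.3.4;
    a line without a zone prefix is a default upstream."""
    defaults, zones = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[/"):
            end = line.index("/]")
            upstream = line[end + 2:].strip()
            for zone in line[2:end].split("/"):
                zone = zone.strip().strip(".").lower()
                if zone:
                    zones.setdefault(zone, []).append(upstream)
        else:
            defaults.append(line)
    return defaults, zones


def select_upstreams(qname, defaults, zones):
    """Upstreams that will be asked for qname: the most specific matching
    zone wins (assumed AdGuard behaviour), otherwise the defaults."""
    name = qname.strip(".").lower()
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return zones[best] if best else defaults


def ptr_name(ip):
    """Reverse-lookup name for an IPv4/IPv6 address, e.g.
    192.168.2.5 -> 5.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def route(qname, text=SAMPLE_UPSTREAMS):
    """Parse the rule text and pick the upstreams for qname."""
    defaults, zones = parse_upstreams(text)
    return select_upstreams(qname, defaults, zones)


if __name__ == "__main__":
    for q in ("www.xyz.org", "nas.srv.xyz.org", "example.com",
              ptr_name("192.168.2.5"), ptr_name("10.8.1.20"), ptr_name("9.9.9.9")):
        print(f"{q:35} -> {route(q)}")
```

    The same suffix matching is what a "forward this domain to that server" table on the Untangle side expresses, so the check is worth running from both directions: if AdGuard forwards a zone to Untangle and Untangle forwards the same zone back to AdGuard, that zone has exactly the loop post #3 warns about, and the PTR zones (in-addr.arpa) need the same care as the forward zone.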
