While testing an AdGuard Home (ADH) container in a HAP AX3, I was unable to use TLS upstream domains.
When I try to use a TLS server, ADH fails to test the upstream DNS or respond to a client request.
Test upstream DNS Servers
Code:
tls://94.140.14.140
tls://dns.adguard-dns.com
Using default bootstrap DNS servers:
Code:
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10
When I test the DNS server, ADH displays an error like this:
Server "tls://94.140.14.140": could not be used, please check that you've written it correctly

However, when I try an HTTPS server, the connection is successful (https://94.140.14.140/dns-query).
Specified DNS servers are working correctly

What bugs me more is that I have two other ADH setups with TLS servers and the tests are all successful, with no problems.
Only this instance running on Mikrotik fails with TLS servers.
I haven't configured much of anything yet. Everything is running with the default configuration.
I thought this was a firewall issue, but could not find any rule that would drop AdGuard DNS requests.
This is my current firewall ruleset.
Code:
[MikroTik] > ip firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp in-interface=ether1 log=no log-prefix=""

 4    ;;; allow SSH connection from WAN
      chain=input action=accept protocol=tcp in-interface=ether1 port=1622 log=no log-prefix=""

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

 9    ;;; defconf: fasttrack for established and related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
This is the current container setup:
Code:
[@MikroTik] > container/print
 0 name="becac96f-607b-4c47-babe-0c41fc33a192" tag="adguard/adguardhome:latest" os="linux" arch="arm64" interface=veth1 root-dir=usb1/adguard mounts=adguard_workdir,adguard_confdir dns="" workdir="/opt/adguardhome/work" start-on-boot=yes status=running
Code:
[@MikroTik] > container/mounts/print
 0 ;;; AdGuard Home working directory
   name="adguard_workdir" src="/usb1/adguard/workdir" dst="/opt/adguardhome/work"

 1 ;;; Adguard Home configuration directory
   name="adguard_confdir" src="/usb1/adguard/confdir" dst="/opt/adguardhome/conf"
So, I'm lost. Why would only TLS servers fail to query in this Mikrotik container?
Can you guys help me diagnose this problem?
Statistics: Posted by diasdm — Fri Mar 08, 2024 2:37 am
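The AdGuard Home message "could not be used, please check that you've written it correctly" collapses three different failure points into one line: the TCP connection to port 853 (which is what differs from the working https:// upstream on 443), the TLS handshake, and the DNS exchange inside the TLS stream. The script below is an added diagnostic, not code from the post or from the AdGuard Home project. It performs a DNS-over-TLS (RFC 7858) query by hand and reports which stage failed. The query name example.com is an assumption; the upstream IP and hostname are the ones the post tests. Run it from a host that reaches the upstream the same way the container does (for instance a LAN client behind the same RouterOS forward and NAT rules).

```python
import socket
import ssl
import struct

# Added example, not part of the original post: a minimal DNS-over-TLS probe
# that separates TCP connect, TLS handshake and the DNS exchange itself.


def build_query(qname, qtype=1, txid=0x1234):
    """Build a DNS query (RFC 1035) for qname, class IN, with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid=0x1234):
    """Parse the header and collect A/AAAA records from a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name, then QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x000F, "answers": an, "addresses": addrs}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, qname, server_name=None, port=853, timeout=5.0):
    """Resolve qname over DNS-over-TLS and report the stage that failed, if any."""
    ctx = ssl.create_default_context()
    # Stage 1: plain TCP to 853. A firewall drop shows up here as a timeout,
    # a reject as "connection refused".
    try:
        raw = socket.create_connection((server_ip, port), timeout=timeout)
    except OSError as e:
        return {"stage": "tcp", "error": str(e)}
    # Stage 2: TLS handshake with certificate verification. SNI and name
    # checking use server_name when given, otherwise the IP literal.
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_name or server_ip)
    except (ssl.SSLError, OSError) as e:
        raw.close()
        return {"stage": "tls", "error": str(e)}
    # Stage 3: DNS inside the TLS stream; each message has a 2-byte length prefix.
    try:
        with tls:
            query = build_query(qname)
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(_recv_exact(tls, length))
            return {"stage": "dns", "error": None, **result}
    except (OSError, ValueError) as e:
        return {"stage": "dns", "error": str(e)}


if __name__ == "__main__":
    # Upstream from the post; the query name is an assumption for this example.
    print(dot_query("94.140.14.140", "example.com", server_name="dns.adguard-dns.com"))
```

Reading the result: a "tcp" stage timeout means TCP/853 never leaves or never returns, so look at how traffic from the container's veth1 is forwarded and NATed rather than at the DNS settings; a "tls" stage error points at certificate verification, SNI or something sitting in the path; a "dns" stage with rcode 0 and addresses means the upstream works from that vantage point and the fault is inside the container's own network path or configuration.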