So as I was installing HA, I decided to get rid of Pi-Hole on a separate Raspberry Pi and just try and integrate AdGuard on Home Assistant instead. I followed the instructions and used the Home Assistant IP address as the DNS address in my router, but then this problem showed up. I don't really know how to fix it but I know for sure this shouldn't be happening.
#AdGuard addon isn't listening to my devices - it is listening to my router instead
I have no idea what your title is supposed to mean. Can you elaborate and show what you see?
Instead of seeing the local addresses of my devices such as my PC, TV etcetera I see some MAC addresses (presumably from my router) and only one local IP address
But aren't they supposed to be the local ip addresses of my devices?
Your question is still unclear. That's a screenshot of the addresses AdGuard is listening on, which you presumably updated your router to serve as a DNS server via DHCP (keep in mind there IS a difference between the DNS servers your router uses and the ones it serves via DHCP, and are typically 2 separate settings).
If you updated the router's DNS servers and not the DHCP served ones, it'd look like all traffic is coming from your router.
Are you saying you're not observing your devices use it?
If you go to "Query Log" in AdGuard, you can see all of the requests made to it, along w/ the client IP
Yeah, my devices don't use it at the moment. The Query log is empty as a result.
You'll likely need to restart (easiest approach) your devices to get the new values from DHCP
So I'm a bit confused then... what do I need to do with DHCP?
I changed my primary DNS server in my router to be the local IP of HA (192.168.x.x). I didn't change the secondary DNS server in my router though. That's the only thing I changed within my router as I thought that was the thing you're supposed to do.
So, if you just changed your router's DNS server, then DNS requests that are pointed to your router will primarily use AdGuard
DHCP is one way to hand out DNS servers to your clients, if you use DHCP to assign IPs to your network
Are you using DHCP? If so, you likely want to specify your AdGuard IP for DHCP's DNS servers
If not, you'll need to configure your clients to hit AdGuard
I see my HA listed within my router here. That means it uses DHCP right?
Secondary DNS server doesn't necessarily mean that it will not be used if the first one works.
I recommend switching the order around. Make Adguard ask your router and give the Adguard server via DHCP from your router. The router itself uses a public DNS for its upstream.
Note that your devices are able to circumvent your adguard: https://labzilla.io/blog/force-dns-pihole
If I switch it around does that mean go to DHCP settings and create a static lease?
Within AdGuard on HA
This has nothing to do with leases.
Okay
The way you do it right now is client > router > adguard > public DNS. Adguard will only see the router asking it.
You also won't be able to resolve hostnames of your DHCP clients in your router's DHCP table like this.
When a device (client) asks for a DHCP lease from the router the router stores it in its DHCP table. Its own DNS server can usually resolve these client names to their ips.
Hmm. Actually it might still work. Still. You want the client to ask adguard themselves if possible.
How would this "normally" be configured?
In your router you make the upstream 1.1.1.1 or something. In the DHCP setting you make the DNS server the ip of your adguard.
In adguard you make the upstream the ip of your router.
When a device requests a DHCP lease from your router it gets the adguard ip as DNS. When it asks adguard, adguard asks your router and it asks 1.1.1.1.
But as I said, some devices don't use the DNS server you give them. Some browsers use private DNS and stuff like this. You can only really fix this with a proper router that can do firewalling such as pfSense/opnSense.
Also if a HAOS update fails you will have a bad time so you want redundancy for your adguard.
I think I might've missed configuring the upstream part... but I'm struggling with the verbs being used on a Dutch router
It's unlikely to be called upstream in your router. I just don't know what else to call it.
Would it matter if this was configured on a modem rather than a router or does that not make any difference?
Maybe.
Where I'm from when people say router they usually refer to a router modem combination.
In that case I might try later when I've migrated everything to a router. (not that I just found out that I connected everything to a modem but it was more of a lazy factor when I moved in here)
My modem doesn't seem to have anything related to an upstream setting after I set the language to English
Feel free to share some screenshots. It will likely be a matter of enabling advanced mode and spelunking in the interface though.
Where should the upstream setting be located? Within DHCP settings?
Depends on the router. No. Probably not.
DNS?
I can't really tell you. I don't even know your modem model.
It's a KPN Experia Box 12b
They don't seem to have an extensive manual for it.
This seems to be the right place: https://uploads-eu-west-1.insided.com/kpn-nl/attachment/10544a1a-edfe-46b8-b7d3-fc45a8e61841.png
I can't tell if this is what the modem uses itself or what it gives out though.
Since this looks like the DHCP DNS settings I presume it's the upstream: https://uploads-eu-west-1.insided.com/kpn-nl/attachment/5cc5ffb1-c10f-49ee-b042-bab081cad938.png
So that's where I put the 1.1.1.1?
So in first picture use 1.1.1.1 or something and in second picture use the adguard ip.
Alright, checking
Does it need a restart or would it work right away?
I just opened some sites and it doesn't seem to log queries still
Your client has to ask for a new DHCP lease.
So I restart my device?
Which OS?
Windows 11
ipconfig /release and then ipconfig /renew in the terminal might work.
ipconfig /all should tell you the DNS server.
So the DNS looks correct, but there doesn't seem to be query logging still after surfing to youtube.com
No that is not correct. It should only be the adguard ip, NOT 1.1.1.1.
Hmm.
You might have to set both primary and secondary to the same ip.
What does nslookup google.com say now?
By the way according to your picture that is not the adguard ip
I changed the DNS server back to 1.1.1.1 after internet disconnection
.>
Okay I will change it to that instead
Alright try this then
nslookup google.com 192.168.2.102
nslookup google.com 192.168.2.17
Both of them time out
Hmm. Can you try to reboot HAOS and then try it with the ip of the HAOS device again?
Would it matter if I reserved an ipv4 address for the HA device?
Because that's currently the case
Depends if HAOS uses DHCP and if the ip is different than what we tested with above.
The reserved address is x.x.2.102 which is still the current address according to my modem
(also after restart)
Reboot so everything is restarted.
My HAOS doesn't use DHCP
Also I restarted my modem
Then that lease isn't really helpful here to ascertain which ip it uses.
Please check ha network info.
What we do here isn't related to your modem's DNS setting as we directly ask a specific nameserver.
Should be .102 then.
So set primary and secondary DNS back to .102 on my modem? Do I just need to wait longer?
My suspicion right now is that it is because I am configuring this on my modem rather than a router after all
Let's ignore the modem for now. Adguard needs to work and respond first.
Ignore the modem. Make sure the adguard addon is running and check what it says on its Setup Guide tab.
(Still very grateful for your help, sorry for keeping you here this long 🥲 )
It is running and this is currently the setup guide tab
It could be my router. Basically everything is connected to my modem, but I have a router that I use for guests
.17 would be a weird ip for a router and the process cannot listen on an ip that isn't locally available.
It's not a connected device on my modem either
My HAOS has issues at the moment so I can't really test this myself.
It feels a bit confusing but I guess I don't have the luck for this to work as it should have
(because I'm pretty sure this can work really well 😛 )
But my current logic for this problem is that if I configure the DNS on my modem towards the HAOS, then it will no longer use the connection to the internet and rather just search for domains on my HAOS server - which there aren't any. Which is why I might need a router in between my modem and the HAOS server
Would that make sense?
Adguard will defer to its upstream if it can't answer the query.
The issue at hand is that none of the ips respond to DNS queries though.
Can you restart Adguard via the GUI and see if the setup guide still shows the .17 ip?
I'd also like to take a look at the addon logs.
Just for confirmation, which of these can you reach?
I can reach the first one only
Can you share ip a?
I don't know if there is any sensitive info in here
I'm thoroughly confused. There's no 192.168.2.17 and the local ip of the container should be in a different subnet.
You can also check this
apk add iproute2-ss
ss -lntp | grep 53
fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
(1/2) Installing libmnl (1.0.5-r2)
(2/2) Installing iproute2-ss (6.15.0-r0)
Executing busybox-1.37.0-r19.trigger
OK: 261 MiB in 247 packages
LISTEN 0 0 0.0.0.0:5355 0.0.0.0:*
LISTEN 0 0 127.0.0.1:53 0.0.0.0:*
LISTEN 0 0 192.168.2.17:53 0.0.0.0:*
LISTEN 0 0 172.30.32.1:53 0.0.0.0:*
LISTEN 0 0 [fd4e:3732:3232:0:f85f:7d56:41b5:26de]:53 *:*
LISTEN 0 0 *:5355 *:*
LISTEN 0 0 [2a02:a44e:da53:0:2660:8c89:296d:2f81]:53 *:*
LISTEN 0 0 [fe80::9fd4:6ceb:528a:1578]:53 *:*
LISTEN 0 0 [::1]:53 *:*
So it definitely listens there but I don't understand why.
It should be .102 instead right?
Alright. I will try this tomorrow as I am running out of time. Thanks a lot for your help 🙏 very appreciated
Well after some little tinkering I got it fixed! I reserved the ipv4 address to be .17 instead and rebooted HAOS.
I'd love to understand why it used that ip though.
I have one theory but I don't know if it's the correct one. When I restarted HA before, I didn't fully restart the system in advanced options which might've caused the behaviour with the IP to use the IP before I reserved the local IP to HA
I kind of just discovered that option today
At first I thought restarting HA would restart the system but those are separate things
Yeah restart only restarts the HA core (homeassistant) container. This might help to shine some light onto how that works
- https://gist.github.com/Impact123/fb086b391f7d14cb3515144fcbe4785e#background
- https://gist.github.com/Impact123/e9a4a07b184eb393d2ff762e3b1b0a05#run-commands-in-a-containeraddon
What confused me is that the ip wasn't in ip a and the addon was completely re-installed too.
Thanks, that looks really useful