Use EDNS as client IP in statistics and forward it to the upstream #1727
Comments
Merging #3360 (comment) here |
Could we please bump up the priority? I think ECS forwarding to upstream is pretty important for CDN performance. Thank you. |
@timkgh v0.108 is the closest we can get, v0.107 is sealed, we can't add anything there (only remove something from it:)). |
sgtm |
It seems that ECS passthrough is working as expected as of 0.107.2. I tested it using the following command:
In Adguard Home ( Result:
Toggling |
I would love if ECS is also used for the query log, so that you can filter on the ECS value, similar to client IP. Another place it should probably be used is in "Client settings", so that you can use it to block only for clients with the specific ECS value. Reasoning: I use CoreDNS as my first line DNS proxy, and I use the config |
I have the same issue / request as Robin above -- I have dnsmasq running as my network-internal DHCP + DNS server, and AdGuard is upstream of the dnsmasq (so that internal lookups 'just work' due to the link to dhcp). Tcpdump confirms that the ECS is correctly passed to adguard (using |
Add me to the list of folks looking for this as well. Would like to use dnsdist as my all up dns proxy and only route external / internet requests through AdguardHome. |
I also say that would be good to add it... I use DNSmasq ( |
I am definitely wanting support for this. --add-mac[=base64|text] |
Any progress on this topic? Is it planned for version 0.108? |
Will be following along to see if this is implemented. Otherwise I think might need to switch to pi-hole which does this. |
Not implemented yet? EDIT Did my own dirty hack to have this locally while waiting for the official implementation: Published in dockerhub as |
@felipejfc Great! Are you able to add a test for that code as well, and you might have a chance of it actually being accepted. Even better if you try to provide it as a pull request. |
Doing it "the right way" will take a little more effort. If the maintainers signal they would be willing to accept a PR I can make it. The complexity is the following: |
@EugeneOne1 any thoughts on @felipejfc's approach? |
I am also waiting for the implementation of the Proxy Protocol or EDNS Client Subnet (ECS). As long as there is no implementation, maybe my workaround is helpful. Some information about ProxyProtocol or ECS: Passing the source address to the backend My environment: The DNS proxy dnsdist is running on my OpenWRT router and an AdGuardHome docker container is running on my Intel NUC. All public DNS requests should be forwarded to AdGuardHome via dnsdist, but I would like to see the client IP address in the AdGuardHome log.
Source: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration In the config file AdGuardHome.yaml you have to add the IP address of the OpenWRT router and DoH must be activated under the “Encryption settings”. In the dnsdist configuration, the decisive parameter is “addXForwardedHeaders=true,” example: The correct client IP address (IPv4 or IPv6) is now displayed in the log. Full dnsdist config:
|
@christianbur, you don't need to change any config about adguard, to accomplish your goal, just add "setECSSourcePrefixV4(32)" below adguard pool inside dnsdist.conf. No need for DoH. EDITED, example below:

```lua
-- udp/tcp dns listening
setLocal("0.0.0.0:53", {})
-- disable security status polling via DNS
setSecurityPollSuffix("")
-- Local Adguard
newServer({
  address = "192.168.10.11",
  pool = "adguard",
  healthCheckMode = "lazy",
  checkInterval = 1800,
  lazyHealthCheckFailedInterval = 30,
  rise = 2,
  maxCheckFailures = 3,
  lazyHealthCheckThreshold = 30,
  lazyHealthCheckSampleSize = 100,
  lazyHealthCheckMinSampleCount = 10,
  lazyHealthCheckMode = 'TimeoutOnly',
  useClientSubnet = true
})
-- Adblocker will be given requester IP
setECSSourcePrefixV4(32)
```
|
@christianbur Does it work with dnscrypt-proxy? I use OPNsense and it only supports this. |
When AdGuard Home runs behind a proxy (e.g. dnsdist), the statistics will show the proxy’s IP as the source IP instead of the client’s IP.
It would be great if the statistics source IP were based on the EDNS client subnet when possible.
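
The behaviour requested above, sketched as an added example (not AdGuard Home's code and not from any commenter): read the ECS option (RFC 7871, EDNS option code 8) from a raw query and use it as the logged client address only when the packet came from a trusted proxy, because any sender can put an arbitrary address in ECS. The helper `clientFromECS`, the `sampleQuery` bytes and the proxy address `192.168.10.1` are assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Constructed sample: query for example.com A carrying ECS 192.168.10.57/32.
var sampleQuery = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01" + // header
	"\x07example\x03com\x00\x00\x01\x00\x01" + // question
	"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x0c" + // OPT RR header, RDLEN 12
	"\x00\x08\x00\x08\x00\x01\x20\x00\xc0\xa8\x0a\x39") // option 8: IPv4, /32

// clientFromECS (hypothetical helper) returns the ECS address (RFC 7871) when
// src is a trusted proxy, else src. Assumes OPT is the first additional record.
func clientFromECS(msg []byte, src netip.Addr, trusted netip.Prefix) netip.Addr {
	u16 := binary.BigEndian.Uint16
	i := 12
	for i < len(msg) && msg[i] != 0 { // skip QNAME labels
		i += int(msg[i]) + 1
	}
	i += 5 // root label, QTYPE, QCLASS
	if !trusted.Contains(src) || i+11 > len(msg) || msg[i] != 0 || u16(msg[i+1:]) != 41 {
		return src // untrusted sender (ECS is sender-controlled) or no OPT record
	}
	rd := msg[i+11:]
	if n := int(u16(msg[i+9:])); n < len(rd) {
		rd = rd[:n] // honour RDLENGTH
	}
	for len(rd) >= 4 && 4+int(u16(rd[2:])) <= len(rd) { // complete options only
		n := int(u16(rd[2:]))
		if opt := rd[4 : 4+n]; u16(rd) == 8 && n >= 4 { // family, source, scope, address
			size, bits := map[uint16]int{1: 4, 2: 16}[u16(opt)], int(opt[2])
			buf := make([]byte, size)
			copy(buf, opt[4:])
			if a, ok := netip.AddrFromSlice(buf); ok && bits > 0 && bits <= size*8 && n-4 == (bits+7)/8 {
				return a
			}
		}
		rd = rd[4+n:]
	}
	return src
}

func main() {
	proxy := netip.MustParsePrefix("192.168.10.1/32") // constructed proxy address
	fmt.Println(clientFromECS(sampleQuery, proxy.Addr(), proxy))
}
```

With a source prefix shorter than /32 the returned address is the subnet's base address, so per-client statistics are only exact when the proxy sends the full address, as `setECSSourcePrefixV4(32)` does in the dnsdist comment above.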