Question: how do conditionally rewrite based on ctag group #2098

Closed
devinslick opened this issue Sep 12, 2020 · 4 comments

@devinslick
devinslick commented Sep 12, 2020

  • Version of AdGuard Home server:
    v0.103.3
  • How did you setup DNS configuration:
    AGH DHCP points the client to AGH DNS

What's my use case?

I'd like to return internal IP addresses for a subset of clients based on ctag modifiers. Other clients shouldn't be blocked from reaching those addresses, but they should get public IP addresses.

The only workaround I can think of is to have a second DNS server that provides these internal addresses and use it as the upstream resolver for clients needing these internal addresses. I don't believe I could use ctag rules to set that up though.

admins get public, others get internal (WORKING)

192.168.1.10 test1.domain.com
@@test1.domain.com^$ctag=user_admin

This is an example of the opposite of what I'm trying to do. The catch-all address should be public.

admins get public, others get blocked (WORKING)

0.0.0.0 test2.domain.com
@@test2.domain.com^$ctag=user_admin

admins get an internal address, others get public (NOT WORKING)

192.168.1.10 test3.domain.com
||test3.domain.com^$ctag~user_admin

Related page:
https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#ctag

What is the recommended way of handling this?

@ameshkov
Member

Hmm, I guess this is not possible with how it's currently implemented.

One possible solution would be to introduce a new $dnsrewrite modifier that would work the same way as DNS rewrites work.

Something like this: example.org$dnsrewrite= 192.168.1.10

In this case, you will be able to use other modifiers like $ctag or $client as well and make this rewrite conditional.

@devinslick
Author

Thanks @ameshkov,
I was hoping there was something I missed in the docs.

In case anyone else runs into this thread looking for a solution, here's how you can add a second DNS server the way I did:

  1. Create a folder for your new Docker container conf file:
    mkdir -p /docker/dnsmasq/conf

  2. Add a line to return 192.168.1.10 for *.mydomain.suffix:
    echo 'address=/.mydomain.suffix/192.168.1.10' > /docker/dnsmasq/conf/dnsmasq.conf
    Replace mydomain.suffix with your domain. Replace 192.168.1.10 with the IP you want for those records.
    If the IPs are different just edit this file and create lines for each record.

  3. Run a Docker container of dnsmasq using that config file. It will need to listen on a port you aren't already using on this host:
    docker run --name dnsmasq -d --health-cmd="nc localhost:53 -znv || exit 1" --cap-add=NET_ADMIN -p 55:53/tcp -p 55:53/udp -v /docker/dnsmasq/conf/dnsmasq.conf:/etc/dnsmasq.conf --restart always anzevalher/dnsmasq:latest

  4. Point the clients needing these records to use dnsmasq as the upstream server for your mydomain.suffix records.
    image
    Replace mydomain.suffix with your domain. Replace 192.168.1.2 with the IP where you're running dnsmasq
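
Added example, not part of the thread or of AdGuard Home: a generator for the step 2 dnsmasq.conf lines when records have different IPs, which rejects malformed names and addresses before they reach the resolver config, plus the upstream line for step 4. The `[/domain/]ip:port` upstream form stands in for the missing screenshot and is an assumption, as are the sample host names.

```shell
# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_name NAME: letters, digits, '-' and '.' only; a leading dot is allowed
# because the thread uses '.mydomain.suffix'. Rejects '/', '#', spaces, etc.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|*..*|*.|-*|*.-*|*-.*|*-) return 1 ;;
    esac
}

# gen_dnsmasq_conf: read "name ip" pairs on stdin, print address= lines.
# Prints nothing and returns 1 if any record is malformed.
gen_dnsmasq_conf() {
    out=""; lineno=0
    while read -r name ip extra || [ -n "$name" ]; do
        lineno=$((lineno + 1))
        case "$name" in ""|\#*) continue ;; esac    # skip blanks and comments
        if [ -n "$extra" ] || ! valid_name "$name" || ! valid_ipv4 "$ip"; then
            echo "line $lineno: rejected" >&2
            return 1
        fi
        out="${out}address=/${name}/${ip}
"
    done
    printf '%s' "$out"
}

# agh_upstream_line DOMAIN RESOLVER_IP PORT: per-domain upstream entry (assumed syntax).
agh_upstream_line() {
    valid_name "$1" && valid_ipv4 "$2" || return 1
    case "$3" in ""|*[!0-9]*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || return 1
    printf '[/%s/]%s:%s\n' "${1#.}" "$2" "$3"
}

# Constructed sample records.
gen_dnsmasq_conf <<'EOF'
nas.mydomain.suffix 192.168.1.10
git.mydomain.suffix 192.168.1.11
EOF
agh_upstream_line mydomain.suffix 192.168.1.2 55
```

Redirect the output of gen_dnsmasq_conf to /docker/dnsmasq/conf/dnsmasq.conf only when it returns 0.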

@ameshkov
Member

If you think that this $dnsrewrite solution could be useful, let me know, we'll consider implementing it.

@devinslick
Author

> If you think that this $dnsrewrite solution could be useful, let me know, we'll consider implementing it.

Yes, definitely. $dnsrewrite with $ctag would be really powerful!
My solution is just a workaround in case others run into this issue in the meantime. Thank you!
