Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet)

[rampageX]

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Problem Description

I set dnsmasq with my main DNS server on router because i need some complex ipset rules support, and AdguardHome is the only upsteam server. But now on AGH dashboard, i can only see the router ip but not the others real client ip.

Proposed Solution

Add add-mac and add-subnet to dnsmasq, then AGH can get the real client ip from every requery.

Additional Information

Pi-hole: Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet)

[ameshkov]

Am I right that you'd like AGH to be able to extract the client's IP and Mac addresses that dnsmasq adds to the outgoing DNS queries?

[rampageX]

@ameshkov Yes, so that I can see which device made the request on AGH instead of showing all the gateway’s IP.

[ianmacd]

I would like to add my voice to this request.

This would make it a lot more practical to run AdGuard Home on a machine already resolving DNS for a local network, such as a home router.

[ameshkov]

Well, as I see it, this would be more useful to cloud installations of AGH - so that you could configure the router to pass clients info to AGH.

Anyways, it's planned on v0.106 so it's coming relatively soon.

[ptrsmk]

v0.106 has shipped, obviously. Has this been implemented?

[timkgh]

@ameshkov

Interested in the dnsmasq-like add-subnet feature too where I can set a fixed IP or subnet:

--add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
Add a subnet address to the DNS queries which are forwarded upstream. If an address is specified in the flag, it will be used, otherwise, the address of the requestor will be used.
...

The way I use it in dnsmasq on my router: I set it to the IP of the first hop router from my ISP (which has an IP in a different range/subnet than my public IP and obviously used by many other households in my area), this way I still get some geo-locality for CDNs but also protect my public IP address from being passed to upstream DNS servers.

One can test it like this:
dig o-o.myaddr.google.com txt +subnet='1.2.3.0/24' @8.8.8.8 (or @9.9.9.11)
vs
dig o-o.myaddr.google.com txt +subnet='1.2.3.0/24' @94.140.14.14
(you can replace @<ip> with the <ip> of your Adguard Home DNS server)

[c2xusnpq6]

There seems to be no change in Adguard DNS' response content when different http parameter edns_client_subnet values are received.

To enhance privacy, some people may want to pretend that they are in a country where privacy laws are strong. People in Southeast Asia, China, Hong Kong, and Macau may be willing to trade a little network delay in exchange for enhanced privacy.

[c2xusnpq6]

For further information, please see:

• https://dns.google/resolve?name=google.com&ct=application/dns-json&edns_client_subnet=46.14.4.0/24

• https://dns.google/resolve?name=google.com&ct=application/dns-json&edns_client_subnet=1.34.4.0/24

[c2xusnpq6]

EDNS Client Subnet (ECS) Guidelines: https://developers.google.com/speed/public-dns/docs/ecs

JSON API for DNS over HTTPS (DoH): https://developers.google.com/speed/public-dns/docs/doh/json#supported_parameters