AdGuardHome dropping requests when using client is using unbound with TLS

[TommyKing]

as the title said, in the recent Update. i notice my Unbound TLS can't communicate with newest AGH in VPS., turn back to 0.104.3, the issue resolved by itself.

wierdly when using DNS feature in adguard Adblocker, it resolve well. i don't know what i should give you as i checked logs on vps, there's no important log regarding this. i checked /var/log

[ameshkov]

To troubleshoot this issue we need to see AdGuard Home logs.

1. Configure AdGuard Home to collect logs:
   • Specify log_file
   • Set verbose to True
2. Restart AdGuard Home and reproduce the issue
3. Post the log file here.

[TommyKing]

Adg.log

here's the log. see the most recent one. it failed to resolve.

i can't test this on production server. i'll spin another server if you need some data

[ameshkov]

@ainar-g

2021/02/11 09:15:01 6961#1199 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleTCPConnection(): error handling DNS (tls) request: talking to dnsUpstream failed, cause: client id check: client server name "" doesn't match host server name "xxxx"

[ameshkov]

@ainar-g note that in unbound it is configured without any domain name:
forward-addr: "xxxxx@853"

Not sure how it worked before, does unbound verify the server cert?

[ainar-g]

@ameshkov, that's client ID validation, and client IDs only appeared in v0.105.0. The assumption there is that valid clients always set server name in their requests. Apparently this assumption is too restrictive?

[ameshkov]

Tbh, I don't think it's too restrictive, AGH works as expected. The only thing I don't like is the log message, it does not explain the problem (invalid SNI sent by the client).

[ameshkov]

On the other hand, it's up to the client to verify the certificate, and we have StrictSNI setting to enable this behavior.

[ainar-g]

Should be fixed as of snapshot 7e08565. Can you please check if our solution fixes the issue for you?

[TommyKing]

yes fixed. thank you