AdGuardHome Opnsense Plugin 1.7 Stops Internet After Selecting Parental Control and Browsing Security #4184

Open
mushtash opened this issue Jan 22, 2022 · 26 comments


@mushtash

I'm running AdGuardHome Plugin 1.7 for Opnsense by m.a.x. it / mimugmail.
In Opnsense
AGH is listening on port 53
Unbound is listening on port 5353

In AGH Added DNS Upstream Servers
tls://family-filter-dns.cleanbrowsing.org
tls://dns-family.adguard.com

Bootstrap and Private rDNS resolver
Opnsense LAN IP address over 5353

Encryption Enabled with All Certs status valid

In AGH under general settings, if either or both of Parental Control and Browsing Security are selected, the internet stops working.
With them unchecked, there are no issues.
The attached screenshot highlights the options causing the internet issue. Hosts see "DNS request timed out" for nslookup.
AGH_Gen_Setting

@mushtash
Author

Any help with the posted issue would be appreciated.

@ainar-g
Contributor

ainar-g commented Jan 24, 2022

Hello and thank you for the report! Can you enable verbose logging and see what kind of logs are printed when this happens? Thanks!

@ainar-g added the "waiting for data" label Jan 24, 2022
@mushtash
Author

I have the verbose log from recreating the issue.
Do I need to anonymize any data from the log file before sharing, or is there no need to do so?

A few lines from the log file:
2022/01/21 22:28:05.287174 78519#99 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): error handling DNS (udp) request: talking to dns upstream: failed to check host "catalog.gamepass.com": safe browsing: requesting https://dns-family.adguard.com:443/dns-query: Get "https://dns-family.adguard.com:443/dns-query?dns=JvcBAAABAAAAAAAABDBiZWUENjA2NgJzYgNkbnMHYWRndWFyZANjb20AABAAAQ": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

2022/01/21 22:28:05.468466 78519#31 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): error handling DNS (udp) request: talking to dns upstream: failed to check host "catalog.gamepass.com": safe browsing: requesting https://dns-family.adguard.com:443/dns-query: Get "https://dns-family.adguard.com:443/dns-query?dns=9K8BAAABAAAAAAAABDYwNjYEMGJlZQJzYgNkbnMHYWRndWFyZANjb20AABAAAQ": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

2022/01/21 22:28:14.088751 78519#88 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): error handling DNS (udp) request: talking to dns upstream: failed to check host "firebaseremoteconfig.googleapis.com": safe browsing: requesting https://dns-family.adguard.com:443/dns-query: Get "https://dns-family.adguard.com:443/dns-query?dns=uTABAAABAAAAAAAABDcxYjQENGU0YgQ1MTlkAnNiA2RucwdhZGd1YXJkA2NvbQAAEAAB": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

2022/01/21 22:28:14.088875 78519#91 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): error handling DNS (udp) request: talking to dns upstream: failed to check host "firebaseremoteconfig.googleapis.com": safe browsing: requesting https://dns-family.adguard.com:443/dns-query: Get "https://dns-family.adguard.com:443/dns-query?dns=KjgBAAABAAAAAAAABDcxYjQENGU0YgQ1MTlkAnNiA2RucwdhZGd1YXJkA2NvbQAAEAAB": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

2022/01/21 22:28:14.711635 78519#33 [error] shutting down http server "0.0.0.0:443": context deadline exceeded
2022/01/21 22:28:14.711940 78519#33 [error] shutting down http server "0.0.0.0:8443": context deadline exceeded

@EugeneOne1
Member

@mushtash, this may be due to AdGuard's security services (i.e. parental control and safe browsing) appearing unreachable from your location. Could you please check it with the dnslookup utility like this:

dnslookup <some-adult-site> https://dns-family.adguard.com:443/dns-query

An unsuccessful result indicates that these services are indeed unreachable. In this case, see the issue comment.

@mushtash
Author

Bad Site NSlookup
PS C:\Users\user1> nslookup pornhub.com https://dns-family.adguard.com:443/dns-query
*** Can't find server address for 'https://dns-family.adguard.com:443/dns-query':
Server: fw.mydomain.com
Address: 192.168.10.254

*** fw.mydomain.com can't find pornhub.com: Non-existent domain

PS C:\Users\user1> nslookup sex.com https://dns-family.adguard.com:443/dns-query
*** Can't find server address for 'https://dns-family.adguard.com:443/dns-query':
Server: fw.mydomain.com
Address: 192.168.10.254

*** fw.mydomain.com can't find sex.com: Non-existent domain

Good Site
PS C:\Users\user1> nslookup xe.com https://dns-family.adguard.com:443/dns-query
*** Can't find server address for 'https://dns-family.adguard.com:443/dns-query':
Server: fw.mydomain.com
Address: 192.168.10.254

Non-authoritative answer:
Name: xe.com
Addresses: 65.9.61.34
65.9.61.128
65.9.61.4
65.9.61.98

What is expected when a bad site lookup is queried? Should it show AG DNS servers, or something else?

@mushtash
Author

On Opnsense, I don't have the dnslookup utility. Is it required for testing, or is nslookup fine?
root@fw:~ # nslookup

pornhub.com https://dns-family.adguard.com:443/dns-query
Server: ::1
Address: ::1#53

** server can't find pornhub.com: NXDOMAIN

@EugeneOne1
Member

@mushtash, nslookup is not able to use encrypted DNS. So yes, dnslookup is required; you may download it from the releases page. The information collected with it is important for troubleshooting the issue.

@mushtash
Author

From Windows Host dnslookup for badsite
dnslookup.exe pornhub.com https://dns-family.adguard.com:443/dns-query
dnslookup v. v1.5.1
dnslookup result:
;; opcode: QUERY, status: NOERROR, id: 4353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pornhub.com. IN A

;; ANSWER SECTION:
pornhub.com. 3600 IN A 94.140.14.35

@mushtash
Author

Any updates on this issue? I have provided the dnslookup results.

@EugeneOne1
Member

@mushtash, hello again. The dnslookup result looks OK actually. Was it performed from the host machine of AGH?

Could you please also clarify what "internet stops working" means? Does the issue reproduce in another browser?

Finally, we'd like to look at the full verbose log. Could you please send it to devteam@adguard.com? Thanks.

@mushtash
Author

Yes, dnslookup was done from a Windows host behind AGH.
"Internet stops working" means no website is reachable from any browser.
nslookup during the internet issue shows DNS request timed out.
Also, I have disabled DoH in the Edge and Firefox browsers.
What is the exact issue? Should I get the ISP involved? I'm not sure if the ISP is blocking.
I will share the logs by email.

@mushtash
Author

I have already sent an email with the required verbose log file.
Any clue what's going on?

@EugeneOne1
Member

@mushtash, judging from the log, the domains are properly resolved with safe browsing and parental control services enabled. Are you sure AGH is the only DNS server in your network?

Also, are you able to follow the plain IP address resolved with one of the services? For example, 216.239.38.119 for YouTube (it should open Google's main page).

@EugeneOne1 added the "cannot reproduce" label and removed the "waiting for data" label Feb 1, 2022
@mushtash
Author

mushtash commented Feb 1, 2022

Thanks for the updates.
As I mentioned in my first post, I've installed AGH in Opnsense with Unbound.
For the internal network, only AGH is listening on 53 as DNS, and there is no other DNS server.
I entered the IP you provided in the browser and got the main page of Google.
Similarly, if I enter 176.103.130.135 and 176.103.130.133 in the browser, I see "can't reach this page".
Further, I did an nslookup from Windows behind AGH; earlier it was resolving to the above IP addresses.
Is there anything to check in the yaml file? I could send it to the dev email to verify that the settings are correct.
Is any remote connection troubleshooting available?

PS C:\Users\user1> nslookup
Default Server: fw.mydomain.com
Address: 192.168.10.254

family-block.dns.adguard.com
Server: fw.mydomain.com
Address: 192.168.10.254

*** fw.mydomain.com can't find family-block.dns.adguard.com: Non-existent domain

standard-block.dns.adguard.com
Server: fw.mydomain.com
Address: 192.168.10.254

*** fw.mydomain.com can't find standard-block.dns.adguard.com: Non-existent domain

@EugeneOne1
Member

@mushtash, sorry, I've just noticed the timeouts on requesting the safe browsing service in the logs. These probably mean that AGH can't actually reach the safe browsing servers. To confirm, could you please try to reach the security services from AGH's host machine with ping:

ping 94.140.14.15
ping 94.140.15.16

@mushtash
Author

mushtash commented Feb 2, 2022

I suspect Unbound is causing some issue here.
Does AGH work fine along with Unbound?
Is AGH a resolver too?
I'm trying to test by disabling Unbound, but then who will be the resolver for Opnsense?
Please share the settings to try with only Opnsense + AGH.

@mushtash
Author

mushtash commented Feb 4, 2022

Any further help on this issue?

@EugeneOne1
Member

@mushtash, have you performed the ping? Did it succeed?

@mushtash
Author

mushtash commented Feb 5, 2022

Please find the ping results from a Windows machine behind AGH:

PS C:\Users\user1> ping 94.140.14.15

Pinging 94.140.14.15 with 32 bytes of data:
Reply from 94.140.14.15: bytes=32 time=233ms TTL=52
Reply from 94.140.14.15: bytes=32 time=236ms TTL=52
Reply from 94.140.14.15: bytes=32 time=242ms TTL=52
Reply from 94.140.14.15: bytes=32 time=250ms TTL=52

Ping statistics for 94.140.14.15:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 233ms, Maximum = 250ms, Average = 240ms
PS C:\Users\user1> ping 94.140.15.16

Pinging 94.140.15.16 with 32 bytes of data:
Reply from 94.140.15.16: bytes=32 time=170ms TTL=51
Reply from 94.140.15.16: bytes=32 time=171ms TTL=51
Reply from 94.140.15.16: bytes=32 time=181ms TTL=51
Reply from 94.140.15.16: bytes=32 time=189ms TTL=51

Ping statistics for 94.140.15.16:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 170ms, Maximum = 189ms, Average = 177ms

@mushtash
Author

mushtash commented Feb 9, 2022

Any further updates on this issue?

@mushtash
Author

No more updates. Any resolution?

@mushtash
Author

Is there any resolution to this issue?

@stale

stale bot commented Jun 13, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale bot added the wontfix label Jun 13, 2022
@Birbber

Birbber commented Sep 1, 2022

@mushtash Sorry for the long silence! Is this issue still relevant in the latest version?

@stale bot removed the wontfix label Sep 1, 2022
@mushtash
Author

mushtash commented Sep 1, 2022

I'm not sure which is the new version of AGH in Opnsense, or are you referring to OPN version 22.7?
With 22.1, to this day I have the issue.

@ainar-g
Contributor

ainar-g commented Sep 2, 2022

We are not the ones who support the plugin, so you may need to consult those developers. But testing the issue on the latest version would probably provide the necessary information.
