Root domain (".") query is forwarded to incorrect upstream (likely [//] upstream) #7058

Open
4 tasks done
mangkoran opened this issue Jun 4, 2024 · 3 comments

mangkoran commented Jun 4, 2024

Platform (OS and CPU architecture)

OpenWrt, ARM64

Installation

Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)

Setup

On a router, DHCP is handled by the router

AdGuard Home version

0.107.48

Action

nslookup -debug -type=ns '.' 192.168.2.1

Expected result

Query forwarded to correct upstream server

Actual result

Root domain (only dot/".") query is forwarded to incorrect upstream which is likely the private reverse DNS server (127.0.0.1:54)

[screenshot not preserved]

Additional information and/or screenshots

AGH config:

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.2.1:3000
  session_ttl: 720h
users:
  - name: foo
    password: bar
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 192.168.2.1
    - 127.0.0.1
    - ::1
  port: 53
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - "[/lan/]127.0.0.1:54"
    - "[//]127.0.0.1:54"
    - "[/pool.ntp.org/]9.9.9.10:9953"
    - "[/pool.ntp.org/]149.112.112.10:9953"
    - "[/pool.ntp.org/][2620:fe::10]:9953"
    - "[/pool.ntp.org/][2620:fe::fe:10]:9953"
    - "[/pool.ntp.org/]1.1.1.1"
    - "[/pool.ntp.org/]1.0.0.1"
    - "[/pool.ntp.org/]2606:4700:4700::1111"
    - "[/pool.ntp.org/]2606:4700:4700::1001"
    - quic://dns.adguard-dns.com
    - https://dns.adguard-dns.com/dns-query
    - https://security.cloudflare-dns.com/dns-query
    - https://dns.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 94.140.14.14
    - 94.140.15.15
    - 2a10:50c0::ad1:ff
    - 2a10:50c0::ad2:ff
    - 1.1.1.1
    - 1.0.0.1
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001
    - 9.9.9.10:9953
    - 149.112.112.10:9953
    - "[2620:fe::10]:9953"
    - "[2620:fe::fe:10]:9953"
  fallback_dns: []
  upstream_mode: parallel
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: /mnt/sda1/adguardhome/querylog
  ignored: []
  interval: 168h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: /mnt/sda1/adguardhome/statistics
  ignored: []
  interval: 2160h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
    name: Peter Lowe's Blocklist
    id: 1715247057
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt
    name: Steven Black's List
    id: 1715247058
whitelist_filters: []
user_rules:
  - "@@||t.co^$important"
  - "||wpad^$important"
  - "! ||wpad^$client='192.168.2.1'"
  - "||s2018^$important"
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  file: /mnt/sda1/adguardhome/syslog/adguardhome.log
  max_backups: 0
  max_size: 10
  max_age: 90
  compress: false
  local_time: true
  verbose: true
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 28

To test my assumption, I tried to change the [//] upstream to 8.8.8.8 (there is no 8.8.8.8 in my config so this should be a good indicator) and tried nslookup. As we can see the upstream now changes to 8.8.8.8.

[screenshot not preserved]

Am I missing something here? Is the . query supposed to be included in [//]? Because I thought it's not. In the documentation it is said:

An empty domain specification, // has the special meaning of “unqualified names only”, i.e. names without any dots in them, like myhost or router
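To make the routing rule under discussion concrete, the following is an added example written for this page; it is not AdGuard Home's or dnsproxy's own code. It models how entries like "[/lan/]127.0.0.1:54" and "[//]127.0.0.1:54" from the config above are parsed and how a query name is routed to an upstream. Assumptions of the model (not taken from the project): the precedence is longest matching domain specification, then the empty specification "[//]" for unqualified names, then the upstreams with no specification; "[/./]addr" is accepted as a root-zone-only specification; and the `naive` flag, `ParseUpstream`, `SelectUpstreams` and `isUnqualified` are this example's own names. With `naive` on, the unqualified check strips the trailing dot and then looks for dots, so the root name "." shrinks to "" and is sent to the "[//]" upstream, which is the behaviour reported here; with it off, the root query falls through to the default upstreams.

```go
package main

import (
	"fmt"
	"strings"
)

// Upstream is one parsed upstream_dns entry: "[/dom1/dom2/]addr", "[//]addr" or "addr".
type Upstream struct {
	Addr            string
	Domains         []string // canonical form: lowercase, one trailing dot
	UnqualifiedOnly bool     // the empty specification "[//]"
}

// canonical lowercases a name and gives it one trailing dot, so the root zone is ".".
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// ParseUpstream parses one entry. "[/./]addr" is accepted as "root zone only";
// that is an assumption of this model (the thread shows AdGuard Home rejecting it).
func ParseUpstream(spec string) (Upstream, error) {
	if !strings.HasPrefix(spec, "[/") {
		return Upstream{Addr: spec}, nil
	}
	end := strings.IndexByte(spec, ']')
	if end < 3 || end == len(spec)-1 || spec[end-1] != '/' {
		return Upstream{}, fmt.Errorf("malformed upstream: %q", spec)
	}
	u := Upstream{Addr: spec[end+1:]}
	inner := spec[2 : end-1] // between "[/" and "/]"
	if inner == "" {
		u.UnqualifiedOnly = true
		return u, nil
	}
	for _, d := range strings.Split(inner, "/") {
		if d == "" {
			return Upstream{}, fmt.Errorf("empty domain in %q", spec)
		}
		u.Domains = append(u.Domains, canonical(d))
	}
	return u, nil
}

// isUnqualified decides whether qname is routed to the "[//]" upstreams.
// The naive form strips the trailing dot and checks for remaining dots, so the
// root "." shrinks to "" and counts as unqualified: the behaviour reported in
// this issue. The documented rule ("names without any dots in them, like
// myhost or router") needs the root excluded explicitly.
func isUnqualified(qname string, naive bool) bool {
	t := strings.TrimSuffix(qname, ".")
	return (naive || t != "") && !strings.Contains(t, ".")
}

// SelectUpstreams returns the addresses that serve qname under the assumed
// precedence: longest matching domain specification (first one on ties),
// then "[//]" for unqualified names, then upstreams with no specification.
func SelectUpstreams(ups []Upstream, qname string, naive bool) []string {
	q := canonical(qname)
	bestAddr, bestLen := "", -1
	for _, u := range ups {
		for _, d := range u.Domains {
			if (q == d || strings.HasSuffix(q, "."+d)) && len(d) > bestLen {
				bestAddr, bestLen = u.Addr, len(d)
			}
		}
	}
	if bestLen >= 0 {
		return []string{bestAddr}
	}
	var viaEmpty, defaults []string
	for _, u := range ups {
		switch {
		case u.UnqualifiedOnly && isUnqualified(q, naive):
			viaEmpty = append(viaEmpty, u.Addr)
		case u.Domains == nil && !u.UnqualifiedOnly:
			defaults = append(defaults, u.Addr)
		}
	}
	if viaEmpty != nil {
		return viaEmpty
	}
	return defaults
}

func main() {
	// Constructed subset of the reporter's upstream_dns list.
	var ups []Upstream
	for _, s := range []string{"[/lan/]127.0.0.1:54", "[//]127.0.0.1:54", "https://dns.quad9.net/dns-query"} {
		u, err := ParseUpstream(s)
		if err != nil {
			panic(err)
		}
		ups = append(ups, u)
	}
	for _, q := range []string{".", "router", "nas.lan", "example.com"} {
		fmt.Println(q, "naive:", SelectUpstreams(ups, q, true), "fixed:", SelectUpstreams(ups, q, false))
	}
}
```

Running it prints, for each query name, the upstream chosen under both variants of the unqualified check; only the root name "." differs between them, which is the check a practitioner would want when verifying a fix: every other name in the reporter's list routes identically.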

@Cebeerre Cebeerre added the bug label Jun 5, 2024
Cebeerre commented Jun 5, 2024

You're indeed right. I can reproduce.

@ainar-g as explained by @mangkoran, the empty domain specification also redirects the root zone to the specified upstream, which is obviously not expected, as it should be sending only unqualified names as per the wiki.

mangkoran (author) commented

Thank you for your reply. I'm a bit curious and tried to add [/./]8.8.8.8 to "Upstream DNS servers" to see if I can override the upstream for ".". However, I got the following error.

[screenshot not preserved]

@EugeneOne1 EugeneOne1 self-assigned this Jun 20, 2024
mangkoran (author) commented

Apologies for asking this, but is a fix already planned? Currently, due to the incorrect upstream server, the root domain query takes a long time to process (mostly around 10000 ms) before it gets refused. This seems to bottleneck AGH's resolving capability.
