How does AGH determine the client identifier from the DoH hostname when AGH is behind a reverse proxy? #7414

gene1wood · 2024-11-07T04:14:10Z

gene1wood
Nov 7, 2024

I have v0.108.0-b.60 of AdGuardHome running which supports deriving the ClientID from the AGH hostname as of v0.108.0-b.18.

According to that wiki page, if a DoH request comes into AGH to a URL like https://my-client.example.org/dns-query, then AGH will identify my-client as the ClientID.

I'm running AGH behind a reverse proxy of SWAG which is just Nginx.

I've confirmed things are generally working because if I make a DoH request passing the ClientID in the URL (e.g. https://example.org/dns-query/my-client), SWAG proxies the call to AGH and AGH correctly identifies the client by that my-client ID and applies the right filters.

I trigger a URL path DoH call by running

curl -v --doh-url https://example.org/dns-query/abcdefghijklmnop https://www.reddit.com/

Log lines for successful URL Path DoH call

[debug] dnsproxy: incoming https request url=/dns-query/abcdefghijklmnop
[debug] dnsproxy: using ip address from http request addr=192.168.0.123
[debug] dnsproxy: request came from proxy server addr=172.21.0.5:56724
[debug] dnsproxy: in line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: in line_num=2 line=";; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsproxy: in line_num=3 line=""
[debug] dnsproxy: in line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: in line_num=5 line=";www.reddit.com.\tIN\t A"
[debug] dnsproxy: in line_num=6 line=""
[debug] dnsforward: started processing initial
[debug] applying filters: looking for client with ip 192.168.0.123 and clientid "abcdefghijklmnop"
[debug] applying filters: using settings for client "abc Example client" (192.168.0.123; "abcdefghijklmnop")
[debug] addrproc: processing rdns ip=192.168.0.123
[debug] applying filters: services for client "abc Example client" set: [imgur reddit]
[debug] dnsproxy: incoming https request url=/dns-query/abcdefghijklmnop
[debug] dnsforward: finished processing initial
[debug] dnsproxy: using ip address from http request addr=192.168.0.123
[debug] dnsproxy: request came from proxy server addr=172.21.0.5:56728
[debug] dnsproxy: in line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsforward: started processing ddr
[debug] dnsproxy: in line_num=2 line=";; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsproxy: in line_num=3 line=""
[debug] addrproc: finished processing rdns ip=192.168.0.123 host="" elapsed=375.047µs
[debug] dnsproxy: in line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: in line_num=5 line=";www.reddit.com.\tIN\t AAAA"
[debug] dnsproxy: in line_num=6 line=""
[debug] dnsforward: finished processing ddr
[debug] dnsforward: started processing initial
[debug] applying filters: looking for client with ip 192.168.0.123 and clientid "abcdefghijklmnop"
[debug] applying filters: using settings for client "abc Example client" (192.168.0.123; "abcdefghijklmnop")
[debug] applying filters: services for client "abc Example client" set: [imgur reddit]
[debug] addrproc: processing whois ip=192.168.0.123
[debug] dnsforward: finished processing initial
[debug] dnsforward: started processing ddr
[debug] dnsforward: finished processing ddr
[debug] dnsforward: started processing dhcp hosts
[debug] dnsforward: finished processing dhcp hosts
[debug] addrproc: finished processing whois ip=192.168.0.123 whois= elapsed=944.474µs
[debug] dnsforward: started processing dhcp addrs
[debug] dnsforward: finished processing dhcp addrs
[debug] dnsforward: started processing dhcp hosts
[debug] dnsforward: started processing filtering before req
[debug] addrproc: processing rdns ip=192.168.0.123
[debug] addrproc: finished processing rdns ip=192.168.0.123 host="" elapsed=308.589µs
[debug] addrproc: processing whois ip=192.168.0.123
[debug] blocked services: matched rule: ||reddit.com^  host: www.reddit.com  service: reddit
[debug] dnsforward: host "www.reddit.com" is filtered, reason: "FilteredBlockedService"
[debug] dnsforward: finished processing filtering before req
[debug] dnsforward: started processing upstream
[debug] dnsforward: finished processing upstream
[debug] dnsforward: started processing filtering after resp
[debug] addrproc: finished processing whois ip=192.168.0.123 whois= elapsed=125.344µs
[debug] dnsforward: finished processing filtering after resp
[debug] ipset: started processing
[debug] dnsforward: finished processing dhcp hosts
[debug] dnsforward: started processing dhcp addrs
[debug] dnsforward: finished processing dhcp addrs
[debug] dnsforward: started processing filtering before req
[debug] blocked services: matched rule: ||reddit.com^  host: www.reddit.com  service: reddit
[debug] ipset: finished processing
[debug] dnsforward: started processing querylog and stats
[debug] dnsforward: client ip for stats and querylog: 192.168.0.123
[debug] dnsforward: host "www.reddit.com" is filtered, reason: "FilteredBlockedService"
[debug] dnsforward: finished processing querylog and stats
[debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsforward: finished processing filtering before req
[debug] dnsproxy: out line_num=3 line=""
[debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: out line_num=5 line=";www.reddit.com.\tIN\t AAAA"
[debug] dnsforward: started processing upstream
[debug] dnsproxy: out line_num=6 line=""
[debug] dnsproxy: out line_num=7 line=";; ANSWER SECTION:"
[debug] dnsproxy: out line_num=8 line="www.reddit.com.\t10\tIN\tAAAA\t::"
[debug] dnsforward: finished processing upstream
[debug] dnsproxy: out line_num=9 line=""
[debug] dnsforward: started processing filtering after resp
[debug] dnsforward: finished processing filtering after resp
[debug] ipset: started processing
[debug] ipset: finished processing
[debug] dnsforward: started processing querylog and stats
[debug] dnsforward: client ip for stats and querylog: 192.168.0.123
[debug] dnsforward: finished processing querylog and stats
[debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsproxy: out line_num=3 line=""
[debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: out line_num=5 line=";www.reddit.com.\tIN\t A"
[debug] dnsproxy: out line_num=6 line=""
[debug] dnsproxy: out line_num=7 line=";; ANSWER SECTION:"
[debug] dnsproxy: out line_num=8 line="www.reddit.com.\t10\tIN\tA\t0.0.0.0"
[debug] dnsproxy: out line_num=9 line=""

But if I make the request, passing the ClientID in the hostname, AGH doesn't detect the ClientID from the hostname and falls back to determining the client from the IP address of the client.

I trigger a hostname DoH call by running

curl -v --doh-url https://abcdefghijklmnop.example.org/dns-query https://www.reddit.com/

Log lines for an unsuccessful hostname DoH call

[debug] dnsproxy: incoming https request url=/dns-query
[debug] dnsproxy: using ip address from http request addr=192.168.0.123
[debug] dnsproxy: request came from proxy server addr=172.21.0.5:46810
[debug] dnsproxy: in line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: in line_num=2 line=";; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsproxy: in line_num=3 line=""
[debug] dnsproxy: in line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: incoming https request url=/dns-query
[debug] dnsproxy: in line_num=5 line=";www.reddit.com.\tIN\t A"
[debug] dnsproxy: using ip address from http request addr=192.168.0.123
[debug] dnsproxy: in line_num=6 line=""
[debug] dnsforward: started processing initial
[debug] dnsproxy: request came from proxy server addr=172.21.0.5:46824
[debug] addrproc: processing rdns ip=192.168.0.123
[debug] addrproc: finished processing rdns ip=192.168.0.123 host="" elapsed=159.233µs
[debug] addrproc: processing whois ip=192.168.0.123
[debug] dnsproxy: in line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] addrproc: finished processing whois ip=192.168.0.123 whois= elapsed=202.88µs
[debug] applying filters: looking for client with ip 192.168.0.123 and clientid ""
[debug] dnsproxy: in line_num=2 line=";; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
[debug] applying filters: using settings for client "Example Client" (192.168.0.123; "")
[debug] dnsproxy: in line_num=3 line=""
[debug] dnsforward: finished processing initial
[debug] dnsproxy: in line_num=4 line=";; QUESTION SECTION:"
[debug] dnsforward: started processing ddr
[debug] dnsforward: finished processing ddr
[debug] dnsproxy: in line_num=5 line=";www.reddit.com.\tIN\t AAAA"
[debug] dnsforward: started processing dhcp hosts
[debug] dnsproxy: in line_num=6 line=""
[debug] dnsforward: finished processing dhcp hosts
[debug] dnsforward: started processing initial
[debug] addrproc: processing rdns ip=192.168.0.123
[debug] applying filters: looking for client with ip 192.168.0.123 and clientid ""
[debug] addrproc: finished processing rdns ip=192.168.0.123 host="" elapsed=263.305µs
[debug] dnsforward: started processing dhcp addrs
[debug] addrproc: processing whois ip=192.168.0.123
[debug] applying filters: using settings for client "Example Client" (192.168.0.123; "")
[debug] addrproc: finished processing whois ip=192.168.0.123 whois= elapsed=517.976µs
[debug] dnsforward: finished processing initial
[debug] dnsforward: started processing ddr
[debug] dnsforward: finished processing ddr
[debug] dnsforward: started processing dhcp hosts
[debug] dnsforward: finished processing dhcp hosts
[debug] dnsforward: started processing dhcp addrs
[debug] dnsforward: finished processing dhcp addrs
[debug] dnsforward: started processing filtering before req
[debug] dnsforward: finished processing filtering before req
[debug] dnsforward: started processing upstream
[debug] dnsforward: finished processing dhcp addrs
[debug] dnsforward: started processing filtering before req
[debug] dnsforward: finished processing filtering before req
[debug] dnsforward: started processing upstream
[debug] dnsproxy: exchange successfully finished upstream=https://dns10.quad9.net:443/dns-query question=";www.reddit.com.\tIN\t A" duration=148.239197ms
[debug] dnsproxy: resolved src=upstream rtt=148.676983ms
[debug] dnsforward: finished processing upstream
[debug] dnsforward: started processing filtering after resp
[debug] dnsproxy: exchange successfully finished upstream=https://dns10.quad9.net:443/dns-query question=";www.reddit.com.\tIN\t AAAA" duration=150.664419ms
[debug] dnsproxy: resolved src=upstream rtt=151.493294ms
[debug] dnsforward: checked CNAME reddit.map.fastly.net for www.reddit.com.
[debug] dnsforward: finished processing upstream
[debug] dnsforward: started processing filtering after resp
[debug] dnsforward: checked A 151.101.1.140 for reddit.map.fastly.net.
[debug] dnsforward: checked CNAME reddit.map.fastly.net for www.reddit.com.
[debug] dnsforward: checked A 151.101.65.140 for reddit.map.fastly.net.
[debug] dnsforward: finished processing filtering after resp
[debug] dnsforward: checked A 151.101.129.140 for reddit.map.fastly.net.
[debug] ipset: started processing
[debug] ipset: finished processing
[debug] dnsforward: started processing querylog and stats
[debug] dnsforward: client ip for stats and querylog: 192.168.0.123
[debug] dnsforward: checked A 151.101.193.140 for reddit.map.fastly.net.
[debug] dnsforward: finished processing filtering after resp
[debug] dnsforward: finished processing querylog and stats
[debug] ipset: started processing
[debug] ipset: finished processing
[debug] dnsforward: started processing querylog and stats
[debug] dnsforward: client ip for stats and querylog: 192.168.0.123
[debug] dnsforward: finished processing querylog and stats
[debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: out line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 0"
[debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0"
[debug] dnsproxy: out line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0"
[debug] dnsproxy: out line_num=3 line=""
[debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: out line_num=3 line=""
[debug] dnsproxy: out line_num=5 line=";www.reddit.com.\tIN\t A"
[debug] dnsproxy: out line_num=4 line=";; QUESTION SECTION:"
[debug] dnsproxy: out line_num=5 line=";www.reddit.com.\tIN\t AAAA"
[debug] dnsproxy: out line_num=6 line=""
[debug] dnsproxy: out line_num=7 line=";; ANSWER SECTION:"
[debug] dnsproxy: out line_num=8 line="www.reddit.com.\t1092\tIN\tCNAME\treddit.map.fastly.net."
[debug] dnsproxy: out line_num=9 line=""
[debug] dnsproxy: out line_num=10 line=";; AUTHORITY SECTION:"
[debug] dnsproxy: out line_num=11 line="fastly.net.\t30\tIN\tSOA\tns1.fastly.net. hostmaster.fastly.com. 2017052201 3600 600 604800 30"
[debug] dnsproxy: out line_num=6 line=""
[debug] dnsproxy: out line_num=12 line=""
[debug] dnsproxy: out line_num=7 line=";; ANSWER SECTION:"
[debug] dnsproxy: out line_num=8 line="www.reddit.com.\t7032\tIN\tCNAME\treddit.map.fastly.net."
[debug] dnsproxy: out line_num=9 line="reddit.map.fastly.net.\t14\tIN\tA\t151.101.1.140"
[debug] dnsproxy: out line_num=10 line="reddit.map.fastly.net.\t14\tIN\tA\t151.101.65.140"
[debug] dnsproxy: out line_num=11 line="reddit.map.fastly.net.\t14\tIN\tA\t151.101.129.140"
[debug] dnsproxy: out line_num=12 line="reddit.map.fastly.net.\t14\tIN\tA\t151.101.193.140"
[debug] dnsproxy: out line_num=13 line=""

The interesting line in there to me is

[debug] applying filters: looking for client with ip 192.168.0.123 and clientid ""

which shows it's not getting a clientid.

For context, I have the wildcard DNS working so that my-client.example.org points to the server with SWAG and AGH, and I have the wildcard certificate working on the SWAG (Nginx) reverse proxy where TLS is terminated.

I have allow_unencrypted_doh: true configured in AdGuardHome.yaml as well as putting 172.16.0.0/12, which includes the SWAG docker IP in it in the trusted_proxies list.

I can't tell from the logs and have not yet had luck determining from the AGH code, how AGH uses the hostname to determine the ClientID.

Does AGH determine the Client ID by

Looking at the Host header in the http header of the DoH call which contains the hostname?
Looking for some other http header which would need to be forwarded by the reverse proxy?
Doing something with SNI which wouldn't be possible with DoH going over http between the SWAG reverse proxy and the AGH listener?
Some other method I'm not thinking of

I think if I can figure out the method AGH uses to extract the ClientID from the hostname, I can figue out why it isn't working for me.

gene1wood · 2024-11-18T21:54:58Z

gene1wood
Nov 18, 2024
Author

The reason I'm trying to figure this out is that on Android clients, the Private DNS feature accepts only a hostname, not a URL. As a result the only way to get it working is using the AGH hostname as the client ID like I describe above.

Has anyone gotten the wildcard hostname feature released in v0.108.0-b.18 working? Even just an indicator that it's worked for anyone would be a good pointer here.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How does AGH determine the client identifier from the DoH hostname when AGH is behind a reverse proxy? #7414

{{title}}

Replies: 1 comment

{{title}}

Select a reply

How does AGH determine the client identifier from the DoH hostname when AGH is behind a reverse proxy? #7414

gene1wood Nov 7, 2024

Replies: 1 comment

gene1wood Nov 18, 2024 Author

gene1wood
Nov 7, 2024

gene1wood
Nov 18, 2024
Author