JoyousBudweiser

Level 9
Verified
I copy the more elegant explanation from @JoyousBudweiser
3. You can also use the new desktop Adguard (version 7.5) and use NextDNS as a DoH/DoT resolver. (Go to Settings > DNS > Add a custom DNS "https://dns.nextdns.io/xxxxxx". Replace "xxxxxx" with your configuration ID, which you can find in your NextDNS account.)

For choosing the AdguardDNS I just had to select the AdguardDNS server (inside the Adguard desktop app) instead of the freshly created NextDNS server. That's the way I did my testing.
To be honest I forgot to flush the DNS cache as kindly pointed out. But even after doing it I get the same results.
Please set the DNS in the IPv4 settings (in Windows) to NextDNS and also set the DNS in your router to NextDNS, flush the DNS cache in Windows and do a retest to see whether you get your desired results. If you get what you are looking for after using the above-mentioned settings, it would mean that the Adguard in your system has some issues using an external DoH server. You can then try uninstalling Adguard completely and reinstalling it to see whether the issue is solved or not.
 

Freki123

Level 8
Verified
@JoyousBudweiser I set the IPv4 addresses in Windows (the router has no changeable settings), did a flushdns and a reboot.
1) NextDNS enabled (within Adguard) and the NextDNS IPv4 inside Windows > Working OK // NextDNS servers and cloudblock IP shown
Did a flushdns and a reboot
2) Only NextDNS enabled (within Adguard) > Not OK // NextDNS servers, cloudblock IP and ISP server shown

So if I understand it right, if after a new Adguard install the problems continue, it's time to let them (Adguard) know something may be wrong?
 

JoyousBudweiser

Level 9
Verified
Reinstall Adguard and see if that resolves it. If not, get in touch with Adguard.
 

valvaris

Level 4
Verified
Ohhh... now I get it.... so the Router can not be edited!

DNS is set at the Windows PC Client.

Then the issues start:
- Windows 10 by default tries to go over IPv6 (that has been disabled.) = OK
- Windows 10 by default has mDNS enabled for the local network, hence LAN - Port 5353 - leak potential
- Application-controlled DNS over HTTPS/TLS is a proxy on the Windows client that can, depending on config, not work because of certificates.
- Windows 10 UWP apps can have static DNS entries... - Use a software firewall to block it!
- If a switch is used in the network, for example a "Cisco SG250", they can break DNS and leak....

Now to the leak tests:
- Take them with a grain of salt! -> Not all leak tests are equal, and they are very browser dependent! - Some browsers use alternative DNS address settings; others can forward the traffic to other DNS servers if things like DoH or DoT are in use.

Known DNS Ports:
DNS Port 53 TCP/UDP - DoH (DNS over HTTPS)
DNS over TLS Port 853 TCP/UDP - DoH (DNS over HTTPS)
mDNS Port 5353 UDP

Known browsers with built-in DNS services:
Firefox - DoH - Options/Preferences > General > Network Settings.
Edge Chromium - DoH - at edge://settings/privacy on feature versions current canary build.
Chromium = I don't know...

Sincerely
Val.
 

JoyousBudweiser

Level 9
Verified
The only sure-shot fix to all those DNS leaks is to use DoH or DoT in the router and create a DST NAT rule to forward all port 53 and 5353 traffic to the router DNS. For that you might need Edge/MikroTik/pfSense (or its iterations)/DD-WRT/OpenWrt routers where you can configure firewall rules, and a proper DNS leak test would be to sniff port 53 traffic on the WAN port (if you have enabled DoH or DoT, then the WAN port should not show port 53 traffic). (MikroTik routers have a tool called "torch" by which you can see the traffic going through their ports.)
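The WAN-side leak test described above, as an added Python example that is not from this thread: it parses constructed tcpdump-style lines (documentation-range addresses, and an assumed router WAN address in WAN_IP) and reports any plaintext DNS or mDNS packets that left the WAN side, while DoT traffic is only counted as expected.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines, as if captured on the router's WAN
# interface; addresses are documentation ranges, not real resolvers.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.51234 > 198.51.100.1.853: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:02.000001 IP 203.0.113.10.60001 > 192.0.2.53.53: 12345+ A? example.com. (29)
12:00:02.000500 IP 192.0.2.53.53 > 203.0.113.10.60001: 12345 1/0/0 A 198.51.100.7 (45)
12:00:02.000900 IP 203.0.113.10.60002 > 192.0.2.53.53: 12346+ AAAA? example.com. (29)
12:00:03.000001 IP 203.0.113.10.44444 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
12:00:04.000001 IP 203.0.113.10.51236 > 198.51.100.1.443: Flags [P.], seq 1:100, ack 1, win 502, length 99
"""

# Hypothetical WAN address of the router; only packets it sends out count.
WAN_IP = "203.0.113.10"

# Port 53 is plaintext DNS and 5353 is mDNS: neither should leave the WAN side
# once the router resolves over DoT (853) or DoH (443, plain HTTPS to a capture).
LEAK_PORTS = {53: "plain DNS (port 53)", 5353: "mDNS (port 5353)"}
ENCRYPTED_PORTS = {853: "DoT (port 853)"}

# Matches the "IP src.sport > dst.dport:" header tcpdump prints for IPv4.
_HDR = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_line(line):
    m = _HDR.search(line)
    if m is None:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def find_dns_leaks(capture, wan_ip=WAN_IP):
    """Return (leaks, summary): leaks lists (dst, dport, payload) for plaintext
    DNS/mDNS packets that left the router; summary counts outbound packets."""
    leaks, summary = [], Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt[0] != wan_ip:   # skip replies and non-IP noise
            continue
        _, _, dst, dport = pkt
        payload = line.split(": ", 1)[1]
        category = LEAK_PORTS.get(dport) or ENCRYPTED_PORTS.get(dport) or "other"
        summary[category] += 1
        if dport in LEAK_PORTS:
            leaks.append((dst, dport, payload))
    return leaks, dict(summary)
```

A clean result after the DoH/DoT-plus-DNAT setup is an empty leaks list with only the DoT (or 443) categories in the summary.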