Q&A Adguard vs NextDNS. Need help understanding the test results.

JoyousBudweiser

I copy the more elegant explanation from @JoyousBudweiser
3. You can also use the new desktop AdGuard (version 7.5) and use NextDNS as a DoH/DoT resolver. (Go to Settings > DNS > Add a custom DNS "https://dns.nextdns.io/xxxxxx". Replace "xxxxxx" with your configuration ID, which you can find in your NextDNS account.)

For choosing the AdguardDNS I just had to select the AdguardDNS server (inside the Adguard desktop app) instead of the freshly created NextDNS server. That's the way I did my testing.
To be honest I forgot to flush the DNS cache as kindly pointed out. But even after doing it I get the same results.
Please set the DNS in the IPv4 settings (in Windows) to NextDNS and also set the DNS in your router to NextDNS, flush the DNS cache in Windows and do a retest to see whether you get your desired results. If you get what you are looking for after using the above-mentioned settings, it would mean that the Adguard on your system has some issues using an external DoH server. You can then try uninstalling Adguard completely and reinstalling it to see whether the issue is solved or not.
 

Freki123

@JoyousBudweiser I set the IPv4 addresses in Windows (the router has no changeable settings), did a flushdns and a reboot.
1) NextDNS enabled (within Adguard) and the NextDNS IPv4 inside Windows > Working OK // NextDNS servers and Cloudblock IP shown
Did a flushdns and a reboot
2) Only NextDNS enabled (within Adguard) > Not OK // NextDNS servers, Cloudblock IP and ISP server shown

So if I understand it right, if the problems continue after a fresh Adguard install, it's time to let them (Adguard) know something may be wrong?
 

JoyousBudweiser

Reinstall Adguard and see if that resolves it. If not get in touch with Adguard.
 

Freki123

Did a reinstall, same problem. So I will have to talk with the Adguard team about it.
I would never have thought that Adguard could be the problem and not the DNS.

I wanted to say a big "Thank You" to all who helped me to find the problem and the good suggestions.
Thanks :)
 

valvaris

Ohhh... now I get it.... so the Router can not be edited!

DNS is set at the Windows PC Client.

Then the issues start:
- Windows 10 by default tries to go over IPv6 (that has been disabled.) = OK
- Windows 10 by default has mDNS enabled for the local network, hence LAN - port 5353 - leak potential
- Application-controlled DNS over HTTPS / TLS is a proxy on the Windows client that can, depending on config, not work because of certificates.
- Windows 10 UWP apps can have static DNS entries... - use a software firewall to block it!
- If a switch is used in the network, for example a "Cisco SG250", they can break DNS and leak....

Now to the leak tests:
- Take them with a grain of salt! -> Not all leak tests are equal, and they are very browser dependent! - Some browsers use alternative DNS address settings; others can forward the traffic to other DNS servers if things like DoH or DoT are in use.

Known DNS Ports:
DNS Port 53 TCP/UDP - DoH (DNS over HTTPS)
DNS over TLS Port 853 TCP/UDP - DoH (DNS over HTTPS)
mDNS Port 5353 UDP

Known browsers with built-in DNS services:
Firefox - DoH - Options/Preferences > General > Network Settings.
Edge Chromium - DoH - at edge://settings/privacy on feature versions current canary build.
Chromium = I don't know...

Sincerely
Val.
 

JoyousBudweiser

The only sure-shot fix to all those DNS leaks is to use DoH or DoT in the router and create a dst-NAT rule to forward all port 53 and 5353 traffic to the router DNS. For that you might need Edge/MikroTik/pfSense (or its iterations)/DD-WRT/OpenWrt routers where you can configure firewall rules, and a proper DNS leak test would be to sniff port 53 traffic on the WAN port (if you have enabled DoH or DoT, then the WAN port should not show port 53 traffic). (MikroTik routers have a tool called "torch" by which you can see the traffic going through its ports.)
 
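The WAN-side check described above (no port 53 should be visible once DoH/DoT is in use, and mDNS on 5353 should never leave the LAN) can be turned into a small script. This is an added example, not code from the thread or from any of the products mentioned: it classifies tcpdump-style lines from a constructed capture, and the resolver address is an assumed placeholder to replace with your own.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (as from `tcpdump -n -l` on the WAN interface); not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 45.90.28.0.853: Flags [S], seq 1, win 64240, length 0
12:00:01.200001 IP 192.168.1.20.51235 > 203.0.113.53.53: 4711+ A? example.com. (29)
12:00:01.400001 IP 192.168.1.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
12:00:01.600001 IP 192.168.1.20.51236 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.800001 IP6 fe80::1.5353 > ff02::fb.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
"""

# Assumed placeholder for the encrypted resolver's address; replace with your resolver's IPs.
ENCRYPTED_RESOLVERS = {"45.90.28.0"}

# tcpdump prints "src.sport > dst.dport:" for both IPv4 and IPv6; the last dot separates the port.
FLOW_RE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+):")

def classify(line, resolvers=ENCRYPTED_RESOLVERS):
    """Return (verdict, src, dst, dport) for one tcpdump line, or None if it carries no flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(3), int(m.group(4))
    if dport == 53:
        verdict = "LEAK plain DNS"      # any port-53 egress on the WAN bypasses DoH/DoT
    elif dport == 5353:
        verdict = "LEAK mDNS"           # multicast DNS belongs on the LAN only
    elif dport == 853:
        verdict = "ok DoT" if dst in resolvers else "SUSPECT DoT to unknown resolver"
    else:
        verdict = "ok"                  # DoH rides on 443 and is indistinguishable from HTTPS here
    return verdict, src, dst, dport

def find_leaks(capture, resolvers=ENCRYPTED_RESOLVERS):
    """Return the leaking/suspect flows and a per-verdict count over a whole capture."""
    leaks, counts = [], Counter()
    for line in capture.splitlines():
        result = classify(line, resolvers)
        if result is None:
            continue
        counts[result[0]] += 1
        if result[0].startswith(("LEAK", "SUSPECT")):
            leaks.append(result)
    return leaks, counts

if __name__ == "__main__":
    found, summary = find_leaks(SAMPLE_CAPTURE)
    for verdict, src, dst, dport in found:
        print(f"{verdict}: {src} -> {dst}:{dport}")
    print(dict(summary))
```

Feed it real output with `tcpdump -n -l -i <wan-interface> | python3 leakcheck.py`-style piping by reading `sys.stdin` instead of `SAMPLE_CAPTURE`; with DoH/DoT working, the "LEAK plain DNS" count should be zero.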

porkpiehat

It appears that I'm having a similar problem... when using the Web-based DNS Randomness Test | DNS-OARC test, both the system (network) DNS and the browser-based (DoH) DNS show up. If you have your system (network) DNS set for Quad9 and the browser set for Cloudflare, both will show up, but if you do a DNS leak test, only the browser DNS will show... somehow, the DNS Randomness Test is managing to test both the system and the browser-based DNS.
 