OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Dutchman on June 29, 2026, 06:54:14 PM

Title: Suspicious repeated DNS traffic from an external source IP address; cause unknown
Post by: Dutchman on June 29, 2026, 06:54:14 PM

Configuration
- OPNsense with AdGuard Home as a plugin (`os-adguardhome-maxit`), Unbound as the upstream resolver at `127.0.0.1:5335`
- LAN `192.168.188.0/24`, IoT VLAN `192.168.20.0/24`
- WireGuard active on port 51820, 3 peers (iPhone, iPad, MacBook)

Problem
In the AdGuard Home query log, I see constantly repeated DNS queries (multiple per second, active for hours/days) to four seemingly random domains:

```
setrol.com
holodisks.com
randomchoice.org
eletricalsheet.com
```

All queries are logged with **client IP `60.168.131.252`**, a public IP address in China (WHOIS: CHINANET-AH, Anhui).

Raw data from `/usr/local/AdGuardHome/data/querylog.json`:
```json
{"T":"2026-06-29T12:07:57.804291543+02:00","QH":"eletricalsheet.com","QT":"A","QC":"IN","CP":""," IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":99867}
```

What I've already ruled out
1. **Open DNS resolver on the WAN**: Found a WireGuard firewall rule that was too broad (UDP, source `*`, destination port `*` to WAN address) which accidentally allowed external requests on port 53 as well. I restricted this to destination port 51820 (the WireGuard port). Confirmed with `nslookup google.com <WAN-IP>` from an external network → now correctly times out.
   - **Result: Queries in the AdGuard query log continue unabated, even after this fix.** However, I now see "Blocked" instead of "Processed" since I manually added the 4 domains to the custom filter rules—so AdGuard is still actively receiving these queries.

2. **WireGuard as a relay**: checked via VPN → WireGuard → Status. None of the 3 peers have a recent handshake (oldest was 4–6 days ago), and all peers currently show 0 or very little traffic. This rules out an active WireGuard tunnel as the direct source.

3. **Local device sending the queries**: packet capture on the LAN interface (igc1), filter `udp port 53`, over 100 packets captured—none of the four suspicious domain names appeared in the capture, even though they did appear in the AdGuard query log during the same period.

4. **IPv6 as an alternative path**: checked via Interfaces → Overview on the WAN interface (OdidoWAN). Only an IPv4 address is present; no routable IPv6 address. This rules out an IPv6 leak alongside the IPv4 WireGuard rule as an explanation.

The Question
How can AdGuard Home log queries with an external (Chinese) source IP when:
- WAN port 53 is no longer accessible from the outside (confirmed with an nslookup test),
- there is no active WireGuard session,
- a packet capture on the LAN interface does not show these queries?

Is there a mechanism in AdGuard Home (e.g., EDNS Client Subnet, or something related to how the plugin/Unbound integration works) that could cause an external IP address to appear in the query log without it actually being an incoming request? Or is there another vulnerability I haven't found yet (for example, another open port, IPv6 instead of IPv4, or a tunnel/proxy I haven't checked)?

Any suggestions on where to look next are welcome.
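One way to triage the query log offline before reading it line by line, as an added example that is not part of the original post or of AdGuard Home: the script below parses `querylog.json` lines (the sample lines are constructed here, using the four domains and the external client IP from the post), classifies each client IP as local or external against the LAN and IoT subnets named in the post, and counts per client how many queries hit the four domains. The WireGuard tunnel subnet is not given in the post, so it is left as an assumption to add to `LOCAL_NETS`; any client that is still reported as external after the WAN rule change is reaching a listener AdGuard Home has open on some interface.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of AdGuard Home querylog.json lines (one JSON object per
# line). The domains and the external client IP come from the post; the two
# LAN/IoT client lines are invented for illustration.
SAMPLE_LOG = """\
{"T":"2026-06-29T12:07:57.804291543+02:00","QH":"eletricalsheet.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":99867}
{"T":"2026-06-29T12:07:58.104291543+02:00","QH":"setrol.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Reason":0,"IsFiltered":false},"Elapsed":1200}
{"T":"2026-06-29T12:07:58.504291543+02:00","QH":"holodisks.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Reason":0,"IsFiltered":false},"Elapsed":1300}
{"T":"2026-06-29T12:07:59.004291543+02:00","QH":"example.org","QT":"A","QC":"IN","CP":"","IP":"192.168.188.42","Result":{"Reason":0,"IsFiltered":false},"Elapsed":800}
{"T":"2026-06-29T12:07:59.204291543+02:00","QH":"randomchoice.org","QT":"A","QC":"IN","CP":"","IP":"192.168.20.7","Result":{"Reason":0,"IsFiltered":false},"Elapsed":900}
"""

# Subnets the post names as internal. The WireGuard tunnel subnet is not in
# the post; add it here if VPN peers should count as local (assumption).
LOCAL_NETS = [
    ipaddress.ip_network("192.168.188.0/24"),  # LAN
    ipaddress.ip_network("192.168.20.0/24"),   # IoT VLAN
    ipaddress.ip_network("127.0.0.0/8"),       # queries from the firewall itself
]

# The four domains the post reports as repeating.
SUSPICIOUS = {"setrol.com", "holodisks.com", "randomchoice.org", "eletricalsheet.com"}


def parse_querylog(text):
    """Parse newline-delimited JSON; skip blank or truncated lines (a live
    querylog.json often ends with a partially written record)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def client_is_local(ip_str, local_nets):
    """True if the client address falls inside one of the internal subnets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in local_nets)


def summarize(entries, local_nets, suspicious=SUSPICIOUS):
    """Per client IP: local/external flag, total queries, queries for the
    suspicious domains, and a Counter of queried names."""
    summary = {}
    for entry in entries:
        ip = entry.get("IP", "")
        rec = summary.setdefault(ip, {
            "local": client_is_local(ip, local_nets),
            "total": 0,
            "suspicious": 0,
            "domains": Counter(),
        })
        name = entry.get("QH", "").rstrip(".").lower()
        rec["total"] += 1
        rec["domains"][name] += 1
        if name in suspicious:
            rec["suspicious"] += 1
    return summary


def external_clients(summary):
    """Client IPs outside the internal subnets, sorted. A resolver that is
    meant to serve only the LAN should report none of these."""
    return sorted(ip for ip, rec in summary.items() if not rec["local"])


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/usr/local/AdGuardHome/data/querylog.json").read()
    # to run this against the real file.
    summary = summarize(parse_querylog(SAMPLE_LOG), LOCAL_NETS)
    for ip, rec in summary.items():
        where = "local" if rec["local"] else "EXTERNAL"
        print(f"{ip:16} {where:9} total={rec['total']} suspicious={rec['suspicious']}")
    print("external clients:", external_clients(summary))
```

Comparing the output against a packet capture on each interface AdGuard Home listens on (not only the LAN one) shows which listener the external client reaches, since the query log records the address AdGuard Home saw the query arrive from.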
Title: Re: Suspicious repeated DNS traffic from an external source IP address; cause unknown
Post by: cookiemonster on June 29, 2026, 10:11:49 PM
It sounds like somehow your firewall rules are or were left too open and allowed traffic into your AdGuardHome port.
If you use the ADGH UI and go to "Setup guide" you'll see it listening on all interfaces unless you've changed from the defaults, which are the result of "$ifconfig | grep inet" on your OPN.
That will include your WAN ip address.
Therefore my thinking is firewall rules need revising.
So 1. **Open DNS resolver on the WAN** seems to have caught it. It might only need a reset of firewall states. Hopefully!