inconclusive case. AdGuard Home not listening on loopback by default

Started by iorx, March 31, 2025, 10:35:30 AM

Hi!

Encountered this when mucking around with DNS redirects, AdGuard Home set as primary (53) and Unbound at 8053. I wanted the redirect to go to loopback:53. (Note: Unbound usage. Forwarding my local domain suffix to unbound:8053 to get hosts resolving and reverse lookups.)

AdGuard not answering... until I added 127.0.0.1 to bind_hosts in AdGuardHome.yaml @ /usr/local/AdGuardHome:

dns:
  bind_hosts:
    - 0.0.0.0
    - 127.0.0.1
  port: 53

BSD by default doesn't bind the loopback interface when specifying only 0.0.0.0. Linux does...
Unbound does answer on loopback by default as I understand it.

Don't know if mimugmail lurks the forums here. If so, any comment on this? Should the above bind be set as default maybe? It conforms more with the behaviour of the Unbound implementation then.

For ref. nslookup tests:
> set port=8053
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#8053
> dn.se
Server:         127.0.0.1
Address:        127.0.0.1#8053

Non-authoritative answer:
Name:   dn.se
Address: 34.117.105.189

> set port=53
> dn.se
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   dn.se
Address: 34.117.105.189

> BSD by default doesn't bind loopback interface when specifying only 0.0.0.0. Linux does...
Not quite correct. The behaviour of /etc/resolv.conf for your OPN is determined by the use of System > Settings > General > DNS Server options.
If you select (tick) "Do not use the local DNS service as a nameserver for this system" then the entry "nameserver 127.0.0.1" in the file is removed. Nothing to do with FreeBSD default bindings.
If you untick it, then the entry is added.

Hi!

If I interpret what you say here, it is about how Unbound handles answering on 127.0.0.1.

More generally, how 127.0.0.1 is bound as an interface. 0.0.0.0 binds to all interfaces but not the loopback 127.0.0.1 because "it's a bit special" as I understand it.

It was not easy to find a good reference for this. Two different AIs explained it rather well, but for a human-generated explanation I found this: https://stackoverflow.com/questions/20778771/what-is-the-difference-between-0-0-0-0-127-0-0-1-and-localhost

Editing the YAML for AdGuard and adding 127.0.0.1 so it listens on that makes it behave more like Unbound's default settings in OPNsense. "Do not use the local DNS service as a nameserver for this system" is default off and Unbound answers on 127.0.0.1.

Is that more correct?

0.0.0.0 is INADDR_ANY and does also cover 127.0.0.1. I wonder what's different for your installation?

I have this in my YAML:

dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

And this is the result:

tcp46      0      0 *.53                   *.*                    LISTEN     
udp46      0      0 *.53                   *.*                   

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
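Patrick's point that INADDR_ANY (0.0.0.0) also covers 127.0.0.1 can be checked directly; the script below is an added example, not code from the thread or from AdGuard Home. It binds a throwaway UDP socket the way bind_hosts does and verifies that a datagram sent to 127.0.0.1 arrives, and it can send a minimal A query for dn.se to 127.0.0.1:53 and :8053 (the AdGuard Home and Unbound ports used in this thread) and report the rcode, mirroring the nslookup/drill checks; the function names are my own.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A query with RD set: the question nslookup/drill send."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(msg: bytes) -> dict:
    """Pull id, QR bit, rcode and answer count out of a DNS header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15, "rcode": flags & 0xF, "answers": an}

def probe(server: str, port: int, name: str, timeout: float = 2.0):
    """Send one query over UDP; return the parsed reply header, or None."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
        except OSError:          # timeout or ICMP port unreachable
            return None
    hdr = parse_header(reply)
    return hdr if hdr["id"] == parse_header(query)["id"] else None

def loopback_reachable(bind_addr: str = "0.0.0.0") -> bool:
    """Bind a UDP listener the way bind_hosts does, then send to 127.0.0.1.
    True means a listener on bind_addr receives loopback traffic."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(1.0)
    try:
        srv.bind((bind_addr, 0))                 # port 0: kernel picks one
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            cli.sendto(build_query("dn.se"), ("127.0.0.1", port))
        data, _ = srv.recvfrom(512)
        return data == build_query("dn.se")
    except OSError:
        return False
    finally:
        srv.close()

if __name__ == "__main__":
    print("listener on 0.0.0.0 reachable via 127.0.0.1:", loopback_reachable())
    for port in (53, 8053):   # AdGuard Home and Unbound ports from the thread
        print(f"127.0.0.1:{port} ->", probe("127.0.0.1", port, "dn.se"))
```

Run it on the firewall itself: a None for port 53 with loopback_reachable() True points at the service or its config rather than at the kernel's handling of 0.0.0.0.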

Same with my AdGH yaml:
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
giving:
root     AdGuardHom 24535 115 udp46  *:53                  *:*
root     AdGuardHom 24535 119 tcp46  *:53                  *:*
Additionally if I go to AdG UI and to the Setup Guide tab, I see that unwrapped to list each enabled interface including 127.0.0.1
I never added 127.0.0.1 to the yaml myself.

Patrick M. Hausen & cookiemonster

Strange. Maybe I made a blunder going through the Setup guide initially then if 127.0.0.1 was an option to include.

But to make things obvious here. If you guys use nslookup in a shell and set server to 127.0.0.1 you get answers? Mine didn't until I added 127.0.0.1...
Trying to figure out if my install is "borked" or what can be going on here.

Sure:
root@opnsense:~ # drill @127.0.0.1 www.heise.de
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 10056
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.heise.de. IN A

;; ANSWER SECTION:
www.heise.de. 50122 IN A 193.99.144.85

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 25 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Mar 31 17:10:32 2025
;; MSG SIZE  rcvd: 46

Quote from: cookiemonster on March 31, 2025, 01:59:53 PM
Not quite correct. The behaviour of /etc/resolv.conf for your OPN is determined by the use of System > Settings > General > DNS Server options.

/etc/resolv.conf and the bind address of the DNS service are not related to each other.

What the fork!

I just edited the yaml so it only has 0.0.0.0 and restarted the AdGuard service. Now it works!
So odd, as I tested this back and forth to be sure that it only worked when I had 127.0.0.1 in there.

I'm confused. Maybe I should change the subject of this thread to "inconclusive case".

root@fw:/usr/local/AdGuardHome # drill @127.0.0.1 svt.se
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65417
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; svt.se.      IN      A

;; ANSWER SECTION:
svt.se. 2908    IN      A       13.248.174.171
svt.se. 2908    IN      A       3.33.226.205

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Mar 31 17:17:37 2025
;; MSG SIZE  rcvd: 56
root@fw:/usr/local/AdGuardHome # cat AdGuardHome.yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 10.23.1.2:3333
  session_ttl: 720h
users:
  - name: admin
    password: ***********
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

Many thanks to everyone putting time, brain and keypushing into this!

And sorry for the noise.

Brgs,

Quote from: Patrick M. Hausen on March 31, 2025, 05:15:14 PM
Quote from: cookiemonster on March 31, 2025, 01:59:53 PM
Not quite correct. The behaviour of /etc/resolv.conf for your OPN is determined by the use of System > Settings > General > DNS Server options.

/etc/resolv.conf and the bind address of the DNS service are not related to each other.
I know. There is the rest of the post for context.