AdGuard Home container fails to connect to TLS servers

While testing an AdGuard Home (ADH) container on a hAP ax3, I was unable to use TLS upstream domains.
When I try to use a TLS server, ADH fails to test the upstream DNS or respond to a client request.

Test upstream DNS Servers

tls://94.140.14.140
tls://dns.adguard-dns.com

Using default bootstrap DNS servers:

9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10

When I test the DNS server, ADH displays an error like this:

Server “tls://94.140.14.140”: could not be used, please check that you’ve written it correctly
[screenshot: tls_test_error]

However, when I try an HTTPS server, the connection is successful (https://94.140.14.140/dns-query).

Specified DNS servers are working correctly
[screenshot: https_test_success]

What bugs me more is that I have two other ADH setups with TLS servers and the tests are all successful, with no problems.
Only this instance running on Mikrotik fails with TLS servers.

I haven’t configured much of anything yet. Everything is running with the default configuration.
I thought this was a firewall issue, but could not find any rule that would drop AdGuard DNS requests.

This is my current firewall ruleset.

[MikroTik] > ip firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp in-interface=ether1 log=no log-prefix=""

 4    ;;; allow SSH connection from WAN
      chain=input action=accept protocol=tcp in-interface=ether1 port=1622 log=no log-prefix=""

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

 9    ;;; defconf: fasttrack for established and related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

This is the current container setup:

[@MikroTik] > container/print
 0 name="becac96f-607b-4c47-babe-0c41fc33a192" tag="adguard/adguardhome:latest" os="linux" arch="arm64" interface=veth1 root-dir=usb1/adguard mounts=adguard_workdir,adguard_confdir dns="" workdir="/opt/adguardhome/work"
   start-on-boot=yes status=running

[@MikroTik] > container/mounts/print
 0 ;;; AdGuard Home working directory
   name="adguard_workdir" src="/usb1/adguard/workdir" dst="/opt/adguardhome/work"

 1 ;;; Adguard Home configuration directory
   name="adguard_confdir" src="/usb1/adguard/confdir" dst="/opt/adguardhome/conf"

[screenshot: interface_list.png]

So, I’m lost. Why would only TLS servers fail to query in this Mikrotik container?
Can you guys help me diagnose this problem?

Upon closer inspection, I traced the packets back to my main firewall IPTables.
There was a chain blocking any packet on port 853 that was not destined for the main DNS host, which is also an ADH instance.
After changing the rule, the upstream TLS servers are reachable again.

Hi,

What is the CPU usage with AdGuard?

How do I add this rule in the command line? Thanks.

I’m seeing very low CPU and memory utilization.
[screenshot: mem_utilization.png]
[screenshot: cpu_usage.png]