
Settings custom DNS server not always possible, fallback fails #5029

Closed

gitthangbaby opened this issue Feb 2, 2024 · 2 comments

Comments

@gitthangbaby

AdGuard version

7.16.0

Browser version

any

OS version

Windows 11 2023H2

What filters do you have enabled?

AdGuard Base filter

What Stealth Mode options do you have enabled?

Hide your search queries, Strip URLs of tracking parameters, Self-destruction of third-party cookies, Disable WebRTC, Block Location API, Block Flash, Disable Windows Telemetry, Turn off Advertising ID, Disable Microsoft Defender automatic samples submission

Support ticket ID

No response

Issue Details

Steps to reproduce:

  1. Go to Settings > DNS Protection
  2. in "Select DNS server from the list" dialog, Add a custom DNS server
  3. add Adguard Home server, Save and select

Actual Behavior

A DNS server with this address already exists. DNS protection is enabled.

Expected Behavior

Accept the custom record, whatever it is.

  • ideally without the connectivity check ("Invalid Address"). This help is not needed.

Screenshots

No response

Additional Information

Adguard for Windows, unlike Adguard for Android, doesn't allow Adguard Home or any custom DNS server just because it thinks it's a duplicate. The steps above work on Android; the same server can be added many times, no matter whether it equals another custom item or equals "System default".

It should be allowed on Windows. "System default", and the failover mechanism, is confusing on both OSes, and has caused connectivity blocking over years of use. "System default" could also be anything at the moment, which is highly undesirable and means "bypass". The idea is to use Adguard Home all of the time.

DNS filtering or at least logging is desired, but without the cost of Adguard trying to set the DNS address with random success.

Solution:
a) don't set the DNS upstream. DNS filtering seems to be linked to control of the DNS server setting. Not sure if this is a must, but if so, point b)
b) Adguard for Windows fix: be able to set a static forever address as a DNS. Ignore the fact that it is the same as "System default" at the moment. Ignore the connectivity check as well.
c) admin can also try to trick the GUI. Add a unique record to pass the unwanted duplicate and connectivity check (can be challenging in an environment where a firewall is blocking alien DNS). Then edit the record and set it to the Adguard Home IP with port 53. Bingo, checks bypassed.

It takes a blackout or just a resume from sleep to be locked out of DNS. In the tested environment, in this case there's only Adguard Home allowed as DNS (simple IP). A local server DNS query could easily be found in the "DNS exclusions". With "[ ] Use fallback DNS upstreams" disabled (knowing that on Android it forces Adguard public servers = bypass), this causes Adguard for Windows to report SERVFAIL back to the user. Adguard's "filtering log" doesn't show the DNS upstream server in this case, so the communication must be recorded in Wireshark:

No.	Time	Source	Destination	Protocol	Length	Info
961	1.885912	localhost.local	localhost.local	DNS	70	Standard query 0x0002 A web.local.net.local
962	1.886444	localhost.local	localhost.local	DNS	70	Standard query response 0x0002 Server failure A web.local.net.local
967	1.887530	localhost.local	localhost.local	DNS	70	Standard query 0x0003 AAAA web.local.net.local
968	1.887931	localhost.local	localhost.local	DNS	70	Standard query response 0x0003 Server failure AAAA web.local.net.local
973	1.888910	localhost.local	localhost.local	DNS	63	Standard query 0x0004 A web.local.net
974	1.889284	localhost.local	localhost.local	DNS	63	Standard query response 0x0004 Server failure A web.local.net
979	1.890766	localhost.local	localhost.local	DNS	63	Standard query 0x0005 AAAA web.local.net

So Adguard for Windows is no longer asking Adguard Home for local records, despite connectivity having been resumed. From the user's point of view, dozens of local servers stop working, although they worked before a general network issue.

It seems that trying to avoid Adguard's DNS management as much as possible reveals the second issue: the existing default DNS exclusion lists collide with the admin's setting. Solution:
a) Adguard for Windows fix: if fallback is disabled, ignore the exclusion lists. Can't force DNS to null.
b) admin: don't alter the "Use fallback DNS upstreams" checkbox; instead define a custom fallback server = Adguard Home IP
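The report above describes the symptom (SERVFAIL from the local resolver while AdGuard Home itself is reachable) but has to fall back to Wireshark to see it. As an added diagnostic, not AdGuard code and not part of the issue report, the PowerShell below shows what "System default" currently points at and then resolves the same names through the system path and directly against AdGuard Home, so the two can be compared without a capture. The AdGuard Home address 192.168.1.2 and the public name example.com are assumptions; web.local.net is the internal name from the capture above.

```powershell
# Added diagnostic script; not AdGuard code and not part of the issue report.
# Assumptions (not from the issue): AdGuard Home listens on 192.168.1.2 port 53
# (hypothetical address), AdGuard for Windows is installed on this host and
# handles the adapter's DNS traffic, and web.local.net is a record that only
# AdGuard Home can answer (name taken from the capture in the report).
$AdGuardHome = '192.168.1.2'    # hypothetical AdGuard Home IP
$LocalName   = 'web.local.net'  # internal name from the Wireshark capture
$PublicName  = 'example.com'    # any public name; used to detect silent fallback

# 1. What "System default" means at this moment: per-adapter DNS servers.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 2. Resolve a name either through the system path (whatever AdGuard for
#    Windows has configured) or directly against a given server, and record
#    SERVFAIL/timeout as FAIL instead of letting the error abort the script.
function Test-Upstream {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [string]$Server        # empty = use the system resolver path
    )
    $via = if ($Server) { $Server } else { 'system resolver' }
    $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $params['Server'] = $Server }
    try {
        $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{ Name = $Name; Via = $via; Result = 'OK';
                           Detail = ($answers.IPAddress -join ', ') }
    } catch {
        # "DNS server failure" here is the SERVFAIL seen in the capture
        [pscustomobject]@{ Name = $Name; Via = $via; Result = 'FAIL';
                           Detail = $_.Exception.Message }
    }
}

$results = @(
    Test-Upstream -Name $LocalName
    Test-Upstream -Name $LocalName  -Server $AdGuardHome
    Test-Upstream -Name $PublicName
    Test-Upstream -Name $PublicName -Server $AdGuardHome
)
$results | Format-Table -AutoSize

# 3. Interpret the four results.
$localSys    = $results | Where-Object { $_.Name -eq $LocalName  -and $_.Via -eq 'system resolver' }
$localDirect = $results | Where-Object { $_.Name -eq $LocalName  -and $_.Via -eq $AdGuardHome }
$publicSys   = $results | Where-Object { $_.Name -eq $PublicName -and $_.Via -eq 'system resolver' }

if ($localDirect.Result -eq 'FAIL') {
    Write-Warning "AdGuard Home at $AdGuardHome does not answer $LocalName directly: look at the server or a firewall rule, not at the client."
}
elseif ($localSys.Result -eq 'FAIL' -and $publicSys.Result -eq 'OK') {
    # Public names still resolve but the local one does not: the local query
    # is not reaching AdGuard Home (exclusion list, or another upstream is
    # answering), which is the bypass the report warns about.
    Write-Warning "System path resolves public names but fails $LocalName, which AdGuard Home answers directly: the client is not forwarding that query to AdGuard Home."
}
elseif ($localSys.Result -eq 'FAIL') {
    Write-Warning "Everything fails through the system path while AdGuard Home works directly: the client itself is returning SERVFAIL, as in the capture."
}
else {
    Write-Output "Local names resolve through the system path; forwarding to AdGuard Home looks intact."
}
```

Run it once while everything works and again after a resume from sleep; the third branch is the state shown in the capture, and the second branch is the one to worry about from a filtering standpoint, because resolution "works" while the filtering server is no longer in the path.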

@Aydinv13

@gitthangbaby Hi there, and sorry for the big delay.

add Adguard Home server, Save and select

Are you just adding the same DNS server twice?

Adguard for Windows, unlike Adguard for Android, doesn't allow Adguard Home or any custom DNS server just because it thinks it's duplicit.

Can you give us an example?

Ignore the connectivity check as well

Can you explain it in more detail, please.

@gitthangbaby (Author)

gitthangbaby commented Feb 21, 2024

@Aydinv13 Hi

  • No, I'm adding a unique server IP or hostname (which might be the same as "Automatic", but that's OK) and it's the first custom item (that should allow any entry).

  • So when adding the first custom entry, and that entry happens to be the same as what Adguard thinks is "System default", it ends up like this:
    [screenshot: add-server dialog]
    ->
    [screenshot: "A DNS server with this address already exists" error]

To override, it's possible to add port :53, even though it's literally still the same address as "System Default".
I reckon such a duplicate check is completely pointless. We should be able to add our servers as we wish. What "System Default" is right now is not important. The goal is to set your server statically from now on.

The duplicate check could perhaps cover only custom entries.

  • The connectivity check is redundant too.
    I don't see the point of telling me that Adguard is not able to connect. I care about what I will be able to connect to, and I know it's that IP. Such assistance is not needed:
    [screenshot: "Invalid Address" connectivity check]
    But I'd say it's lower priority than the duplicate check.
