External ISP DNS config overwrites local AGH DNS Rewrite config. Why?

[MarsWarrior]

Have a question or an idea? Please search it on our forum to make sure it was not yet asked. If you cannot find what you had in mind, please submit it here.

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

• I am running the latest version (problem first found with version 105.3)
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Issue Details

• Version of AdGuard Home server:
  • 105.3/106.3
• How did you install AdGuard Home:
  • Docker
• How did you setup DNS configuration:
  • dhcpd on RPI
• If it's a router or IoT, please write device model:
  • RPI2
• CPU architecture:
  • AMD64
• Operating system and version:
  • Ubuntu 20.04 LTS

Expected Behavior

AGH is combined with Unbound in a single Docker container.

A DNS rewrite for say test1.domain.com uses the defined ip address (A record) and not the externally defined CNAME, which points to another A record.

Actual Behavior

Depending on the order of configuration actions, the DNS rewrite is overruled by the external DNS configuration.

Situation:

• external DNS defines domain.com to the static public IP address of my internet connection.
• external DNS defines test1.domain.com as a CNAME to domain.com

And:

• internal DNS (AGH DNS rewrite) defines domain.com to local ip 192.168.0.100
• internal DNS (AGH DNS rewrite) defines test1.domain.com as local ip 192.168.0.200

Depending on the order of the external/internal definitions the internal test1.domain.com is pointed to 192.168.0.100 instead of .200.

This only happens if the subdomain is used, but not yet defined in AGH as a DNS rewrite. In this case of course, the DNS request is passed to unbound and solved externally: hence the CNAME interpretation I guess. However, the CNAME is interpreted with the local address, and not with the external DNS address (my static public IP).

If then the DNS rewrite is entered, AGH does not return the .200 address (or in some cases it does say 10 seconds), but returns the .100 address.

A dig command shows that test1.domain.com is a CNAME pointing to domain.com, hence the .100 address, where I would expect an A record, ie the ip address configured in AGH.

If the local DNS rewrite is entered before the external DNS is configured, no problem occurs: in that case AGH returns the defined ip address, and dig shows an A record.

Screenshots

Screenshot:

Additional Information

I have no idea if this is an AGH problem, or a combined Ubuntu/AGH/Unbound problem, but even if Unbound has the external DNS configuration loaded, I would expect that a DNS rewrite to overwrite this configuration!

If I change the external DNS for test1.domain.com to an A record pointing to my public IP, the DNS rewrite works!
So something is querying my external DNS, finds that the CNAME is replaced with an A record, and then AGH returns the defined IP address.

[ameshkov]

From what I read this sounds like an expected outcome.

Please note, that AGH is a DNS forwarder, not a recursor. It does not goes through the recursion itself and just forwards the DNS query to the upstream.

So if you have not defined any DNS rewrite for test1.domain.com, AGH will simply forward the DNS query to the upstream and won't consult any other rewrites.

[MarsWarrior]

If I have no DNS rewrite for test1.domain.com, I understand that AGH will forward the request.

However, if I enter a DNS rewrite for test1.domain.com I would expect that this IP address is returned, because what's the use of a rewrite if some external definition overwrites this local setting?

This only happens if I use the test1.domain.com before the DNS rewrite is defined.

If the DNS rewrite is defined before I use the test1.domain.com, then the AGH DNS rewrite works as expected!

In other words: why does the order of events result in a different outcome? In both cases the AGH DNS rewrite is the same, but the answer is different, and for me completely unusable.

[ameshkov]

This only happens if I use the test1.domain.com before the DNS rewrite is defined.

What do you mean by "before" here?
How do you test it?
Could it be that the result of the first query is cached locally?