Why is my Adguard Home not filtering ads?

I've had my Adguard Home set up on my RPi for a few months now, after some excellent advice from @Rainmaker. However, I'm noticing more and more that an increasing number of websites are displaying ads. I've no idea why, so thought of asking you knowledgeable folk!

AGH is set up with the oisd full blocklist (374,364 rules) which was last updated yesterday evening.

An example of a website currently displaying ads, which I'm sure didn't use to, is speedtest.net. I see ads surrounding the speedtest results on all 4 sides.

I've checked the Query Log, and my laptop is definitely a client. I've also checked my DNS settings in Win 10, which show the RPi IP address as the DNS server.

I should mention that DNS settings are being taken from my USG, which again has the RPi IP address in the DNS server field.

Any ideas folks?
 
OK, so I've kinda answered my own question - it's something to do with VPN changes from my employer.

Our IT dept made some changes to reduce the number of MFA prompts we will see when using the VPN, and it seems that something they've changed has affected my name servers. With the VPN connected (which it generally is all day), I have ads appearing. As soon as I disconnect from the VPN, the ads disappear. Therefore, to me anyway, it seems the VPN client is setting the name servers somehow. The odd thing is that we have 2 VPN connections - 1 which is 'split' so only employer-related traffic is supposed to be affected, and then an 'all traffic' VPN which obviously affects all traffic. I'm connecting to the split VPN, yet it's still affecting the name servers.

Running nslookup when the VPN is connected, my default server is ***.***.ac.uk and the address is ***.38.1.1 (both redacted for privacy reasons). With the VPN disconnected, my default server is UnKnown and the address is 192.168.1.100 (as expected).
 
Bummer. Is using your employer's DNS mandatory? You could always set up DoH in AGH and then set Firefox (or Chromium/Brave/whatever) to use DoH to bypass the local nameservers set by the VPN. In Firefox it's Settings > Network Settings (scroll down the first page in settings), and in Chromium-based browsers it's under chrome://flags/settings/security.
 
It's not so much that it's mandatory, it's that I can't access anything off-site without using it lol!

Got one of my colleagues, who used to manage the VPN service, to ask some questions internally. He reckons it might be something to do with staff having problems connecting to hosts on private addresses. Seems wrong to set it up in this way though, so maybe they'll adjust the settings.
 
Can you two not install uBlock Origin at least? Obviously it depends on whether the device is work owned or BYOD. If not, separate browser profiles and enabling DoH is all I can think of, if split DNS isn't a possibility.
 
With the VPN connected, I would assume that it is now your default gateway (or only route) and all traffic from the connected device is being forced down that. It also means that if you override the DNS settings they will not work, as they are also being forced down the VPN.

Would suggest checking your routing table before and after connecting; it's possible you could add a static route in to allow you to at least bypass it at the browser level.

Is the VPN configured on company hardware?
 
Many VPNs will still allow LAN access while connected, but as you say in this instance the DNS is the issue (but not for the reasons you state). The OP says he needs to resolve particular domains via the VPN's DNS for work (internal hosts, I guess) so at best split DNS is the way to go, if it's possible at all.
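
The before/after check suggested in the thread, as an added example that is not part of any poster's reply: run it in PowerShell on the Windows 10 client once with the VPN disconnected and once connected, then compare the output. `$Expected` and `$report` are names chosen for this sketch, and `192.168.1.100` is the AdGuard Home address quoted earlier in the thread.

```powershell
# Added example (not from the thread). Run with the VPN off, then on, and compare.
# Assumption: AdGuard Home listens on the address the OP quoted; change as needed.
$Expected = '192.168.1.100'

# Connected IPv4 interfaces, lowest metric first (the lower metric is preferred).
$ifaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric

# For each interface, list its configured DNS servers and whether AdGuard is among them.
$report = foreach ($if in $ifaces) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $if.ifIndex `
                -AddressFamily IPv4).ServerAddresses
    if ($dns) {   # skip loopback and other interfaces with no resolver set
        [pscustomobject]@{
            Interface   = $if.InterfaceAlias
            Metric      = $if.InterfaceMetric
            DnsServers  = $dns -join ', '
            UsesAdGuard = $dns -contains $Expected
        }
    }
}
$report | Format-Table -AutoSize

# A VPN adapter that sorts first and does not list $Expected is the likely reason
# lookups skip the blocklist while the tunnel is up.
$first = $report | Select-Object -First 1
if ($first -and -not $first.UsesAdGuard) {
    Write-Warning "Preferred interface '$($first.Interface)' resolves via $($first.DnsServers)"
}

# Default routes: shows whether the "split" tunnel still takes the default gateway.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize

# Some VPN clients implement split DNS with NRPT rules; list any that are in effect.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, NameServers -AutoSize
```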
 