Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AdGuard blocking facebook.com domain #7535

Open
4 tasks done
naisanzaa opened this issue Dec 28, 2024 · 20 comments
Open
4 tasks done

AdGuard blocking facebook.com domain #7535

naisanzaa opened this issue Dec 28, 2024 · 20 comments

Comments

@naisanzaa
Copy link

Prerequisites

Platform (OS and CPU architecture)

Darwin (aka macOS), AMD64 (aka x86_64)

Installation

Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)

Setup

On a router, DHCP is handled by the router

AdGuard Home version

v0.107.52

Action

image

image

image

image

Expected result

Load facebook.com

Actual result

(failed)net::ERR_CONNECTION_TIMED_OUT

Additional information and/or screenshots

This stops happening when AdGuard is turned off.

  • Using GL.iNet GL-MT3000
@tjharman
Copy link

tjharman commented Dec 28, 2024
edited
Loading

It is telling you right there in your screenshot that you have a custom filtering rule blocking facebook.

image

This is not an AdguardHome issue.

The rules you use/apply to AdguardHome are up to you, please don't open tickets for filtering rules against the AdguardHome codebase.

@naisanzaa
Copy link
Author

It is telling you right there in your screenshot that you have a custom filtering rule blocking facebook.

image

This is not an AdguardHome issue.

The rules you use/apply to AdguardHome are up to you, please don't open tickets for filtering rules against the AdguardHome codebase.

It's not about filtering.

I'm just showing that there should be no reason facebook.com domain is blocked. But it is.

@tjharman
Copy link

What IP address is AdguardHome returning for facebook.com?

@ppfeufer
Copy link

As far as I know, custom rules starting with @@|| are allowing the request.
Might want to change that rule to:

@@||facebook.com^$important

@naisanzaa
Copy link
Author

As far as I know, custom rules starting with @@|| are allowing the request. Might want to change that rule to:

@@||facebook.com^$important

correct.

I have tried both. With ^$important and without. Neither worked.

I was just trying to show that it is also explicitly configured to be unblocked.

@naisanzaa
Copy link
Author

What IP address is AdguardHome returning for facebook.com?

mm I don't see where to find the option to do a dns resolution in AdGuard

Could you let me know where to find that?

@tjharman
Copy link

Open up a CMD prompt and type ping facebook.com

What ip does it give you?

@naisanzaa
Copy link
Author

naisanzaa commented Dec 29, 2024
edited
Loading

Open up a CMD prompt and type ping facebook.com

What ip does it give you?

Oh I thought there was some special maintenance command in AdGuard.

image 
Name:      facebook.com
Address 1: 157.240.24.35
Address 2: 2a03:2880:f162:81:face:b00c:0:25de

@tjharman
Copy link

tjharman commented Dec 29, 2024
edited
Loading

That's a Facebook IP so AdGuard is working fine and returning a valid and correct IP. I'm unsure what your issue is but again, this isn't an AdGuard issue.

@Dynamic5912
Copy link

What custom filtering rules do you have set?

@naisanzaa
Copy link
Author

That's a Facebook IP so AdGuard is working fine and returning a valid and correct IP. I'm unsure what your issue is but again, this isn't an AdGuard issue.

Turning AdGuard off -> page loads
Turning AdGuard on -> page does not load

Thus it is AdGuard.

@naisanzaa
Copy link
Author

What custom filtering rules do you have set?

These are the custom filtering rules (all are for allowing)

Also, there are not blocklists active. So 0 domains are being blocked.

@@||url6109.playbook.com^$important
@@||t.co^$important
@@||edhec.az1.qualtrics.com^$important
@@||sentry.io^$important
@@||sentry-cdn.com^$important
@@||awstrack.me^$important
@@||googleadservices.com^$important
@@||email.friendbuy-mail.com^$important
@@||redirect.fbot.me^$important
@@||public.fbot.me^$important
@@||www.datadoghq-browser-agent.com^$important
@@||shareasale.com^$important
@@||graph.instagram.com^$important
@@||link.rottentomatoes.com^$important
@@||link.info.email.aa.com^$important
@@||onedrive.live.com^$important
@@||beacons.gvt2.com^$important
@@||beacons5.gvt3.com^$important
@@||beacons.gcp.gvt2.com^$important
@@||beacons4.gvt2.com^$important
@@||mobile.events.data.microsoft.com^$important
@@||beacons3.gvt2.com^$important
@@||self.events.data.microsoft.com^$important
@@||facebook.com^$important

@tjharman
Copy link

It's really not Adguard, but I can understand why you think it is given what you are seeing.

What are your upstream DNS servers? You haven't mentioned this yet.

What IP is returned when AdGuard is enabled? Use the ping command I gave you before?

What IP is turned when AdGuard is disabled? Same.

If you can provide some concrete evidence as to why you think this is an AdGuard issue, we can investigate it. Thus far it seems when AdGuard is enabled, your client is trying to connect to an IP that's incorrect thus it's timing out.

Thousands and Thousands of people are using AdGuard and Facebook works just fine.

@tjharman tjharman reopened this Dec 30, 2024
@tjharman
Copy link

Sorry I didn't mean to close the issue. I am happy to help you figure out what your issue is.

@naisanzaa
Copy link
Author

When AdGuard is enabled:

image 
Server:		75.75.75.75
Address:	75.75.75.75#53

Name:      facebook.com
Address 1: 100.81.171.47
Address 2: fd::6b35:cc59:5faa:40d7:dba6

nslookup:
image

> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> facebook.com
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	facebook.com
Address: 100.81.171.47

@tjharman
Copy link

Looks like when Adguard is enabled it's returning an IPv6 address for Facebook. I guess your laptop/device thinks it has IPv6 connectivity, tries to use it, and it faills (thus the timeout message you're getting)

Either 1) fix your IPv6 stack or
2) Tick this option
image

@naisanzaa
Copy link
Author

Looks like when Adguard is enabled it's returning an IPv6 address for Facebook. I guess your laptop/device thinks it has IPv6 connectivity, tries to use it, and it faills (thus the timeout message you're getting)

Either 1) fix your IPv6 stack or 2) Tick this option image

The part to note is that it resolves to a private ip space when AdGuard is enabled.

Disabling ipv6 has the same result as well

@tjharman
Copy link

tjharman commented Dec 30, 2024
edited
Loading

Good point, I'd missed that was CGNAT shared address space. I expect that's a Comcast Facebook FNA node you're being pointed at, in shared address space your home should able to route to. The fact that even Cloudflare DNS returns that is why I think this.

Ok, so please answer these questions. You keep ignoring my questions above and reply with selective bits. Answer every question please.

  1. What IP address does your client try to connect to when Adguard is disabled? Not a lookup from your router, your desktop/laptop/whatever is showing the connection timed out above.

  2. What IP address does your client try to connect to when Adguard is Enabled? As above, not from your router. From your client.

  3. How are you disabling AdGuard exactly? Do you mean you just click the "Disable" button, or are you doing something else?

  4. Can you perform a tracert (windows CMD) towards the IP address returned in question 1 and paste it here.

  5. Can you perform a tracert towards the IP address returned in question 2 and paste it here.

  6. What upstream DNS server(s) do you have configured in Adguard Home?

@naisanzaa
Copy link
Author

  1. What IP address does your client try to connect to when Adguard is disabled? Not a lookup from your router, your desktop/laptop/whatever is showing the connection timed out above.

router:

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      facebook.com
Address 1: 157.240.24.35
Address 2: 2a03:2880:f162:81:face:b00c:0:25de

client:

eric@Mac ~ % nslookup 
> facebook.com
Server:		192.168.111.1
Address:	192.168.111.1#53

Non-authoritative answer:
Name:	facebook.com
Address: 157.240.24.35
> server 75.75.75.75
Default server: 75.75.75.75
Address: 75.75.75.75#53
> facebook.com
Server:		75.75.75.75
Address:	75.75.75.75#53

Non-authoritative answer:
Name:	facebook.com
Address: 157.240.24.35
>
  1. What IP address does your client try to connect to when Adguard is Enabled? As above, not from your router. From your client.

router:

Server:		75.75.75.75
Address:	75.75.75.75#53

Name:      facebook.com
Address 1: 100.84.165.78
Address 2: fd::634d:efa0:9633:67e4:d4b5

client:

eric@Mac ~ % nslookup 
> facebook.com
Server:		192.168.111.1
Address:	192.168.111.1#53

Non-authoritative answer:
Name:	facebook.com
Address: 100.84.165.78
> server 75.75.75.75
Default server: 75.75.75.75
Address: 75.75.75.75#53
> facebook.com
Server:		75.75.75.75
Address:	75.75.75.75#53

Non-authoritative answer:
Name:	facebook.com
Address: 100.84.165.78
> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> facebook.com
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	facebook.com
Address: 100.84.165.78
>
  1. How are you disabling AdGuard exactly? Do you mean you just click the "Disable" button, or are you doing something else?

clicking disable.

  1. Can you perform a tracert (windows CMD) towards the IP address returned in question 1 and paste it here.
eric@Mac ~ % traceroute -n 157.240.24.35
traceroute to 157.240.24.35 (157.240.24.35), 64 hops max, 40 byte packets
 1  192.168.111.1  21.048 ms  9.147 ms  9.080 ms
 2  10.0.0.1  5.781 ms  12.379 ms  3.845 ms
 3  96.120.16.221  54.791 ms  43.645 ms  123.440 ms
 4  96.110.197.109  10.944 ms  51.980 ms  17.158 ms
 5  68.85.244.85  43.074 ms  32.634 ms  72.081 ms
 6  50.172.248.122  44.197 ms  40.092 ms  44.504 ms
 7  129.134.33.92  27.846 ms  36.748 ms
    129.134.33.86  21.709 ms
 8  129.134.93.102  11.966 ms
    129.134.93.103  43.916 ms
    129.134.93.104  22.173 ms
 9  129.134.93.19  44.583 ms  35.669 ms
    129.134.80.65  70.999 ms
10  * * *
11  * * *
12  * * *
  1. Can you perform a tracert towards the IP address returned in question 2 and paste it here.
eric@Mac ~ % traceroute -n 100.84.165.78
traceroute to 100.84.165.78 (100.84.165.78), 64 hops max, 40 byte packets
 1  192.168.111.1  6.309 ms  2.658 ms  23.856 ms
 2  10.0.0.1  14.414 ms  4.880 ms  8.929 ms
  1. What upstream DNS server(s) do you have configured in Adguard Home?
8.8.8.8
9.9.9.9
1.1.1.1

@tjharman
Copy link

tjharman commented Dec 31, 2024
edited
Loading

I don't understand your output from Question 2.

Even though you are manually setting your DNS Server for nslookup to 1.1.1.1, you are still being given 100.84.165.78 as the IP Address? Is that how I read that?

That should be bypassing Adguard directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tjharman @ppfeufer @naisanzaa @Dynamic5912