BinaryDichotomy
New Member
I'm in the process of piloting AdGuard for my development domain for an upcoming pitch, so I'm giving it a thorough run-through in the lead-up. I'm noticing some peculiar behavior on AdGuard for iOS on an iPad that is on a Windows domain, but isn't managed by Azure/Intune/Endpoint Manager, etc. I have my local domain controllers set as static DNS servers on my iPad, so those should in effect be the "system servers" used if you don't include server names in the fallback DNS section.
This is not working correctly. I have DNS labels set up correctly for suffixes (mydomain.local), and prior to AdGuard being installed, name resolution worked correctly, e.g. I could ping network servers, RDP into Hyper-V machines, etc. I have installed AdGuard and gone through the documentation, which specifically states that if a DNS name times out for the AdGuard for DNS server, the fallback (in my case, I have nothing in that section, and the docs say that it should fall back to system DNS servers) should be used. When I attempt to ping a server like server.domain.local, a lookup that by all accounts should fail on the AdGuard for DNS servers given that's a non-canonical TLD, the ping fails immediately, almost as if the fallback servers aren't even being hit. I haven't done a Wireshark trace, but I am fairly confident this is happening, otherwise the ping would be successful.
This effectively severs our mobile devices from the network, so we are trying to find a setting that will gracefully and quickly fall back to our local DC/DNS infrastructure, but cannot figure out the setting. Could it be bootstrap servers that need to be local DNS servers? FWIW, we have forwarders on our DCs pointing to a Private AdGuard DNS Server since we have a static IP, but then we lose finer grained reporting. So, "unhooking" the mobile devices from AdGuard for DNS makes little sense.
Assume that DNS and client configuration from my end is correct, as it worked perfectly well prior to AdGuard. AdGuard is not falling back to our local DNS servers though, so this is a big problem with adoption going forward. We are looking at several hundred seats for licenses. The workers must have local DNS resolution for this to work though. I have a related post over in the Windows section, as we are also having major pain points trying to get this to work on a local domain with PCs as well. We can use a reverse proxy solution there if we have to, but that's A) more overhead and B) doesn't work for mobile devices, thus negating having a common configuration for all of our devices. We don't want to get into any kind of corner cases.
How can we get local domain resolution to work properly, but also have seamless handoff to AdGuard private DNS servers when mobile devices are off the network? That's also the reason why we can't just configure static local DNS servers: it screws up other parts, which is why we want *all* network traffic to go to AdGuard first, and if something in *.local is sent, it goes directly to the local DNS servers. AdGuard for Windows even has a setting for this to bypass AdGuard entirely for specific domains. But for now, just any setting that will achieve the goals specified above, otherwise this won't be a solution that works for us. FWIW, we are migrating from NextDNS.