I have AdGuard running on an RPi and have configured my router to use it as the main DNS. However, I need to have a secondary DNS for the router to fall back to if the RPi crashes (which has happened). I know this therefore means AdGuard ends up being effectively bypassed.
Is there any way to make AdGuard respond to blocked queries with some sort of successful response so that the secondary DNS isn’t tried?
You can set up the router to just use your AdGuard server as DNS servers, but the problem is that if AdGuard goes down, then your router will not be able to resolve names, because it has no list itself.
Set up AdGuard and your router (OS/software like pfSense) on the same x86 mini system (instead of a commercial router appliance). So if anything goes down, it’s because the whole system goes down and you don’t have to worry about some RPi and its SD card.
Run it in a VM so you can easily make snapshots and clones, and you can get everything back easily and quickly, even on new hardware if needed.
Actually I use an SSD with my Pi so it’s pretty robust but it can go down. It runs all the time and I want to use it as my DNS for all devices unless it’s down. No other devices in my house run all the time. I only want a fall back if it’s down.
Then you’re out of luck if you don’t want to change your router. That functionality has to be supported by the router and simply having two servers listed isn’t a solution because the router will use them randomly.
I thought a secondary router was only used if the primary one doesn’t respond. Hence my suggestion for AdGuard to have the option of responding but with essentially an empty response.
It depends on the device how they use DNS servers.
Some do a prioritized list, where the primary will be used unless it times out, then the secondary will be used and so on.
Some do a round-robin, which means it will use the primary in one lookup, then the secondary in the next and so on.
Some keep a list of response times and order the DNS servers based on that.
Some just do it randomly.
The issue is that you can rarely change this behavior and actually finding out what algorithm your device uses is extremely hard.
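Added example, not part of the thread: a small Python simulation of the four server-selection behaviours listed above, measuring what share of lookups reaches the unfiltered secondary server while the AdGuard box is up and while it is down. The server labels, function names and response times are constructed assumptions, not measurements of any real router.

```python
import random

PRIMARY, SECONDARY = "adguard", "fallback"   # constructed labels
# Constructed response times: the filter forwards cache misses upstream,
# so it is assumed to be slightly slower than the upstream server itself.
RTT_MS = {PRIMARY: 25.0, SECONDARY: 20.0}

def prioritized(state, primary_up, rng):
    # Secondary is used only when the primary times out.
    return PRIMARY if primary_up else SECONDARY

def round_robin(state, primary_up, rng):
    # Alternate between the two servers on every lookup.
    state["n"] = state.get("n", 0) + 1
    pick = (PRIMARY, SECONDARY)[state["n"] % 2]
    return pick if primary_up or pick == SECONDARY else SECONDARY

def fastest(state, primary_up, rng):
    # Prefer the lowest last-seen response time; an untried server counts as 0 ms.
    seen = state.setdefault("rtt", {PRIMARY: 0.0, SECONDARY: 0.0})
    candidates = [PRIMARY, SECONDARY] if primary_up else [SECONDARY]
    pick = min(candidates, key=seen.get)
    seen[pick] = RTT_MS[pick]
    return pick

def at_random(state, primary_up, rng):
    return rng.choice((PRIMARY, SECONDARY)) if primary_up else SECONDARY

STRATEGIES = {"prioritized": prioritized, "round-robin": round_robin,
              "fastest": fastest, "random": at_random}

def bypass_rate(strategy, queries=10_000, primary_up=True, seed=1):
    """Fraction of lookups answered by the unfiltered secondary server."""
    rng = random.Random(seed)
    state = {}
    hits = sum(strategy(state, primary_up, rng) == SECONDARY
               for _ in range(queries))
    return hits / queries

if __name__ == "__main__":
    for name, fn in STRATEGIES.items():
        up = bypass_rate(fn)
        down = bypass_rate(fn, primary_up=False)
        print(f"{name:12} primary up: {up:7.2%}   primary down: {down:7.2%}")
```

Only the prioritized list keeps filtering intact while the primary is healthy; under these assumed timings the response-time ordering settles on the secondary almost immediately.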