Description
Prerequisites
- I have checked the Wiki and Discussions and found no answer
- I have searched other issues and found no duplicates
- I want to report a bug and not ask a question or ask for help
- I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, AMD64 (aka x86_64)
Installation
Docker
Setup
On one machine
AdGuard Home version
v0.107.65
Action
dig +edns +tls @my.server.fqdn ad.doubleclick.net
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @my.server.fqdn ad.doubleclick.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31753
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ad.doubleclick.net. IN A
;; ANSWER SECTION:
ad.doubleclick.net. 30 IN A 0.0.0.0
;; Query time: 54 msec
;; SERVER: (my.server.fqdn) (TLS)
;; WHEN: Wed Dec 31 18:01:32 CST 2025
;; MSG SIZE rcvd: 52
Expected result
Something with the EDNS option in the response:
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @my.server.fqdn google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 55 IN A 142.250.191.206
;; Query time: 57 msec
;; SERVER: (my.server.fqdn) (TLS)
;; WHEN: Wed Dec 31 18:03:47 CST 2025
;; MSG SIZE rcvd: 55
Actual result
As seen above, there is no EDNS option in the blocked response, but there is one in the unfiltered response.
When hooked up to systemd-resolved this leads to an error that prevents using the resolver:
# Route most queries over TLS to my filtering server.
# Other ones can fallback to local DHCP assigned DNS.
[Resolve]
DNS=1.2.3.4#my.server.fqdn
FallbackDNS=
Domains=~.
DNSOverTLS=opportunistic
resolvectl log-level debug
resolvectl query ad.doubleclick.net
ad.doubleclick.net: resolve call failed: Received invalid reply
In the logs we see that systemd-resolved disables this resolver since it "doesn't support EDNS". It then attempts to fall back to UDP instead of TLS, which isn't available on this particular host and hence fails.
Cache miss for ad.doubleclick.net IN A
Firing regular transaction 56801 for <ad.doubleclick.net IN A> scope dns on */* (validate=yes).
Using feature level TLS+EDNS0 for transaction 56801.
Using DNS server my.server.fqdn for transaction 56801.
Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
Using feature level TLS+EDNS0 for transaction 56801.
Announcing packet size 1452 in egress EDNS(0) packet.
Cache miss for ad.doubleclick.net IN AAAA
Firing regular transaction 32201 for <ad.doubleclick.net IN AAAA> scope dns on */* (validate=yes).
Using feature level TLS+EDNS0 for transaction 32201.
Using DNS server my.server.fqdn for transaction 32201.
Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
Using feature level TLS+EDNS0 for transaction 32201.
Announcing packet size 1452 in egress EDNS(0) packet.
Processing incoming packet of size 52 on transaction 56801 (rcode=SUCCESS).
Server doesn't support EDNS(0) properly, downgrading feature level...
Using degraded feature set UDP instead of TLS+EDNS0 for DNS server my.server.fqdn.
Server feature level is now lower than when we began our transaction. Restarting with new ID.
Cache miss for ad.doubleclick.net IN A
Firing regular transaction 43548 for <ad.doubleclick.net IN A> scope dns on */* (validate=yes).
Using feature level UDP for transaction 43548.
Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 60
Sending query packet with id 43548 of size 36.
Regular transaction 43548 for <ad.doubleclick.net IN A> on scope dns on */* now complete with <invalid-reply> from none (unsigned; non-confidential).
Processing incoming packet of size 64 on transaction 32201 (rcode=SUCCESS).
Server feature level is now lower than when we began our transaction. Restarting with new ID.
Cache miss for ad.doubleclick.net IN AAAA
Firing regular transaction 17798 for <ad.doubleclick.net IN AAAA> scope dns on */* (validate=yes).
Using feature level UDP for transaction 17798.
Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 60
Sending query packet with id 17798 of size 36.
Regular transaction 17798 for <ad.doubleclick.net IN AAAA> on scope dns on */* now complete with <invalid-reply> from none (unsigned; non-confidential).
Additional information and/or screenshots
When querying the upstream dns.adguard.com servers, they always include an EDNS OPT record in the response, even for blocks. I think AdGuard Home should be fixed to do that too:
dig +edns +tls @dns.adguard.com ad.doubleclick.net
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> +edns +tls @dns.adguard.com ad.doubleclick.net
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19198
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 17 (Filtered)
;; QUESTION SECTION:
;ad.doubleclick.net. IN A
;; ANSWER SECTION:
ad.doubleclick.net. 3600 IN A 0.0.0.0
;; Query time: 96 msec
;; SERVER: 2a10:50c0::ad1:ff#853(dns.adguard.com) (TLS)
;; WHEN: Wed Dec 31 18:26:33 CST 2025
;; MSG SIZE rcvd: 69
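Added example, not code from this report, from AdGuard Home or from systemd-resolved: a small Python script that builds an EDNS(0) query, parses a DNS reply and reports whether the server echoed an OPT record (RFC 6891) and which Extended DNS Error codes (RFC 8914, option code 15) it carried. A reply to an EDNS(0) query that carries no OPT record is exactly what the systemd-resolved log above complains about before it downgrades. The three sample replies at the bottom are constructed, not captured, but they are built to the same byte sizes dig printed above (52 bytes without OPT, 55 and 69 bytes with OPT), so the parser can be checked offline. `query_dot` is the only function that touches the network; it assumes a DoT server on port 853 presenting a certificate valid for the hostname you pass.

```python
# Added example for this report, not code from AdGuard Home or systemd-resolved.
# Builds an EDNS(0) query, parses a DNS reply and says whether the server
# echoed an OPT record (RFC 6891) and any Extended DNS Error (RFC 8914).
import socket
import ssl
import struct

TYPE_A, TYPE_OPT = 1, 41
EDE_OPTION = 15        # EDNS option code for Extended DNS Error (RFC 8914)
EDE_FILTERED = 17      # EDE info code "Filtered", as in the dns.adguard.com reply

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, qtype=TYPE_A, udp_size=1232):
    """Query with RD set and one OPT RR in the additional section (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt

def build_response(name, addr, ttl, txid=0x1234, with_opt=True, ede=None):
    """Constructed sample reply: one A record, optional OPT RR, optional EDE."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + socket.inet_aton(addr)
    msg = header + question + answer
    if with_opt:
        rdata = b"" if ede is None else struct.pack("!HHH", EDE_OPTION, 2, ede)
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off if end is None else end

def parse_response(msg):
    """Return rcode, A answers, whether an OPT RR is present, and EDE info codes."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers, has_opt, ede_codes = [], False, []
    for i in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_A and i < an:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == TYPE_OPT:
            has_opt = True
            p = 0
            while p + 4 <= len(rdata):             # walk the EDNS options
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                if code == EDE_OPTION and olen >= 2:
                    ede_codes.append(struct.unpack("!H", rdata[p + 4:p + 6])[0])
                p += 4 + olen
    return {"rcode": flags & 0xF, "answers": answers, "has_opt": has_opt, "ede": ede_codes}

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("short DoT reply")
        data += chunk
    return data

def query_dot(server, name, port=853):
    """Send the query over DNS-over-TLS (RFC 7858, 2-byte length prefix). Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            (ln,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, ln))

# Constructed samples mirroring the three dig outputs in the report.
BLOCKED_NO_OPT = build_response("ad.doubleclick.net", "0.0.0.0", 30, with_opt=False)
UNFILTERED_OPT = build_response("google.com", "142.250.191.206", 55)
BLOCKED_WITH_EDE = build_response("ad.doubleclick.net", "0.0.0.0", 3600, ede=EDE_FILTERED)
```

To reproduce the comparison made in the report, call `query_dot("dns.adguard.com", "ad.doubleclick.net")` and the same against your own instance's hostname, then compare the `has_opt` and `ede` fields: the upstream reply should show `has_opt` true with `ede` `[17]`, while the AdGuard Home reply described above shows `has_opt` false. `parse_response(BLOCKED_NO_OPT)` gives the offline equivalent of the failing case.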