pancake

Android and selfhosting

tl;dr: Android doesn't work well with AdGuard Home's CNAME rewriting. If you are having issues, try setting an A record directly instead of a CNAME.


I am one of those weird people who self-host services at home. Since you are reading this, I assume you are also weird like that.

My setup can be described as:


The first important thing is a bash script that talks to my domain provider and keeps my domain pointed at the router's current public IP address -- a DDNS (dynamic DNS) client.

The second thing is WireGuard. Fortunately it is part of RouterOS. My phone has the WireGuard app installed and I'm using the "Always-on VPN" feature to force all my internet traffic through my home network before it goes out to the internet.

That's it for the IP layer, pretty much.


For DNS, I have an AdGuard Home container that:

By having my phone connected to my home network, and using it to resolve DNS queries, I have ad blocking anywhere I go! I know there are some public resolvers that do this already; if I didn't have anything hosted internally, those would be enough. (Though I keep hearing that Android tends to ignore the DNS servers set in the settings, so perhaps there is still some value.)

When you set up a DNS Rewrite within AdGuard Home, you can set A, AAAA or CNAME as the value. I've been using the CNAME feature a lot -- all my service records point at their respective servers, making them easier to audit.
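To see which kind of answer a resolver actually hands back for a rewritten name (a CNAME chain versus a bare A record), here is a small checker. It is an added example, not code from the original post or from AdGuard Home: it builds a plain UDP DNS query in RFC 1035 wire format with no third-party libraries, parses the answer section (including compression pointers) and classifies it. The names `nextcloud.home.test` and `server.home.test`, the address `192.0.2.10` and the two embedded sample responses are constructed for offline use; the resolver address you pass on the command line is yours.

```python
"""Classify a resolver's answer for a name as a CNAME chain or a direct A record.

Added example, not part of the original post. Pure standard library.
"""
import socket
import struct
import sys

def _name(s: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = s.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD set, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _name(name) + struct.pack("!HH", 1, 1)

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_answers(msg: bytes):
    """Return answer RRs as (owner, rtype, rdata-as-text); A and CNAME are decoded."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):            # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:             # A
            text = ".".join(str(b) for b in rdata)
        elif rtype == 5:           # CNAME (rdata may itself use compression)
            text, _ = read_name(msg, offset)
        else:
            text = rdata.hex()
        answers.append((owner, rtype, text))
        offset += rdlen
    return answers

def classify(answers) -> str:
    types = {rtype for _, rtype, _ in answers}
    if 5 in types and 1 in types:
        return "cname-chain"       # the kind of answer the post found Android choking on
    if 5 in types:
        return "cname-only"        # CNAME with no A following it: clients must re-query
    if 1 in types:
        return "direct-a"          # what an explicit A rewrite produces
    return "no-answer"

def query_a(name: str, server: str, port: int = 53, timeout: float = 2.0):
    """Send one UDP query to `server` and return its parsed answer section."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_answers(data)

# Constructed sample responses (documentation names and the 192.0.2.0/24 test range).
def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 60) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

QNAME = "nextcloud.home.test"
_QUESTION = _name(QNAME) + struct.pack("!HH", 1, 1)
_PTR_TO_QNAME = b"\xc0\x0c"  # compression pointer to offset 12 (the question name)
SAMPLE_CNAME_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION
    + _rr(_PTR_TO_QNAME, 5, _name("server.home.test"))
    + _rr(_name("server.home.test"), 1, bytes([192, 0, 2, 10])))
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
    + _rr(_PTR_TO_QNAME, 1, bytes([192, 0, 2, 10])))

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python dnscheck.py <name> <resolver-ip>
        answers = query_a(sys.argv[1], sys.argv[2])
        print(classify(answers), answers)
    else:
        for sample in (SAMPLE_CNAME_RESPONSE, SAMPLE_A_RESPONSE):
            print(classify(parse_answers(sample)), parse_answers(sample))
```

Run it with the name of a rewritten service and your AdGuard Home address; `cname-chain` means the rewrite is being served as a CNAME plus the resolved A record, `direct-a` means the name maps straight to an address. The offline mode with no arguments walks the two constructed samples so the parser can be checked without touching a resolver.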


This has been working fine, as long as I stayed on Linux. On Android, the apps wouldn't connect, no matter how much I tried to convince them. For a long time I thought it was something to do with TLS (with Android or the apps ignoring the custom CA I had imported into the phone).

So I just used IP:port everywhere where it didn't work.


Today I upgraded the router, and changed my IP assignment schema at the same time. Since I had to change all the apps' configurations (because they had the old IPs hardcoded), I tried to set the DNS record for Nextcloud explicitly as an A record, instead of a CNAME, just out of curiosity. It started working. I did the same with Forgejo, with the same result.


I don't think I have ever 🦆ed this problem. I did now, and there are people talking about it.

There is net zero new information in this article. I hope you don't feel robbed of your time -- I did have the tl;dr on top after all.


PS: There's more stuff I had to do after I re-set the WireGuard connection on my phone.

First, make sure you set the DNS server in the VPN settings, otherwise nothing on the internal network will resolve.

Second, make sure the Android version of Firefox (Fennec in my case) is allowed to use the custom imported CA certificates. It is hidden away, quite literally: Settings > About Fennec > tap the logo seven times > back > Secret Settings > Use third party CA certificates. I haven't found this documented anywhere; thanks, JeroenHD!

#adguardhome #android #ca #fennec #firefox #selfhosting #tls