SOLVED - Channels DNS issue Adguardhome->Unbound->NextDNS

Hey all, hoping someone can help me provide the right information needed to get to the bottom of this. First, I've been using Channels fine with 2-3 varying providers for several months. I use Unbound on my OPNsense firewall and more recently I've had Unbound pointing to NextDNS via DNS over TLS rather than its default behavior of recursive requests to the Root Servers as NextDNS gives me more analytics for non-local traffic. It has all continued to work well.

For local filtering and analytics I started using AdGuardHome (similar to Pihole) on my OPNsense firewall port 53, and then it forwards to Unbound which I switch to another open listening port, then Unbound to NextDNS. At this point everything except Channels continues to work just fine as best I can tell. Channels doesn't like this one bit though. On my client, it will hang at Preparing Your TV for a long time before letting me in. Then it shows Connected on the IP address, and it reports my Scheduled Recordings and Passes and such, but the Guide no longer works and I can't get any channels at all - none of the Sources show.
Firewall scans show Adobe auth calls that appear to be stream authentication-related being allowed out of the firewall, and I see them still being allowed at NextDNS, but Channels just isn't working.

Any idea why Channels would be uniquely impacted in this way, and how I can fix it?

Another piece of info I realized I should confirm. When I've added ADGH to the mix before Unbound while it does cause Channels TVE to have issues with Sources and channels, I can still access TVE streams directly via links like https://www.cbs.com/live-tv/stream/tveverywhere/ and I can still use the Vidgo, FuboTV, etc apps just fine, so that seems to confirm it is something Channels is doing for which we need to account.
Trying directly from the Channels GUI on the server all channels just time out if you try to Watch them, and after many seconds it briefly flashes Reconnecting.... before that disappears and then it acts like it is playing something but it isn't. On clients it goes to Playback Failed.

So I have a pfsense firewall and also use NextDNS. I have 2 VLANs, one for AD and the other for IoT devices. The IoT devices use the pfsense firewall as their DNS server. I have NextDNS installed on pfsense. In NextDNS I configured a profile that is basically wide open. I assign that profile to the IP address of my channels DVR server. I had to do this because some of the TVE urls were blocked by a rule. I really don't care if the channels server is wide open but I can monitor it if I need to with the NextDNS logging. My advice would be to do something similar or just simply assign an unfiltered DNS server to the channels server like 1.1.1.1 or something....

I appreciate your response. I didn't think that would fix my issue because I'd tried removing a lot of the filters and it just seemed to be something else. You got me motivated to test that theory though. I tried 1.1.1.1 and 1.1.1.2 and I could get the locals via TVE, but not the others. That success made me decide I'd just pop in my firewall/DNS server IP directly. It should be grabbing that off the Unraid custom bridge I've been using for that network just fine for months, but WTH, let's put it in anyway. Success!

Thanks again, this is why user communities and good developers are a winning combo.

I use AdGuard Home but I only use the block list below...

oisd | domain blocklist

Upstream 1.1.1.3 & 1.0.0.3

I use AGH with several block lists and quad9 as upstream. No issues with Channels.

Yeah, I never thought it was blocklist related and I use 5-7 as well. Nonetheless I didn't mind testing to see if I was mistaken in that assumption or if I was missing something in the logs. My setup is just more complex than many others. Most users direct AGH to an upstream like Google or Quad9 and I presume it works fine for that. Mine goes from AGH on the firewall to Unbound on the same box but different port, using the former for filtering and analytics and the latter for DHCP, internal name lookups, and recursive DNS, then from there to the upstream DNS servers (NextDNS in this case). By default a lot of that on-box port redirecting traffic doesn't show in the logs. It's also not just a container, but a container on an Unraid server with 4 custom bridges. Happy to report it's working awesomely now though.

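A per-hop check for the resolver chain described in this thread (client to AdGuardHome to Unbound to upstream), as an added example that is not part of any post above: it sends the same A query to each listener and labels the reply, so the hop where an answer turns into a block, an error or a timeout is visible. The 192.0.2.1 address and port 5353 are placeholders, and treating 0.0.0.0 as a filter's sinkhole answer is an assumption.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # offset just past a possibly compressed name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):  # -> (rcode, sorted A-record addresses)
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, sorted(addrs)

def classify(rcode, addrs):
    if rcode != 0:
        return "NXDOMAIN" if rcode == 3 else f"RCODE {rcode}"
    if not addrs:
        return "NOERROR, no A records"
    blocked = all(a == "0.0.0.0" for a in addrs)  # assumed sinkhole answer
    return "BLOCKED (0.0.0.0)" if blocked else "OK " + ",".join(addrs)

def ask(server, port, name, timeout=3.0):
    # Query one hop over UDP; a timeout or malformed reply is reported, not raised.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            return classify(*parse_response(s.recv(4096)))
        except (OSError, struct.error, IndexError) as exc:
            return f"NO ANSWER ({type(exc).__name__})"

if __name__ == "__main__":
    # Hypothetical hops: 192.0.2.1 and port 5353 are placeholders for your own.
    for hop, host, port in (("AdGuardHome", "192.0.2.1", 53), ("Unbound", "192.0.2.1", 5353)):
        print(f"{hop:12} {ask(host, port, 'www.cbs.com')}")
```

Run it from the machine or container that hosts the DVR, since that is the client whose DNS settings were at fault in this thread.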

I know it's been a while, but if you have more information about which URLs were being blocked that would be helpful.

@tmm1 I can't remember but you could use my nextdns config if you like. You just need to change your DNS to 45.90.28.109 flush the cache and then pm me your public ip and I can add it to my config. Once I do that you can replicate exactly what I was seeing. LMK.