AdGuard Home is a network-wide ad-and-tracker blocking DNS server. Its purpose is to let you control your entire network and all your devices, and it does not require a client-side program. It is a fully-fledged server application that runs on a separate machine (your home router or even a remote VPS) and provides cross-device protection over your network, with a mechanism to actively block certain requests from the websites you visit. In this short guide, I will show you how to set up your own AdGuard Home on a VPS (preferably Ubuntu 18.04+).
How does AdGuard Home work?
Whenever you navigate to a website using its URL (https://baidu.com, for example), your device needs to know which IP address that domain refers to. To determine it, your device sends a DNS (Domain Name System[1]) query to a DNS nameserver, which responds with a DNS record for that domain containing its IP address(es) and other information.
But how does your device know which DNS servers to query? Generally that is the job of your router's DHCP[2] service. It is entirely possible to override the DNS server on the router, but most people don't and keep the one configured by their ISP (Internet service provider).
There are thousands of public DNS servers in the world, such as Google's public DNS servers (8.8.8.8 and 8.8.4.4) or Cloudflare's 1.1.1.1. When AdGuard Home is running in your network, you can configure your router's DHCP service to hand out AdGuard Home's address as the DNS nameserver instead. AdGuard Home then has carte blanche to decide which DNS queries are allowed and which are blocked.
AdGuard Home is effectively a DNS proxy: it acts as your network's primary DNS nameserver, filters requests, then relays those that pass your configured filters to the "upstream" DNS nameservers, which do the real DNS resolution.
So AdGuard Home works at the DNS level, guarding your DNS requests with a layer of filtering.
Install AdGuard Home on VPS
This section is adapted from AdGuard Home's official wiki. All commands are adapted to an Ubuntu server.
Install the necessary requirement:
sudo apt install bind9-host
Download AdGuard Home's binaries and unpack them:
tar xvf AdGuardHome_linux_amd64.tar.gz
Then, install AdGuard Home as a system service:
sudo ./AdGuardHome -s install
If no errors are reported, AdGuard Home is now running on the server.
Here are the other commands you may need to control the service:
sudo ./AdGuardHome -s uninstall - uninstall the AdGuard Home service.
sudo ./AdGuardHome -s start - start the service.
sudo ./AdGuardHome -s stop - stop the service.
sudo ./AdGuardHome -s restart - restart the service.
sudo ./AdGuardHome -s status - check the status of the service.
You can also use systemctl to manage the AdGuardHome service:
sudo systemctl start AdGuardHome
sudo systemctl restart AdGuardHome
After installation, you can access AdGuard Home's web interface on port 3000 (by default), for example http://your-server-ip:3000. Replace your-server-ip with your VPS's public IP address or a domain name bound to it.
Follow the instructions on the web interface to finish the setup.
Some ports may already be used by other programs on the same server; just replace them with free ones and allow traffic on those ports through your firewall. I have set the default web interface port to 3000 instead of 80, which is already consumed by Nginx.
If you need to use port 53 (the standard DNS port, over UDP), follow the following section first.
Now it's safe to configure port 53 in AdGuard Home.
If you used a different port in AdGuard Home during setup, go to AdGuard Home's folder, edit the port number in AdGuardHome.yaml, then restart the AdGuard Home service for the change to take effect.
Enable DNS-over-HTTPS & DNS-over-TLS
Both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are built on TLS encryption[3], so to use them you need an SSL certificate for your registered domain name. You can get one for free from Let's Encrypt; follow the steps in a previous post to obtain a certificate with Nginx.
Here's another example of getting an SSL certificate using a DNS challenge instead of Nginx:
In the end, you'll get the two .pem files required by AdGuard Home:
fullchain.pem – your PEM-encoded SSL certificate
privkey.pem – your PEM-encoded private key
Now open AdGuard Home's web interface (your-server-ip:3000, for example) and go to Settings > Encryption settings. Follow the page's instructions: set Server name to your domain name and choose a port number for the HTTPS port (yes, you can use ports other than 443). Leave the DNS-over-TLS port at its default of 853 so that DoT works properly.
In the Certificates section, point the file paths at the .pem files:
Set a certificates file path: /etc/letsencrypt/live/domain.example.com/fullchain.pem
Set a private key file: /etc/letsencrypt/live/domain.example.com/privkey.pem
Then, don’t forget to Save config.
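As an added check (example code, not from the original post or from AdGuard Home itself): once the encryption settings are saved, this stdlib-only Python script sends one A query over DNS-over-TLS to port 853 and lets Python's default TLS context verify the certificate chain and that the certificate matches the server name you configured. The server IP, server name and query name are placeholders you replace; parse_response also works on a captured response and reports the rcode, so a blocked name can be told apart from a resolved one.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """Encode a recursive A query in DNS wire format (RFC 1035); real clients use a random id."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    # An owner name is a run of labels, a compression pointer, or labels ending in a pointer.
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:
            return pos + 2
        if ln == 0:
            return pos + 1
        pos += ln + 1

def parse_response(msg, qid=0x1234):
    """Return rcode and A answers; a filtered name typically comes back as 0.0.0.0 or NXDOMAIN (rcode 3), depending on the blocking mode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x0F, "answers": answers}

def query_dot(server_ip, server_name, qname, port=853):
    """Send one query over TLS; the default context verifies the chain and that the cert matches server_name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            q = build_query(qname)
            tls.sendall(struct.pack("!H", len(q)) + q)  # DoT prefixes every message with a 2-byte length (RFC 7858)
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                buf += chunk
            return parse_response(buf[2:2 + struct.unpack("!H", buf[:2])[0]])
```

Call it as query_dot("203.0.113.10", "dns.example.com", "example.com") with your own server IP and the name on its certificate (the values here are placeholders); a certificate that does not match the server name makes wrap_socket raise before any query is sent.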
The core function of AdGuard Home is to filter DNS queries, but that relies on the filters you define.
Apple natively supports encrypted DNS (DoH and DoT) starting from this year. As long as the system is upgraded, we can manually enable our AdGuard Home service on Apple devices.
First, create a file named adg.mobileconfig (rename it as you prefer, but the extension must be .mobileconfig). Then paste the following template[4] into the profile file using a text editor (VS Code, nano, etc.):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Name</key>
      <string>AdGuardHome DNS over TLS</string>
      <key>PayloadDescription</key>
      <string>Configures device to use AdGuardHome Encrypted DNS over TLS</string>
      <key>PayloadDisplayName</key>
      <string>AdGuardHome DNS over TLS</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.9d6e5fdf-e404-4f34-ae94-27ed2f636ac4</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>35d5c8a0-afa6-4b36-a9fe-099a997b44ad</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>TLS</string>
        <key>ServerAddresses</key>
        <array>
          <string>2a00:5a60::ad1:0ff</string>
          <string>2a00:5a60::ad2:0ff</string>
          <string>176.103.130.130</string>
          <string>176.103.130.131</string>
        </array>
        <key>ServerName</key>
        <string>dns.adguard.com</string>
      </dict>
    </dict>
    <dict>
      <key>Name</key>
      <string>AdGuardHome DNS over HTTPS</string>
      <key>PayloadDescription</key>
      <string>Configures device to use AdGuard Encrypted DNS over HTTPS</string>
      <key>PayloadDisplayName</key>
      <string>AdGuardHome DNS over HTTPS</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.1a34c0a8-ed56-4417-bed5-d6f05f63b355</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>763f25ec-f421-411d-9928-3e8653b99155</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <key>ServerAddresses</key>
        <array>
          <string>2a00:5a60::ad1:0ff</string>
          <string>2a00:5a60::ad2:0ff</string>
          <string>176.103.130.130</string>
          <string>176.103.130.131</string>
        </array>
        <key>ServerURL</key>
        <string>https://dns.adguard.com/dns-query</string>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Adds the AdGuardHome DNS to Big Sur and iOS 14 based systems</string>
  <key>PayloadDisplayName</key>
  <string>AdGuardHome Encrypted DNS</string>
  <key>PayloadIdentifier</key>
  <string>macos.local.093e49d8-fe7f-4a2b-8a32-d32a09be4dd3</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>5de86739-393f-42be-a8f8-95735f100400</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Manually replace the ServerAddresses, ServerName and ServerURL values with your AdGuard Home's IPs and URIs. You can adjust the Name and description strings to your liking; leave the other strings and numbers untouched.
The template above configures both DoT and DoH. Delete one of the <dict>...</dict> entries inside <array>...</array> to keep only the one you want.
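Instead of hand-editing the template, this added Python script (not from the original post) builds the same two-payload profile for your own server with plistlib, generating fresh UUIDs and putting a non-default HTTPS port into the DoH URL, then parses the result back so a broken edit is caught before the profile is installed. The hostname dns.example.com, the addresses 203.0.113.10 and 2001:db8::10 and port 8443 used with it are constructed sample values.

```python
import plistlib, uuid

def dns_payload(name, protocol, addresses, server_name=None, server_url=None):
    """One com.apple.dnsSettings.managed payload: DoT needs ServerName, DoH needs ServerURL."""
    if protocol == "TLS":
        settings = {"DNSProtocol": "TLS", "ServerAddresses": list(addresses), "ServerName": server_name}
    elif protocol == "HTTPS":
        settings = {"DNSProtocol": "HTTPS", "ServerAddresses": list(addresses), "ServerURL": server_url}
    else:
        raise ValueError("DNSProtocol must be TLS or HTTPS")
    pid = str(uuid.uuid4())  # every payload gets its own UUID so profiles never collide on a device
    return {
        "Name": name,
        "PayloadDescription": f"Configures device to use {name}",
        "PayloadDisplayName": name,
        "PayloadIdentifier": f"com.apple.dnsSettings.managed.{pid}",
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadUUID": pid,
        "PayloadVersion": 1,
        "DNSSettings": settings,
    }

def build_profile(server_name, addresses, https_port=443, with_dot=True, with_doh=True):
    """Return the .mobileconfig (plist XML bytes) for a self-hosted AdGuard Home at server_name."""
    payloads = []
    if with_dot:  # DoT always uses port 853, which is why the page says to leave that port at its default
        payloads.append(dns_payload("AdGuardHome DNS over TLS", "TLS", addresses, server_name=server_name))
    if with_doh:  # a non-default HTTPS port must be part of the URL
        port = "" if https_port == 443 else f":{https_port}"
        payloads.append(dns_payload("AdGuardHome DNS over HTTPS", "HTTPS", addresses, server_url=f"https://{server_name}{port}/dns-query"))
    if not payloads:
        raise ValueError("enable at least one of DoT and DoH")
    return plistlib.dumps({
        "PayloadContent": payloads,
        "PayloadDescription": "Adds the AdGuardHome DNS to Big Sur and iOS 14 based systems",
        "PayloadDisplayName": "AdGuardHome Encrypted DNS",
        "PayloadIdentifier": f"macos.local.{uuid.uuid4()}",
        "PayloadRemovalDisallowed": False,
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
    })

def check_profile(data):
    p = plistlib.loads(data)  # round-trip: a broken edit fails here instead of on the device
    content = p["PayloadContent"]
    uuids = [p["PayloadUUID"]] + [c["PayloadUUID"] for c in content]
    protos = [c["DNSSettings"]["DNSProtocol"] for c in content]
    ends = [c["DNSSettings"].get("ServerName") or c["DNSSettings"]["ServerURL"] for c in content]
    return {"protocols": protos, "endpoints": ends, "unique_uuids": len(uuids) == len(set(uuids))}
```

Write the bytes returned by build_profile("dns.example.com", ["203.0.113.10", "2001:db8::10"], https_port=8443) to adg.mobileconfig and install it as described below.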
Share the config file through iCloud and open it directly from Files on iOS; it will say Profile Downloaded.
Email yourself the file and open it from Safari.
Share the file to your iOS device with AirDrop; it will automatically be placed under General -> Profiles.
Upload it to a web server, and then open it from Safari.
After you receive the profile, go to Settings -> General -> Profiles; you'll see a downloaded profile item. Tap it, check that everything is right, and then install it.
Go to Settings -> General -> VPN & Network -> DNS. There you will find all installed DNS servers, just select one.
macOS Big Sur:
Double-click the resulting adg.mobileconfig file in Finder. You will receive a notification that a profile has been installed and is waiting for review. Approve the new profile, then go on to Settings.
It will warn that the file is unsigned, but this just means it was not cryptographically signed for distribution, which is standard for DIY configuration profiles.
Cheers, you have now enabled encrypted DNS with your AdGuard Home.
[1] The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network.
[2] The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.
[3] Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
[4] How to configure DNS security using Cloudflare DNS.
Hey, there! This is Frank Lin (@flinhong), one of the 1.4 billion 🇨🇳. This 'inDev. Journal' site holds the exploration of my quirky thoughts and random adventures through life. Hope you enjoy reading and perusing my posts.