A managed AdBlock powered by AdGuard Home with DoH & DoT enabled

filter ads from DNS

AdGuard Home is a network-wide ad-and-tracker blocking DNS server. Its purpose is to let you control your entire network and all your devices without requiring a client-side program. It is a fully-fledged server application which runs on a separate machine (your home router or even a VPS) and provides cross-device protection over your network, actively blocking certain requests made by the websites you visit. In this short guide, I will show you how to set up your own AdGuard Home on a VPS (preferably Ubuntu 18.04).

How does AdGuard Home work?

Whenever you navigate to a website using its URL (https://baidu.com, for example), your device needs to know which IP address that domain refers to. To determine the IP address, your device makes a DNS (domain name system[1]) query to a DNS nameserver, which responds with a DNS record for that domain containing its IP address and other information.

But how does your device know which DNS server to query for each request? Well, that is generally the job of your router's DHCP[2]. It is entirely possible to override the DNS server on the router, but most people won't do that and will keep the one configured by their ISP (Internet service provider).

There are thousands of public DNS servers out in the world, like Google's public DNS servers (8.8.8.8 & 8.8.4.4) or Cloudflare's 1.1.1.1. When you're running AdGuard Home in your network, you can configure your router's DHCP service to hand out AdGuard Home's address as the DNS nameserver instead. Once you do, AdGuard Home has carte blanche to decide which DNS queries are allowed and which ones are blocked.

AdGuard Home is effectively a DNS proxy: it acts as your network's primary DNS nameserver, filters requests, then relays the requests that satisfy your configured filters to an "upstream" DNS nameserver, which does the real DNS resolution.

So AdGuard Home works at the DNS level, guarding your DNS requests with a layer of filtering.

Install AdGuard Home on VPS

This section is adapted from AdGuard Home's official wiki. All commands are adapted to an Ubuntu server.

Initial installation

Install the necessary requirement:

sudo apt install bind9-host

Download AdGuard Home's binaries and unpack them:

wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz

tar xvf AdGuardHome_linux_amd64.tar.gz

Then, install AdGuard Home as a system service:

cd AdGuardHome

sudo ./AdGuardHome -s install

If no errors are reported, AdGuard Home is now running on the server.

Here are the other commands you might need to control the service.

  • sudo ./AdGuardHome -s uninstall - uninstall the AdGuard Home service.
  • sudo ./AdGuardHome -s start - start the service.
  • sudo ./AdGuardHome -s stop - stop the service.
  • sudo ./AdGuardHome -s restart - restart the service.
  • sudo ./AdGuardHome -s status - check the status of the service.

You can also use systemctl to manage the AdGuardHome service, e.g., sudo systemctl restart AdGuardHome.

After installation, you can access AdGuard Home's web interface on port 3000. For example, http://1.2.3.4:3000. Replace 1.2.3.4 with your VPS's public IP address, or with a domain name bound to it.

Follow the instructions on the web interface to finish the setup.

Some ports may already be used by other programs on the same server; just replace them with the ones you want and allow traffic on those ports in your firewall. I set the web interface port to 3000 instead of the default 80, which is already used by Nginx.

If you need to use port 53, follow the next section.

Getting rid of systemd-resolved consuming port 53

This section is based on this post: Getting rid of systemd-resolved consuming port 53.

In case port 53 is used by systemd-resolved and you still need it for AdGuard Home, you can safely stop systemd-resolved from using port 53.

sudo systemctl stop systemd-resolved

sudo nano /etc/systemd/resolved.conf

Set DNS and FallbackDNS in resolved.conf, and set DNSStubListener=no (uncommenting the line if needed). For example:

[Resolve]
DNS=127.0.0.1
FallbackDNS=9.9.9.9
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
DNSStubListener=no

Here, 127.0.0.1 points to AdGuard Home on my server, so all DNS queries from the server itself are handled by AdGuard Home.

Then, you need to link the generated resolv.conf:

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

sudo systemctl restart systemd-resolved

Now you can use port 53 in AdGuard Home.

If you used another port for AdGuard Home during setup, go to AdGuard Home's folder, edit the port number in AdGuardHome.yaml, then restart the AdGuard Home service for the change to take effect.

Enable DNS-over-HTTPS & DNS-over-TLS

Both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are based on TLS encryption[3], so in order to use them you will need to acquire an SSL certificate for your registered domain name. You can get the certificate for free from Let's Encrypt; follow the steps in a previous post to get a certificate with Nginx.

Here's another example of getting an SSL certificate using the DNS challenge instead of Nginx:

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot

sudo apt update
sudo apt install certbot

sudo certbot certonly --manual --preferred-challenges=dns

In the end, you'll get the two .pem files that AdGuard Home requires:

  1. fullchain.pem – your PEM-encoded SSL certificate
  2. privkey.pem – your PEM-encoded private key

Now, open AdGuard Home's web interface (your-server-ip:3000, for example) and go to Settings > Encryption settings. Follow the page's instructions, set Server name to your domain name and configure a port number for HTTPS port. Leave the default port number 853 for DNS-over-TLS port; Android devices require it to work properly.

In the Certificates section, you can now set the file paths referring to the .pem files:

  • Set a certificates file path: /etc/letsencrypt/live/domain.example.com/fullchain.pem
  • Set a private key file: /etc/letsencrypt/live/domain.example.com/privkey.pem

Then, don’t forget to Save config.
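Once encryption is saved, it is worth checking the DoH endpoint the way a browser would use it. The following script is an added example (not code from this post or from AdGuard Home): it builds a wire-format DNS query, sends it with an RFC 8484 GET (base64url in the dns= parameter) and parses the A answers to tell whether the name was filtered. DOH_URL is a placeholder; substitute the URL shown under Setup guide.

```python
import base64
import struct
import urllib.request

DOH_URL = "https://dns.example.invalid/dns-query"  # placeholder: use the URL from Setup guide

def build_query(name, qtype=1):
    """Wire-format DNS query; ID 0 as RFC 8484 recommends for cache-friendliness."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def encode_dns_param(query):
    """base64url without padding, as the ?dns= query parameter requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg, off):
    while True:  # walk labels until the root label or a compression pointer
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + ln

def parse_a_answers(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, addrs = flags & 0x0F, 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def is_blocked(rcode, addrs):
    """Filtered names come back as NXDOMAIN or a null address, depending on blocking mode."""
    return rcode == 3 or (bool(addrs) and all(a in ("0.0.0.0", "127.0.0.1") for a in addrs))

def doh_lookup(name, url=DOH_URL):
    """RFC 8484 GET: the encoded query travels in the ?dns= parameter."""
    param = encode_dns_param(build_query(name))
    req = urllib.request.Request(url + "?dns=" + param, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_answers(resp.read())
```

Call `is_blocked(*doh_lookup("some.tracker.example"))` against your server: a name from one of your filter lists should report blocked, while an ordinary name resolves normally.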

Filters

The core of AdGuard Home is filtering DNS queries. But that relies on the filters you define.

Here's the list of filters I use:

  • uBlock filters

    https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters.txt

  • uBlock filters – Badware risks

    https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt

  • uBlock filters – Privacy

    https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/privacy.txt

  • uBlock filters – Resource abuse

    https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt

  • uBlock filters – Unbreak

    https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/unbreak.txt

  • EasyList

    https://easylist.to/easylist/easylist.txt

  • EasyList China

    https://easylist-downloads.adblockplus.org/easylistchina.txt

  • EasyPrivacy

    https://easylist.to/easylist/easyprivacy.txt

  • Fanboy’s Annoyance List

    https://easylist.to/easylist/fanboy-annoyance.txt

  • Peter Lowe’s Ad and tracking server list

    https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext&_=217675

  • Filter unblocking search ads and self-promotion

    https://filters.adtidy.org/extension/chromium/filters/10.txt

More available ad-filters can be found at https://filterlists.com/.
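Most of the lists above are written for browser extensions, and a DNS-level blocker can only act on hostname rules such as ||host^ and hosts-file lines; cosmetic (##) and URL-path rules cannot be applied at the DNS level and are ignored. As an added example (not code from this post or from AdGuard Home, whose matcher supports more than this), the following Python script classifies the lines of a filter list by what a DNS filter can use and evaluates a name against the result. The sample list is constructed.

```python
import re

# Constructed sample mixing the syntaxes found in the lists above (not real list content).
SAMPLE_LIST = """\
! Title: constructed sample
||ads.example^
||tracker.example^$important
@@||allowed.tracker.example^
0.0.0.0 telemetry.example
example.org##.banner
/ad-banner.js$script
"""

HOST_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^(\$[a-z,=-]*)?$", re.I)  # ||host^ plus simple modifiers
HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+([a-z0-9.-]+)", re.I)  # hosts-file form

def classify(lines):
    """Sort filter lines into hostname 'block'/'allow' sets a DNS filter can use,
    counting comments and everything else it has to ignore."""
    out = {"block": set(), "allow": set(), "comment": 0, "ignored": 0}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "!#":
            out["comment"] += 1
            continue
        allow = line.startswith("@@")
        m = HOST_RULE.match(line[2:] if allow else line) or HOSTS_LINE.match(line)
        if m:
            out["allow" if allow else "block"].add(m.group(1).lower())
        else:
            out["ignored"] += 1  # cosmetic (##), URL-path or other non-hostname rules
    return out

def _suffix_hit(name, table):
    """||host^ matches the host itself and every subdomain beneath it."""
    labels = name.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in table for i in range(len(labels)))

def would_block(name, rules):
    """Exception (@@) rules override block rules, as in adblock syntax."""
    return not _suffix_hit(name, rules["allow"]) and _suffix_hit(name, rules["block"])
```

Running classify over a downloaded list shows how many of its rules actually contribute at the DNS level, which helps decide whether a list is worth the memory and update traffic.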

Configure in the browser/Android device

Android

Please note that encrypted DNS protocols are supported only on Android 9 and above.

To configure it, go to Settings > Network & internet > Advanced > Private DNS and enter your domain name there.

On my OnePlus phone (OxygenOS 9.0.9), it’s Settings > WiFi & Internet > Private DNS.

You can try my AdGuard Home with ZG5zLmluZGV2LnRr (base64-encoded) to have a taste. Note that query logs are enabled on my side…

I found that if I use Chrome on Android a lot, the connection to my private DNS often gets lost, showing "couldn't connect". Things got better when I switched my primary browser to Firefox on my phone. That's interesting…

Firefox & Chrome

Firefox now supports DoH; you can manually enable or disable DNS-over-HTTPS at Preferences > General > Network Settings > Enable DNS over HTTPS.

Change Use Provider to Custom and set the query URL to the one shown on AdGuard Home's web interface under Setup guide.

The same applies to Chrome's settings, but I haven't used Chrome for a long time. This post may help Chrome users: https://techcodex.com/how-to-enable-dns-over-https-doh-in-firefox-and-chrome/.

Also, there's a long list of available DoH servers you can choose from: https://github.com/curl/curl/wiki/DNS-over-HTTPS. Some of them are also configured with ad-blocking filters.

It seems that you can also specify the DoH server in Firefox for Android; details are discussed here: https://android.stackexchange.com/questions/214574/how-do-i-enable-dns-over-https-on-firefox-for-android. If you're using an older Android version, it's worth trying inside a browser.

  1. The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network.

  2. The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.

  3. Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.

林宏

Frank Lin
