AdGuard Home and DNS-over-HTTPS

If you’re not familiar with PiHole or AdGuard here’s a quick summary:
We all know browser extensions like uBlock, AdBlock Plus etc. and while these work quite well they only protect a single browser. PiHole and AdGuard Home are small open source DNS servers that function just like any other standalone DNS server while blocking ads, tracking, malware and other unwanted stuff all across your network and all devices. Not just in browsers but also in mobile apps, gaming consoles, operating systems and home appliances like your smart TV, robot vacuum cleaner, etc.. If you have kids this will also be an easy way to protect them online by just adding the IP of your AdGuard/PiHole server as default DNS in your wifi router.

For years I’ve been protecting my home network and blocking ads and malware with PiHole, but sadly recently my Raspberry Pi died. Pi’s are out of stock all over the world currently so I went looking for alternatives. One of the more popular alternatives is AdGuard Home, an open source project with a lot of the same features as PiHole but also offering DNS-over-HTTPS and DNS-over-TLS. I decided to give it a shot and must admit that I’m quite impressed and pleased with how well it works. You can easily find guides on how to set it up but I found most guides lacking essential parts about certificates and DNS-over-TLS and DNS-over-HTTPS, so I decided to write my own guide here.

This guide will cover how to set up AdGuard Home on a public server that you can reach from any device all around the world. You can also run it locally on your own network, just skip the part about certificates and

What we will cover

1. Installing AdGuard Home on a Linux server. I will cover installation in CentOS 8 stream.
   (you can also install AdGuard Home as an application but I wont cover that here)
   
2. A domain name
3. An SSL certificate
4. Enable DNS-over-HTTPS in Windows 11
5. Enable DNS-over-TLS on your Android phone

Part 1 – Linux server and installation

If you don’t already have a Linux server I can recommend getting a virtual machine (VPS) from Contabo, that is what I’ve been using for several years now.

Make sure your server is up to date and has CURL and BIND-UTILS or DNSUTILS

dnf update
dnf install curl
dnf install bind-utils

An important thing to have in mind:
You can run AdGuard Home as a simple unencrypted DNS server (preferably locally behind your firewall) on port 53/UDP but if you want to use DNS-over-HTTPS and DNS-over-TLS (especially on a public server) you need to have a few ports available:

• The admin interface is webbased and running on port 3000/TCP by default
• DNS-over-HTTPS over port 443/TCP. This port will also be used for the admin webinterface if you activate HTTPS/SSL instead of port 3000
• DNS-over-TLS requires port 853/TCP
• Regular unencrypted DNS will run on port 53/UDP

If you are already running a webserver on your Linux server this might be an issue, especially port 443. If this is the case I recommend running AdGuard on a seperate IP address or perhaps a completely separate server.

Installing AdGuard Home is easy:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

The installation script will tell you what URL you can use to access the admin interface and begin the initial setup. Do that, it’s just a few steps creating a user account.

You will probably need to open up the required ports in your firewall. Only open the ports that you need!

firewall-cmd --add-port=53/udp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --add-port=853/tcp --permanent
firewall-cmd --add-port=3000/tcp --permanent
firewall-cmd --reload

Your DNS server is now up and running and you can test it either from Linux with “dig”

dig neocortex.dk @xxx.xxx.xxx.xxx (replace with your server IP)

or from Windows command line / Powershell

nslookup neocortex.dk xxx.xxx.xxx.xxx (replace with your server IP)

Part 2 – Domain name

There are tons of places where you can buy and manage your own domain name so I wont cover that. I use Cloudflare (free).

Once you got your domain make sure that it is pointing to the IP address of your AdGuard server. Don’t activate proxy if using Cloudflare.

Part 3 – An SSL certificate

Like domain names you can buy certificates from all kinds of suppliers, but the easiest and cheapest (free) way is using Let’s Encrypt so that’s what I’m going with.

Once you have a domain name that is pointing to your server IP you can acquire a free SSL certificate with Let’s Encrypt using one of their many tools like Certbot and Lego. I prefer Lego – once installed you can request a new certificate like this:

lego --email="[email protected]" --domains="example.com" --http run

Lego will open a small standalone webservice on port 80 that is used to verify that you own the domain name and server/IP. If you already have a webservice running on port 80 you can also use that for verification with the –http.webroot option. See the Lego documentation for more info.

Move the new certificate and private key to a folder that makes sense to you, e.g. /opt/lego/ and enable encryption in AdGuard

Edit the paths so they point at your new certificates

and verify that the certificate is valid

Reload the AdGuard admin webpage and you should notice that it now is using HTTPS in your browser.

Part 4 – Enable DNS-over-HTTPS in Windows 11

DNS over a secure encrypted connection is a relatively new thing and not fully supported on all platforms. In Windows 11 it is possible to use DNS-over-HTTPS out of the box but only for a selection of preconfigured DNS servers from Google, Cloudflare and Quad9. In our case that is not really useful as we now have our own really nice adblocking DNS server so we need to expand the list of DNS-over-HTTPS enabled servers. We do this with the following Powershell command (as admin):

Add-DnsClientDohServerAddress -ServerAddress 111.222.333.444 -DohTemplate https://dns.neocortex.dk/dns-query -AutoUpgrade $true

Replace IP and DohTemplate with your own AdGuard servers IP and hostname.

Open your Network settings and edit the DNS settings with your AdGuard server IP.
Be sure to select Encrypted Only (DNS over HTTPS)

Part 5 – Enable DNS-over-TLS on your Android phone

On newer versions of Android OS you have an option to use a “Private DNS” which is using DNS-over-TLS.

Just open Settings -> Connection & Sharing -> Private DNS and select “Designated private DNS” and enter your domain name.

According to guides online it is also possible to use DNS-over-HTTPS/TLS on iPhone and MacOS, probably also on Linux, but I won’t be covering that in this guide

Done

Now that your devices are configure to use DNS over secure connections you can check the AdGuard query log and verify that your DNS requests are in fact using TLS and HTTPS: