Differences
| docs:guide-user:services:dns:adguard-home [2022/01/29 21:18] – [Setup] fix ipv6 DNS for multiple ips. mercygroundabyss | docs:guide-user:services:dns:adguard-home [2022/06/25 22:41] – [Bypassing encrypted DNS for NTP] enhanced warning for NTP bypass for lookups. mercygroundabyss | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== AdGuard Home ====== | ====== AdGuard Home ====== | ||
| - | AdGuard Home (AGH) is a free and open source network-wide advertising and trackers blocking DNS server. It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It is based on software used with public AdGuard DNS servers. | + | [[https:// |
| In addition, AdGuard Home also offers DNS encryption features such as DNS over TLS (DoT) and DNS over HTTPS (DoH) built-in without any additional packages needed. | In addition, AdGuard Home also offers DNS encryption features such as DNS over TLS (DoT) and DNS over HTTPS (DoH) built-in without any additional packages needed. | ||
| + | |||
| + | {{: | ||
| ===== Prerequisites ===== | ===== Prerequisites ===== | ||
| Line 12: | Line 14: | ||
| * Minimum of 50MB free RAM. | * Minimum of 50MB free RAM. | ||
| - | * Minimum of 30MB free disk/flash space ([[# | + | * Minimum of 100MB free disk/flash space ([[# |
| * Higher performance routers i.e. dual-core with higher processor clock speeds are recommended. | * Higher performance routers i.e. dual-core with higher processor clock speeds are recommended. | ||
| Line 20: | Line 22: | ||
| An alternative option could be to use a Raspberry Pi Zero plugged into your routers USB port to run AGH. [[https:// | An alternative option could be to use a Raspberry Pi Zero plugged into your routers USB port to run AGH. [[https:// | ||
| + | |||
| + | ==== DNS latency/ | ||
| + | |||
| + | For the best performance and lowest latency on DNS requests, AGH should be your primary DNS resolver in your DNS chain. If you currently have dnsmasq or unbound installed, you should move these services to an alternative port and have AGH use DNS port 53 with upstream DNS resolvers of your choice configured. This wiki recommends keeping dnsmasq/ | ||
| + | |||
| + | The rationale for this is due to resolvers like dnsmasq forking each DNS request when AGH is set as an upstream, this will have an impact on DNS latency which is can be viewed in the AGH dashboard. You will also not benefit from being able to see the DNS requests made by each client if AGH is not your primary DNS resolver as all traffic will appear from your router. | ||
| + | |||
| + | The install script in the setup section will move dnsmasq to port 5353 and set it for AGH to use as local PTR / reverse DNS lookups. | ||
| + | |||
| + | ==== Flash/ | ||
| + | |||
| + | The compiled '' | ||
| + | |||
| + | Currently (May 2022 edge build 108) a full install to the /opt folder you really require about 100mb of space. | ||
| + | * (70mb) 35mb x2 for the AGH binary and again for when it backups and upgrades. (that' | ||
| + | * 20mb for my filters. (Again you can raise or lower this depending on what lists you use) | ||
| + | * 2mb - 90 days of statistics. | ||
| + | * 53mb - 7 days of query logs. | ||
| + | |||
| + | You can tweak your logging to keep things smaller if required. | ||
| + | |||
| + | ==== Query/ | ||
| + | |||
| + | One of the main benefits of AGH is the detailed query and statistics data provided, however for many routers having long retention periods for this data can cause issues (see flash/ | ||
| ===== Installation ===== | ===== Installation ===== | ||
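Review bot: the storage breakdown in the new Flash/storage section does not add up to the figure it states: 70mb (binary plus its backup copy) + 20mb (filters) + 2mb (statistics) + 53mb (query logs) is roughly 145mb, not "about 100mb", so either the total or the per-item numbers need correcting, and the Prerequisites minimum raised to 100MB in the same edit should follow whichever is right. Two grammar slips travel with the moved text and are worth fixing while it is being touched: "a full install to the /opt folder you really require about 100mb" and "which is can be viewed in the AGH dashboard". The unit is also written both "MB" and "mb"; pick one.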
| Line 75: | Line 101: | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| uci add_list dhcp.@dnsmasq[0].server=" | uci add_list dhcp.@dnsmasq[0].server=" | ||
| - | #delete | + | |
| + | #Delete | ||
| + | uci -q delete dhcp.lan.dhcp_option | ||
| uci -q delete dhcp.lan.dns | uci -q delete dhcp.lan.dns | ||
| - | for OUTPUT in $(ip -json address | + | # DHCP option 6: which DNS (Domain Name Server) to include in the IP configuration for name resolution |
| + | uci add_list dhcp.lan.dhcp_option=' | ||
| + | |||
| + | #DHCP option 3: default router or last resort gateway for this interface | ||
| + | uci add_list dhcp.lan.dhcp_option=' | ||
| + | |||
| + | #Set IPv6 Announced DNS | ||
| + | for OUTPUT in $(ip -o -6 addr list br-lan | ||
| do | do | ||
| echo " | echo " | ||
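Review bot: the new `uci -q delete dhcp.lan.dhcp_option` clears every dhcp_option entry on the lan interface before options 6 and 3 are re-added, so any other option a user had configured there (an NTP server option, for instance) is silently dropped; the "#Delete" comment above it should say so, or the script should remove only the two entries it is about to replace. The rewritten IPv6 loop over `ip -o -6 addr list br-lan` is cut off here, but if it is not filtered by scope it will also pick up the link-local fe80:: address; only global and ULA addresses should be announced as DNS servers.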
| Line 104: | Line 139: | ||
| {{: | {{: | ||
| - | === LAN domain interception == | ||
| - | |||
| - | Adding the following to the Upstream DNS Server configuration will intercept any LAN domain request or requests without a FQDN and pass those requests to the appropriate resolver, which is mostly like your OpenWrt router but it doesn' | ||
| - | |||
| - | The default LAN domain configured by OpenWrt is " | ||
| - | |||
| - | **Settings** -> **DNS Settings** > **Upstream Servers** | ||
| - | |||
| - | < | ||
| - | [/ | ||
| - | [// | ||
| - | </ | ||
| - | |||
| - | === Reverse DNS (rDNS) === | ||
| - | |||
| - | To enable rDNS so AGH picks up your DHCP assignments from OpenWrt. | ||
| - | |||
| - | - From the AdGuard Home web interface **Settings** -> **DNS settings** | ||
| - | - Scroll to " | ||
| - | - Add '' | ||
| - | - Tick both "//Use private reverse DNS resolvers//" | ||
| - | |||
| - | {{: | ||
| ==== Manual installation ==== | ==== Manual installation ==== | ||
| Line 140: | Line 152: | ||
| Recommendations and best configuration practices for using AGH on OpenWrt. | Recommendations and best configuration practices for using AGH on OpenWrt. | ||
| - | === Web interface === | + | ==== Web interface |
| - | AdGuard Home has it's own web interface for configuration and management and is not managed through LuCI. There is no official LuCI application for managing AdGuard Home. By default the web interface will be on port TCP 3000. To access the web interface, use the IP of your router: http:// | + | AdGuard Home has it's own web interface for configuration and management and is not managed through LuCI. There is no official LuCI application for managing AdGuard Home. By default the web setup interface will be on port TCP 3000. To access the web interface, use the IP of your router: http:// |
| + | |||
| + | By default LuCI will be configured to use standard ports TCP 80/443, so AdGuard Home will need to use an alternative port for the web interface. You can use the default | ||
| + | |||
| + | Once AGH is active then [[https:// | ||
| Note: Some settings may not be editable via the web interface and instead will need to be changed by editing the '' | Note: Some settings may not be editable via the web interface and instead will need to be changed by editing the '' | ||
| - | === Nginx Reverse proxy through LuCI === | + | ==== Nginx Reverse proxy through LuCI ==== |
| If you already use [[: | If you already use [[: | ||
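Review bot: "AdGuard Home has it's own web interface" on both sides of this hunk should read "its own". Since the new paragraph explains that LuCI keeps TCP 80/443, it would help to state plainly that port 3000 is only the first-run setup wizard and that the port chosen in the wizard is the one the rest of the page's web interface instructions refer to.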
| Line 168: | Line 184: | ||
| If you have configured TLS on LuCI, there' | If you have configured TLS on LuCI, there' | ||
| - | === Debugging | + | ==== Reverse DNS (rDNS) ==== |
| - | If AdGuard Home won't start, you will want to view error logs to understand why. | + | To enable rDNS so AGH picks up your DHCP assignments from OpenWrt. |
| - | If using the opkg package you can view syslog for errors using '' | + | - From the AdGuard Home web interface **Settings** -> **DNS settings** |
| + | - Scroll to " | ||
| + | - Add '' | ||
| + | - Tick both "//Use private reverse DNS resolvers//" | ||
| - | <code bash> | + | {{: |
| - | logread -e AdGuardHome | + | |
| - | </ | + | |
| - | You can also run AdGuardHome from command line and see the output directly. | + | ==== LAN domain interception ==== |
| - | <code bash> | + | Adding the following to the Upstream DNS Server configuration will intercept any LAN domain request or requests without a FQDN and pass those requests to the appropriate resolver, which is mostly like your OpenWrt router but it doesn' |
| - | AdGuardHome -v -c / | + | |
| - | </ | + | |
| - | This example uses the defaults set in the init script with the extra addition of the verbose flag. | + | The default LAN domain configured by OpenWrt is " |
| - | * '' | + | (127.0.0.1) local loopback is used here to enable |
| - | * '' | + | |
| - | * '' | + | |
| - | * '' | + | |
| - | The most common reason for AdGuard Home not starting is due to syntax errors in the '' | + | **Settings** -> **DNS Settings** > **Upstream Servers** |
| - | === Flash/storage space requirements === | + | < |
| + | [/lan/ | ||
| + | [// | ||
| + | </ | ||
| - | The compiled '' | ||
| - | |||
| - | === Query/ | ||
| - | |||
| - | One of the main benefits of AGH is the detailed query and statistics data provided, however for many routers having long retention periods for this data can cause issues (see flash/ | ||
| - | |||
| - | === DNS latency/ | ||
| - | |||
| - | For the best performance and lowest latency on DNS requests, AGH should be your primary DNS resolver in your DNS chain. If you currently have dnsmasq or unbound installed, you should move these services to an alternative port and have AGH use DNS port 53 with upstream DNS resolvers of your choice configured. This wiki recommends keeping dnsmasq/ | ||
| - | |||
| - | The rationale for this is due to resolvers like dnsmasq forking each DNS request when AGH is set as an upstream, this will have an impact on DNS latency which is can be viewed in the AGH dashboard. You will also not benefit from being able to see the DNS requests made by each client if AGH is not your primary DNS resolver as all traffic will appear from your router. | ||
| - | === Creating ipset policies === | + | ==== Creating ipset policies |
| For users using ipset policies for purposes such as VPN split tunnelling, AGH provides ipset functionality similar to dnsmasq. The configuration/ | For users using ipset policies for purposes such as VPN split tunnelling, AGH provides ipset functionality similar to dnsmasq. The configuration/ | ||
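Review bot: "which is mostly like your OpenWrt router" in the moved LAN domain interception paragraph should be "which is most likely your OpenWrt router". The path line "**Settings** -> **DNS Settings** > **Upstream Servers**" mixes "->" and ">" as separators while the rDNS steps just above use "->" throughout; use one. The explanation added under the upstream block, "(127.0.0.1) local loopback is used here to enable", should also tie the loopback upstream to the dnsmasq instance the install script moves to port 5353, so readers who installed manually know what must be listening there for these entries to work.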
| Line 243: | Line 247: | ||
| Like dnsmasq, an ipset policy in AGH can have one or more domains as well as be assigned to multiple ipset chains. Further information on ipset functionality can be found on the [[https:// | Like dnsmasq, an ipset policy in AGH can have one or more domains as well as be assigned to multiple ipset chains. Further information on ipset functionality can be found on the [[https:// | ||
| - | **Note:** The ipset chains must exist before being used or referenced | + | **Note:** The ipset chains must exist before being used or referenced |
| - | === AGH as a NextDNS client === | + | ==== AGH as a NextDNS client |
| AGH is recommended to be used with filtering disabled as a NextDNS client. [[https:// | AGH is recommended to be used with filtering disabled as a NextDNS client. [[https:// | ||
| - | === DNS interception | + | ===== DNS Interception ===== |
| - | Some devices will bypass DHCP provided DNS servers e.g. Google Chromecast. In order to make sure all DNS traffic goes through your primary DNS resolver. You can enforce this through | + | Some devices will bypass DHCP provided DNS servers e.g. Google Chromecast. |
| + | |||
| + | In order to make sure all DNS traffic goes through your primary DNS resolver, you can enforce this through firewall | ||
| + | |||
| + | ==== IPTables (firewall3) ==== | ||
| Copy and paste these iptables rules in **Network -> Firewall -> Custom Rules Tab** or directly to ''/ | Copy and paste these iptables rules in **Network -> Firewall -> Custom Rules Tab** or directly to ''/ | ||
| Line 277: | Line 285: | ||
| [[: | [[: | ||
| - | === Bypassing encrypted DNS for NTP === | + | ==== NFT Tables (firewall4) ==== |
| + | <code bash> | ||
| + | nft add rule nat pre udp dport 53 ip saddr 192.168.1.0/ | ||
| + | </ | ||
| + | This will redirect all DNS traffic from 192.168.1.0/ | ||
| + | |||
| + | ===== Bypassing encrypted DNS for NTP ===== | ||
| + | |||
| + | <WRAP important 100%> | ||
| + | In order for SSL to work the correct date/time MUST be set on the device. Not all routers have a Real Time Clock and thus must use NTP to update to the correct date/time on boot. As SSL will NOT work without the correct date/time you MUST bypass encrypted DNS to enable NTP updates to work. | ||
| + | </ | ||
| + | <WRAP important 100%> | ||
| + | Your router does NOT need encrypted DNS. Only your clients behind the router require filtering and encryption. Setting your router to use AGH as its DNS **WILL** result in failed NTP lookups unless you bypass encrypted lookups for NTP. This is **NOT** a recommended setup. Your router should have its own unencrypted upstream for NTP lookups. | ||
| + | </ | ||
| When using a upstream DNS setup that utilises DNS encryption e.g. DoT or DoH, you may come across a race condition on startup where communication to such DNS resolvers is not possible because of the NTP service not being able to establish a connection to a network time source and the set the correct time on your router. Given encrypted DNS relies on TLS/ | When using a upstream DNS setup that utilises DNS encryption e.g. DoT or DoH, you may come across a race condition on startup where communication to such DNS resolvers is not possible because of the NTP service not being able to establish a connection to a network time source and the set the correct time on your router. Given encrypted DNS relies on TLS/ | ||
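Review bot: the firewall4 example `nft add rule nat pre udp dport 53 ip saddr 192.168.1.0/...` has two problems. First, fw4 on OpenWrt builds its ruleset in the `inet fw4` table (DNAT rules live in its `dstnat` chain), so a table called `nat` with a chain called `pre` will not exist on a stock system and the command fails unless the reader creates them; the rule should target the fw4 table and chain or, better, go into a file under /etc/nftables.d/ that fw4 includes, which also means it survives a firewall reload and a reboot, something a one-off `nft add rule` does not. Second, it matches `udp dport 53` only, so DNS over TCP (large responses and retries after truncation) still reaches the original destination; add the matching tcp rule. The two WRAP important boxes about NTP say largely the same thing and could be merged into one.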
| Line 294: | Line 315: | ||
| Click apply to enable these specific DNS rules. | Click apply to enable these specific DNS rules. | ||
| - | ===== Data Files ===== | + | ===== Debugging |
| - | The '' | + | If AdGuard Home won't start, you will want to view error logs to understand why. |
| - | < | + | |
| - | root@OpenWrt:/ | + | If using the opkg package you can view syslog for errors using '' |
| - | drwxr-xr-x | + | |
| - | drwxrwxrwx | + | < |
| - | drwxr-xr-x | + | logread -e AdGuardHome |
| - | -rw-r--r-- | + | |
| - | -rw-r--r-- | + | |
| - | -rw-r--r-- | + | |
| - | -rw-r--r-- | + | |
| </ | </ | ||
| - | querylog files : These are your DNS queries. Can be removed. | + | You can also run AdGuardHome from command line and see the output directly. |
| - | sessions.db : active logins to AGH currently. This can be deleted but you will need to relog back in. | + | <code bash> |
| + | AdGuardHome -v -c / | ||
| + | </ | ||
| - | stats.db : Your statistics database. can purge but you will lose your statistics data. | + | This example uses the defaults set in the init script with the extra addition of the verbose flag. |
| - | The filters folder contains all your filter downloads. Purge if it is full but AGH will re-download your filters. | + | * '' |
| - | If your filters are too large for your diskspace you will have to disable large filters | + | * '' |
| + | * '' | ||
| + | * '' | ||
| - | The '' | + | The most common reason for AdGuard Home not starting is due to syntax errors in the '' |
| ===== Uninstalling ===== | ===== Uninstalling ===== | ||
| Line 367: | Line 388: | ||
| Reconnect your clients to apply the changes. | Reconnect your clients to apply the changes. | ||
| + | |||
| + | ===== Data Files ===== | ||
| + | |||
| + | The '' | ||
| + | < | ||
| + | root@OpenWrt:/ | ||
| + | drwxr-xr-x | ||
| + | drwxrwxrwx | ||
| + | drwxr-xr-x | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | </ | ||
| + | |||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | |||
| + | The filters folder contains all your filter downloads. Purge if it is full but AGH will re-download your filters. | ||
| + | |||
| + | If your filters are too large for your diskspace you will have to disable large filters and restrict their usage. | ||
| + | |||
| + | The '' | ||
| ===== References ===== | ===== References ===== | ||
| * [[https:// | * [[https:// | ||
| - | * [[https:// | ||
| * [[https:// | * [[https:// | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
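Review bot: "diskspace" in the moved Data Files section should be "disk space", and "you will need to relog back in" reads better as "you will need to log back in". The directory listing should say which directory the sizes belong to so readers can relate them to the Flash/storage section.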