Differences

docs:guide-user:services:dns:adguard-home [2022/06/25 22:22] – Moved sections for more logical layout. mercygroundabyss
docs:guide-user:services:dns:adguard-home [2022/06/25 22:41] – [Bypassing encrypted DNS for NTP] enhanced warning for NTP bypass for lookups. mercygroundabyss
Line 139: Line 139:
 {{:media:adguard_home_web_interface.gif?600|}} {{:media:adguard_home_web_interface.gif?600|}}
  
-==== Reverse DNS (rDNS) ==== 
- 
-To enable rDNS so AGH picks up your DHCP assignments from OpenWrt. 
- 
-  - From the AdGuard Home web interface **Settings** -> **DNS settings** 
-  - Scroll to "Private reverse DNS servers" 
-  - Add ''192.168.1.1:5353'' 
-  - Tick both "//Use private reverse DNS resolvers//" and "//Enable reverse resolving of clients' IP addresses//" boxes and click apply. 
- 
-{{:media:doc:howtos:rdns_agh.png?600|}} 
- 
-==== LAN domain interception ==== 
- 
-Adding the following to the Upstream DNS Server configuration will intercept any LAN domain request or requests without a FQDN and pass those requests to the appropriate resolver, which is mostly like your OpenWrt router but it doesn't have to be.  
- 
-The default LAN domain configured by OpenWrt is "lan", but if you have configured you own domain, you can use this in the example code below: 
- 
-(127.0.0.1) local loopback is used here to enable statistics tracking but you may also use your router ip (192.168.1.1) here too. 
- 
-**Settings** -> **DNS Settings** > **Upstream Servers** 
- 
-<code> 
-[/lan/]127.0.0.1:5353 
-[//]127.0.0.1:5353 
-</code> 
  
 ==== Manual installation ==== ==== Manual installation ====
Line 178: Line 153:
  
 ==== Web interface ==== ==== Web interface ====
- 
  
 AdGuard Home has it's own web interface for configuration and management and is not managed through LuCI. There is no official LuCI application for managing AdGuard Home. By default the web setup interface will be on port TCP 3000. To access the web interface, use the IP of your router: http://192.168.1.1:3000. If this is the first time you have installed AdGuard Home you will go through the setup process.  AdGuard Home has it's own web interface for configuration and management and is not managed through LuCI. There is no official LuCI application for managing AdGuard Home. By default the web setup interface will be on port TCP 3000. To access the web interface, use the IP of your router: http://192.168.1.1:3000. If this is the first time you have installed AdGuard Home you will go through the setup process. 
Line 184: Line 158:
 By default LuCI will be configured to use standard ports TCP 80/443, so AdGuard Home will need to use an alternative port for the web interface. You can use the default setup port TCP 3000 or change it to an alternative (8080 is the usual port 80 replacememt).  By default LuCI will be configured to use standard ports TCP 80/443, so AdGuard Home will need to use an alternative port for the web interface. You can use the default setup port TCP 3000 or change it to an alternative (8080 is the usual port 80 replacememt). 
  
-Once AGH is active then [[https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration|follow the official AdGuard Home wiki instructions]] to configure upstreams and filters.+Once AGH is active then [[https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration|follow the official AdGuard Home wiki instructions]] to configure upstreams and filters. A list of known DNS providers and settings is here : [[https://adguard-dns.io/kb/general/dns-providers/|Known DNS Providers]]
  
 Note: Some settings may not be editable via the web interface and instead will need to be changed by editing the ''adguardhome.yaml'' configuration file. Note: Some settings may not be editable via the web interface and instead will need to be changed by editing the ''adguardhome.yaml'' configuration file.
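Review bot: style point on the sentence added at the end of the upstreams paragraph in this hunk: "is here : [[...|Known DNS Providers]]" has a stray space before the colon and reads awkwardly; suggest "A list of known DNS providers and their settings is maintained at [[https://adguard-dns.io/kb/general/dns-providers/|Known DNS Providers]]."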
Line 210: Line 184:
 If you have configured TLS on LuCI, there's no need to use TLS on AdGuard Home. Set ''allow_unencrypted_doh'' to false in ''adguardhome.yaml'' to allow AdGuard Home respond to DoH requests without TLS encryption. If you have configured TLS on LuCI, there's no need to use TLS on AdGuard Home. Set ''allow_unencrypted_doh'' to false in ''adguardhome.yaml'' to allow AdGuard Home respond to DoH requests without TLS encryption.
  
-==== Debugging ====+==== Reverse DNS (rDNS) ====
  
-If AdGuard Home won't start, you will want to view error logs to understand why.+To enable rDNS so AGH picks up your DHCP assignments from OpenWrt.
  
-If using the opkg package you can view syslog for errors using ''logread''.+  - From the AdGuard Home web interface **Settings** -> **DNS settings** 
 +  - Scroll to "Private reverse DNS servers" 
 +  - Add ''192.168.1.1:5353'' 
 +  - Tick both "//Use private reverse DNS resolvers//" and "//Enable reverse resolving of clients' IP addresses//" boxes and click apply.
  
-<code bash> +{{:media:doc:howtos:rdns_agh.png?600|}}
-logread -e AdGuardHome +
-</code>+
  
-You can also run AdGuardHome from command line and see the output directly.+==== LAN domain interception ====
  
-<code bash> +Adding the following to the Upstream DNS Server configuration will intercept any LAN domain request or requests without a FQDN and pass those requests to the appropriate resolver, which is mostly like your OpenWrt router but it doesn't have to be
-AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update +
-</code>+
  
-This example uses the defaults set in the init script with the extra addition of the verbose flag.+The default LAN domain configured by OpenWrt is "lan", but if you have configured you own domain, you can use this in the example code below:
  
-  * ''-v --verbose'' - Enables verbose output (useful for debugging). +(127.0.0.1) local loopback is used here to enable statistics tracking but you may also use your router ip (192.168.1.1) here too
-  * ''-c --config'' - Path to the AdGuard Home YAML config. + 
-  * ''-w --work-dir'' - Path to the set working directory where data such as logs and statistics are stored+**Settings** -> **DNS Settings** > **Upstream Servers** 
-  ''--no-check-update'' - Disables the built in update checker.+ 
 +<code> 
 +[/lan/]127.0.0.1:5353 
 +[//]127.0.0.1:5353 
 +</code>
  
-The most common reason for AdGuard Home not starting is due to syntax errors in the ''adguardhome.yaml'' config. 
  
 ==== Creating ipset policies ==== ==== Creating ipset policies ====
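Review bot: the moved "LAN domain interception" text carries two wording errors into its new position: "which is mostly like your OpenWrt router" should read "most likely", and "if you have configured you own domain" should read "your own domain"; since these lines are being re-placed anyway, fix them in the same edit. The unchanged context line at the top of this hunk also has inverted logic: ''allow_unencrypted_doh'' must be set to **true**, not false, for AdGuard Home to answer DoH over plain HTTP (false is the default that refuses it), so as written the instruction does the opposite of what the sentence intends. Two documentation points for the moved sections: both the rDNS step ("Add ''192.168.1.1:5353''") and the upstream rules (''[/lan/]127.0.0.1:5353'', ''[//]127.0.0.1:5353'') hard-code dnsmasq on port 5353, so a one-line pointer to where that port is configured would help readers who chose a different one; and it is worth saying explicitly that the ''[//]'' rule routes every dotless (unqualified) name to the local resolver, which is what keeps single-label LAN names from being sent to the encrypted upstreams.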
Line 319: Line 295:
  
 <WRAP important 100%> <WRAP important 100%>
-In order for SSL to work the correct date/time MUST be set on the device. Not all routers have a Real Time Clock and thus must use NTP to update to the correct date/time on boot. As SSL will NOT work without the correct date/time you MUST bypass encrypted DNS to enable NTP updates to work.+In order for SSL to work the correct date/time MUST be set on the device. Not all routers have a Real Time Clock and thus must use NTP to update to the correct date/time on boot. As SSL will NOT work without the correct date/time you MUST bypass encrypted DNS to enable NTP updates to work.  
 +</WRAP> 
 +<WRAP important 100%> 
 +Your router does NOT need encrypted DNS. Only your clients behind the router require filtering and encryption. Setting your router to use AGH as its DNS **WILL** result in failed NTP lookups unless you bypass encrypted lookups for NTP. This is **NOT** a recommended setup. Your router should have its own unencrypted upstream for NTP lookups.
 </WRAP> </WRAP>
- 
 When using a upstream DNS setup that utilises DNS encryption e.g. DoT or DoH, you may come across a race condition on startup where communication to such DNS resolvers is not possible because of the NTP service not being able to establish a connection to a network time source and the set the correct time on your router. Given encrypted DNS relies on TLS/certificates, having accurate time is more important. To prevent this, you can allow NTP DNS requests to use plain DNS, regardless of the upstream DNS resolvers set. When using a upstream DNS setup that utilises DNS encryption e.g. DoT or DoH, you may come across a race condition on startup where communication to such DNS resolvers is not possible because of the NTP service not being able to establish a connection to a network time source and the set the correct time on your router. Given encrypted DNS relies on TLS/certificates, having accurate time is more important. To prevent this, you can allow NTP DNS requests to use plain DNS, regardless of the upstream DNS resolvers set.
  
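Review bot: the second WRAP box added here states that pointing the router at AGH "WILL result in failed NTP lookups", but the context paragraph directly below frames it as a boot-time race that bites devices without an RTC; suggest qualifying the new sentence to match ("on a router without an RTC, until the clock has been set, ..."), otherwise the two passages contradict each other. Also suggest naming the simplest way out next to the bypass: give the NTP servers as IP addresses in the router's time configuration so the lookup never depends on DNS at all, or leave the router's own resolver on a plain upstream while only LAN clients use AGH, which is what the new box already recommends. Minor: the first box says "SSL" while the paragraph says "TLS/certificates"; use TLS throughout, and consider merging the two adjacent important boxes into one.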
Line 336: Line 314:
  
 Click apply to enable these specific DNS rules. Click apply to enable these specific DNS rules.
 +
 +===== Debugging =====
 +
 +If AdGuard Home won't start, you will want to view error logs to understand why.
 +
 +If using the opkg package you can view syslog for errors using ''logread''.
 +
 +<code bash>
 +logread -e AdGuardHome
 +</code>
 +
 +You can also run AdGuardHome from command line and see the output directly.
 +
 +<code bash>
 +AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update
 +</code>
 +
 +This example uses the defaults set in the init script with the extra addition of the verbose flag.
 +
 +  * ''-v --verbose'' - Enables verbose output (useful for debugging).
 +  * ''-c --config'' - Path to the AdGuard Home YAML config.
 +  * ''-w --work-dir'' - Path to the set working directory where data such as logs and statistics are stored.
 +  * ''--no-check-update'' - Disables the built in update checker.
 +
 +The most common reason for AdGuard Home not starting is due to syntax errors in the ''adguardhome.yaml'' config.
  
 ===== Uninstalling ===== ===== Uninstalling =====
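Review bot: the Debugging section re-added here uses a five-equals heading (''===== Debugging ====='') where the removed copy earlier in this diff used four (''==== Debugging ===='' ), so the move also promotes it from a subsection to a top-level section beside Uninstalling; confirm that is intended, since the edit summary only mentions moving sections. On the manual-run example (''AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update''): add a line telling readers to stop the running service first, otherwise the second instance cannot bind the same listening ports and that bind failure will be misread as the original problem; and add a caveat that verbose output can include the queries being resolved and the clients asking for them, so it should be redacted before being pasted into a public bug report.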
  • Last modified: 2022/07/01 17:56
  • by mercygroundabyss