Adguard Home installation configuration and related matters needing attention

Original link: https://www.microcharon.top/tech/304.html

Adguard Home

I recently started using Adguard Home to filter trackers and ads, and the results are very good. Below are the installation and configuration steps, along with some problems encountered along the way.

GitHub project address: AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)

The official Wiki is very detailed; anyone who needs advanced configuration should consult it: Home · AdguardTeam/AdGuardHome Wiki (github.com)

What is Adguard Home

AdGuard Home is a free and open-source DNS server that can be used to block ads, trackers, and malware on your network. It is easy to install and comes with a user-friendly web interface that allows you to configure it to your specific needs.

Installation steps in brief

Most mainstream platforms support deploying Adguard Home. If you install from Docker or from source, read the official installation tutorial directly. The following uses the Adguard Home binary deployed on Linux x86_64 as an example.

Automatic deployment

 # The first command installs via curl
 curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
 # The second command installs via wget
 wget --no-verbose -O - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
 # The third command installs via fetch
 fetch -o - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

  • -c <channel> switch to the given release channel (for the test channels, see below)
  • -r reinstall Adguard Home
  • -u uninstall Adguard Home
  • -v verbose output

Note that the -r and -u options are mutually exclusive. To switch to a test channel, use one of the following commands:

 # The first command switches the installation to the beta channel
 curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c beta
 # The second command switches the installation to the edge channel
 curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge

Source code deployment method

AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)

Docker deployment method

adguard/adguardhome – Docker Image | Docker Hub

Configuration steps in brief

Settings

General settings

Check “Use filters and hosts files to block specified domains” and leave the update interval at its default. It is recommended to also check “Use AdGuard browsing security web service” and “Use Safe Search”; for a household, “Use AdGuard parental control web service” can be checked as well.

In the statistics configuration section, if the machine running Adguard Home has little disk space, the retention interval can be reduced.

DNS settings

The DNS settings are the key part: resolution speed and quality depend on getting them right.

Select the upstream server according to the network environment of the machine used for deployment, preferring the one with the lowest latency. If you choose an encrypted upstream such as HTTPS/DoH/DoQ/DoT, you must first configure it in the encryption settings.

 #Adguard
 https://dns.adguard-dns.com/dns-query
 tls://dns.adguard-dns.com
 quic://dns.adguard-dns.com
 #Quad9
 https://dns11.quad9.net/dns-query
 tls://dns11.quad9.net

The “Load Balance” mode is selected by default. If you need faster resolution, you can choose the “Parallel Requests” option. The “Fastest IP Address” option is not recommended.

The Bootstrap DNS server is the downstream server used to resolve the IP address of the DoH/DoT resolver that you specified as the upstream; it varies with the network environment you use locally. For example, in mainland China you can choose the DNS IPs of Ali and Tencent.

The rate limit is the number of queries per second allowed per client. A setting of 0 means no limit; the default is 20 per second. Removing the limit can give faster resolution, but it also brings the hidden danger of being used for DDoS. If you want to lift the limit for a resolution service, see “Other configuration and related issues” below.

Encryption settings

If necessary, select the option “Enable Encryption (HTTPS, DNS-over-HTTPS, DNS-over-TLS)”. If another service already uses port 443, the HTTPS port must be changed; a currently unused port in the 100-1000 range is a suitable choice. DoT and DoQ default to port 853, which does not need to be changed, and DoT and DoQ can share the same port.

Client settings

This is mainly for assigning identifiers to devices that use Adguard Home DNS, which makes statistics and per-client rules easier. Clients whose IP changes frequently can be identified here. Setting a client identifier (ClientID) for DoH, DoT and DoQ requires that Adguard Home be reachable by domain name and have a wildcard certificate.

https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid

DHCP settings

This option applies when Adguard Home is deployed on a router. When it is deployed on a server, this option is generally left unset.

Filters

DNS blacklist

You can add your own block lists, or directly use the lists officially recommended by Adguard or other custom lists. Lists must follow the adblock or hosts syntax; regular expressions are supported.

https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists

DNS whitelist

Domains from the whitelist will be allowed as opposed to the blacklist

DNS rewriting

Similar to a hosts file entry: rewrite a domain name to point to a valid IP.

https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite

Blocked services

Blocks access to specific popular services, such as BiliBili, QQ, TikTok, etc. The settings here are global and take effect for all clients. To block a service only for a specific client, set it in the client settings.

Custom filter rules

Enter only one rule per line; rules can be added according to the filter syntax.

Other configuration and related issues

Advanced configuration can be done by directly editing the YAML file generated during the initial setup, AdGuardHome.yaml in the Adguard Home working directory; this requires familiarity with the YAML format.

Note: the Adguard Home service needs to be restarted every time the configuration is changed through the YAML file.

 bind_host: 0.0.0.0
 bind_port: 9000
 users:
   - name: Microcharon
     password: $2a$10$.aJppmrRwhxX8ajTBqqlYekWeScXl.DIGjfmvOjVRta.Llmt23OdC
   - name: Team
     password: $2a$10$Z1z6TgA.V9KIy134G6rfCug4v4NWI6vNugOuxN0.pXH8dV6S6hnYy
 auth_attempts: 5
 block_auth_min: 15
 http_proxy: ""
 language: zh-cn
 theme: auto
 debug_pprof: false
 web_session_ttl: 720
 dns:
   bind_hosts:
     - 0.0.0.0
   port: 53
   anonymize_client_ip: false
   protection_enabled: true
   blocking_mode: default
   blocking_ipv4: ""
   blocking_ipv6: ""
   blocked_response_ttl: 10
   parental_block_host: family-block.dns.adguard.com
   safebrowsing_block_host: standard-block.dns.adguard.com
   ratelimit: 20
   ratelimit_whitelist: []
   refuse_any: true
   upstream_dns:
     - '#Adguard'
     - https://dns.adguard-dns.com/dns-query
     - tls://dns.adguard-dns.com
     - quic://dns.adguard-dns.com
     - '#Quad9'
     - https://dns11.quad9.net/dns-query
     - tls://dns11.quad9.net
   upstream_dns_file: ""
   bootstrap_dns:
     - 9.9.9.10
     - 149.112.112.10
     - 2620:fe::10
     - 2620:fe::fe:10
   all_servers: false
   fastest_addr: false
   fastest_timeout: 1s
   allowed_clients: []
   disallowed_clients: []
   blocked_hosts:
     - version.bind
     - id.server
     - hostname.bind
   trusted_proxies:
     - 127.0.0.0/8
     - ::1/128
   cache_size: 20971520
   cache_ttl_min: 0
   cache_ttl_max: 0
   cache_optimistic: true
   bogus_nxdomain: []
   aaaa_disabled: false
   enable_dnssec: true
   edns_client_subnet:
     custom_ip: ""
     enabled: true
     use_custom: false
   max_goroutines: 300
   handle_ddr: true
   ipset: []
   ipset_file: ""
   filtering_enabled: true
   filters_update_interval: 24
   parental_enabled: false
   safesearch_enabled: true
   safebrowsing_enabled: true
   safebrowsing_cache_size: 1048576
   safesearch_cache_size: 1048576
   parental_cache_size: 1048576
   cache_time: 30
   rewrites: []
   blocked_services: []
   upstream_timeout: 10s
   private_networks: []
   use_private_ptr_resolvers: true
   local_ptr_upstreams: []
   use_dns64: false
   dns64_prefixes: []
   serve_http3: false
   use_http3_upstreams: false
 tls:
   enabled: true
   server_name: 38.59.243.18
   force_https: true
   port_https: 455
   port_dns_over_tls: 853
   port_dns_over_quic: 853
   port_dnscrypt: 0
   dnscrypt_config_file: ""
   allow_unencrypted_doh: false
   certificate_chain: ""
   private_key: ""
   certificate_path: /usr/local/nginx/conf/cert/fullchain.crt
   private_key_path: /usr/local/nginx/conf/cert/private.key
   strict_sni_check: false
 querylog:
   enabled: true
   file_enabled: true
   interval: 168h
   size_memory: 1000
   ignored: []
 statistics:
   enabled: true
   interval: 1
   ignored: []
 filters:
   - enabled: true
     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
     name: AdGuard DNS filter
     id: 1
   - enabled: false
     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
     name: AdAway Default Blocklist
     id: 2
   - enabled: true
     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt
     name: 'CHN: anti-AD'
     id: 1676202984
   - enabled: true
     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
     name: Dandelion Sprout's Anti-Malware List
     id: 1676536918
 whitelist_filters: []
 user_rules:
   - ""
 dhcp:
   enabled: false
   interface_name: ""
   local_domain_name: lan
   dhcpv4:
     gateway_ip: ""
     subnet_mask: ""
     range_start: ""
     range_end: ""
     lease_duration: 86400
     icmp_timeout_msec: 1000
     options: []
   dhcpv6:
     range_start: ""
     lease_duration: 86400
     ra_slaac_only: false
     ra_allow_slaac: false
 clients:
   runtime_sources:
     whois: true
     arp: true
     rdns: true
     dhcp: true
     hosts: true
   persistent: []
 log_file: ""
 log_max_backups: 0
 log_max_size: 100
 log_max_age: 3
 log_compress: false
 log_localtime: false
 verbose: false
 os:
   group: ""
   user: ""
   rlimit_nofile: 0
 schema_version: 17

Command line parameters

Execute in the Adguard Home directory:

 $ ./AdGuardHome --help
 Usage:

 ./AdGuardHome [options]

 Options:
 -c, --config VALUE       Path to the config file.
 -w, --work-dir VALUE     Path to the working directory.
 -h, --host VALUE         Host address to bind HTTP server on.
 -p, --port VALUE         Port to serve HTTP pages on.
 -s, --service VALUE      Service control action: status, install, uninstall, start, stop, restart, reload (configuration).
 -l, --logfile VALUE      Path to log file. If empty: write to stdout; if 'syslog': write to system log.
 --pidfile VALUE          Path to a file where PID is stored.
 --check-config           Check configuration and exit.
 --no-check-update        Don't check for updates.
 --update                 Update the current binary and restart the service in case it's installed.
 --no-mem-optimization    Deprecated. Disable memory optimization.
 --no-etc-hosts           Deprecated. Do not use the OS-provided hosts.
 --local-frontend         Use local frontend directories.
 -v, --verbose            Enable verbose output.
 --glinet                 Run in GL-Inet compatibility mode.
 --version                Show the version and exit. Show more detailed version description with -v.
 --help                   Print this help.

How to add multiple users or change password

The Adguard Home Web UI currently does not support adding multiple administrative users, but additional users can be added by editing the YAML file.

Adguard Home user passwords are stored as Bcrypt hashes. When resetting a password or adding a new user, the password must first be hashed with Bcrypt before it is entered in the configuration.

 users:
   - name: Microcharon
     password: $2a$10$.aJppmrRwhxX8ajTBqqlYekWeScXl.DIGjfmvOjVRta.Llmt23OdC
   - name: Team
     password: $2a$10$Z1z6TgA.V9KIy134G6rfCug4v4NWI6vNugOuxN0.pXH8dV6S6hnYy

Bcrypt Password Generator | Create Valid Bcrypt Password Hashes! (purecalculators.com)

Set shortcut path

Using the Linux alias mechanism, set an alias as follows so you do not have to type the full path every time. Of course, you can change the alias to another name, such as adg or adguard.

 # Set the alias to AdGuardHome
 alias AdGuardHome=/opt/AdGuardHome/AdGuardHome
 # Remove the alias
 unalias AdGuardHome

Lift the speed limit

Configure the ratelimit_whitelist parameter in AdGuardHome.yaml and list the IPs that should be exempt from the rate limit there.
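The trade-off described under the DNS settings (ratelimit 0 removes the per-client limit but invites DDoS) and the whitelist fix above can be checked mechanically. This is an added example, not part of the original post or of AdGuard Home: it takes the dns: section keys as a plain dict (the constructed RISKY and RECOMMENDED samples stand in for a parsed AdGuardHome.yaml) and assumes, as the post does, that ratelimit_whitelist holds single IP addresses.

```python
import ipaddress

def audit_rate_limit(dns):
    """Audit the rate-limit related keys of an AdGuard Home dns: section.

    Returns a list of findings; an empty list means nothing to report.
    """
    findings = []
    # A listener on the wildcard address or a public IP is reachable from outside
    exposed = any(ipaddress.ip_address(h).is_unspecified or ipaddress.ip_address(h).is_global
                  for h in dns.get("bind_hosts", []))
    ratelimit = dns.get("ratelimit", 20)  # AdGuard Home default: 20 queries/s per client
    whitelist = dns.get("ratelimit_whitelist", [])
    allowed = dns.get("allowed_clients", [])

    for entry in whitelist:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"ratelimit_whitelist entry {entry!r} is not an IP address")
            continue
        if ip.is_global:
            # Exempting a public address is legitimate but worth a second look
            findings.append(f"ratelimit_whitelist exempts public address {entry}")

    if ratelimit == 0:
        if exposed and not allowed:
            findings.append("ratelimit 0 on an exposed listener with empty allowed_clients: "
                            "open resolver with no per-client limit (DDoS/amplification risk)")
        if whitelist:
            findings.append("ratelimit_whitelist has no effect while ratelimit is 0")
    return findings


# Constructed samples (not from the post): the shortcut of switching the limit off,
# beside the recommended fix of keeping the default limit and exempting trusted LAN hosts.
RISKY = {"bind_hosts": ["0.0.0.0"], "ratelimit": 0,
         "ratelimit_whitelist": [], "allowed_clients": []}
RECOMMENDED = {"bind_hosts": ["0.0.0.0"], "ratelimit": 20,
               "ratelimit_whitelist": ["192.168.1.10", "192.168.1.11"], "allowed_clients": []}

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY), ("recommended", RECOMMENDED)):
        print(label, audit_rate_limit(cfg) or ["ok"])
```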

DNScrypt

For most people this is not needed, and the official wiki explains it in great detail; a brief walkthrough follows.

Download and extract DNScrypt; the corresponding version can be found on the release page.

 wget https://github.com/ameshkov/dnscrypt/releases/download/v2.2.6/dnscrypt-linux-amd64-v2.2.6.tar.gz
 tar -f ./dnscrypt-linux-amd64-v2.2.6.tar.gz -v -x -z

Generate the key and write it out as YAML; the argument following --provider-name is the domain name of your Adguard Home.

 ./dnscrypt generate --provider-name '2.dnscrypt-cert.your-domain.com' \
   --out ./dnscrypt.yaml

It is recommended to move or copy dnscrypt.yaml into the Adguard Home directory, edit the tls section of the Adguard Home configuration file, and then restart Adguard Home with systemctl restart AdGuardHome.

 tls:
   enabled: true
   server_name: your-domain.com
   force_https: true
   port_https: 455
   port_dns_over_tls: 853
   port_dns_over_quic: 853
   port_dnscrypt: 0
   dnscrypt_config_file: ""
   allow_unencrypted_doh: false
   certificate_chain: ""
   private_key: ""
   certificate_path: /usr/local/nginx/conf/cert/fullchain.crt
   private_key_path: /usr/local/nginx/conf/cert/private.key
   strict_sni_check: false

Check that dnscrypt is working properly:

 ./dnscrypt lookup-stamp \
   --domain 'your-domain.com' \
   --stamp 'sdns://AQcAAAAAAAAAETM4LjU5LjI1Ni4yNDo1NDQzIL_6TboCdS9c9eFzuAB3Y2HKmQCQGIThHAznqb8N_RGhHDIuZG5zY3J5cHQtY2VydC4zOC41OS4yNTYuMjQ' \
   --type 'a'

The output is as follows

 {
   "certificate": {
     "serial": 1679480711,
     "encryption": "XSalsa20Poly1300",
     "not_after": "2024-03-21T10:27:02Z",
     "not_before": "2023-03-22T10:27:02Z"
   },
   "reply": {
     "Id": 17960,
     "Response": true,
     "Opcode": 0,
     "Authoritative": false,
     "Truncated": false,
     "RecursionDesired": true,
     "RecursionAvailable": true,
     "Zero": false,
     "AuthenticatedData": false,
     "CheckingDisabled": false,
     "Rcode": 3,
     "Question": [
       {
         "Name": "your-domain.com.",
         "Qtype": 1,
         "Qclass": 1
       }
     ],
     "Answer": null,
     "Ns": [
       {
         "Hdr": {
           "Name": ".",
           "Rrtype": 6,
           "Class": 1,
           "Ttl": 3600,
           "Rdlength": 64
         },
         "Ns": "a.root-servers.net.",
         "Mbox": "nstld.verisign-grs.com.",
         "Serial": 2023032102,
         "Refresh": 1800,
         "Retry": 900,
         "Expire": 604800,
         "Minttl": 86400
       }
     ],
     "Extra": [
       {
         "Hdr": {
           "Name": ".",
           "Rrtype": 41,
           "Class": 4096,
           "Ttl": 0,
           "Rdlength": 0
         },
         "Option": null
       }
     ]
   }
 }

The dnscrypt port can of course be customized; 5443 is used here as the default.

 tls:
   enabled: true
   server_name: your-domain.com
   port_dnscrypt: 5443
   dnscrypt_config_file: "./dnscrypt.yaml"

Get the DNSCrypt stamp

DNS Stamp

Then add the sdns:// link as an upstream DNS server and save it once the test succeeds.

DNSCrypt – DNS Stamps online calculator

DNSCrypt · AdguardTeam/AdGuardHome Wiki (github.com)
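Before pasting a stamp into the upstream list, it is worth seeing what it actually encodes: the server address, the provider public key that clients will pin, and the provider name that must match the --provider-name used when the key was generated. The decoder below is an added example and not code from the post or from the dnscrypt tool; it follows the public DNS Stamps format (protocol byte, 8 little-endian property bits, then length-prefixed fields) and also handles DoH stamps (protocol 0x02), which the post only uses as plain URLs. PAGE_STAMP is the stamp quoted in the lookup-stamp command above.

```python
import base64
import struct

# Property bits shared by all stamp types (DNS Stamps specification)
PROPS = {1: "DNSSEC", 2: "NoLog", 4: "NoFilter"}

def _read_lp(buf, pos):
    """Read one length-prefixed field (1-byte length); return (bytes, next position)."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def decode_stamp(stamp):
    """Decode a DNSCrypt (0x01) or DoH (0x02) sdns:// stamp into its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    raw = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore stripped padding
    proto = buf[0]
    props = struct.unpack_from("<Q", buf, 1)[0]
    info = {"protocol": {1: "DNSCrypt", 2: "DoH"}.get(proto, f"unknown(0x{proto:02x})"),
            "props": [name for bit, name in PROPS.items() if props & bit]}
    pos = 9
    addr, pos = _read_lp(buf, pos)
    info["address"] = addr.decode()
    if proto == 1:
        pk, pos = _read_lp(buf, pos)          # 32-byte provider public key (pinned by clients)
        name, pos = _read_lp(buf, pos)        # e.g. 2.dnscrypt-cert.<your-domain>
        info["public_key"], info["provider_name"] = pk.hex(), name.decode()
    elif proto == 2:
        hashes = []                           # optional cert hashes; high bit = more follow
        while True:
            n = buf[pos]
            hashes.append(buf[pos + 1:pos + 1 + (n & 0x7F)].hex())
            pos += 1 + (n & 0x7F)
            if not n & 0x80:
                break
        info["hashes"] = [h for h in hashes if h]
        host, pos = _read_lp(buf, pos)
        path, pos = _read_lp(buf, pos)
        info["hostname"], info["path"] = host.decode(), path.decode()
    if pos != len(buf):
        raise ValueError("trailing bytes in stamp")
    return info

# The stamp from the lookup-stamp command in this post
PAGE_STAMP = ("sdns://AQcAAAAAAAAAETM4LjU5LjI1Ni4yNDo1NDQzIL_6TboCdS9c9eFzuAB3Y2HKmQCQGIThHAzn"
              "qb8N_RGhHDIuZG5zY3J5cHQtY2VydC4zOC41OS4yNTYuMjQ")

if __name__ == "__main__":
    for key, value in decode_stamp(PAGE_STAMP).items():
        print(f"{key}: {value}")
```

Checking the decoded provider_name against the tls section and the address against the configured port_dnscrypt catches a stale or mistyped stamp before clients start pinning the wrong key.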

References

AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)

Home · AdguardTeam/AdGuardHome Wiki (github.com)
