How it works
AdGuard runs a special DNS service that blocks ads, trackers, phishing, and malware domains.
When a client asks to resolve a domain, the name is compared with the existing filter rules. If it matches, the query is routed to a DNS sinkhole. Nothing is retrieved from the real server, which saves bandwidth, too.
The limitation: it cannot drop ads that share the same domain as the content. You will still see ads on YouTube, Facebook, etc. They can only be blocked by a content proxy.
This thread discusses the security of AdGuard DNS and is worth reading.
AdGuard Home and AdGuard DNS
AdGuard Home can be installed in a virtualization environment or on a Raspberry Pi / x86 computer. It offers more customization and reports.
AdGuard DNS is a public service. It’s not customizable.
Use in a Router
A router has two DNS settings: WAN DNS and LAN DHCP DNS. If AdGuard DNS is assigned as the WAN DNS, both the router and its DNS clients will use this service. If it is assigned as the DHCP DNS, only the DHCP clients will.
Some routers can act as a DNS proxy, which caches DNS results for faster responses. Assigning AdGuard DNS as the WAN DNS gives the benefit of the proxy and the protection at the same time.
The following table shows the relationship between DNS combinations and protection. Whenever the client may reach a non-AdGuard DNS, it is not protected.
Assigned WAN DNS | Assigned DHCP DNS | DHCP Client DNS Info | Protected |
---|---|---|---|
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | No |
#1 AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | Yes |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | No |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Non-AdGuard DNS #2 AdGuard DNS | #1 Non-AdGuard DNS #2 AdGuard DNS | No |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | Yes |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | Yes |
#1 AdGuard DNS #2 AdGuard DNS | #1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Non-AdGuard DNS #2 Non-AdGuard DNS | No |
DNS combination and client protection
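The rule behind the table, written out as an added example (not part of the original post): a client is protected only if every resolver it is handed ends at AdGuard DNS, and the router's DNS proxy counts only when all of the router's WAN DNS servers are AdGuard. The labels `ADG`, `OTHER` and `PROXY` are names chosen for this sketch.

```python
# Added example: the table's rule as a function, checked against every row.
# ADG / OTHER / PROXY are labels chosen here, not router configuration values.
ADG, OTHER, PROXY = "AdGuard DNS", "Non-AdGuard DNS", "Router DNS Proxy"


def client_protected(wan_dns, dhcp_dns):
    """True only if every resolver handed to the DHCP client ends at AdGuard DNS."""
    for server in dhcp_dns:
        if server == OTHER:
            return False  # the client can query an unfiltered resolver directly
        if server == PROXY and any(upstream != ADG for upstream in wan_dns):
            return False  # the proxy may forward to an unfiltered upstream
    return True


# (WAN DNS #1, #2), (DHCP DNS #1, #2), "Protected" column, in the table's row order.
TABLE_ROWS = [
    ((OTHER, OTHER), (PROXY, OTHER), False),
    ((OTHER, ADG), (PROXY, OTHER), False),
    ((OTHER, ADG), (PROXY, ADG), False),
    ((ADG, ADG), (PROXY, OTHER), False),
    ((ADG, ADG), (PROXY, ADG), True),
    ((OTHER, OTHER), (PROXY, ADG), False),
    ((OTHER, OTHER), (OTHER, ADG), False),
    ((OTHER, OTHER), (ADG, ADG), True),
    ((OTHER, ADG), (ADG, ADG), True),
    ((ADG, ADG), (OTHER, OTHER), False),
]


def mismatches():
    """Rows where the rule disagrees with the table's "Protected" column."""
    return [row for row in TABLE_ROWS if client_protected(row[0], row[1]) != row[2]]


if __name__ == "__main__":
    for wan, dhcp, _ in TABLE_ROWS:
        print(wan, dhcp, "->", "Yes" if client_protected(wan, dhcp) else "No")
    print("rows that disagree with the table:", mismatches())
```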
If the router doesn’t work as expected, the cause may be a hidden DNS setting or something wrong in the firmware. See my experience with the Asus RT-AC1200G+.
Use in Asus RT-AC1200G+
On 2021/5/11, I found that neither WAN DNS nor LAN DHCP DNS in firmware 3.0.0.4.382_52272 works as expected. The WAN DNS doesn’t apply correctly and there is no way to remove the hidden DHCP DNS in the web interface. I needed to use SSH to connect to the router and execute several commands to set the LAN DHCP DNS.
When AdGuard DNS is set in DNS Server1 and DNS Server2 in Advanced Settings ➞ WAN ➞ Internet Connection ➞ WAN DNS Setting ➞ Connect to DNS Server automatically, there is no protection at all. I ran ‘nmcli dev show’ in the client terminal. Both IP4.DNS[1] and IP4.DNS[2] are the router itself. The router doesn’t use AdGuard DNS as the configuration shows.
When AdGuard DNS is set in DNS Server in Advanced Settings ➞ LAN ➞ DHCP Servers ➞ DNS and WINS Server Setting, IP4.DNS[1] points to AdGuard DNS but IP4.DNS[2] points to the router. It still doesn’t work, and there is no way to change the value of IP4.DNS[2] in the configuration page.
I found this thread and executed the router commands ‘nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq’ to change the DHCP DNS. After renewing the DHCP lease, the client finally got protected.
Whenever the DHCP configuration changes, all clients need to renew their DHCP lease to apply the new settings.
```
$ ssh -l asusrouterad 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
asusrouterad@192.168.1.1's password:
asustouterad@RT-AC1200G+:/tmp/home/root# nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq
Done.
asusrouterad@RT-AC1200G+:/tmp/home/root#
```
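The client-side check described above can be automated. The following is an added example, not part of the original post: it parses `nmcli dev show` output and lists every IPv4 resolver that is not one of the two AdGuard DNS addresses used on this page. The sample output, the device name `wlan0` and the client address are constructed for illustration.

```python
import re

# AdGuard DNS addresses as given on this page.
ADGUARD_DNS = {"94.140.14.14", "94.140.15.15"}

# Constructed sample of `nmcli dev show` output (not captured from a real
# device): the state described above, where IP4.DNS[2] still points to the router.
SAMPLE_BEFORE = """\
GENERAL.DEVICE:                         wlan0
IP4.ADDRESS[1]:                         192.168.1.23/24
IP4.GATEWAY:                            192.168.1.1
IP4.DNS[1]:                             94.140.14.14
IP4.DNS[2]:                             192.168.1.1

GENERAL.DEVICE:                         lo
IP4.ADDRESS[1]:                         127.0.0.1/8
"""

# Constructed sample of the state after the nvram commands and a DHCP renewal.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("192.168.1.1\n\n", "94.140.15.15\n\n")


def dns_by_device(nmcli_output):
    """Map each device name to the IPv4 DNS servers listed for it."""
    devices, current = {}, None
    for line in nmcli_output.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "GENERAL.DEVICE":
            current = value
            devices[current] = []
        elif current and re.fullmatch(r"IP4\.DNS\[\d+\]", key):
            devices[current].append(value)
    return devices


def unfiltered_resolvers(nmcli_output, allowed=ADGUARD_DNS):
    """For each device that has DNS servers, list those outside `allowed`.

    The router's own address is reported too: the client cannot see which
    upstream the router's DNS proxy forwards to.
    """
    return {
        dev: [ip for ip in servers if ip not in allowed]
        for dev, servers in dns_by_device(nmcli_output).items()
        if servers
    }


if __name__ == "__main__":
    print("before:", unfiltered_resolvers(SAMPLE_BEFORE))
    print("after: ", unfiltered_resolvers(SAMPLE_AFTER))
```

An empty list for a device means every resolver it was handed is an AdGuard DNS address.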
When the RT-AC1200G+ uses USB tethering to share a mobile connection, the AdGuard DNS configured in Android won’t be used by the clients automatically. To the router, the phone is just a network card.
Use in Huawei B311 As-853
Enable Set DNS server manually and assign AdGuard DNS in Primary DNS server and Secondary DNS server in Advanced ➞ Router ➞ DHCP.
When the RT-AC1200G+ uses it as the WAN, AdGuard DNS will be used by the clients automatically. Keep the defaults for WAN DNS and DHCP DNS in the RT-AC1200G+.
Use in Android Devices
For Samsung devices with Android 8.x and earlier, installing AdGuard is the easiest way. Others will need to create a VPN or use a static IP while connecting to WiFi. Check this article for detailed instructions.
For the rest with Android 9.0 and newer, enter the AdGuard DNS-over-TLS hostname ‘dns.adguard.com’ in Settings ➞ Wireless & networks ➞ Private DNS ➞ Configure Private DNS.
Use in iOS Devices
For use with WiFi, enter the AdGuard DNS addresses in Settings ➞ WiFi ➞ (i) ➞ DNS ➞ Configure DNS ➞ Manual ➞ DNS SERVERS.
I haven’t found any solution on the go yet.
Reference
- AdGuard DNS
- Wiki: DNS sinkhole
- reddit: Is AdGuard dns safe
- GitHub: AdguardTeam / AdGuardHome
- SNB Forums: What does “WAN DNS Setting” do?
- SNB Forum: WAN DNS or LAN DNS – Asus Router
- ask ubuntu: How to view the DNS address assigned by DHCP?
- SNB Forum: Is it possible to change a routers settings via ssh?
- GooglePlay: AdGuard: Content Blocker for Samsung and Yandex
- Android Police: How to make Android use the DNS server of your choice
- Facebook Group: NAS 網路磁碟伺服器 使用者俱樂部
- GitHub: 0xERR0R / blocky
- NextDNS
- Wiki: DNS over HTTPS
- Wiki: DNS over TLS
- Alibaba Cloud: .CYOU Domain names
- Cloudflare: DNS
- Let’s Encrypt
- Wiki: Dynamic DNS
Continuing to fix 0x80a40401
2. Click CONNECT NEW DEVICE (the big blue button).
3. In the window select ROUTER, then in the lower window select your router or type its model, and click ADD.
4. On the next page, scroll down and find the bold label LINKED IPv4 ADDRESS; below it there are two addresses, copy the first one.
5. In the router settings, add this address to the PREFERRED DNS server field. Copy the second address and add it to the next field below, labelled ALTERNATE DNS server.
6. Go back to the AdGuard site and, just below these IP addresses, click the small blue LINK IP ADDRESS text, then click the big blue button DONE. CONNECTED.
7. On the next page, scroll down and find the label USER RULES. In the window that opens, copy the following into the field as-is: «||user.auth.xboxlive.com^$dnsrewrite=50.7.87.83» without the quotes. At the top you need to select ADD YOUR OWN RULE. Important: turn off Google Translate before adding the rule to the field if you use Chrome on your phone.
8. Do everything as in step 7, but add this: «||xsts.auth.xboxlive.com^$dnsrewrite=50.7.87.83» without the quotes.
9. Set DNS selection on the console to automatic (remove the DNS from the console and use it).
If this method worked for you, let us know in the comments; if it works for most people we'll keep it, if not, I'll take it down.