Selfhosted Adguard Home - use as private DNS like NextDNS? : r/selfhosted

I have been using Adguard Home for some time now. It runs under Proxmox in its own LXC container. It is set as the primary DNS on my Mikrotik router, so DNS requests from all devices go through it. For the devices where I must block specific services I use DHCP reservations so the IP does not change, and set per-client specific settings in the Adguard GUI.

For my Android phone I also used to have the Adguard Home application, but it was too unreliable, as it created a VPN and my phone provider did not like it, and sometimes the phone lost internet access until I killed the Adguard app.

I have switched to NextDNS as the private DNS provider on my phone and like it a lot, but with two phones I am going to hit the free 300,000 DNS queries per month soon. What I like about NextDNS is having multiple configurations, so I can make one for the kids, one for the server and one for the parents, and of course block different things in each configuration.

Since I am self-hosting Adguard Home I wish to use it as private DNS (over SSL) with the same functionality as NextDNS: so I could put the specific client name in the URL, to see it in the logs, and have different blocking settings per client.

Can this be done with Adguard Home, or can anyone suggest a different self-hosted private DNS service?

I see you're up and running now, but this is a lovely little project I found recently:

https://github.com/serverless-dns/serverless-dns

Run your own adblocking secure DNS on free-tier Cloud services. Not found a use for it myself but might be something you find interesting.

Way over my desired results. I do not need an additional DNS server. I just wish to have my own, self-hosted one that blocks ads on internal and publicly connected devices.

Yet another update, to help others in the same situation as I was. DoT (using port 853) works great with the setup I mentioned in my earlier post. But port 853 is not allowed on all networks, for example on office WiFi and also on the public WiFi APs available in the area or at educational facilities.

Now I tried DoH (port 443), using the nginx reverse proxy again to proxy the /dns-query URL to the AdGuard Home instance and to handle SSL using my acme.sh wildcard certificate. Blocking works great, but the major problem is that I need an additional Android application to once again create an internal VPN tunnel that enables DoH. I read that Android 13 will most likely get native DoH support, but my and my wife's phones are too old to receive it.

So I installed the Nebulo client and added my home DoH AdGuard Home URL. So far so good. I will need more days to test stability. I have now closed port 853 on my router.

Any suggestions for a better client than Nebulo? I would like to be able to mix DoT and DoH, so that if DoT is not available the client switches to DoH instead. I cannot find this option in Nebulo.

I use self-hosted (hosted in Oracle Cloud) AdGuard Home and it works fine. I have a WireGuard VPN server running on my home router and a VPN client on the cloud machine. DNS communication between client and server happens over the WireGuard tunnel.

What you could do is simply install a WireGuard server and use your local AdGuard as your DNS. That's how I use it, and I don't notice any slower speeds on mobile. Works like a charm.

Great advice, this is my setup as well. One caveat: my battery drains significantly faster when tunneling through WireGuard. Maybe because of the encryption that needs to be done for the WireGuard tunnel, as with many VPNs.

After many trial-and-error attempts I have figured out that I cannot proxy DNS-over-TLS through Cloudflare. It seems port 853 cannot be proxied. Can anyone confirm this?

I'm not sure about what I'm about to say.

A reverse proxy is usually for HTTP traffic. Yes, some like nginx can also "reverse proxy" a stream/connection, but I'm not sure about Cloudflare here.

My setup:

I have a server running Proxmox, in France. I set up an LXC, and inside it I set up AGH. On another LXC I set up nginx.

  1. Ports 80 and 443 are forwarded (iptables) to the LXC running the reverse proxy, nginx. Here I set up a virtual host to proxy port 443 to the container running AGH. This grants me access to the WebUI and makes DNS-over-HTTPS work. (Chromebooks use DoH.)

  2. Port 53 is not forwarded (so as not to become an open DNS resolver).

  3. Port 853 is forwarded via iptables directly to the LXC of AGH (not the reverse proxy). This makes DNS-over-TLS work. (Android uses DoT.)

Both nginx and AGH have access to the same Let's Encrypt cert, so DoT and DoH share the same cert (although for DoH the cert is served by nginx, not by AGH).

I can confirm this myself. Port 853 just isn't in the Cloudflare allowed list.

Final update. I disabled the proxy on Cloudflare. On my Mikrotik router I have forwarded port 853 to the AdGuard Home server. This of course is a huge risk, as only I wish to use it. So I added an access list for the IP addresses of my ISP. Better than nothing. Any suggestions on how else to protect it?

Then I added *.domain.name as an A record in DNS management. This way all subdomains are redirected to me, like myphone.domain.name.

In AdGuard I can now see the clients and set per-client settings. So far so good. It is blocking and it works on my LAN and WAN. I will change from NextDNS to AdGuard on my wife's phone as well and see if she notices any changes.

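The client side of the two setups described in this thread (the nginx/iptables post with DoH on 443, DoT forwarded straight to port 853 and port 53 kept closed, and the final update that names clients by subdomain), as an added example that is not code from any poster or from AdGuard Home itself. It assumes a hypothetical server name dns.example.com with a wildcard certificate for *.example.com and a client ID "myphone", and relies on AdGuard Home's client-ID convention: the client ID is the first hostname label for DoT (myphone.dns.example.com) and a trailing path segment for DoH (https://dns.example.com/dns-query/myphone). The sample DNS response is constructed inline so the parser can be exercised offline; the network functions need a real server.

```python
"""Added example, not code from the thread or from AdGuard Home: a client for the
DoT (port 853) and DoH (port 443, /dns-query) endpoints described above, plus a
check that plain UDP/53 is NOT answering from the WAN (open-resolver test).

Assumed (hypothetical) names: server dns.example.com with a wildcard cert for
*.example.com, client ID "myphone".
"""
import socket
import ssl
import struct
import sys
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query in wire format (RFC 1035), RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_answer(msg: bytes):
    """Return (rcode, [A records as dotted quads]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def frame_dot(msg: bytes) -> bytes:
    """RFC 7858: each DNS message on a DoT stream carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read on DoT stream")
        buf += chunk
    return buf


def dot_query(server: str, client_id: str, name: str, port: int = 853, timeout: float = 5):
    """TLS to port 853; the client ID is the first label of the SNI hostname."""
    host = f"{client_id}.{server}"
    ctx = ssl.create_default_context()  # verifies the wildcard cert against the system CAs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_dot(build_query(name)))
            (n,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answer(_recv_exact(tls, n))


def doh_query(server: str, client_id: str, name: str, timeout: float = 5):
    """RFC 8484 POST of application/dns-message; the client ID is a path segment."""
    req = urllib.request.Request(
        f"https://{server}/dns-query/{client_id}",
        data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_answer(resp.read())


def plain_dns_answers(server: str, name: str, timeout: float = 2) -> bool:
    """True if UDP/53 answers from here, i.e. the box is exposed as an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(build_query(name), (server, 53))
        try:
            udp.recv(512)
            return True
        except socket.timeout:
            return False


# Constructed sample response (not captured from any poster's server):
# NOERROR, one A record 192.0.2.1 for example.com, owner name compressed to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    server, client_id, name = sys.argv[1:4]  # e.g. dns.example.com myphone example.com
    print("DoT :", dot_query(server, client_id, name))
    print("DoH :", doh_query(server, client_id, name))
    print("open resolver on UDP/53:", plain_dns_answers(server, name))
```

Run it from outside the home network as `python3 dnscheck.py dns.example.com myphone example.com`: both encrypted queries should return rcode 0 and the blocked or real addresses AdGuard Home assigns to that client ID, and the UDP/53 probe should report False, matching the "port 53 is not forwarded" rule in the nginx/iptables post. The DoT branch relies on certificate verification by the default SSL context, so a wildcard certificate that does not cover the client-ID subdomain fails here rather than silently.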