Encryption
We are proud to say that AdGuard Home supports all modern DNS encryption protocols out-of-the-box:
- DNS-over-HTTPS
- DNS-over-TLS
- DNSCrypt (upstreams only)
In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.
- Install AdGuard Home on your server
- Register a domain name
- Get an SSL certificate
- Configure AdGuard Home
- Configure your devices
It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP.
It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: DigitalOcean, Vultr, Linode, etc. Just choose one, create a cloud server there, and install AdGuard Home on your server.
First of all, you need a domain name. If you have never registered one, here is a simple instruction that will help you with that.
Both DNS-over-HTTPS and DNS-over-TLS are based on TLS encryption so in order to use them, you will need to acquire an SSL certificate.
An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.
Alternatively, you can get the certificate for free from "Let's Encrypt" CA, a free certificate authority developed by the Internet Security Research Group (ISRG).
In this guide I'll explain how to get a certificate from them.
Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt.
- Go to https://certbot.eff.org/ and choose "None of the above" software and your operating system.
- Follow the installation instructions, and stop there - don't get to the "Get Started" section.
You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate.
Run this command and follow the certbot's instructions:
sudo certbot certonly --manual --preferred-challenges=dnsIn the end you'll get two files:
-
fullchain.pem-- your PEM-encoded SSL certificate -
privkey.pem-- your PEM-encoded private key
Both will be necessary to configure AdGuard Home.
You will need to use the very same procedure to renew the existing certificate.
- Open AdGuard Home web interface and go to settings.
- Scroll down to the "Encryption" settings
- Copy/paste the contents of the
fullchain.pemfile to "Certificates" - Copy/paste the contents of the
privkey.pemfile to "Private key" - Enter your domain name to "Server name"
- Click "Save settings".
Please note that encrypted DNS protocols are supported only on Android 9. So you need to install additional software for other operating systems.
Here's a list of software you can use.
- Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
-
AdGuard for Android supports
DNS-over-HTTPSandDNS-over-TLS. -
Intra adds
DNS-over-HTTPSsupport to Android.
-
DNSCloak supports
DNS-over-HTTPSbut in order to configure it to use your own server, you'll need to generate a DNS Stamp for it. -
AdGuard for iOS supports
DNS-over-HTTPSandDNS-over-TLS.
- AdGuard Home itself can be a secure DNS client on any platform.
- dnsproxy supports all known secure DNS protocols.
-
dnscrypt-proxy supports
DNS-over-HTTPS. -
Mozilla Firefox supports
DNS-over-HTTPS. - You will find more implementations here and here.