Skip to content

Encryption

Jump to bottom
Ainar Garipov edited this page Dec 7, 2020 · 17 revisions

AdGuard Home - Encryption

We are proud to say that AdGuard Home supports all modern DNS encryption protocols out-of-the-box:

AdGuard Home also supports DNSCrypt (both client-side and server-side). Read this to learn about configuring AdGuard Home as a DNSCrypt server.

In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.

  1. Install AdGuard Home on your server
  2. Register a domain name
  3. Get an SSL certificate
  4. Configure AdGuard Home
  5. Configure your devices

Install AdGuard Home on your server

It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP.

It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: DigitalOcean, Vultr, Linode, etc. Just choose one, create a cloud server there, and install AdGuard Home on your server.

Register a domain name

First of all, you need a domain name. If you have never registered one, here is a simple instruction that will help you with that.

Get an SSL certificate

Both DNS-over-HTTPS and DNS-over-TLS are based on TLS encryption so in order to use them, you will need to acquire an SSL certificate.

An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.

Alternatively, you can get the certificate for free from "Let's Encrypt" CA, a free certificate authority developed by the Internet Security Research Group (ISRG).

In this guide I'll explain how to get a certificate from them.

Install CertBot

Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt.

  1. Go to https://certbot.eff.org/ and choose "None of the above" software and your operating system.
  2. Follow the installation instructions, and stop there - don't get to the "Get Started" section.

Get a certificate using DNS challenge

You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate.

Run this command and follow the certbot's instructions:

sudo certbot certonly --manual --preferred-challenges=dns

In the end you'll get two files:

  • fullchain.pem -- your PEM-encoded SSL certificate
  • privkey.pem -- your PEM-encoded private key

Both will be necessary to configure AdGuard Home.

You will need to use the very same procedure to renew the existing certificate.

Alternative to CertBot: Lego

There's also a really nice and easy-to-use alternative to CertBot called lego.

  1. Install it using an appropriate method.
  2. Choose your DNS provider from the list and follow the instruction to obtain a certificate.

Configure AdGuard Home

  1. Open AdGuard Home web interface and go to settings.
  2. Scroll down to the "Encryption" settings
  3. Copy/paste the contents of the fullchain.pem file to "Certificates"
  4. Copy/paste the contents of the privkey.pem file to "Private key"
  5. Enter your domain name to "Server name"
  6. Click "Save settings".

Configure your devices

Android

  • Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
  • AdGuard for Android supports DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS-over-QUIC.
  • Intra adds DNS-over-HTTPS support to Android.

iOS

  • iOS 14 and higher support DNS-over-TLS and DNS-over-HTTPS natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
  • AdGuard for iOS supports DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS-over-QUIC.
  • DNSCloak supports DNS-over-HTTPS but in order to configure it to use your own server, you'll need to generate a DNS Stamp for it.

Windows

  • Windows 10 Build 19628 and higher support DNS-over-HTTPS natively.
  • AdGuard for Windows supports DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS-over-QUIC.

MacOS

  • MacOS Big Sur and higher support DNS-over-TLS and DNS-over-HTTPS natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.

Other implementations

  • AdGuard Home itself can be a secure DNS client on any platform.
  • dnsproxy supports all known secure DNS protocols.
  • dnscrypt-proxy supports DNS-over-HTTPS.
  • Mozilla Firefox supports DNS-over-HTTPS.

You can find more implementations here and here.

Guides

Clone this wiki locally