Commonly asked
AdGuard Home vs Pi-hole ?
AdGuard Home & Pi-hole both do a great job for their main purpose, which is blocking ads. AdGuard Home has features out of the box, unlike Pi-hole, which needs third-party software. I chose to stick with AdGuard Home because of its simple, modern UI and built-in option to use multiple upstream DNS servers. Use either to your liking.
https://en.wikipedia.org/wiki/AdGuard
https://en.wikipedia.org/wiki/Pi-hole
See the comparison in the AdGuard Home wiki
Opinions on Reddit forums
AdGuard vs other Adblockers ?
AdGuard's advantages are largely due to the limitations imposed on browser-based extensions. Adblock and Adblock Plus, technologically, are not able to remove all the ads on a page. That's because AdGuard processes a page even before it is loaded into the browser, removing all advertising elements. Extensions work on a different principle, based on the ad-blocking capabilities of a browser.
More in the AdGuard docs and blog
How is Cloudflare used in this guide ?
DoH:
The cloudflared daemon runs as a local DNS proxy on the address and port configured in the guide and forwards queries to 1.1.1.1 over DoH.
DNSCrypt-Proxy also supports DoH out of the box.
DoT:
The Unbound configuration forwards queries to Cloudflare's DoT address.
ODoH (Oblivious DoH):
DNSCrypt-Proxy supports ODoH through the servers in its provided server lists.
AdGuard vs Unbound caching ?
Unbound and AdGuard Home serve different purposes, even though they both offer a caching option.
AdGuard Home is primarily a DNS server that filters and blocks requests to known malicious or unwanted domains. It has a caching option that stores DNS responses for a certain amount of time, reducing the time it takes to retrieve the same data again in the future. This caching feature can help speed up DNS resolution and reduce network traffic by reducing the number of queries that need to be sent to other DNS servers.
Unbound, on the other hand, is a full-featured recursive DNS server that can act as a resolver for all DNS queries, not just those related to ad-blocking. It also has a caching feature that stores responses for a certain amount of time, reducing the time it takes to retrieve the same data again in the future. In addition to caching, Unbound has features like DNSSEC validation and support for DNS over TLS, making it a more comprehensive solution for DNS resolution.
So while AdGuard Home's caching option can help speed up DNS resolution and reduce network traffic, Unbound's caching and additional features make it a more powerful DNS server overall.
How does resolving with multiple DNS servers work ?
AdGuard Home is essentially a smart DNS proxy that sends your DNS queries to the configured upstream servers. You can specify multiple upstream servers from different resolvers in the AdGuard Home settings, or even specify a DNS server that will be used only to resolve specific domains. More details
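As an added example (this is not AdGuard Home's code), the following Python models the per-domain upstream syntax described above: [/domain/]upstream routes that domain and its subdomains to the given server, the most specific suffix wins, and [/domain/]# sends a subtree back to the default upstreams. The list in SAMPLE_UPSTREAMS is constructed.

```python
"""Per-domain upstream selection in the form AdGuard Home's upstream list uses.

Added example, not AdGuard Home's own code.  A plain address is a default
upstream; '[/example.com/]addr' sends example.com and its subdomains to addr;
several domains may share one bracket ('[/a.com/b.net/]addr'); and
'[/sub.example.com/]#' sends that subdomain back to the default upstreams.
The addresses in SAMPLE_UPSTREAMS are constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

_RULE_RE = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<upstream>.+)$")


@dataclass
class UpstreamConfig:
    defaults: list[str] = field(default_factory=list)
    # domain (lower-case, no trailing dot) -> upstreams; [] means "use defaults"
    specific: dict[str, list[str]] = field(default_factory=dict)


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def parse_upstreams(lines: list[str]) -> UpstreamConfig:
    cfg = UpstreamConfig()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        m = _RULE_RE.match(line)
        if m is None:
            cfg.defaults.append(line)
            continue
        upstream = m.group("upstream").strip()
        targets = [] if upstream == "#" else [upstream]
        for dom in m.group("domains").split("/"):
            dom = normalize(dom)
            if dom:
                cfg.specific.setdefault(dom, []).extend(targets)
    if not cfg.defaults:
        raise ValueError("at least one default upstream is required")
    return cfg


def select_upstreams(cfg: UpstreamConfig, qname: str) -> list[str]:
    """Upstreams a query for qname goes to: the longest matching suffix wins."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):  # full name first, then each shorter suffix
        suffix = ".".join(labels[i:])
        if suffix in cfg.specific:
            targets = cfg.specific[suffix]
            return list(targets) if targets else list(cfg.defaults)
    return list(cfg.defaults)


SAMPLE_UPSTREAMS = [
    "# constructed sample list, not a real deployment",
    "tls://1.1.1.1",                          # default upstream over DoT
    "https://cloudflare-dns.com/dns-query",   # second default upstream over DoH
    "[/home.arpa/lan/]192.168.1.1",           # LAN names stay on the router
    "[/corp.example/]10.8.0.53",              # constructed VPN-side resolver
    "[/public.corp.example/]#",               # this public subtree uses the defaults
]


def demo(qname: str) -> list[str]:
    return select_upstreams(parse_upstreams(SAMPLE_UPSTREAMS), qname)
```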
How does this work from anywhere ?
With WireGuard VPN port forwarding, a device's local IP address is made reachable from the public internet through a secure tunnel into your network, and the traffic is sent through that tunnel. This bypasses the NAT firewall and lets the device receive incoming data packets directly: incoming connections from the internet can reach specific devices and programs on the private network. The port forwarded on the router is WireGuard's; DNS queries travel inside the tunnel, so port 53 itself should not be exposed to the internet, where it would act as an open resolver.
With this feature you can use AdGuard Home ad blocking on the go.
Does this work on a VPS ?
This setup was tested and working on Amazon EC2 and Vultr (discussions#14).
How do DNS name servers affect website speed ?
DNS servers (DNS name servers) affect your website speed because they have to tell the client where the website for a given domain name is located on the internet, and the time they take to do so adds to your website's load time.
The Domain Name System (DNS) maps, or 'resolves,' domain names to IP addresses, and because this has to be done before a browser can navigate to and display a website, DNS resolution affects how quickly websites load. For most consumers, their ISP (Internet service provider) assigns DNS resolvers by default, and if the ISP's DNS servers are performing slowly, this slows down Internet speed for that ISP's users.
What makes 1.1.1.1 more secure than other public DNS services ?
A variety of DNS services support DNSSEC. While this is a good security practice, it does not protect users’ queries from the DNS companies themselves. Many of these companies collect data from their DNS customers to use for commercial purposes, such as selling to advertisers.
By contrast, 1.1.1.1 does not mine user data. Logs are kept for 24 hours for debugging purposes, then they are purged. 1.1.1.1 also offers security features not available from many other public DNS services, such as query name minimization. Query name minimization improves privacy by including in each query only the minimum amount of information required for that step in the resolution process.
What is port 53 ?
The DNS port is the port assigned to the Domain Name System. The most frequently used DNS port is UDP 53. It is the default and is nearly always open on systems, firewalls and clients to carry DNS queries. UDP is used when a client sends a query to the DNS server; TCP port 53 is used for zone transfers, which keep secondary servers' copies of the DNS database consistent with the primary. (Clients also fall back to TCP 53 when a response is too large for one UDP datagram and comes back truncated.) Port numbers range from 0 to 65535, but only ports 0 to 1023 are reserved for privileged services and designated as well-known ports.
Public DNS servers vs a DNS proxy ?
Public DNS :
Public 1.1.1.1 does not block any DNS query. When a browser requests example.com, 1.1.1.1 simply looks up the answer, either in its cache or by performing a full recursive DNS query.
Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks.
DNS proxy :
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. A DNS client sends a DNS request to the DNS proxy, which forwards the request to the designated DNS server and conveys the reply from the DNS server back to the client. The DNS proxy simplifies network management.
A DNS proxy also allows you to send selected DNS queries through a tunnel interface, which prevents malicious users from learning about the internal configuration of a network.
What is the difference between a DNS query and a DNS lookup ?
A DNS query (also known as a DNS request) is a request for information sent from a user's computer (the DNS client) to a DNS server. In most cases a DNS request asks for the IP address associated with a domain name: an attempt to reach a domain is actually the DNS client querying DNS servers for the IP address related to that domain.
A DNS lookup is initiated when an end user enters a domain name and the resolver translates it into the corresponding identifier (the IP address). A reverse DNS lookup, or reverse IP lookup, is the opposite process: it starts with an IP address and ends with the associated domain name or hostname.
Technical questions
What is the DNS (Domain Name System) ?
The Domain Name System (DNS) is used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. The resource records contained in the DNS associate domain names with other forms of information. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services and devices using the underlying network protocols.
Every device on an IPv4/IPv6 network has a unique identifier, an IP address (Internet Protocol address), which lets the device be identified and reached by other devices. Users familiar with IPv4 know that IP addresses consist of 4 octets, each ranging between 0 and 255, like 123.221.200.3.
What is a DNS resolver ?
The client side of the DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution of the resource sought, e.g. the translation of a domain name into an IP address. DNS resolvers are classified by a variety of query methods, such as recursive, non-recursive and iterative; a resolution process may use a combination of these methods.
It manages the "name to address" translation, in which an IP address is matched to a domain name and sent back to the computer that requested it. DNS resolvers are also known as recursive resolvers. Computers are configured to talk to specific DNS resolvers, identified by IP address.
What is a stub resolver ?
The stub resolver is the component of the DNS that application programs use when they need the DNS, e.g. to resolve domain names to IP addresses. It simply serves as an intermediary between the application requiring DNS resolution and a recursive DNS resolver. The recursive resolver typically performs a number of successive queries to the DNS to obtain the answer to the query sent by the stub resolver.
How does Stubby work ?
Stubby runs as a daemon on the local machine, sending DNS queries to resolvers over encrypted TLS connections, which provides increased privacy for the user: passive observers on the network can no longer see the DNS queries made by the client. It listens on a loopback address and sends all outgoing DNS queries received on that address out over TLS, using a default configuration that provides Strict Privacy and uses a subset of the available DNS Privacy servers.
How does Unbound work ?
Unbound recursively queries, starting from the root DNS servers, any hostname it does not have a cached copy of. It validates answers using DNSSEC and uses 0x20-encoded random bits (randomised letter case in the query name) to foil spoofing attempts. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS, which allow clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers.
How does a caching name server work ?
In principle, every DNS query would have to start with recursive queries at the root zone of the Domain Name System, and each user system would have to implement resolver software capable of recursive operation.
To improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications, the Domain Name System supports DNS cache servers which store DNS query results for a period of time determined in the configuration (time-to-live) of the domain name record in question. Typically, such caching DNS servers also implement the recursive algorithm necessary to resolve a given name starting with the DNS root through to the authoritative name servers of the queried domain. With this function implemented in the name server, user applications gain efficiency in design and operation.
What is recursive DNS ?
A recursive DNS lookup is where one DNS server communicates with several other DNS servers to hunt down an IP address and return it to the client. This is in contrast to an iterative DNS query, where the client communicates directly with each DNS server involved in the lookup. While this is a very technical definition, a closer look at the DNS system and the difference between recursion and iteration should help clear things up.
How does Windows/Linux/Android resolve DNS (Advanced) ?
All systems have their own technical way of resolving DNS.
See full details for Windows
See full details for Linux
See full details for Android
What is DNS forwarding ?
DNS forwarding is the process by which particular sets of DNS queries are forwarded to a designated server for resolution according to the DNS domain name in the query rather than being handled by the initial server that was contacted by the client.
In other words it passes the DNS query to another DNS server (e.g. your ISP's). Home routers use forwarding to pass DNS queries from your home network's clients to your ISP's DNS servers. When visiting a website, a forwarding DNS server would first check its cache (did it already ask this question before), and if the answer is not in its cache, it would ask its forwarder (your ISP's DNS server) for the answer, which would respond with either a cached response, or would perform recursion until it figured out the answer.
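The caching, recursive-lookup and forwarding answers above describe one chain; this added Python model (not Unbound's or AdGuard Home's code) puts a forwarder with its own cache in front of a recursive resolver that walks root, TLD and authoritative servers, caches delegations and answers for their TTL, and sends only the labels needed at each hop (the query name minimization mentioned under 1.1.1.1). The zone table and addresses are constructed.

```python
"""Toy model of the resolution chain: stub -> forwarder (own cache) -> recursive
resolver that walks root, TLD and authoritative servers, caching answers and
delegations for their TTL.  Added example on a constructed zone table."""
from __future__ import annotations

# Constructed authoritative data keyed by zone. ("NS", child_zone, ttl) is a
# referral to the child zone's server; ("A", address, ttl) is a final answer.
ZONES = {
    ".": {"com": ("NS", "com", 172800)},
    "com": {"cloudflare.com": ("NS", "cloudflare.com", 172800)},
    "cloudflare.com": {
        "cloudflare.com": ("A", "104.16.123.96", 300),
        "blog.cloudflare.com": ("A", "104.16.123.96", 60),
    },
}


class Cache:
    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], tuple[str, int]] = {}

    def get(self, key: tuple[str, str], now: int) -> tuple[str, int] | None:
        entry = self._entries.get(key)
        if entry and now < entry[1]:
            return entry[0], entry[1] - now  # rdata and the *remaining* TTL
        self._entries.pop(key, None)  # missing or expired: caller re-resolves
        return None

    def put(self, key: tuple[str, str], rdata: str, ttl: int, now: int) -> None:
        self._entries[key] = (rdata, now + ttl)


class RecursiveResolver:
    """Iterates from the root, sending only the labels needed at each hop."""

    def __init__(self) -> None:
        self.cache, self.upstream_queries = Cache(), 0

    def ask(self, zone: str, name: str) -> tuple[str, str, int]:
        self.upstream_queries += 1  # one query to the server for `zone`
        return ZONES[zone][name]  # KeyError stands in for NXDOMAIN here

    def resolve(self, qname: str, now: int) -> tuple[str, int]:
        hit = self.cache.get(("A", qname), now)
        if hit:
            return hit
        labels, zone = qname.rstrip(".").split("."), "."
        for i in range(len(labels) - 1, -1, -1):
            name = ".".join(labels[i:])  # query name minimisation: one label deeper
            known = self.cache.get(("NS", name), now)
            if known:  # delegation already cached: skip the hop
                zone = known[0]
                continue
            rtype, rdata, ttl = self.ask(zone, name)
            if rtype == "A":
                self.cache.put(("A", name), rdata, ttl, now)
                return rdata, ttl
            self.cache.put(("NS", name), rdata, ttl, now)
            zone = rdata
        rtype, rdata, ttl = self.ask(zone, qname)  # qname is a zone apex itself
        self.cache.put(("A", qname), rdata, ttl, now)
        return rdata, ttl


class Forwarder:
    """A home router: answers from its cache, otherwise asks its forwarder."""

    def __init__(self, upstream: RecursiveResolver) -> None:
        self.upstream, self.cache, self.forwarded = upstream, Cache(), 0

    def lookup(self, qname: str, now: int) -> tuple[str, int]:
        hit = self.cache.get(("A", qname), now)
        if hit:
            return hit
        self.forwarded += 1
        ip, ttl = self.upstream.resolve(qname, now)
        self.cache.put(("A", qname), ip, ttl, now)  # only the remaining TTL
        return ip, ttl


def demo() -> dict[str, object]:
    """A stub's queries over a simulated clock (seconds since start)."""
    rec = RecursiveResolver()
    fwd, out = Forwarder(rec), {}
    out["first"] = fwd.lookup("blog.cloudflare.com", 0)      # asks root, com, auth
    out["queries_cold"] = rec.upstream_queries
    out["second"] = fwd.lookup("blog.cloudflare.com", 20)    # forwarder cache, 40 s left
    out["forwarded"] = fwd.forwarded
    out["sibling"] = fwd.lookup("cloudflare.com", 20)        # delegations cached: 1 query
    out["queries_sibling"] = rec.upstream_queries
    out["expired"] = fwd.lookup("blog.cloudflare.com", 100)  # TTL 60 lapsed: re-resolved
    out["queries_expired"] = rec.upstream_queries
    return out
```

Note that each cache downstream receives the remaining TTL rather than the record's original one, so entries along the chain expire together.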
What is 1.1.1.1 ?
1.1.1.1 is a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available.
DNS resolvers translate domains like cloudflare.com into the IP addresses necessary to reach the website (like 104.16.123.96).
What is DNS over TLS ?
DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.
What is DNS over HTTPS ?
DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.
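The port 53, DoT and DoH answers above all carry the same wire-format message; this added Python example (written for this page, not taken from the guide or any library) builds a query, frames it for UDP/53, for DoT (which per RFC 7858 runs over TCP port 853 and uses the same two-byte length prefix as plain TCP/53) and for a DoH GET against Cloudflare's public DoH URL, and parses a constructed response.

```python
"""One DNS query carried three ways: a raw UDP/53 datagram, a DoT stream
(TCP/853 inside TLS, RFC 7858) and a DoH GET (RFC 8484).  Added example;
builder and parser are written here, not taken from the guide or a library.
Nothing is sent: the response below is a constructed sample."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_udp(msg: bytes) -> bytes:
    """UDP/53 sends the message as one datagram (512 bytes without EDNS)."""
    if len(msg) > 512:
        raise ValueError("too large for a classic UDP DNS datagram")
    return msg


def frame_dot(msg: bytes) -> bytes:
    """DoT, like plain TCP/53, prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = "https://cloudflare-dns.com/dns-query") -> str:
    """DoH GET: base64url (no padding) wire message in the dns= parameter.
    Build with txid 0 so identical queries give identical, cacheable URLs."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at off, following compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer: name continues at an earlier offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Header flags plus the answer section; A records become dotted quads."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF,
            "truncated": bool(flags & 0x0200), "answers": answers}


# Constructed sample response: QR|RD|RA flags, the question echoed, one A
# record whose owner is a pointer (0xC00C) to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("cloudflare.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([104, 16, 123, 96])
)
```

A response with the truncated flag set is the case in which a client retries over TCP 53 using the frame_dot framing; a DoT session differs from that plain TCP exchange only by the TLS layer around it.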
What is DNSSEC ?
DNSSEC is a mechanism to protect DNS data. It uses digital signatures that add a layer of trust on top of DNS by providing authentication. When a DNS resolver is looking up a name such as blog.cloudflare.com, the .com name servers help the resolver verify the records returned for cloudflare.com, and cloudflare.com helps verify the records returned for blog.cloudflare.com. The root DNS name servers help verify .com, and information published by the root is vetted by a thorough security procedure, including the Root Signing Ceremony.
What is the cloudflared tunneling client daemon service ?
The cloudflared daemon proxies traffic from the Cloudflare network to your origins. It sits between the Cloudflare network and your origin (e.g. a web server). Cloudflare receives client requests and sends them to you via this daemon, without requiring you to poke holes in your firewall: your origin can remain as closed as possible.
You can also use cloudflared to access Tunnel origins (those protected with a cloudflared tunnel) for TCP traffic at Layer 4.