Table of Contents
- Quick Guide
- Feedback from Communities
- How it works
- AdGuard Home and AdGuard DNS
- Use in a Router
- Use in Asus RT-AC1200G+
- Use in Huawei B311As-853
- Use in Android Devices
- Use in iOS Devices
- Reference
Quick Guide
- AdGuard Protected DNS: 94.140.14.14, 94.140.15.15.
- AdGuard Protected DNS-over-TLS: dns.adguard.com
- The WAN DNS is the DNS used by the router.
- The DHCP DNS is the DNS assigned to the DHCP client.
- On the RT-AC1200G+, log in over SSH and run ‘nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq’ to change the DHCP DNS.
- On Android 9 and newer, create a Private DNS with the DNS-over-TLS hostname.
- On iOS, assign the DNS SERVERS in the WiFi connection.
Feedback from Communities
Facebook Group: NAS 網路磁碟伺服器 使用者俱樂部
- Long latency in some regions.
- It does not always return the fastest router for downloading a file.
- Family protection is useful with kids.
- blocky is easier and NextDNS is faster than AdGuard DNS.
- If AdGuard Home is open to the public, use DoH or DoT, not port 53.
- For running AdGuard Home, get the best price on a .CYOU domain name from Alibaba Cloud, host it on Cloudflare, and get an SSL certificate from Let’s Encrypt. DDNS and SSL can be updated automatically.
How it works
AdGuard designs a special DNS to block ads, trackers, phishing, and malware domains.
When a client asks for a domain, the name is compared against the existing filter rules. If it matches, the request is routed to a DNS sinkhole. Nothing is retrieved from the real server, which also saves bandwidth.
The limitation: it cannot drop ads that share the same domain as the content. You will still see ads on YouTube, Facebook, etc. They can only be blocked by a content proxy.
This thread discusses AdGuard DNS security and is worth reading.
AdGuard Home and AdGuard DNS
AdGuard Home can be installed in a virtualization environment or on a Raspberry Pi / x86 computer. More customization and reports are available.
AdGuard DNS is a public service. It’s not customizable.
Use in a Router
There are WAN DNS and LAN DHCP DNS in a router. If AdGuard DNS is assigned in the WAN DNS, both the router and its DNS clients will use this service. If it is in the DHCP DNS, only the DHCP clients will.
Some routers can act as a DNS proxy, which caches DNS results for faster responses. Assigning AdGuard DNS as the WAN DNS gives the benefit of the proxy and the protection at the same time.
The following table shows the relationship between DNS combination and protection. When the client may access a non-AdGuard DNS, it won’t be protected.
Assigned WAN DNS | Assigned DHCP DNS | DHCP Client DNS Info | Protected |
---|---|---|---|
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | No |
#1 AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 Non-AdGuard DNS | No |
#1 AdGuard DNS #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | Yes |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | #1 Router DNS Proxy #2 AdGuard DNS | No |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Non-AdGuard DNS #2 AdGuard DNS | #1 Non-AdGuard DNS #2 AdGuard DNS | No |
#1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | Yes |
#1 Non-AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | #1 AdGuard DNS #2 AdGuard DNS | Yes |
#1 AdGuard DNS #2 AdGuard DNS | #1 Non-AdGuard DNS #2 Non-AdGuard DNS | #1 Non-AdGuard DNS #2 Non-AdGuard DNS | No |
If the router doesn’t work as expected, the cause may be a hidden DNS or something wrong in the firmware. See my experience with the Asus RT-AC1200G+.
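The rule behind the table, as an added example (not code from the original page): a client is protected only if every resolver it was given is AdGuard DNS, or is the router's DNS proxy with AdGuard-only upstreams. The function reads the client's `nmcli dev show` output; the router address 192.168.1.1 is the one used on this page, 203.0.113.1 is a placeholder for an ISP resolver, and the WAN list passed in is assumed to be what the router really uses.

```sh
#!/bin/sh
# Added example (not from the original page): apply the table's rule to one client.
ADGUARD_DNS="94.140.14.14 94.140.15.15"   # AdGuard Protected DNS, from the Quick Guide

# is_adguard IP: succeeds if IP is one of the AdGuard addresses
is_adguard() {
    for a in $ADGUARD_DNS; do [ "$1" = "$a" ] && return 0; done
    return 1
}

# all_adguard "IP IP ...": succeeds only for a non-empty list of AdGuard addresses
all_adguard() {
    [ -n "$1" ] || return 1
    for ip in $1; do is_adguard "$ip" || return 1; done
    return 0
}

# dns_protected ROUTER_IP "WAN_DNS_LIST" < `nmcli dev show` output
# returns 0 = protected, 1 = a non-AdGuard resolver is reachable, 2 = no IP4.DNS lines
dns_protected() {
    router_ip=$1 wan_dns=$2
    resolvers=$(awk '/^IP4\.DNS\[[0-9]+\]:/ { print $2 }')
    [ -n "$resolvers" ] || return 2
    for r in $resolvers; do
        if [ "$r" = "$router_ip" ]; then
            # Router DNS proxy: only as safe as every upstream the router uses
            all_adguard "$wan_dns" || return 1
        else
            is_adguard "$r" || return 1
        fi
    done
    return 0
}

# Constructed sample: a mixed lease, one AdGuard resolver plus the router itself
# (203.0.113.1 below is a placeholder for an ISP resolver on the WAN side)
SAMPLE_MIXED='IP4.ADDRESS[1]:                         192.168.1.23/24
IP4.DNS[1]:                             94.140.14.14
IP4.DNS[2]:                             192.168.1.1'

if printf '%s\n' "$SAMPLE_MIXED" | dns_protected 192.168.1.1 "203.0.113.1"; then
    echo "protected"
else
    echo "not protected: at least one resolver bypasses AdGuard"
fi
```

On a real client, pipe `nmcli dev show` into `dns_protected` in place of the sample text.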
Use in Asus RT-AC1200G+
On 2021/5/11, I found that neither the WAN DNS nor the LAN DHCP DNS in firmware 3.0.0.4.382_52272 works as expected. The WAN DNS doesn’t apply correctly and there is no way to remove the hidden DHCP DNS on the web interface. I need to use SSH to connect to the router and execute several commands to set the LAN DHCP DNS.
When AdGuard DNS is set in DNS Server1 and DNS Server2 in Advanced Settings ➞ WAN ➞ Internet Connection ➞ WAN DNS Setting ➞ Connect to DNS Server automatically, there is no protection at all. I ran ‘nmcli dev show’ in the client terminal. Both IP4.DNS[1] and IP4.DNS[2] are the router itself. The router doesn’t use AdGuard DNS as the configuration shows.
When AdGuard DNS is set in the DNS Server in Advanced Settings ➞ LAN ➞ DHCP Servers ➞ DNS and WINS Server Setting, IP4.DNS[1] points to AdGuard DNS but IP4.DNS[2] points to the router. It still doesn’t work. And there is no way to change the value of IP4.DNS[2] in the configuration page.
I found this thread and executed the router commands ‘nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq’ to change the DHCP DNS. After reissuing DHCP, the client finally got protected.
When there is any change in the DHCP configuration, all clients need to reissue DHCP to apply the new settings.
$ ssh -l asusrouterad 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
asusrouterad@192.168.1.1's password:
asusrouterad@RT-AC1200G+:/tmp/home/root# nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq
Done.
asusrouterad@RT-AC1200G+:/tmp/home/root#
When the RT-AC1200G+ uses USB tethering to share a mobile connection, the AdGuard DNS set in Android won’t be used by the clients automatically. It’s just a network card.
Use in Huawei B311As-853
Enable Set DNS server manually and assign AdGuard DNS in Primary DNS server and Secondary DNS server in Advanced ➞ Router ➞ DHCP.
When the RT-AC1200G+ uses it as the WAN, AdGuard DNS will be used by the clients automatically. Keep the defaults for the WAN DNS and DHCP DNS in the RT-AC1200G+.
Use in Android Devices
For Samsung devices with Android 8.x and before, installing AdGuard is the easiest way. Others will need to create a VPN or use a static IP while connecting to WiFi. Check this article for detailed instructions.
For the rest, with Android 9.0 and newer, enter the AdGuard Protected DNS-over-TLS hostname ‘dns.adguard.com’ in Settings ➞ Wireless & networks ➞ Private DNS ➞ Configure Private DNS.
Use in iOS Devices
For use with WiFi, enter AdGuard DNS in Settings ➞ WiFi ➞ (i) ➞ DNS ➞ Configure DNS ➞ Manual ➞ DNS SERVERS.
I haven’t found any solution on the go yet.
Reference
- AdGuard DNS
- Wiki: DNS sinkhole
- reddit: Is AdGuard dns safe
- GitHub: AdguardTeam / AdGuardHome
- SNB Forums: What does “WAN DNS Setting” do?
- SNB Forums: WAN DNS or LAN DNS – Asus Router
- ask ubuntu: How to view the DNS address assigned by DHCP?
- SNB Forums: Is it possible to change a routers settings via ssh?
- GooglePlay: AdGuard: Content Blocker for Samsung and Yandex
- Android Police: How to make Android use the DNS server of your choice
- Facebook Group: NAS 網路磁碟伺服器 使用者俱樂部
- GitHub: 0xERR0R / blocky
- NextDNS
- Wiki: DNS over HTTPS
- Wiki: DNS over TLS
- Alibaba Cloud: .CYOU Domain names
- Cloudflare: DNS
- Let’s Encrypt
- Wiki: Dynamic DNS