How to Use AdGuard Protected Public DNS on Routers and Mobile Devices


Table of Contents

  1. Quick Guide
  2. Feedback from Communities
  3. How it works
  4. AdGuard Home and AdGuard DNS
  5. Use in a Router
  6. Use in Asus RT-AC1200G+
  7. Use in Huawei B311As-853
  8. Use in Android Devices
  9. Use in iOS Devices
  10. Reference

Quick Guide

  1. AdGuard Protected DNS: 94.140.14.14, 94.140.15.15.
  2. AdGuard Protected DNS-over-TLS: dns.adguard.com
  3. The WAN DNS is the DNS used by the router.
  4. The DHCP DNS is the DNS assigned to the DHCP client.
  5. SSH login and run ‘nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq‘ to change the DHCP DNS in RT-AC1200G+
  6. On Android, create a Private DNS with the DNS-over-TLS in Android 9 and newer.
  7. On iOS, assign the DNS SERVERS in the WiFi connection.

Feedback from Communities

Facebook Group: NAS 網路磁碟伺服器 使用者俱樂部

  1. Long latency in some region.
  2. Not always returns the fastest router to download a file.
  3. Family protection is useful with kids.
  4. blocky is easier and NextDNS is faster than AdGuard DNS.
  5. If AdGuard Home is open to public, use DoH or DoT, not the port 53.
  6. For running AdGuard Home, get the best price of .CYOU domain name on Alibaba Cloud, host on Cloudflare, and a SSL on Let’s Encrypt. DDNS and SSL can be updated automatically.

How it works

AdGuard designs a special DNS to block ads, trackers, phishing, and malware domains.

When a client asks the route for a domain, it will be compared to existing filter rules. If being matched, it will be routed to a DNS sinkhole. Nothing is retrived from the real server. This saves bandwidth, too.

The limitiation: it cannot drop ads which shares the same domain with the content. You will still see ads on YouTube, Facebook, and etc. They can only be blocked by content proxy.

This thread discussed the AdGuard DNS security and is worth to read.

AdGuard Home and AdGuard DNS

AdGuard Home can be installed in a virtualization environment and on a Raspery Pi / x86 computer. More customization and reports are available.

AdGuard DNS is a public service. It’s not customizable.

Use in a Router

There are WAN DNS and LAN DHCP DNS in a router. If AdGuard DNS is assigned in the WAN DNS, both the router and its DNS clients will use this service. If it is in the DHCP DNS, only the DHCP clients will.

Some routers can act as DNS proxy. It caches the DNS result for faster response. Assign AdGuard DNS in WAN DNS can benefit from proxy and protection at the same time.

The following table shows the relationship between DNS combination and protection. When the client may access a non-AdGuard DNS, it won’t be protected.

Assigned WAN DNSAssigned DHCP DNSDHCP Client DNS InfoProtected
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
No
#1 Non-AdGuard DNS
#2 AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
No
#1 Non-AdGuard DNS
#2 AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
No
#1 AdGuard DNS
#2 AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
#1 Router DNS Proxy
#2 Non-AdGuard DNS
No
#1 AdGuard DNS
#2 AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
Yes
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
#1 Router DNS Proxy
#2 AdGuard DNS
No
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
#1 Non-AdGuard DNS
#2 AdGuard DNS
#1 Non-AdGuard DNS
#2 AdGuard DNS
No
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
#1 AdGuard DNS
#2 AdGuard DNS
#1 AdGuard DNS
#2 AdGuard DNS
Yes
#1 Non-AdGuard DNS
#2 AdGuard DNS
#1 AdGuard DNS
#2 AdGuard DNS
#1 AdGuard DNS
#2 AdGuard DNS
Yes
#1 AdGuard DNS
#2 AdGuard DNS
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
#1 Non-AdGuard DNS
#2 Non-AdGuard DNS
No
DNS combination and client protection

If the router doesn’t work as expected, it would be a hidden DNS or something wrong in the firmware. See my experience with Asus RT-AC1200G+.

Use in Asus RT-AC1200G+

On 2021/5/11, I found neither WAN DNS nor LAN DHCP DNS in firmware 3.0.0.4.382_52272 work as expected. The WAN DNS doesn’t apply correctly and there is no way to remove the hidden DHCP DNS on the web interface. I need to use SSH to connect to the router and execute several commands to set the LAN DHCP DNS.

When AdGuard DNS are set in the DNS Server1 and DNS Server2 in Advanced SettingsWANInternet ConnectionWAN DNS SettingConnect to DNS Server automatically, there is no protection at all. I run ‘nmcli dev show‘ in the client terminal. Both IP4.DNS[1] and IP4.DNS[2] are the router itself. The router doesn’t use AdGuard DNS as the showed configuration.

When AdGuard DNS is set in the DNS Server in Advanced SettingsLANDHCP ServersDNS and WINS Server Setting, IP4.DNS[1] points to AdGuard DNS but IP4.DNS[2] is to the router. It still doesn’t work. And there is no way to change the value in IP4.DNS[2] in the configuration page.

I found this thread and execute the router commands ‘nvram set dhcp_dns1_x=94.140.14.14 ; nvram set dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq‘ to change the DHCP DNS. After reissuing DHCP, the client finally get protected.

When there is any change in DHCP configuration, all clients need to reissue again to apply the new settings.

$ ssh -l asusrouterad 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
asusrouterad@192.168.1.1's password: 
asustouterad@RT-AC1200G+:/tmp/home/root# nvram set dhcp_dns1_x=94.140.14.14 ; nvram set
 dhcp_dns2_x=94.140.15.15 ; nvram commit ; service restart_dnsmasq

Done.
asusrouterad@RT-AC1200G+:/tmp/home/root#

When RT-1200G+ uses USB tethering to share mobile connection, the AdGuard DNS in Android won’t used by the clients automatically. It’s just a network card.

Use in Huawei B311 As-853

Enable Set DNS server manually and assign AdGuard DNS in Primary DNS server and Secondary DNS server in AdvancedRouterDHCP.

When RT-1200G+ use it as the WAN, AdGuard DNS will be used by the clients automatically. Keep the default in WAN DNS and DHCP DNS in RT-1200G+.

Use in Android Devices

For Samsung devices with Android 8.x and before, install AdGuard is the easiest way. Others will need to create a VPN or use a static IP while connecting to WiFi. Check this article for detail instructions.

For the rest with Android 9.0 and newer, fill ‘dns.guard.com’ in AdGuard Protected DNS-over-TLS in SettingsWireless & networksPrivate DNSConfigure Private DNS.

Use in iOS Devices

For use with WiFi, fill AdGuard DNS in SettingsWiFi(i)DNSConfigure DNSManualDNS SERVERS.

I haven’t found any solution on the go yet.

Reference

  1. AdGuard DNS
  2. Wiki: DNS sinkhole
  3. reddit: Is AdGuard dns safe
  4. GitHub: AdguardTeam / AdGuardHome
  5. SNB Forums: What does “WAN DNS Setting” do?
  6. SNB Forum: WAN DNS or LAN DNS – Asus Router
  7. ask ubuntu: How to view the DNS address assigned by DHCP?
  8. SNB Forum: Is it possible to change a routers settings via ssh?
  9. GooglePlay: AdGuard: Content Blocker for Samsung and Yandex
  10. Android Police: How to make Android use the DNS server of your choice
  11. Facebook Group: NAS 網路磁碟伺服器 使用者俱樂部
  12. GitHub: 0xERR0R / blocky
  13. NextDNS
  14. Wiki: DNS over HTTPS
  15. Wiki: DNS over TLS
  16. Alibaba Cloud: .CYOU Domain names
  17. Cloudflare: DNS
  18. Let’s Encrypt
  19. Wiki: Dynamic DNS

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.