4 May 2022

Install AdGuard-Home on RaspberryPi

I’ve used Pi-Hole for longer than I can remember, so it’s time to test drive another solution, AdGuard Home, to see how it compares on my network.

To start, as the title suggests you’ll need a RaspberryPi. While not required, I recommend starting with a new fresh image of the RaspbianOS on it. The next thing you’ll want to do, which I won’t cover in this article, is set up your RaspberryPi with a static IP address and then enable SSH on it so that you can connect to it.

Install AdGuard Home

Before you get started make sure to update your RaspberryPi using these two commands. After that you will be ready to get started.

sudo apt-get -y update
sudo apt-get -y upgrade 

The easiest way to begin the installation of AdGuard Home and get it ready to go is to copy and paste the command below and then run it. It will take care of everything; downloading the proper version for your RaspberryPi, installing it, starting it as a service on boot.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

After a few minutes, the installation completes and you are ready to proceed. Towards the bottom of the output from the install, there are a few lines that tell us what IP the RPi is listening on, on port 3000. Open your browser and go to the third entry which should be the same as the static IP address you applied to your RaspberryPi before we got started. Referencing the example in my image above, I would be going to: http://192.168.1.2:3000. You should be greeted by a five-step getting started wizard.

Using my RaspberryPi 3, I prefer to only use my wired ethernet connection. I usually go into the OS and disable the WiFi. So on this page, I will select my ‘eth0’ interface as the one that I want to listen to for DNS calls on.

Create your username and a password.

Time to set up your devices to point their DNS to your “new” AdGuard Home.
At this point, this is when you should be repointing the DNS in your router to now be pointing at your RaspberryPi’s IP address. This will make all of the devices on your network that is pulling a DHCP address from your router start to use AdGuard Home.

Note: This is also when I like to go back into my RaspberryPi’s NIC to statically repoint it’s DNS setting to its own IP address since it is now able to resolve DNS.

The last step is to open the dashboard and login.

Dashboard

The dashboard is what you see as soon as you log into your AdGuard Home. It is where you get to see at a single glance the summary of all of the statistics it has collected. From the number of allowed and blocked DNS queries, to what the top queried and blocked domains are, you can even see which clients are being the “chattiest” and making the most DNS requests. Being the summary page, you can use it as the launchpad to click around and dive deeper into what the devices on your network are doing and who they are talking to.

The only other thing really worth mentioning on the dashboard is the “Disable Protection” button that is near the top of the page next to the ‘Dashboard’ title. If you ever need to troubleshoot an issue with one of the devices on your network, this is how you can easily disable all of the DNS blocking/filters that AdGuard Home is doing so that you can [hopefully] rule it out as the culprit.

Settings

Under ‘General Settings’ I like to enable the longest log and statistic retention. Being that this is for a home network, I’m not too concerned about anonymizing the client IP info.

Under the ‘DNS Settings’ I like to set my upstream DNS servers. I personally use Cisco’s OpenDNS. Here is a link to known DNS providers that you could choose from if you don’t want to use Cisco. I also have it run the requests in parallel for faster results. However, I tend to leave almost everything else set to its default values.

Examples you can set as your Upstream DNS Servers:

  • regular DNS (over UDP) –
    • 94.140.14.140
  • regular DNS (over TCP) –
    • tcp://94.140.14.140
  • encrypted DNS-over-TLS
    • tls://dns-unfiltered.adguard.com
  • encrypted DNS-over-HTTPS
    • https://dns-unfiltered.adguard.com/dns-query
  • encrypted DNS-over-QUIC (experimental) –
    • quic://dns-unfiltered.adguard.com:784
  • DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers –
    • sdns://...
  • an upstream for specific domains
    • [/example.local/]94.140.14.140
  • a comment –
    • #comment

One of the final ‘DNS Settings’ I like to apply is at the very bottom of the page. I want to limit the use of my DNS to only machines that are on my home network. To do this, under “Allowed clients” I’m adding the CIDR notation for my home network.

I’m adding “192.168.0.0/16” so that it will apply to every address from 192.168.0.0 thru 192.168.255.255. However, while not wrong, this is probably going to be overkill for most home networks that only use a single subnet.

So depending on your home network’s IP address space, you could probably choose to just use a /24 – so it would look more like 192.168.0.0/24. In this example, it would allow all the addresses from 192.168.0.0 thru 192.168.0.255. Again, match up that address space (ie the third octet) to what is in use on your network if you use the /24. If your home network uses a different

Filters

Filters are an easy way to quickly block or allow, many different popular sites and services. For example, if you had a hatred for social media, by flipping a toggle in this menu, you could completely cut off and block all services from Facebook on your network.

Note this is not blocking applications, aka Layer 7, it is simply blocking a list of know domains that are owned and/or used by the specific service or website.

The ‘Filters’ is also where you can add/remove DNS blocklists. AdGuard Home comes with quite a few pre-defined lists that you can choose to enable if desired. To get there, click on ‘Filters’, then ‘DNS blocklists’, then click on the ‘Add blocklist’ at the bottom of the page.

Next, you will click ‘Choose from the list’ to start adding the pre-defined blocklists. Alternatively, if you had a custom list you wanted to add, you could do so right here using the ‘Add a custom list’ button.

Here is where the magic happens. This is where you can select any or all of the pre-defined block lists. When you are done, click the save button.

Query Log

This page is a comprehensive log of everything that AdGuard is doing. You can see what client on your network is making what DNS query. You can filter to see what DNS queries are getting processed or blocked. It is also here that you can see what external resolver answered a particular DNS query. It’s not as snazzy or flashy as the graphs and top charts on the dashboard, but if you are trying to look for the dirty details of whats going on, then your answer is definitely going to be here in this query log.

AdGuard Home service – Start/Stop/Restart/Status

To control the AdGuard Home service and manage it from the command line of your RaspberryPi you can use the following commands.

sudo /opt/AdGuardHome/AdGuardHome -s status
sudo /opt/AdGuardHome/AdGuardHome -s start
sudo /opt/AdGuardHome/AdGuardHome -s stop
sudo /opt/AdGuardHome/AdGuardHome -s restart

Likewise, if you need to you could also uninstall or re-install the AGH service.

sudo /opt/AdGuardHome/AdGuardHome -s uninstall
sudo /opt/AdGuardHome/AdGuardHome -s install

Test if AdGuard Home is working

So your devices should be pointing to AdGuard Home. To test if the ad-blocking is working you have a couple of options.

On your Windows machine open a command prompt, then type this command.

nslookup doubleclick.net

If AdGuard Home is working, it should return “0.0.0.0” as the answer. Meaning that it can not lookup the IP address of the domain “doubleclick.net”.

The other way that you can test your new ad-blocking abilities is by going to a URL and checking how well it blocks ads. A quick google search returned this site as one option to test ad-blocking: https://adblock-tester.com/ I’m sure you can find others…

What is AdGuard Home missing

  • No Layer 7 Application filtering capabilities

AdGuard does not have any packet inspection capability. Because it can not inspect packets it can not actually block or filter based on content or applications. AdGuard relies completely on DNS and the reputation of the actual domain/URL that is being called. Instead of blocking the content itself, it blocks the IP address lookup for the domain being requested. If you need to block/filter content you will need to look into some sort of Next-Gen Firewall as a solution.

  • Blocking all Ads

AdGuard and Pi-Hole both suffer from the inability to block ALL ads. This is because sometimes the advertisements, and the content you are actually wanting, come from the same domain. Because they are coming from the same place we are unable to block the actual domain name.

Some examples of a few sites that serve ads and content from the same domain name include:

  • YouTube
  • Twitter
  • Facebook
  • Instagram.
2 December 2020

DNS Tools

Here are a few handy sites to help with DNS-related things…

IP Chicken – Check your IP address
WhatsMyIP – Another check your IP address

DuckDNS – free dynamic DNS service

DNS Traveral Checker – detailed DNS propagation
WhatsMyDNS – Check your DNS propagation
DNSmap – Another global DNS propagation tool

MXToolbox – “swiss army knife” of DNS Tools
DNSChecker – Another DNS “swiss army knife”
ViewDNS – Yet another DNS “swiss army knife”
Google’s Dig – DNS record lookup tool

Dmarcian SPF – SPF record tools
SPF Query Tool – more SPF record tools
DMARC Analyzer SPF checker – even SPF record tools

SecurityTrails DNS history – View DNS history
CompleteDNS DNS history – Another DNS history site
DNSSpy DNS scan – Just another DNS history site

26 May 2020

DuckDNS on UDM

Updated on 4/09/2022: There was a change in the way the DuckDNS settings get entered in the UDM.


I have set up my Ubiquiti Dream Machine (UDM) and I am loving it. I’m diving into all of the settings that I can configure on my home network and one of the first things I’m setting up is Dynamic DNS (DDNS). This will allow me to reach my device/network remotely, regardless of the IP address that it has been assigned by my ISP.

The UDM can work with lots of different DDNS providers to accomplish this. Some DDNS services are free, whereas many are paid services. A quick google search will show you all the various sites that offer DDNS services. In this article, I am only going to cover how to use DuckDNS which is a free DDNS provider. Note: If you do use their service, I encourage you to support and donate to DuckDNS through any of the links at the bottom of their site.


Open your web browser and go to: https://www.duckdns.org/

Log into their site using your credentials from one of these sites: Twitter, GitHub, Reddit, or Google.

In the center of the page there is a spot to create a DuckDNS subdomain. This is where you will enter the unique name that you would like to use for your network, then click the green “add domain” button.

You will see your subdomain listed below.

In the upper part of the DuckDNS page, you should see a token listed.
Copy this token for later.

In your browser, open up your Unifi Contoller.

On your controller go to “Settings” -> “Advanced Features” -> “Advanced Gateway Settings” -> “Dynamic DNS”

UDM Dynamic DNS

Click on the button to “Create New Dynamic DNS”.
Enter the following settings:

  • interface: WAN
  • service: dyndns
  • hostname: <YourSubdomain>
  • username: nouser
  • password: nopassword
  • server: www.duckdns.org/update?domains=%h&token=<YourDuckDNStoken>

–For hostname, it is just going to be the subdomain name you created on DuckDNS. This field will not include the ‘.duckdns.org’ part at the end.
–For server, replace <YourDuckDNStoken> with your own token from your DuckDNS page.

Then click on “Done” button to save your settings.

UDM Dynamic DNS settings
5 April 2020

Installing Pi-Hole



Installing Pi-Hole is really simple. In fact it only takes entering one line to setup.

curl -sSL https://install.pi-hole.net | bash

By running the above command essentially piping the curl command to bash, the RPi will automatically download and run PiVPN.

A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!

You’ll see it start to load

Then you’ll have a few informational screens to click “Ok” through.

Note: Consider donating to Pi-Hole to keep the Pi-Hole project going – https://pi-hole.net/donate/

https://pi-hole.net/donate/

On this screen you choose the upstream DNS provider we want to use.
I’m going with Cisco’s OpenDNS, but can choose which ever you want.

Any of them are better then using your default ISP’s DNS. Regardless of what anyone tells you, none of them on this list are really that much better than any other. Yes, they each have a few different features that you’ll need to look into. But, let me be truthful with you, whichever one you do decide to choose it really just boils down to your personal preference. And… the best part is that you can easily change it anytime you want to use a different upstream DNS provider in the admin console, post-install.

Come back revisit this after you’ve gotten Pi-Hole up and running:
When you are ready to dive deeper down into the DNS hole, take a look at Steve Gibson’s DNS benchmark. Apparently one of the biggest considerations to take into account when choosing “the best” DNS is speed, and that is a metric which IS totally location dependent. He has an interesting tool that can help you run benchmarks against multiple DNS providers to see whom is “the best” for you.

Select the block lists you want to use.
I’m just leaving it default with all of the lists selected. These can all be changed (enabled/disable) later in the web admin interface.

Select which protocols (IPv4 and/or IPv6) that you wish to block ads on.
I’m leaving them both selected, which is the defaulted selection. These values can be changes later.

The next screen shows the RPi’s current IP address.
Mine is currently using a DHCP IP address, but we want set it to a static address. So I am going to click “No” here.

This screen is where the desired static IP address, and subnet mask (in CIDR format) gets set.
Your network will likely be different than mine, I’m setting mine to use the IP address 192.168.1.254.
As for the subnet mask, in most scenarios you can just use “/24”. That is CIDR shorthand for 255.255.255.0 and is basically saying that this subnet has 256 addresses in it; 192.168.1.0 to 192.168.1.255.

On this screen we enter the gateway.
This will most likely be your router’s IP address.
Mine is 192.168.1.1.

This screen shows us our updated settings.
Click “Yes” to accept the values you have entered.

Yes, we wish to install the web admin interface.

Yes, we wish for the web server to be installed and enabled.

Yes, we wish to log queries.

I want to see EVERYTHING!
You can change this to what you prefer. These will be the statistics you can see on the web admin interface. This value can get changed later from the web admin interface.
More info about this at: https://docs.pi-hole.net/ftldns/privacylevels

Pi-Hole will finish applying all of the settings it’s collected…

And then you are done. You did it!

The last screen of the Pi-Hole setup will show you the IP address and the URL for the web admin interface, as well as the admin password.

Press “Enter” to exit the installer and return to the command line.


Make your Pi-Hole the DNS of your network

Log into your router.

Navigate to it’s settings and clear any values that are currently set as it’s DNS.

Now enter the IP address of your Pi-Hole.

That’s it. Your network is now using Pi-Hole for all of it’s DNS queries.


Viewing your Network DNS Queries

Open a web browser and go to either the IP address of your RPi, or enter “pi.hole” as the URL.
In my example, I am either going to enter either “192.168.1.254/admin” or “pi.hole/admin”

That will load the Pi-Hole Web Admin Interface. Go ahead and click that login button. You’ll get even more details about what devices are doing on your network.

Pi-Hole does have some more advances features available in it that can allow it to act as your network’s DHCP server, on top of already serving up DNS. However I’ll save that for another time though…. For now, just sit back and enjoy fewer ads.


If you happened to this post by following my series about PiVPN, then click the following link to go to the next step: Part 3: Installing PiVPN

30 November 2019

Stop the Ads @ Home – Pi-Hole

Advertising, love it or hate it, truly drives the internet. It is scary the amount of data companies skim about you from the ads that get served to and what you click onto. But with the right tools, you can do a lot to protect your privacy. One of the best thing you can do at home to protect your privacy and those stop unwanted ads, is to deploy Pi-hole.

As described on their homepage Pi-hole is “A black hole for Internet ads”, that is “Easy-to-install”, and “is a DNS sinkhole that protects your devices from unwanted content”. All of which can be done in a one-time setup, usually on a RaspberryPi, without installing any software on your devices.

Pi-hole acts upon your network. It takes on the role of serving as the DNS on your network, and optionally role of a DHCP server.

In most homes today, both of these roles are usually preform by your router/wifi access point. DNS, in its’ most simplistic terms, acts as the whitepages that helps your devices translate a URL to an IP addresses. DHCP allows your device to get a ‘dynamically’ assigned address on the network so that it can communicate with everythign else. So by utilizing some whitelists and blacklists, the PiHole can simply not serve the address to known advertising URLs. Cutting the ads off before the request ever leaves your house.

I’ve been using it at home for about 3 years now and absolutely love it. There are some ads that still come thru, and sometimes if I click on an ad, I’ll get a “page can’t be reached” message. It was different at first to get used to, but now… I would trade it for the world!



Another great piece of software to install on you RPi is PiVPN. It’s an easy and secure way to create a VPN (a private tunnel) to your home when you are out and about. The best part about it is that it can allow you to use Pi-Hole when your not at home. Check out my article here.