Intro AdguardHome on Openwrt / Dnsmasq / DNS over TLS or HTTPS

DNS over TLS

DNS is the phonebook of the Internet; DNS resolvers translate human-readable domain names into machine-readable IP addresses. By default, DNS queries and responses are sent in plaintext (via UDP), which means they can be read by networks, ISPs, or anybody able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.

This lack of privacy has a huge impact on security and, in some cases, human rights; if DNS queries are not private, then it becomes easier for governments to censor the Internet and for attackers to stalk users’ online behavior.

DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.
DNS over TLS

  • DNS cache poisoning
    • DNS cache poisoning is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.
    • Attackers can poison DNS caches by impersonating DNS nameservers, making a request to a DNS resolver, and then forging the reply when the DNS resolver queries a nameserver. This is possible because DNS servers use UDP instead of TCP, and because currently there is no verification for DNS information.
    • A number of vulnerabilities make DNS poisoning possible, but the chief problem is that DNS was built for a much smaller Internet and based on a principle of trust (much like BGP).
    • Instead of using TCP, which requires both communicating parties to perform a ‘handshake’ to initiate communication and verify the identity of the devices, DNS requests and responses use UDP, or the User Datagram Protocol. With UDP, there is no guarantee that a connection is open, that the recipient is ready to receive, or that the sender is who they say they are. UDP is vulnerable to forging for this reason – an attacker can send a message via UDP and pretend it’s a response from a legitimate server by forging the header data.
    • If a DNS resolver receives a forged response, it accepts and caches the data uncritically because there is no way to verify if the information is accurate and comes from a legitimate source. DNS was created in the early days of the Internet, when the only parties connected to it were universities and research centers. There was no reason to expect that anyone would try to spread fake DNS information.
  • DNS spoofing and censorship
    • Several governments have intentionally poisoned DNS caches within their countries in order to deny access to certain websites or web resources.
  • How will DNSSEC help prevent DNS poisoning?
    • DNSSEC is short for Domain Name System Security Extensions, and it is a means of verifying DNS data integrity and origin. DNS was originally designed with no such verification, which is why DNS poisoning is possible.
    • Much like TLS/SSL, DNSSEC uses public key cryptography (a way of digitally signing information) to verify and authenticate data. DNSSEC extensions were published in 2005, but DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks.
  • What is the difference between DNS over TLS/HTTPS and DNSSEC?
    • DNSSEC is a set of security extensions for verifying the identity of DNS root servers and authoritative nameservers in communications with DNS resolvers. It is designed to prevent DNS cache poisoning, among other attacks. It does not encrypt communications.

What is DNS cache poisoning? | DNS spoofing
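The bullets above say a forged UDP reply is accepted because nothing ties it to the outstanding query. The least a stub or resolver can do is check the transaction ID, the QR flag and that the question section is echoed back unchanged; the following is an added illustration of that check (not code from the page, AdGuard Home or dnsmasq), with every packet constructed in the block and the forged reply pointing at a TEST-NET-3 documentation address:

```python
"""Tie a DNS reply to the query it claims to answer.  The page notes that a forged
UDP reply is accepted if nothing links it to the outstanding query; the least a
stub or resolver can check is the transaction ID, the QR flag and that the
question section is echoed back unchanged.  Added illustration for this page,
not code from AdGuard Home or dnsmasq; all packets below are constructed."""
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard query: 12-byte header (id, RD flag, qdcount=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_reply(txid, query, rdata):
    """Response that echoes the query's question and adds one A record (demo only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return header + query[12:] + rr

def reply_matches_query(query, reply):
    """Accept only if id matches, QR=1 and the question section is identical."""
    if len(reply) < 12 or len(query) < 12:
        return False
    flags = struct.unpack("!H", reply[2:4])[0]
    question = query[12:]               # a query carries only its question
    return (reply[:2] == query[:2]
            and flags & 0x8000 != 0     # QR bit set: this is a response
            and reply[12:12 + len(question)] == question)

# Constructed vectors: one genuine reply, one with a guessed (wrong) transaction ID.
QUERY = build_query(0x1234, "dns.google")
GENUINE = build_reply(0x1234, QUERY, bytes([8, 8, 8, 8]))
WRONG_ID = build_reply(0x9999, QUERY, bytes([203, 0, 113, 7]))   # TEST-NET-3 address
```

A 16-bit ID match is a low bar on its own, which is why the bullets above move on to DNSSEC signatures and encrypted transport.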

Dnsmasq

Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.

The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled).
Dnsmasq

Why AdguardHome

When we talk about ads, what do we mean by ads?

  • Ads
    • Google Ads
    • Amazon
  • Analytics
    • Google Analytics
  • Error Trackers
  • Social Trackers
    • Facebook
    • Twitter
    • LinkedIn
    • Youtube
  • Mix
    • Yahoo
    • Yandex
  • OEM/IoT
    • Xiaomi
    • Huawei
    • Samsung
    • Apple

AdguardHome can operate as a DNS server.

AdGuard Home: In-depth overview

Why not use it together with on-device ad-blocking VPNs/plugins?

Platform   Description
Android    Blokada
iOS
Chrome     uBlock Origin

AdguardHome configuration

AdGuardHome redirect mode

Port   Mode       Setting
53     Redirect   Use port 53 replace dnsmasq

```yaml
upstream_dns:
- tls://dns.google
- https://dns.google/dns-query
- tls://dns11.quad9.net
- https://dns11.quad9.net/dns-query
```
```yaml
rewrites:
- domain: dns.quad9.net
  answer: 9.9.9.9
- domain: dns.quad9.net
  answer: 2620:fe::fe
- domain: dns.google
  answer: 8.8.8.8
- domain: dns.google
  answer: 8.8.4.4
- domain: dns.google
  answer: 2001:4860:4860::8888
- domain: dns.google
  answer: 2001:4860:4860::8844
```
```yaml
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1628750870
- enabled: true
  url: https://anti-ad.net/easylist.txt
  name: 'CHN: anti-AD'
  id: 1628750871
- enabled: true
  url: https://gitee.com/xinggsf/Adblock-Rule/raw/master/mv.txt
  name: 乘风视频广告过滤规则
  id: 1647351517
- enabled: true
  url: https://gitee.com/xinggsf/Adblock-Rule/raw/master/rule.txt
  name: 乘风广告过滤规则
  id: 1647351518
- enabled: true
  url: https://gitee.com/cjx82630/cjxlist/raw/master/cjx-ublock.txt
  name: CJX'suBlocklist
  id: 1647351519
- enabled: true
  url: https://easylist-downloads.adblockplus.org/easyprivacy.txt
  name: EasyListPrivacy
  id: 1647351520
- enabled: true
  url: https://easylist-downloads.adblockplus.org/easylist.txt
  name: Easylist
  id: 1647351521
- enabled: true
  url: https://easylist-downloads.adblockplus.org/easylistchina.txt
  name: EasylistChina
  id: 1647351522
- enabled: true
  url: https://cdn.jsdelivr.net/gh/cjx82630/cjxlist@master/cjx-annoyance.txt
  name: CJX'sAnnoyanceList
  id: 1647351523
- enabled: true
  url: https://cdn.jsdelivr.net/gh/zsakvo/AdGuard-Custom-Rule@master/rule/zhihu-strict.txt
  name: 移除知乎部分广告
  id: 1647351524
- enabled: true
  url: http://sub.adtchrome.com/adt-chinalist-easylist.txt
  name: ChinaList+EasyList(淇)
  id: 1647351525
- enabled: true
  url: https://raw.sevencdn.com/Goooler/1024_hosts/master/hosts
  name: Goooler
  id: 1647351526
- enabled: true
  url: https://raw.sevencdn.com/jdlingyu/ad-wars/master/hosts
  name: ad-wars
  id: 1647351527
- enabled: true
  url: https://raw.sevencdn.com/jdlingyu/ad-wars/master/sha_ad_hosts
  name: ad-wars2
  id: 1647351528
- enabled: true
  url: https://cdn.jsdelivr.net/gh/neoFelhz/neohosts@gh-pages/full/hosts.txt
  name: NekoDevTeam&neoHostsTeam
  id: 1647351529
- enabled: true
  url: https://raw.sevencdn.com/VeleSila/yhosts/master/hosts.txt
  name: VeleSila/yhosts
  id: 1647351530
- enabled: true
  url: https://raw.sevencdn.com/timlu85/AdGuard-Home_Youtube-Adfilter/master/Youtube-Adfilter-Web.txt
  name: Youtube-Adfilter-Web
  id: 1647351531
- enabled: true
  url: https://raw.sevencdn.com/91ajames/ublock-filters-ulist-youtube/main/blocklist.txt
  name: ublock-filters-ulist-youtube
  id: 1647351532
- enabled: true
  url: https://halflife.coding.net/p/list/d/list/git/raw/master/ad.txt
  name: 本规则合并自乘风视频广告过滤规则、EasylistChina、EasylistLite、CJX'sAnnoyance
  id: 1647351533
- enabled: true
  url: https://cdn.jsdelivr.net/gh/anudeepND/blacklist@master/adservers.txt
  name: anudeepND/blacklist
  id: 1647351534
- enabled: true
  url: https://raw.sevencdn.com/neodevpro/neodevhost/master/adblocker
  name: NEODEVHOST
  id: 1647351535
- enabled: true
  url: https://cdn.jsdelivr.net/gh/liwenjie119/adg-rules@master/black.txt
  name: LWJ'sblacklist
  id: 1647351536
```
```yaml
whitelist_filters:
- enabled: true
  url: https://cdn.jsdelivr.net/gh/hl2guide/Filterlist-for-AdGuard@master/filter_whitelist.txt
  name: hl2guideFilterlist-for-AdGuard
  id: 1647351537
- enabled: true
  url: https://cdn.jsdelivr.net/gh/hg1978/AdGuard-Home-Whitelist@master/whitelist.txt
  name: hg1978/AdGuard-Home-Whitelist
  id: 1647351538
- enabled: true
  url: https://cdn.jsdelivr.net/gh/mmotti/adguard-home-filters@master/whitelist.txt
  name: mmotti/adguard-home-filters
  id: 1647351539
- enabled: true
  url: https://raw.sevencdn.com/mawenjian/china-cdn-domain-whitelist/master/china-cdn-domain-whitelist.txt
  name: china-cdn-domain-whitelist
  id: 1647351540
- enabled: true
  url: https://raw.sevencdn.com/pluwen/china-domain-allowlist/master/allow-list.sorl
  name: china-domain-allowlist
  id: 1647351541
- enabled: true
  url: https://raw.sevencdn.com/entr0pia/SwitchyOmega-Whitelist/master/white-list.sorl
  name: SwitchyOmega-Whitelist
  id: 1647351542
- enabled: true
  url: https://cdn.jsdelivr.net/gh/liwenjie119/adg-rules@master/white.txt
  name: LWJ'swhitelist
  id: 1647351543
- enabled: true
  url: https://cdn.jsdelivr.net/gh/LucienShui/chinalist@gh-pages/chinalist.txt
  name: LucienShui/chinalist
  id: 1647351544
- enabled: true
  url: https://raw.sevencdn.com/etotakeo/AdGuardDNSPassList/master/DNS-Pass-List
  name: etotakeo/AdGuardDNSPassList
  id: 1647351545
- enabled: true
  url: https://cdn.jsdelivr.net/gh/JamesDamp/AdGuard-Home---Personal-Whitelist@master/AdGuardHome-Whitelist.txt
  name: JamesDamp/Personal-Whitelist
  id: 1647351546
- enabled: true
  url: https://cdn.jsdelivr.net/gh/scarletbane/AdGuard-Home-Whitelist@main/whitelist.txt
  name: scarletbane/AdGuard-Home-Whitelist
  id: 1647351547
- enabled: true
  url: https://raw.sevencdn.com/Aveelo/Aveelo-adguard-home-Adlist-Whitelist/master/WhitelistAdGuardHome
  name: Aveelo-adguard-home-Adlist-Whitelist
  id: 1647351548
```
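Two things worth checking in the upstream, rewrite and filter settings above: a tls:// or https:// upstream is reached by hostname, so that hostname must be answerable before DNS is working (the rewrites pin dns.google and dns.quad9.net, but the upstream list uses dns11.quad9.net, which no rewrite covers), and one filter list is fetched over plain http, so its contents could be altered in transit. The checker below is an added example written for this page, not AdGuard Home code; its CONFIG is a constructed excerpt in the same flat YAML layout, and the bootstrap_dns setting it mentions is AdGuard Home's own alternative to pinning with rewrites.

```python
"""Checks for the AdGuard Home settings above.  A tls:// or https:// upstream is
reached by hostname, so that name must be pinned (rewrites here; AdGuard Home
also offers bootstrap_dns) to be answerable before DNS is up, and a filter list
fetched over plain http can be altered in transit.  Hypothetical checker for
this page, not AdGuard Home code; CONFIG is a constructed excerpt."""
from urllib.parse import urlparse

CONFIG = """\
upstream_dns:
- tls://dns.google
- tls://dns11.quad9.net
rewrites:
- domain: dns.quad9.net
  answer: 9.9.9.9
- domain: dns.google
  answer: 8.8.8.8
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
- enabled: true
  url: http://sub.adtchrome.com/adt-chinalist-easylist.txt
"""

def parse_flat_yaml(text):
    """Parse only this subset: top-level keys holding lists of scalars or maps."""
    doc, key = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "-")) and line.endswith(":"):
            key = line[:-1]
            doc[key] = []
        elif line.startswith("- "):          # list item: scalar or first key
            item = line[2:]
            doc[key].append(dict([item.split(": ", 1)]) if ": " in item else item)
        elif line.startswith("  ") and ": " in line:   # continued mapping
            k, v = line.strip().split(": ", 1)
            doc[key][-1][k] = v
    return doc

def upstreams_without_rewrite(doc):
    """Encrypted-upstream hostnames that no rewrites entry pins to an address."""
    pinned = {r["domain"] for r in doc.get("rewrites", [])}
    hosts = {urlparse(u).hostname for u in doc.get("upstream_dns", [])
             if u.startswith(("tls://", "https://"))}
    return sorted(h for h in hosts if h not in pinned)

def plaintext_filter_urls(doc):
    """Filter-list URLs that would be downloaded without TLS."""
    return [f["url"] for f in doc.get("filters", [])
            if urlparse(f["url"]).scheme == "http"]
```

Running the two checks on the page's full config would report dns11.quad9.net as unpinned and the adtchrome list as a plaintext download.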

Adblock Test

Ad Blocker Test - d3ward
AdBlock Tester

References

Author: Yuzu
Link: https://kamisu66.com/2022/03/29/Intro-AdguardHome/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.