Local DNS Server
Which DNS-Server to choose
Best option for a local DNS Server
Installation
Installation Raspbian
Optional: Behind Reverse Proxy
Configuration
Encryption Settings
DNS Settings
DNS Blocklist
DNS Rewrites
Which DNS-Server to choose
Best option for a local DNS Server
There is a variety of open source DNS servers, some of them designed specifically to run on the Raspberry Pi. You have probably heard of the most popular one: Pi-hole. Pi-hole however lacks some important features, such as DNS over HTTPS (DoH) or DNS over TLS. Another downside of Pi-hole is that it doesn't offer an SSL-protected web interface by default, so you have to set that up manually with Lighttpd or run it behind a reverse proxy. It also doesn't support load balancing.

The best alternative that offers all those features is, in my opinion, AdGuard Home. You can install AdGuard Home without any problems on a default Raspbian. If you really want to use the DoH features, you should however make your DNS server publicly accessible so that you can obtain a valid SSL certificate; otherwise most operating systems and other clients won't accept the DoH server. Plain DNS on the other hand works without any problems. In my installation, I'm running AdGuard Home exclusively locally and don't use the DoH feature.
Installation
Installation Raspbian
Before we start, update the Pi:
sudo apt -y update && sudo apt -y upgrade
Download AdGuard Home
cd /tmp
wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv6.tar.gz
sudo tar xvf AdGuardHome_linux_armv6.tar.gz -C /opt
Now switch into the AdGuardHome directory and install it as a service via its install script:
cd /opt/AdGuardHome
sudo ./AdGuardHome -s install
Restart AdGuardHome:
sudo systemctl restart AdGuardHome.service
You can now open the web interface by opening http://hostname:3000/ in your browser, then go through the initial setup steps.
For HTTPS access in our local network, we now create a self-signed SSL certificate by running
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/adguard-dnsserver.key -out /etc/ssl/certs/adguard-dnsserver.crt
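The command above prompts for the subject interactively and issues a certificate without a subjectAltName, which browsers check against the Server Name entered later in the encryption settings. The following script is an added example, not part of the original guide: it creates the same key and certificate pair non-interactively with a matching SAN and lets you verify the result. It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed; adguard.home is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original guide): a self-signed certificate for
# the local hostname that also carries a subjectAltName, which browsers check
# against the "Server Name" entered in AdGuard Home's encryption settings.
# Assumptions: the openssl CLI (1.1.1 or newer, for -addext) is installed;
# the hostname adguard.home used below is a placeholder for your own.
set -eu

# make_selfsigned_cert HOST KEYFILE CRTFILE
# Writes the key and certificate without interactive prompts (-subj), adds
# HOST as a DNS subjectAltName, and restricts the private key to its owner.
make_selfsigned_cert() {
    host=$1
    keyfile=$2
    crtfile=$3
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$keyfile" \
        -out "$crtfile" 2>/dev/null
    chmod 600 "$keyfile"
}

# cert_has_san CRTFILE HOST: succeeds when CRTFILE lists HOST as a DNS SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Same file locations as in the guide (run as root on the Pi):
#   make_selfsigned_cert adguard.home \
#       /etc/ssl/private/adguard-dnsserver.key \
#       /etc/ssl/certs/adguard-dnsserver.crt
#   cert_has_san /etc/ssl/certs/adguard-dnsserver.crt adguard.home && echo "SAN ok"
```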
Go back to the Web interface and continue configuring your AdGuard Home Server.
Optional: Behind Reverse Proxy
If you want to run AdGuard Home behind an NGINX reverse proxy, you have to adjust the AdGuardHome.yaml configuration file. You can find this file in the root directory of your AdGuard Home installation (/opt/AdGuardHome in the setup above). Edit it and adjust the following values:
bind_host: 0.0.0.0
bind_port: 8080 # or any other unused port except 80 and 443
[...]
tls:
  enabled: false
If you need TLS enabled, e.g. for the DoH features, change port_https to something other than 443.
Your complete configuration file will now look like this:
bind_host: 0.0.0.0
bind_port: 8080
beta_bind_port: 0
users:
  - name: userName
    password: somehash
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_host: 10.10.10.1
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 30
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: "0.0.0.0"
  blocking_ipv6: "::"
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - 208.67.222.222
    - 208.67.222.220
  upstream_dns_file: ""
  bootstrap_dns:
  all_servers: true
  fastest_addr: false
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites:
  blocked_services:
  customresolver: null
tls:
  enabled: false
  server_name: ""
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/ssl/certs/[...].crt
  private_key_path: /etc/ssl/private/[...].key
filters:
  - enabled: true
    url: https://blocking.example.com/blocking.txt
    name: AdGuard DNS Filter
    id: 1
whitelist_filters: []
user_rules:
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
schema_version: 7
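With bind_port set to 8080 and TLS disabled in AdGuard Home as above, the proxy has to terminate TLS itself. The script below is an added example, not part of the original guide or of AdGuard Home: it writes an NGINX site that redirects plain HTTP, terminates TLS with the certificate created earlier, and forwards to AdGuard Home on 127.0.0.1:8080. The hostname adguard.home and the certificate paths are placeholders, and NGINX is assumed to run on the same Pi.

```shell
#!/bin/sh
# Added example (not from the original guide): write an NGINX site that
# terminates TLS and proxies to AdGuard Home on bind_host/bind_port 8080.
# Assumptions: NGINX runs on the same Pi; hostname and certificate paths
# passed in are placeholders for your own.
set -eu

# write_adguard_site OUTFILE HOST CERT KEY
write_adguard_site() {
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;     # plain HTTP only redirects
}

server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     $3;
    ssl_certificate_key $4;

    location / {
        proxy_pass http://127.0.0.1:8080;      # matches bind_host/bind_port
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# proxy_target OUTFILE: prints the upstream the written site forwards to
proxy_target() {
    sed -n 's/^[[:space:]]*proxy_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# Typical use on the Pi (as root):
#   write_adguard_site /etc/nginx/sites-available/adguard adguard.home \
#       /etc/ssl/certs/adguard-dnsserver.crt /etc/ssl/private/adguard-dnsserver.key
#   ln -s /etc/nginx/sites-available/adguard /etc/nginx/sites-enabled/adguard
#   nginx -t && systemctl reload nginx
```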
Now you can set up your reverse proxy as usual.
Configuration
Encryption Settings
In the web front end, switch to the tab Settings -> Encryption Settings and enter the paths to your certificate and key as shown in the screenshot.
Server Name: this is the local domain under which you can reach the web interface.
DNS Settings
Settings -> DNS-Settings
As upstream DNS servers I chose the OpenDNS servers:
208.67.222.222
208.67.222.220
Then you should choose Load Balancing or Parallel Ports. Fastest IP address is, ironically, the slowest option.
Leave the DoH Upstream DNS Servers empty.
You can leave all settings at their defaults, or change the response for a blocked domain if you want to. All other settings on this page can be left at their default values too, or tweaked to your needs.
Setting the rate limit to a value much above 20, or even unlimited, is a bad idea, because it opens your server to the risk of being flooded with requests, commonly known as DNS flooding.
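The rate limit is enforced per client and per second, so the same budget can be checked against the query log to see who would have been throttled. The script below is an added example, not part of the original guide or of AdGuard Home: it counts queries per client per second and reports every burst above a limit. It assumes one JSON object per line carrying "T" (RFC 3339 time) and "IP" (client address) fields, as in AdGuard Home's querylog.json; all other fields and their order are ignored, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): find clients that exceed a
# per-second query budget in the query log, the kind of burst the ratelimit
# setting (20 per client per second) is meant to absorb.
# Assumptions: one JSON object per line with "T" (RFC 3339 time) and "IP"
# (client address) fields as in AdGuard Home's querylog.json; other fields
# are ignored, so their names and order do not matter.
set -eu

# flood_clients LIMIT < querylog.json
# Prints "client second count" for every client/second with more than LIMIT queries.
flood_clients() {
    awk -v limit="$1" '
        {
            t = ""; ip = ""
            # "T":"2021-03-01T20:15:07.123Z" -> keep YYYY-MM-DDTHH:MM:SS (19 chars)
            if (match($0, /"T":"[^"]*"/))  t  = substr($0, RSTART + 5, 19)
            # "IP":"10.10.10.55" -> strip the 6-char prefix and closing quote
            if (match($0, /"IP":"[^"]*"/)) ip = substr($0, RSTART + 6, RLENGTH - 7)
            if (t != "" && ip != "") n[ip " " t]++
        }
        END { for (k in n) if (n[k] > limit) print k, n[k] }
    ' | sort
}

# sample_log: constructed query log, 25 lookups from 10.10.10.55 within one
# second (a flood) and 2 lookups from 10.10.10.20 (normal use)
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '{"T":"2021-03-01T20:15:07.%03dZ","QH":"example.com.","QT":"A","IP":"10.10.10.55"}\n' "$i"
        i=$((i + 1))
    done
    printf '{"T":"2021-03-01T20:15:07.500Z","QH":"adguard.home.","QT":"A","IP":"10.10.10.20"}\n'
    printf '{"T":"2021-03-01T20:15:08.100Z","QH":"example.org.","QT":"AAAA","IP":"10.10.10.20"}\n'
}

# Against the real log on the Pi: flood_clients 20 < /opt/AdGuardHome/data/querylog.json
sample_log | flood_clients 20    # prints: 10.10.10.55 2021-03-01T20:15:07 25
```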
DNS Blocklist
Simply add lists of domains that should be blocked, or create the lists yourself. As you can see, AdGuard can read Adblock syntax as well as hosts-file syntax.
Here are some of the lists I use:
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://abp.oisd.nl/
https://someonewhocares.org/hosts/zero/hosts
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/unwanted-iranian.txt
https://raw.githubusercontent.com/xorcan/hosts/master/xhosts.txt
DNS Rewrites
DNS rewrites are, in other words, local DNS entries. Keep in mind that the order of DNS resolution under any OS is:
1. Hosts file/cache (if it exists)
2. Primary DNS resolver (via DHCP / static entry) (or 2-3)
3. Upstream DNS resolver -> authoritative DNS resolver -> root DNS resolver
That means if you create a local DNS entry resolving google.com to an internal IP, e.g. 10.10.10.10, then entering google.com in the browser will no longer reach Google. So only set local DNS records for domains that you either don't need or that are intended for internal purposes anyway, such as intranet/. To be on the safe side, it's best to use a TLD that is not assigned by IANA.
This, for example, would resolve intranet.home.com to one of my home servers. You can set both A and AAAA records.