Local DNS Server

Which DNS-Server to choose

Best option for a local DNS Server

Installation

Installation Raspbian

Optional: Behind Reverse Proxy

Configuration

Encryption Settings

DNS Settings

DNS Blocklist

DNS Rewrites

Which DNS-Server to choose

Best option for a local DNS Server

There is a variety of open-source DNS servers, some of them designed specifically to run on the Raspberry Pi. You have probably heard of the most popular one: Pi-hole. Pi-hole, however, lacks some important features, such as DNS over HTTPS (DoH) and DNS over TLS (DoT). Another downside of Pi-hole is that it doesn't offer a TLS-protected web interface by default, so you have to set that up manually in Lighttpd or run it behind a reverse proxy. It also doesn't support load balancing between upstreams. The best alternative that offers all of those features is, in my opinion, AdGuard Home. AdGuard Home installs without any problems on a default Raspbian. If you really want to use the DoH feature, bear in mind that clients only accept a DoH server whose certificate they trust: most operating systems and browsers reject a self-signed one. So you need either a certificate from a public CA for a domain you own (Let's Encrypt can issue one via the DNS-01 challenge, which does not require making the server reachable from the internet) or your own CA imported on every client. Plain DNS, on the other hand, works without any of this. In my installation, I'm running AdGuard Home exclusively locally and don't use the DoH feature.

Installation

Installation Raspbian

Before we start, update the Pi:

sudo apt -y update && sudo apt -y upgrade

Download AdGuard Home

cd /tmp

wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv6.tar.gz

sudo tar xvf AdGuardHome_linux_armv6.tar.gz -C /opt

Now switch into the AdGuardHome directory and install it as a system service with its built-in installer:

cd /opt/AdGuardHome

sudo ./AdGuardHome -s install

Restart AdGuardHome:

sudo systemctl restart AdGuardHome.service

You can now open the web interface at http://hostname:3000/ in your browser and go through the initial setup wizard. Do this right away: until the wizard has been completed, port 3000 is reachable without any authentication, and whoever finishes it first chooses the admin credentials. Afterwards the interface moves to the port you selected in the wizard.

For HTTPS access in our local network, we now create a self-signed certificate. Browsers and other clients will warn about it (or refuse it) until you import it into their trust store, and the private key must stay readable by root only (/etc/ssl/private is root-only on Raspbian):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/adguard-dnsserver.key -out /etc/ssl/certs/adguard-dnsserver.crt

Go back to the Web interface and continue configuring your AdGuard Home Server.
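The installation and certificate steps above folded into one POSIX shell script, as an added example that is not part of the original page or of AdGuard Home's own tooling. It goes a little beyond the text: it picks the release archive that matches the Pi's CPU (the armv6 build runs on every Pi, but armv7 and arm64 builds exist for newer models), it gives the self-signed certificate a Subject Alternative Name (current browsers require one even after you import the certificate) and it restricts the key to root. The release names, the default LAN address 10.10.10.1 and the certificate paths are assumptions; nothing is downloaded or written unless the script is run with an argument.

```shell
#!/bin/sh
# Added example: AdGuard Home install + self-signed cert helper for Raspbian.
# Not the project's own installer; paths and addresses below are assumptions.
set -eu

RELEASE_BASE="https://static.adguard.com/adguardhome/release"
CERT="/etc/ssl/certs/adguard-dnsserver.crt"       # assumed paths (as in the text)
KEY="/etc/ssl/private/adguard-dnsserver.key"

# Map `uname -m` output to the matching release archive name.
# Fails (exit 1) for CPUs the release channel has no build for.
adguard_asset() {
  arch="${1:-$(uname -m)}"
  case "$arch" in
    armv6l)  echo "AdGuardHome_linux_armv6.tar.gz" ;;   # Pi Zero / Pi 1
    armv7l)  echo "AdGuardHome_linux_armv7.tar.gz" ;;   # Pi 2/3/4 on a 32-bit OS
    aarch64) echo "AdGuardHome_linux_arm64.tar.gz" ;;   # 64-bit OS
    x86_64)  echo "AdGuardHome_linux_amd64.tar.gz" ;;
    *) echo "no AdGuard Home build for architecture '$arch'" >&2; return 1 ;;
  esac
}

# subjectAltName value: the name clients type into the browser plus the
# server's LAN IP, so both https://dns.home.arpa and https://10.10.10.1 validate.
san_for() {
  printf 'DNS:%s,IP:%s' "$1" "$2"
}

# Download, unpack to /opt and register the systemd service (as in the text).
install_adguard() {
  asset="$(adguard_asset)"
  cd /tmp
  wget -O "$asset" "$RELEASE_BASE/$asset"
  sudo tar xzf "$asset" -C /opt
  sudo /opt/AdGuardHome/AdGuardHome -s install
  sudo systemctl restart AdGuardHome.service
  # The setup wizard on :3000 is unauthenticated until finished: do it now.
  echo "open http://$(hostname):3000/ and complete the setup wizard"
}

# Self-signed certificate with a SAN and a root-only private key.
# -addext needs OpenSSL >= 1.1.1 (Raspbian Buster and later).
make_selfsigned_cert() {
  host="$1"; ip="$2"
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$host" -addext "subjectAltName=$(san_for "$host" "$ip")" \
    -keyout "$KEY" -out "$CERT"
  sudo chmod 600 "$KEY"
  sudo chmod 644 "$CERT"
  # Verify the SAN really landed in the certificate before pointing AdGuard at it.
  sudo openssl x509 -in "$CERT" -noout -text | grep -A1 'Subject Alternative Name'
}

# Only act when told to; sourcing the file just defines the functions.
case "${1:-}" in
  install) install_adguard ;;
  cert)    make_selfsigned_cert "${2:-$(hostname)}" "${3:-10.10.10.1}" ;;  # assumed LAN IP
  "")      ;;
  *)       echo "usage: $0 install | cert [hostname] [lan-ip]" >&2; exit 2 ;;
esac
```

Run `sh adguard-setup.sh install` first, finish the wizard, then `sh adguard-setup.sh cert dns.home.arpa 10.10.10.1` and point Settings -> Encryption Settings at the two files.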

Optional: Behind Reverse Proxy

If you want to run AdGuard Home behind an NGINX reverse proxy, you have to adjust the AdGuardHome.yaml configuration file, which lives in the root directory of your AdGuard Home installation (/opt/AdGuardHome here). Edit it and adjust the following values:

bind_host: 0.0.0.0
bind_port: 8080 # or any other free port other than 80 and 443, which the proxy takes
[...]
tls:
  enabled: false

If NGINX runs on the same host, prefer bind_host: 127.0.0.1 over 0.0.0.0: otherwise the unencrypted web interface on port 8080 stays reachable from the whole network, bypassing the proxy. This only concerns the web interface; DNS itself is served directly on port 53 from the address configured under dns, not through the proxy.

If you need AdGuard Home's own TLS listener enabled, e.g. for DoH, change port_https to something other than 443 so it doesn't collide with NGINX. The alternative is to let NGINX terminate TLS and forward /dns-query to the plain HTTP port, which requires allow_unencrypted_doh: true.

Your complete configuration file will now look like this:

bind_host: 0.0.0.0
bind_port: 8080
beta_bind_port: 0
users:
- name: userName
  password: somehash
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_host: 10.10.10.1
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 30
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: "0.0.0.0"
  blocking_ipv6: "::"
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 208.67.222.222
  - 208.67.222.220
  upstream_dns_file: ""
  bootstrap_dns:
  all_servers: true
  fastest_addr: false
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
  - version.bind
  - id.server
  - hostname.bind
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites:
  blocked_services:
  customresolver: null
tls:
  enabled: false
  server_name: ""
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/ssl/certs/[...].crt
  private_key_path: /etc/ssl/private/[...].key
filters:
- enabled: true
  url: https://blocking.example.com/blocking.txt
  name: AdGuard DNS Filter
  id: 1
whitelist_filters: []
user_rules:
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
schema_version: 7
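The NGINX side of that setup, as an added example that is neither the page's nor AdGuard Home's own configuration: a POSIX shell function that renders a site file for the web interface from the values set above (8080 as bind_port), and a second one that installs it only after `nginx -t` passes. Port 80 redirects to HTTPS, TLS 1.2+ is terminated by NGINX, and the proxy forwards the client address so the AdGuard Home login log shows the real source. The server name dns.home.arpa, the certificate paths and Debian's sites-available layout are assumptions.

```shell
#!/bin/sh
# Added example: render an NGINX site that fronts the AdGuard Home web UI.
# Not AdGuard Home's or NGINX's own code; names and paths are assumptions.
set -eu

# Usage: render_nginx_site <server_name> <adguard_http_port> <cert> <key>
# Prints two server blocks: :80 redirects to HTTPS, :443 terminates TLS and
# proxies to the plain-HTTP port configured as bind_port in AdGuardHome.yaml.
render_nginx_site() {
  name="$1"; port="$2"; cert="$3"; key="$4"
  # Quoted heredoc: nginx's own $host/$remote_addr variables stay literal;
  # the __PLACEHOLDERS__ are filled in by sed afterwards.
  cat <<'EOF' | sed -e "s|__NAME__|$name|g" -e "s|__PORT__|$port|g" -e "s|__CERT__|$cert|g" -e "s|__KEY__|$key|g"
server {
    listen 80;
    server_name __NAME__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name __NAME__;

    ssl_certificate     __CERT__;
    ssl_certificate_key __KEY__;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # AdGuard Home listens on bind_host:bind_port (8080 in the text).
        # Bind it to 127.0.0.1 there, or this hop stays reachable unencrypted.
        proxy_pass http://127.0.0.1:__PORT__;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Write the site, enable it and reload NGINX only if the config test passes.
install_nginx_site() {
  render_nginx_site "$@" | sudo tee /etc/nginx/sites-available/adguard >/dev/null
  sudo ln -sf /etc/nginx/sites-available/adguard /etc/nginx/sites-enabled/adguard
  sudo nginx -t && sudo systemctl reload nginx
}

# Example call (only acts when given all four arguments):
#   sh adguard-nginx.sh dns.home.arpa 8080 /etc/ssl/certs/adguard-dnsserver.crt /etc/ssl/private/adguard-dnsserver.key
if [ $# -eq 4 ]; then
  install_nginx_site "$@"
fi
```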

Now you can set up your reverse proxy as usual.

Configuration

Encryption Settings

In the web front end, switch to Settings -> Encryption Settings and enter the paths to your certificate and private key as shown in the screenshot. Server Name: the local domain under which you reach the web interface; it should match the CN or a SAN of the certificate you issued.

DNS Settings

Settings -> DNS-Settings

As upstream DNS servers I chose the OpenDNS servers:

208.67.222.222

208.67.222.220

Then choose Load-balancing or Parallel requests as the upstream mode. Fastest IP address is, ironically, the slowest option: it queries every upstream and then probes the returned addresses before answering.

The bootstrap DNS servers and any DoH/DoT upstreams can stay empty: bootstrap servers are only needed to resolve the hostname of an encrypted upstream, and the upstreams above are plain IP addresses.

All other settings on this page can be left at their default values or tweaked to your needs, e.g. the response returned for a blocked domain.

Don't set the rate limit much above 20, and never to 0 (unlimited). The limit applies per client IP in requests per second; without it a single misbehaving or compromised device can flood the server with queries, commonly known as DNS flooding. The limit is no substitute for keeping port 53 off the internet, though: an open resolver gets abused for reflection attacks regardless of rate limiting, so bind the DNS listener to the LAN address (dns.bind_host: 10.10.10.1 above) and never forward port 53 on the router.
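The exposure-related settings from this section checked mechanically, as an added example that is not an AdGuard Home feature: a POSIX shell (awk) function that reads AdGuardHome.yaml on stdin and flags a DNS listener bound to 0.0.0.0, a disabled or very generous rate limit, ANY queries not refused, an empty allowed_clients list and a disabled tls section. It only inspects top-level keys and their direct children, which is enough for the dns and tls sections; the thresholds are this example's own, and the sample configurations it is exercised with are constructed.

```shell
#!/bin/sh
# Added example: flag exposure-related settings in an AdGuardHome.yaml.
# Not an AdGuard Home tool; the checks encode the advice of this section.
set -eu

# Reads AdGuardHome.yaml on stdin, prints one line per finding and exits 1 if
# any finding is a WARN (INFO lines are advisory). Tracks the current top-level
# key so that "bind_host" under "dns:" is not confused with the web UI's one.
audit_adguard_config() {
  awk '
    function warn(m) { print "WARN " m; n++ }
    function info(m) { print "INFO " m }
    /^[^ #]/ { split($0, kv, ":"); section = kv[1] }      # new top-level key
    section == "dns" && /^  bind_host: 0\.0\.0\.0/ {
      warn("dns.bind_host 0.0.0.0 listens on every interface; bind the LAN address") }
    section == "dns" && /^  ratelimit: 0$/ {
      warn("dns.ratelimit 0 disables per-client rate limiting (DNS flooding)") }
    section == "dns" && /^  ratelimit: [0-9]+$/ && $2 > 100 {
      warn("dns.ratelimit " $2 " is generous; 20 req/s per client is usually plenty") }
    section == "dns" && /^  refuse_any: false/ {
      warn("dns.refuse_any false: ANY queries are prime amplification material") }
    section == "dns" && /^  allowed_clients: \[\]/ {
      info("dns.allowed_clients is empty: every IP that reaches port 53 is served") }
    section == "tls" && /^  enabled: false/ {
      info("tls.enabled false: web UI and DoH/DoT are served in the clear unless proxied") }
    END { exit (n > 0) }
  '
}

# Usage on the live file (path as in the text):
#   audit_adguard_config < /opt/AdGuardHome/AdGuardHome.yaml
```

Run it after every edit of the file, and treat a non-zero exit as "fix before restarting the service".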

DNS Blocklist

Simply add lists of domains that should be blocked, or create your own. AdGuard Home reads both Adblock-style syntax and hosts-file syntax. Lists are re-fetched periodically (filters_update_interval, 24 hours in the configuration above), so only subscribe to sources you trust, over HTTPS: a list decides what your whole network can resolve, and a hijacked one could block anything or silently exempt domains with @@ rules.

Here are some of the lists I use:

https://www.malwaredomainlist.com/hostslist/hosts.txt

https://abp.oisd.nl/

https://someonewhocares.org/hosts/zero/hosts

https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt

https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt

https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext

https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt

https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt

https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked--Web-Sites/master/hacked-domains.list

https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/unwanted-iranian.txt

https://raw.githubusercontent.com/xorcan/hosts/master/xhosts.txt
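The two syntaxes AdGuard Home accepts, converted one into the other, as an added example that is not part of the original post: a POSIX shell function that turns a hosts-file list (or a plain list of domains) into Adblock-style `||domain^` rules, dropping comments, loopback and IPv6 boilerplate entries and anything that is not a valid hostname, and de-duplicating. Note that `||domain^` also matches every subdomain, so the converted list is somewhat broader than the hosts file it came from. The sample input is constructed.

```shell
#!/bin/sh
# Added example: convert hosts-file blocklists to AdGuard/Adblock rules.
# Not part of AdGuard Home; the sample input in the usage comment is constructed.
set -eu

# stdin: lines in hosts syntax ("<ip> <name> [<name> ...]") or plain domains
# stdout: one "||<name>^" rule per unique hostname, comments stripped
hosts_to_adblock() {
  awk '
    { sub(/#.*/, "") }                      # strip comments, re-split fields
    NF == 0 { next }                        # skip blank / comment-only lines
    {
      # If the first field is an IPv4/IPv6 address it is a hosts line and
      # the names start at field 2; otherwise every field is a name.
      start = ($1 ~ /^[0-9.]+$|^[0-9a-fA-F:]+$/) ? 2 : 1
      for (i = start; i <= NF; i++) {
        d = tolower($i)
        # hosts-file boilerplate that must never become a DNS rule
        if (d == "localhost" || d == "localhost.localdomain" ||
            d == "broadcasthost" || d ~ /^ip6-/ || d ~ /^[0-9.]+$/) continue
        # require label.label[...] with hostname characters only
        if (d !~ /^([a-z0-9_-]+\.)+[a-z0-9-]+$/) continue
        if (!seen[d]++) printf "||%s^\n", d
      }
    }'
}

# Usage, e.g. with the hosts-format lists above (network needed for curl):
#   curl -fsSL https://someonewhocares.org/hosts/zero/hosts | hosts_to_adblock > local-rules.txt
# Then paste the result into Filters -> Custom filtering rules, or serve the
# file from an internal web server and add its URL as a blocklist.
```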

DNS Rewrites

DNS rewrites are, in other words, local DNS entries. Keep in mind the order in which a name is resolved on practically every OS:

1. Hosts file and the local resolver cache (if present)
2. The configured DNS resolver (from DHCP or a static entry), i.e. AdGuard Home here; a second or third configured resolver is normally only asked when the first one doesn't respond at all, not when it answers
3. AdGuard Home's upstream resolver, which if necessary recurses from the root servers via the TLD servers down to the domain's authoritative servers

That means if you create a local entry resolving google.com to an internal IP such as 10.10.10.10, entering google.com in the browser will no longer reach Google: the rewrite shadows the public name for every client that uses this resolver. So only set local DNS records for domains you either don't need or that are meant for internal use anyway, such as a bare intranet. To be on the safe side, put them under a domain you control or under the name reserved for exactly this purpose, home.arpa (RFC 8375), rather than under an arbitrary TLD that IANA hasn't assigned yet: such TLDs can be delegated later (as .dev was), and .local is already claimed by mDNS.

This, for example, resolves intranet.home.com to one of my home servers. You can set both A and AAAA records.
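The advice about which names to rewrite, as an added example that is not AdGuard Home's own tooling: a POSIX shell helper that only emits a dns.rewrites entry for AdGuardHome.yaml when the name sits under an allowed suffix (home.arpa by default; set ALLOWED_SUFFIXES to a domain you own instead) and the answer is an internal address, so a typo can't shadow a public name or point clients at something outside the LAN. The list-item format matches the rewrites key of the configuration shown earlier; the sample names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: build AdGuardHome.yaml rewrite entries under a suffix policy.
# Not part of AdGuard Home; the suffix list and sample values are assumptions.
set -eu

# Suffixes under which local names may live. home.arpa is reserved for home
# networks (RFC 8375); add a domain you actually own if you prefer.
ALLOWED_SUFFIXES="${ALLOWED_SUFFIXES:-home.arpa}"

# Accepts a name only if it is below one of ALLOWED_SUFFIXES; rejects .local
# (taken by mDNS) and everything else, because a rewrite shadows the public name.
check_rewrite_domain() {
  d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  case "$d" in
    *.local|local) echo "refusing $d: .local belongs to mDNS" >&2; return 1 ;;
  esac
  for s in $ALLOWED_SUFFIXES; do
    case "$d" in *."$s") return 0 ;; esac
  done
  echo "refusing $d: not under an allowed suffix ($ALLOWED_SUFFIXES)" >&2
  return 1
}

# Rewrites should point at addresses only reachable inside the LAN:
# RFC 1918 ranges for IPv4, ULA (fc00::/7) or link-local (fe80::/10) for IPv6.
is_internal_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    [fF][cdCD]??:*|[fF][eE]8?:*) return 0 ;;
  esac
  return 1
}

# Prints the YAML list item for the dns.rewrites key (an A record for an IPv4
# answer, AAAA for IPv6, which AdGuard Home derives from the address form),
# or fails with a reason on stderr.
rewrite_entry() {
  check_rewrite_domain "$1" || return 1
  is_internal_ip "$2" || { echo "refusing $2: not an internal address" >&2; return 1; }
  printf '  - domain: %s\n    answer: %s\n' "$1" "$2"
}

# Usage (only acts when given two arguments):
#   sh rewrite-entry.sh intranet.home.arpa 10.10.10.10 >> rewrites.snippet
if [ $# -eq 2 ]; then
  rewrite_entry "$1" "$2"
fi
```

Append the emitted lines under `rewrites:` in the dns section of AdGuardHome.yaml (or enter the same domain/answer pair in the web interface) and restart the service.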