Local DNS Server


Which DNS-Server to choose

Best option for a local DNS Server

There is a variety of open-source DNS servers, some of them specifically designed to run on the Raspberry Pi. You have probably heard of the most popular one: Pi-hole. Pi-hole, however, lacks some important features, such as DNS over HTTPS (DoH) or DNS over TLS. Another downside of Pi-hole is that it doesn't offer an SSL-protected web interface by default, so you have to set one up manually with Lighttpd or run it behind a reverse proxy. It also doesn't support load balancing. The best alternative that offers all those features is, in my opinion, AdGuard Home.

You can install AdGuard Home without any problems on a default Raspbian. If you really want to use the DoH features, you should however make your DNS server publicly accessible, so that you can obtain a valid SSL certificate; otherwise most OSs and the like won't accept the DoH server. Normal DNS, on the other hand, works without any problems. In my installation, I'm running AdGuard Home exclusively locally and don't use the DoH feature.

Installation

Installation Raspbian

Before we start, update the Pi:

    sudo apt -y update && sudo apt -y upgrade

Download AdGuard Home:

    cd /tmp
    wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv6.tar.gz
    sudo tar xvf AdGuardHome_linux_armv6.tar.gz -C /opt

Now switch into the AdGuardHome directory and install it via its script:

    cd /opt/AdGuardHome
    sudo ./AdGuardHome -s install

Restart AdGuardHome:

    sudo systemctl restart AdGuardHome.service

You can now open the web interface by opening http://hostname:3000/ in your browser. Then go through the initial setup steps.
For HTTPS access in our local network, we now create a self-signed SSL certificate by running:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/adguard-dnsserver.key -out /etc/ssl/certs/adguard-dnsserver.crt

Go back to the web interface and continue configuring your AdGuard Home server.

Optional: Behind Reverse Proxy

If you want to run AdGuard Home behind an NGINX reverse proxy, you have to adjust the AdGuardHome.yaml configuration file. You can find this file in the root directory of your AdGuard Home installation. Edit it and adjust the following values:

    bind_host: 0.0.0.0
    bind_port: 8080   # Or any other port not in use, except 80 and 443
    [...]
    tls:
      enabled: false

If you need TLS enabled, e.g. for DoH features, change port_https to something other than 443. Your complete configuration file will now look like this:

    bind_host: 0.0.0.0
    bind_port: 8080
    beta_bind_port: 0
    users:
    - name: userName
      password: somehash
    http_proxy: ""
    language: ""
    rlimit_nofile: 0
    debug_pprof: false
    web_session_ttl: 720
    dns:
      bind_host: 10.10.10.1
      port: 53
      statistics_interval: 1
      querylog_enabled: true
      querylog_file_enabled: true
      querylog_interval: 30
      querylog_size_memory: 1000
      anonymize_client_ip: false
      protection_enabled: true
      blocking_mode: default
      blocking_ipv4: "0.0.0.0"
      blocking_ipv6: "::"
      blocked_response_ttl: 10
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      ratelimit: 20
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
      - 208.67.222.222
      - 208.67.222.220
      upstream_dns_file: ""
      bootstrap_dns:
      all_servers: true
      fastest_addr: false
      allowed_clients: []
      disallowed_clients: []
      blocked_hosts:
      - version.bind
      - id.server
      - hostname.bind
      cache_size: 4194304
      cache_ttl_min: 0
      cache_ttl_max: 0
      bogus_nxdomain: []
      aaaa_disabled: false
      enable_dnssec: false
      edns_client_subnet: false
      max_goroutines: 300
      ipset: []
      filtering_enabled: true
      filters_update_interval: 24
      parental_enabled: false
      safesearch_enabled: false
      safebrowsing_enabled: false
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
      rewrites:
      blocked_services:
      customresolver: null
    tls:
      enabled: false
      server_name: ""
      force_https: true
      port_https: 443
      port_dns_over_tls: 853
      port_dns_over_quic: 784
      port_dnscrypt: 0
      dnscrypt_config_file: ""
      allow_unencrypted_doh: false
      strict_sni_check: false
      certificate_chain: ""
      private_key: ""
      certificate_path: /etc/ssl/certs/[...].crt
      private_key_path: /etc/ssl/private/[...].key
    filters:
    - enabled: true
      url: https://blocking.example.com/blocking.txt
      name: AdGuard DNS Filter
      id: 1
    whitelist_filters: []
    user_rules:
    dhcp:
      enabled: false
      interface_name: ""
      dhcpv4:
        gateway_ip: ""
        subnet_mask: ""
        range_start: ""
        range_end: ""
        lease_duration: 86400
        icmp_timeout_msec: 1000
        options: []
      dhcpv6:
        range_start: ""
        lease_duration: 86400
        ra_slaac_only: false
        ra_allow_slaac: false
    clients: []
    log_compress: false
    log_localtime: false
    log_max_backups: 0
    log_max_size: 100
    log_max_age: 3
    log_file: ""
    verbose: false
    schema_version: 7

Now you can set up your reverse proxy as usual.

Configuration

Encryption Settings

In the web front end, switch to the tab Settings -> Encryption Settings and enter the path to your certificate as shown in the screenshot.

Server Name: this is the local domain under which you can reach the web interface.

DNS Settings

Settings -> DNS Settings

As upstream DNS servers I choose the OpenDNS servers:

    208.67.222.222
    208.67.222.220

Then you should choose Load Balancing or Parallel Ports. Fastest IP address, ironically, is the slowest option. Leave the DoH upstream DNS servers empty. You can leave all settings at default, or change the response for a blocked domain if you want to. All other settings on this page can be left at their default values too, or tweaked to your needs.
Setting the rate limit to a value much above 20, or even unlimited, is a bad idea, because you open your server to the risk of being flooded with requests, commonly known as DNS flooding.

DNS Blocklist

Simply add lists with domains that should be blocked, or create the lists yourself. As you can see, AdGuard can read Adblock as well as hosts-file syntax. Here are some of the lists I use:

    https://www.malwaredomainlist.com/hostslist/hosts.txt
    https://abp.oisd.nl/
    https://someonewhocares.org/hosts/zero/hosts
    https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
    https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
    https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
    https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
    https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
    https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/unwanted-iranian.txt
    https://raw.githubusercontent.com/xorcan/hosts/master/xhosts.txt

DNS Rewrites

DNS rewrites are, in other words, local DNS entries. Keep in mind that the order of DNS resolution under any OS is:

1. Hosts file / cache (if it exists)
2. Primary DNS resolver (via DHCP / static entry) (or 2-3)
3. Upstream DNS resolver -> authoritative DNS resolver -> root DNS resolver

That means that if you make a local DNS entry resolving google.com to an internal IP, e.g. 10.10.10.10, then entering google.com in the browser will no longer reach Google. So only set local DNS records for domains that you either don't need, or that are intended for internal purposes anyway, such as intranet/. To be on the safe side, it's best to use a TLD that is not assigned by IANA.

This, for example, would resolve intranet.home.com to one of my home servers. You can set both A and AAAA records.
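The rate-limit note in the DNS Settings section above says that a per-client limit of about 20 keeps a single client from flooding the server. The following is an added example, not code from the page or from AdGuard Home: it enforces a requests-per-second limit per client IP over a sliding one-second window (one straightforward way to implement such a limit; 0 disables it, as with the ratelimit setting). The query events are constructed, and 192.0.2.0/24 is the documentation range.

```python
"""Per-client query rate limiting over a sliding one-second window.

Added example, not code from the page or from AdGuard Home. The traffic below
is constructed: one client floods, the other behaves normally.
"""
from collections import defaultdict, deque


def make_events():
    """Constructed traffic: 192.0.2.99 fires 50 queries within half a second
    (a flood); 192.0.2.10 sends 10 queries spread over two seconds."""
    flood = [(0.01 * i, "192.0.2.99") for i in range(50)]
    normal = [(0.2 * i, "192.0.2.10") for i in range(10)]
    return sorted(flood + normal)


def apply_rate_limit(events, limit_per_second):
    """Process (timestamp_seconds, client_ip) events in time order and return
    {client: {"allowed": n, "dropped": n}}. A limit of 0 means unlimited."""
    window = defaultdict(deque)   # per client: timestamps of allowed queries
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client in sorted(events):
        recent = window[client]
        while recent and ts - recent[0] >= 1.0:   # evict entries older than 1 s
            recent.popleft()
        if limit_per_second == 0 or len(recent) < limit_per_second:
            recent.append(ts)
            stats[client]["allowed"] += 1
        else:
            stats[client]["dropped"] += 1          # over the limit: refused
    return dict(stats)


if __name__ == "__main__":
    for limit in (20, 0):
        print(f"ratelimit={limit}: {apply_rate_limit(make_events(), limit)}")
```

With the limit at 20 the flooding client gets 20 answers and 30 refusals while the normal client is untouched; with the limit at 0 every query of the flood is answered, which is the exposure the page warns about.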
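The DNS Blocklist section above notes that AdGuard reads both Adblock and hosts-file syntax. The following added example (not code from the page or from AdGuard Home) parses both syntaxes into one rule set and checks query names against it. The two lists are constructed samples, not the feeds listed above, and the matching semantics (hosts entries match the exact name, `||domain^` entries cover the domain and its subdomains, `@@` entries are exceptions) are this example's own reading of the two formats.

```python
"""Normalise blocklists in Adblock or hosts-file syntax and check names.

Added example, not code from the page or from AdGuard Home. The lists are
constructed samples.
"""
import re

# Constructed sample in hosts-file syntax (IP followed by one or more names).
HOSTS_LIST = """\
# hosts-style list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment after the entry
0.0.0.0 telemetry.example.com www.telemetry.example.com
"""

# Constructed sample in Adblock syntax: ||domain^ blocks the domain and its
# subdomains, @@ marks an exception, ## rules are cosmetic and DNS-irrelevant.
ADBLOCK_LIST = """\
! Adblock-style list (constructed sample)
[Adblock Plus 2.0]
||ads.example.net^
||cdn.evil-ads.example^$important
@@||allowed.example.org^
||pixel.example.com^
example.com##.banner
"""

_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(.+)$")
_ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^(?:\$[a-z,=~-]*)?$")
# Names found in nearly every hosts file that must never become block rules.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def new_rules():
    return {"exact": set(), "subtree": set(), "allow": set()}


def parse_blocklist(text, rules=None):
    """Add the rules of one list (either syntax) to `rules` and return it."""
    rules = rules if rules is not None else new_rules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#[":
            continue                                   # comment or list header
        line = line.split("#", 1)[0].strip().lower()   # drop trailing comments
        m = _HOSTS_RE.match(line)
        if m:                                          # hosts entry: exact names
            rules["exact"].update(n for n in m.group(1).split() if n not in _LOCAL_NAMES)
            continue
        if line.startswith("@@"):                      # exception rule
            m = _ADBLOCK_RE.match(line[2:])
            if m:
                rules["allow"].add(m.group(1))
            continue
        m = _ADBLOCK_RE.match(line)
        if m:                                          # ||domain^ rule: subtree
            rules["subtree"].add(m.group(1))
        # anything else (cosmetic rules, unsupported modifiers) is ignored
    return rules


def load_lists(texts):
    """Merge several lists into one rule set, as a resolver does at startup."""
    rules = new_rules()
    for text in texts:
        parse_blocklist(text, rules)
    return rules


def is_blocked(name, rules):
    """True if a query for `name` would get the block response."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    if any(s in rules["allow"] for s in suffixes):
        return False                                   # @@ exception wins
    if name in rules["exact"]:
        return True
    return any(s in rules["subtree"] for s in suffixes)


if __name__ == "__main__":
    rules = load_lists([HOSTS_LIST, ADBLOCK_LIST])
    for q in ("ads.example.net", "sub.telemetry.example.com",
              "a.pixel.example.com", "x.allowed.example.org", "example.com"):
        print(f"{q:28} blocked={is_blocked(q, rules)}")
```

The difference between the two syntaxes shows up in the results: `sub.telemetry.example.com` is not blocked by the hosts entry for `telemetry.example.com`, while `a.pixel.example.com` is blocked by `||pixel.example.com^`, and the cosmetic rule for `example.com` has no effect at DNS level.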
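The DNS Rewrites section above explains the resolution order (hosts file or cache, then the local resolver, then upstream) and warns that a rewrite for a public name such as google.com shadows the real record. The following added example (not code from the page or from AdGuard Home) walks a query through that order with a small rewrite table and flags rewrites that would shadow a public name. The hosts file, rewrite table and upstream answers are constructed; 203.0.113.0/24 is the documentation range, so the "upstream" addresses are placeholders. The private-use suffixes the check treats as safe are home.arpa (RFC 8375) and .internal (reserved by ICANN for private use); anything else is reported for the reader to verify against the IANA root zone, as the page advises.

```python
"""Walk a DNS query through hosts file -> local rewrites -> upstream and warn
about rewrites that shadow public names.

Added example, not code from the page or from AdGuard Home. All tables below
are constructed; upstream answers use the 203.0.113.0/24 documentation range.
"""
import fnmatch
from ipaddress import ip_address

# Step 1: the client's own hosts file / cache (constructed).
HOSTS_FILE = """\
127.0.0.1   localhost
10.10.10.1  dnsserver.lan
"""

# Step 2: rewrites configured on the local DNS server (constructed).
# The google.com entry reproduces the page's warning: it shadows the public name.
REWRITES = [
    {"domain": "intranet.home.com", "answer": "10.10.10.10"},
    {"domain": "google.com", "answer": "10.10.10.10"},
    {"domain": "*.lab.home.arpa", "answer": "10.10.10.20"},   # wildcard entry
    {"domain": "nas.home.arpa", "answer": "fd00::1"},        # AAAA rewrite
]

# Step 3: what the upstream resolver would answer (constructed placeholders).
UPSTREAM = {
    ("google.com", "A"): "203.0.113.10",
    ("intranet.home.com", "A"): "203.0.113.20",   # the owner of home.com could publish this
}

# Suffixes reserved for private use: home.arpa (RFC 8375), .internal (ICANN).
PRIVATE_SUFFIXES = ("home.arpa", "internal")


def record_type(address):
    """A for an IPv4 answer, AAAA for an IPv6 answer."""
    return "AAAA" if ip_address(address).version == 6 else "A"


def parse_hosts(text):
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            table[(name.lower(), record_type(parts[0]))] = parts[0]
    return table


def resolve(name, rtype, rewrites=REWRITES, hosts=HOSTS_FILE, upstream=UPSTREAM):
    """Return (answer, source) following the page's resolution order, or
    (None, "nxdomain") when no stage holds a record of the requested type."""
    name = name.rstrip(".").lower()
    hit = parse_hosts(hosts).get((name, rtype))
    if hit:
        return hit, "hosts"
    for rw in rewrites:   # a rewrite applies only to the type its answer has
        if record_type(rw["answer"]) == rtype and fnmatch.fnmatchcase(name, rw["domain"]):
            return rw["answer"], "rewrite"
    if (name, rtype) in upstream:
        return upstream[(name, rtype)], "upstream"
    return None, "nxdomain"


def rewrite_warning(domain, upstream=UPSTREAM):
    """None if the rewrite cannot shadow a public name; otherwise a message."""
    bare = domain.lstrip("*.").lower()
    if any(bare == s or bare.endswith("." + s) for s in PRIVATE_SUFFIXES):
        return None
    shadowed = [n for (n, _t) in upstream if n == bare or n.endswith("." + bare)]
    if shadowed:
        return f"{domain}: rewrite shadows public name(s) {', '.join(shadowed)}"
    return f"{domain}: not under a reserved private-use suffix; check that its TLD is not delegated by IANA"


if __name__ == "__main__":
    for q in (("dnsserver.lan", "A"), ("google.com", "A"), ("web.lab.home.arpa", "A"),
              ("nas.home.arpa", "AAAA"), ("nas.home.arpa", "A")):
        print(q, "->", resolve(*q))
    for rw in REWRITES:
        print(rewrite_warning(rw["domain"]) or f"{rw['domain']}: ok")
```

Running it shows google.com answered from the rewrite table instead of upstream, the page's intranet.home.com example flagged because a public home.com could carry the same name, and the home.arpa entries passing the check.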
