Skip to content

Encryption

Ildar Kamalov edited this page Jul 5, 2019 · 7 revisions

AdGuard Home - Encryption

We are proud to say that AdGuard Home supports all modern DNS encryption protocols out-of-the-box:

In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.

  1. Install AdGuard Home on your server
  2. Register a domain name
  3. Get an SSL certificate
  4. Configure AdGuard Home
  5. Configure your devices

Install AdGuard Home on your server

It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP.

It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: DigitalOcean, Vultr, Linode, etc. Just choose one, create a cloud server there, and install AdGuard Home on your server.

Register a domain name

First of all, you need a domain name. If you have never registered one, here is a simple instruction that will help you with that.

Get an SSL certificate

Both DNS-over-HTTPS and DNS-over-TLS are based on TLS encryption so in order to use them, you will need to acquire an SSL certificate.

An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.

Alternatively, you can get the certificate for free from "Let's Encrypt" CA, a free certificate authority developed by the Internet Security Research Group (ISRG).

In this guide I'll explain how to get a certificate from them.

Install CertBot

Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt.

  1. Go to https://certbot.eff.org/ and choose "None of the above" software and your operating system.
  2. Follow the installation instructions, and stop there - don't get to the "Get Started" section.

Get a certificate using DNS challenge

You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate.

Run this command and follow the certbot's instructions:

sudo certbot certonly --manual --preferred-challenges=dns

In the end you'll get two files:

  • fullchain.pem -- your PEM-encoded SSL certificate
  • privkey.pem -- your PEM-encoded private key

Both will be necessary to configure AdGuard Home.

You will need to use the very same procedure to renew the existing certificate.

Configure AdGuard Home

  1. Open AdGuard Home web interface and go to settings.
  2. Scroll down to the "Encryption" settings
  3. Copy/paste the contents of the fullchain.pem file to "Certificates"
  4. Copy/paste the contents of the privkey.pem file to "Private key"
  5. Enter your domain name to "Server name"
  6. Click "Save settings".

Configure your devices

Please note that encrypted DNS protocols are supported only on Android 9. So you need to install additional software for other operating systems.

Here's a list of software you can use.

Android

  • Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
  • AdGuard for Android supports DNS-over-HTTPS and DNS-over-TLS.
  • Intra adds DNS-over-HTTPS support to Android.

iOS

  • DNSCloak supports DNS-over-HTTPS but in order to configure it to use your own server, you'll need to generate a DNS Stamp for it.
  • AdGuard for iOS supports DNS-over-HTTPS and DNS-over-TLS.

Other implementations

  • AdGuard Home itself can be a secure DNS client on any platform.
  • dnsproxy supports all known secure DNS protocols.
  • dnscrypt-proxy supports DNS-over-HTTPS.
  • Mozilla Firefox supports DNS-over-HTTPS.
  • You will find more implementations here and here.
You can’t perform that action at this time.