From 8cf259881953020e7829d2ef2b2557168070e002 Mon Sep 17 00:00:00 2001 From: vbagirov Date: Mon, 19 Aug 2024 11:05:44 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20gh-pages=20from=20@=20AdguardT?= =?UTF-8?q?eam/KnowledgeBaseDNS@103e7bbd8279f2584cf283b6e9324bff3e492bd9?= =?UTF-8?q?=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 404.html | 4 ++-- adguard-home/faq/index.html | 4 ++-- adguard-home/getting-started/index.html | 4 ++-- adguard-home/overview/index.html | 4 ++-- adguard-home/running-securely/index.html | 4 ++-- assets/js/e633e5a3.537daa84.js | 1 - assets/js/e633e5a3.9bc0f0ee.js | 1 + .../{runtime~main.158c7dec.js => runtime~main.27bc4957.js} | 2 +- dns-client/configuration/index.html | 4 ++-- dns-client/environment/index.html | 4 ++-- dns-client/overview/index.html | 4 ++-- general/dns-filtering-syntax/index.html | 4 ++-- general/dns-filtering/index.html | 4 ++-- general/dns-providers/index.html | 4 ++-- general/subscription/index.html | 4 ++-- index.html | 4 ++-- miscellaneous/acknowledgements/index.html | 4 ++-- miscellaneous/create-dns-stamp/index.html | 4 ++-- miscellaneous/take-screenshot/index.html | 4 ++-- miscellaneous/update-kb/index.html | 4 ++-- private-dns/api/changelog/index.html | 4 ++-- private-dns/api/overview/index.html | 4 ++-- private-dns/api/reference/index.html | 4 ++-- private-dns/overview/index.html | 4 ++-- .../solving-problems/icloud-private-relay/index.html | 4 ++-- private-dns/solving-problems/known-issues/index.html | 4 ++-- private-dns/solving-problems/remove-dns-profile/index.html | 4 ++-- public-dns/overview/index.html | 6 +++--- .../solving-problems/how-to-flush-dns-cache/index.html | 4 ++-- search/index.html | 4 ++-- 30 files changed, 57 insertions(+), 57 deletions(-) delete mode 100644 assets/js/e633e5a3.537daa84.js create mode 100644 assets/js/e633e5a3.9bc0f0ee.js rename assets/js/{runtime~main.158c7dec.js => runtime~main.27bc4957.js} (98%) 
diff --git a/404.html b/404.html index 4cf5dc4be..7b7aabd40 100644 --- a/404.html +++ b/404.html @@ -4,13 +4,13 @@ Page Not Found | AdGuard DNS Knowledge Base - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/adguard-home/faq/index.html b/adguard-home/faq/index.html index ee683b6a4..0d2a3315a 100644 --- a/adguard-home/faq/index.html +++ b/adguard-home/faq/index.html @@ -4,13 +4,13 @@ FAQ | AdGuard DNS Knowledge Base - +
Skip to main content

FAQ

Why doesn’t AdGuard Home block ads or threats?

Suppose that you want AdGuard Home to block somebadsite.com but for some reason it doesn’t. Let’s try to solve this problem.

Most likely, you haven’t configured your device to use AdGuard Home as the default DNS server. To check if you’re using AdGuard Home as your default DNS server:

  1. On Windows, open Command Prompt (StartRuncmd.exe). On other systems, open your Terminal application.

  2. Execute nslookup example.org. It will print something like this:

    Server: 192.168.0.1
    Address: 192.168.0.1#53

    Non-authoritative answer:
    Name: example.org
    Address: <IPv4>
    Name: example.org
    Address: <IPv6>
  3. Check if the Server IP address is the one where AdGuard Home is running. If not, you need to configure your device accordingly. See below how to do this.

  4. Ensure that your request to example.org appears in the AdGuard Home UI on the Query Log page. If not, you need to configure AdGuard Home to listen on the specified network interface. The easiest way to do this is to reinstall AdGuard Home with default settings.

If you are sure that your device is using AdGuard Home as its default DNS server, but the problem persists, it may be due to a misconfiguration of AdGuard Home. Please check and make sure that:

  1. You have enabled the Block domains using filters and hosts files setting on the SettingsGeneral settings page.

  2. You have enabled the appropriate security mechanisms, such as Parental Control, on the same page.

  3. You have enabled the appropriate filters on the FiltersDNS blocklists page.

  4. You don’t have any exception rule lists that may allow the requests enabled on the FiltersDNS allowlists page.

  5. You don’t have any DNS rewrites that may interfere on the FiltersDNS rewrites page.

  6. You don’t have any custom filtering rules that may interfere on the FiltersCustom filtering rules page.

What does “Blocked by CNAME or IP” in the query log mean?

AdGuard Home checks both DNS requests and DNS responses to prevent an adblock evasion technique known as CNAME cloaking. That is, if your filtering rules contain a domain, say tracker.example, and a DNS response for some other domain name, for example blogs.example, contains this domain name among its CNAME records, that response is blocked, because it actually leads to the blocked tracking service.

Where can I view the logs?

The default location of the plain-text logs (not to be confused with the query logs) depends on the operating system and installation mode:

  • OpenWrt Linux: use the logread -e AdGuardHome command.

  • Linux systems with systemd and other Unix systems with SysV-style init: /var/log/AdGuardHome.err.

  • macOS: /var/log/AdGuardHome.stderr.log.

  • Linux systems with Snapcraft use the snap logs adguard-home command.

  • FreeBSD: /var/log/daemon.log.

  • OpenBSD: /var/log/daemon.

  • Windows: the Windows Event Log is used.

How do I configure AdGuard Home to write verbose-level logs?

To troubleshoot a complicated issue, the verbose-level logging is sometimes required. Here’s how to enable it:

  1. Stop AdGuard Home:

    ./AdGuardHome -s stop
  2. Configure AdGuard Home to write verbose-level logs:

    1. Open AdGuardHome.yaml in your editor.

    2. Set log.file to the desired path of the log file, for example /tmp/aghlog.txt. Note that the directory must exist.

    3. Set log.verbose to true.

  3. Restart AdGuard Home and reproduce the issue:

    ./AdGuardHome -s start
  4. Once you’re done with the debugging, set log.verbose back to false.

How do I show a custom block page?

note

Before doing any of this, please note that modern browsers are set up to use HTTPS, so they validate the authenticity of the web server certificate. This means that using any of these will result in warning screens.

There is a number of proposed extensions that, if reasonably well supported by clients, would provide a better user experience, including the RFC 8914 Extended DNS Error codes and the DNS Access Denied Error Page RFC draft. We’ll implement them when browsers actually start to support them.

Prerequisites

To use any of these methods to display a custom block page, you’ll need an HTTP server running on some IP address and serving the page in question on all routes. Something like pixelserv-tls.

Custom block page for Parental Control and Safe Browsing filters

There is currently no way to set these parameters from the UI, so you’ll need to edit the configuration file manually:

  1. Stop AdGuard Home:

    ./AdGuardHome -s stop
  2. Open AdGuardHome.yaml in your editor.

  3. Set the dns.parental_block_host or dns.safebrowsing_block_host settings to the IP address of the server (in this example, 192.168.123.45):

    # …
    dns:
    # …

    # NOTE: Change to the actual IP address of your server.
    parental_block_host: 192.168.123.45
    safebrowsing_block_host: 192.168.123.45
  4. Restart AdGuard Home:

    ./AdGuardHome -s start

Custom block page for other filters

  1. Open the web UI.

  2. Navigate to SettingsDNS settings.

  3. In the DNS server configuration section, select the Custom IP radio button in the Blocking mode selector and enter the IPv4 and IPv6 addresses of the server.

  4. Click Save.

How do I change dashboard interface’s address?

  1. Stop AdGuard Home:

    ./AdGuardHome -s stop
  2. Open AdGuardHome.yaml in your editor.

  3. Set the http.address setting to a new network interface. For example:

    • 0.0.0.0:0 to listen on all network interfaces;
    • 0.0.0.0:8080 to listen on all network interfaces with port 8080;
    • 127.0.0.1:0 to listen on the local loopback interface only.
  4. Restart AdGuard Home:

    ./AdGuardHome -s start

How do I set up AdGuard Home as default DNS server?

See the Configuring Devices section on the Getting Started page.

Are there any known limitations?

Here are some examples of what cannot be blocked by a DNS-level blocker:

  • YouTube, Twitch ads.

  • Facebook, X (formerly Twitter), Instagram sponsored posts.

Basically, any ad that shares a domain with content cannot be blocked by a DNS-level blocker, unless you are ready to block the content as well.

Any possibility of dealing with this in the future?

DNS will never be enough to do this. Your only option is to use a content blocking proxy like what we do in the standalone AdGuard applications. We’ll be adding support for this feature to AdGuard Home in the future. Unfortunately, even then there will still be cases where it won’t be enough or it will require quite complicated configuration.

Why do I get bind: address already in use error when trying to install on Ubuntu?

This happens because the port 53 on localhost, which is used for DNS, is already taken by another program. Ubuntu comes with a local DNS called systemd-resolved, which uses the address 127.0.0.53:53, thus preventing AdGuard Home from binding to 127.0.0.1:53. You can see this by running:

sudo lsof -i :53

The output should be similar to:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 14542 systemd-resolve 13u IPv4 86178 0t0 UDP 127.0.0.53:domain
systemd-r 14542 systemd-resolve 14u IPv4 86179 0t0 TCP 127.0.0.53:domain

To fix this, you must either disable the systemd-resolved daemon or choose a different network interface and bind your AdGuard Home to an accessible IP address on it, such as the IP address of your router inside your network. But if you do need to listen on localhost, there are several solutions.

Firstly, AdGuard Home can detect such configurations and disable systemd-resolved for you if you press the Fix button located next to the address already in use message on the installation screen.

Secondly, if that doesn’t work, follow the instructions below. Note that if you’re using AdGuard Home with docker or snap, you’ll have to do this yourself.

  1. Create the /etc/systemd/resolved.conf.d directory, if necessary:

    sudo mkdir -p /etc/systemd/resolved.conf.d
  2. Deactivate DNSStubListener and update DNS server address. To do that, create a new file, /etc/systemd/resolved.conf.d/adguardhome.conf, with the following content:

    [Resolve]
    DNS=127.0.0.1
    DNSStubListener=no

    Specifying 127.0.0.1 as the DNS server address is necessary. Otherwise the nameserver will be 127.0.0.53 which won’t work without DNSStubListener.

  3. Activate another resolv.conf file:

    sudo mv /etc/resolv.conf /etc/resolv.conf.backup
    sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  4. Restart DNSStubListener:

    sudo systemctl reload-or-restart systemd-resolved

After that, systemd-resolved shouldn’t be shown in the output of lsof, and AdGuard Home should be able to bind to 127.0.0.1:53.

How do I configure a reverse proxy server for AdGuard Home?

If you’re already running a web server and want to access the AdGuard Home dashboard UI from a URL like http://YOUR_SERVER/aghome/, you can use this configuration for your web server:

nginx

location /aghome/ {
proxy_cookie_path / /aghome/;
proxy_pass http://AGH_IP:AGH_PORT/;
proxy_redirect / /aghome/;
proxy_set_header Host $host;
}

caddy

:80/aghome/* {
route {
uri strip_prefix /aghome
reverse_proxy AGH_IP:AGH_PORT
}
}

Or, if you only want to serve AdGuard Home with automatic TLS, use a configuration similar to the example shown below:

DOMAIN {
encode gzip zstd
tls YOUR_EMAIL@DOMAIN
reverse_proxy AGH_IP:AGH_PORT
}

Apache

<VirtualHost *:80>
ProxyPass "/" "http://AGH_IP:AGH_PORT/"
ProxyPassReverse "/" "http://AGH_IP:AGH_PORT/"
PreserveHost On
</VirtualHost>
note

Do not use subdirectories with the Apache reverse HTTP proxy. It's a known issue (#6604) that Apache handles relative redirects differently than other web servers. This causes problems with the AdGuard Home web interface.

Disable DoH encryption on AdGuard Home

If you’re using TLS on your reverse proxy server, you don’t need to use TLS on AdGuard Home. Set allow_unencrypted_doh: true in AdGuardHome.yaml to allow AdGuard Home to respond to DoH requests without TLS encryption.

Real IP addresses of clients

You can set the parameter trusted_proxies to the IP address(es) of your HTTP proxy to make AdGuard Home consider the headers containing the real client IP address. See the configuration and encryption pages for more information.

How do I fix permission denied errors on Fedora?

  1. Move the AdGuardHome binary to /usr/local/bin.

  2. As root, execute the following command to change the security context of the file:

    chcon -t bin_t /usr/local/bin/AdGuardHome
  3. Add the required firewall rules in order to make it reachable through the network. For example:

    firewall-cmd --new-zone=adguard --permanent
    firewall-cmd --zone=adguard --add-source=192.168.0.14/24 --permanent
    firewall-cmd --zone=adguard --add-port=3000/tcp --permanent
    firewall-cmd --zone=adguard --add-port=53/udp --permanent
    firewall-cmd --zone=adguard --add-port=80/tcp --permanent
    firewall-cmd --reload

If you are still getting code=exited status=203/EXEC or similar errors from systemctl, try uninstalling AdGuard Home and installing it directly into /usr/local/bin by using the -o option of the install script:

curl -s -S -L 'https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh' | sh -s -- -o '/usr/local/bin' -v

See issue 765 and issue 3281.

How do I fix incompatible file system errors?

You should move your AdGuard Home installation or working directory to another location. See the limitations section on the Getting Started page.

What does Error: control/version.json mean?

This error message means that AdGuard Home was unable to reach AdGuard servers to check for updates and/or download them. This could mean that the servers are blocked by your ISP or are temporarily down. If the error does not resolve itself after some time, you can try performing a manual update or disabling the automatic update check by running the AdGuardHome executable with the --no-check-update command-line option.

How do I update AdGuard Home manually?

If the button isn’t displayed or an automatic update has failed, you can update manually. In the examples below, we’ll use AdGuard Home versions for Linux and Windows for AMD64 CPUs.

Unix (Linux, macOS, BSD)

  1. Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line, type:

    curl -L -S -o '/tmp/AdGuardHome_linux_amd64.tar.gz' -s\
    'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'

    Or, with wget:

    wget -O '/tmp/AdGuardHome_linux_amd64.tar.gz'\
    'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'
  2. Navigate to the directory where AdGuard Home is installed. On most Unix systems the default directory is /opt/AdGuardHome, but on macOS it’s /Applications/AdGuardHome.

  3. Stop AdGuard Home:

    sudo ./AdGuardHome -s stop
    OpenBSD

    On OpenBSD, you will probably want to use doas instead of sudo.

  4. Backup your data. That is, your configuration file and the data directory (AdGuardHome.yaml and data/ by default). For example, to backup your data to a new directory called ~/my-agh-backup:

    mkdir -p ~/my-agh-backup
    cp -r ./AdGuardHome.yaml ./data ~/my-agh-backup/
  5. Extract the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your ~/Downloads directory and want to extract it to /tmp/:

    tar -C /tmp/ -f ~/Downloads/AdGuardHome_linux_amd64.tar.gz -x -v -z

    On macOS, type something like:

    unzip -d /tmp/ ~/Downloads/AdGuardHome_darwin_amd64.zip
  6. Replace the old AdGuard Home executable file with the new one. On most Unix systems the command would look something like this:

    sudo cp /tmp/AdGuardHome/AdGuardHome /opt/AdGuardHome/AdGuardHome

    On macOS, something like:

    sudo cp /tmp/AdGuardHome/AdGuardHome /Applications/AdGuardHome/AdGuardHome

    You may also want to copy the documentation parts of the package, such as the change log (CHANGELOG.md), the README file (README.md), and the license (LICENSE.txt).

    You can now remove the temporary directory.

  7. Restart AdGuard Home:

    sudo ./AdGuardHome -s start

Windows (Using PowerShell)

In all examples below, the PowerShell must be run as Administrator.

  1. Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line:

    $outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
    $aghUri = 'https://static.adguard.com/adguardhome/release/AdGuardHome_windows_amd64.zip'
    Invoke-WebRequest -OutFile "$outFile" -Uri "$aghUri"
  2. Navigate to the directory where AdGuard Home was installed. In the examples below, we’ll use C:\Program Files\AdGuardHome.

  3. Stop AdGuard Home:

    .\AdGuardHome.exe -s stop
  4. Backup your data. That is, your configuration file and the data directory (AdGuardHome.yaml and data/ by default). For example, to backup your data to a new directory called my-agh-backup:

    $newDir = Join-Path -Path $Env:USERPROFILE -ChildPath 'my-agh-backup'
    New-Item -Path $newDir -ItemType Directory
    Copy-Item -Path .\AdGuardHome.yaml, .\data -Destination $newDir -Recurse
  5. Extract the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your Downloads directory and want to extract it to a temporary directory:

    $outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
    Expand-Archive -Path "$outFile" -DestinationPath $Env:TEMP
  6. Replace the old AdGuard Home executable file with the new one. For example:

    $aghExe = Join-Path -Path $Env:TEMP -ChildPath 'AdGuardHome\AdGuardHome.exe'
    Copy-Item -Path "$aghExe" -Destination .\AdGuardHome.exe

    You may also want to copy the documentation parts of the package, such as the change log (CHANGELOG.md), the README file (README.md), and the license (LICENSE.txt).

    You can now remove the temporary directory.

  7. Restart AdGuard Home:

    .\AdGuardHome.exe -s start

How do I uninstall AdGuard Home?

Depending on how you installed AdGuard Home, there are different ways to uninstall it.

caution

Before uninstalling AdGuard Home, don’t forget to change the configuration of your devices and point them to a different DNS server.

Regular installation

In this case, do the following:

  • Unregister AdGuard Home service: ./AdGuardHome -s uninstall.

  • Remove the AdGuard Home directory.

Docker

Simply stop and remove the image.

Snap Store

snap remove adguard-home
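Review bot: In the Fedora section of this FAQ page, the fallback install command fetches install.sh from the master branch and pipes it straight into sh (the "| sh -s -- -o '/usr/local/bin' -v" line), so the reader runs whatever is on master at that moment without having seen it. Suggest showing a download-to-file step first, so the script can be read before it is executed, and pointing at a release tag rather than master. The firewall example just above it opens only 53/udp, although DNS clients fall back to TCP for large answers, and --add-source=192.168.0.14/24 combines a host address with a /24 prefix; adding 53/tcp and writing the source as 192.168.0.0/24 would state the network unambiguously. In the reverse proxy section, "allow_unencrypted_doh: true" leaves the hop between the proxy and AdGuard Home in plaintext, so the text should say that AdGuard Home must then be reachable only from the proxy (loopback or a trusted segment).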
- + \ No newline at end of file diff --git a/adguard-home/getting-started/index.html b/adguard-home/getting-started/index.html index 7083330d3..8bde6f1c8 100644 --- a/adguard-home/getting-started/index.html +++ b/adguard-home/getting-started/index.html @@ -4,13 +4,13 @@ Getting started | AdGuard DNS Knowledge Base - +
Skip to main content

Getting started

Installation

Official releases

Download the archive with the binary file for your operating system from the latest stable release page. The full list of supported platforms as well as links to beta and edge (unstable) releases can be found on our platforms page.

To install AdGuard Home as a service, extract the archive, enter the AdGuardHome directory, and run:

./AdGuardHome -s install

Notes

  • Users of Fedora Linux and its derivatives: install AdGuard Home in the /usr/local/bin directory. Failure to do so may cause issues with SELinux and permissions. See issue 765 and issue 3281.

  • Users of macOS 10.15 Catalina and newer should place the AdGuard Home working directory inside the /Applications directory.

Docker and Snap

We also provide an official AdGuard Home docker image and an official Snap Store package for experienced users.

Other

Some other unofficial options include:

First start

First of all, check your firewall settings. To install and use AdGuard Home, the following ports and protocols must be available:

  • 3000/TCP for the initial installation;
  • 80/TCP for the web interface;
  • 53/UDP for the DNS server.

You may need to open additional ports for protocols other than plain DNS, such as DNS-over-HTTPS.

DNS servers bind to port 53, which requires superuser privileges most of the time, see below. Therefore, on Unix systems, you will need to run it with sudo or doas in terminal:

sudo ./AdGuardHome

On Windows, run cmd.exe or PowerShell with admin privileges and run AdGuardHome.exe from there.

When you run AdGuard Home for the first time, it starts listening on 0.0.0.0:3000 and prompts you to open it in your browser:

AdGuard Home is available at the following addresses:
go to http://127.0.0.1:3000
go to http://[::1]:3000
[…]

There you will go through the initial configuration wizard.

AdGuard Home network interface selection screen

AdGuard Home user creation screen

See our article on running AdGuard Home securely for guidance on how to select the initial configuration that fits you best.

Running as a service

The next step would be to register AdGuard Home as a system service (aka daemon). To install AdGuard Home as a service, run:

sudo ./AdGuardHome -s install

On Windows, run cmd.exe with admin privileges and run AdGuardHome.exe -s install to register a Windows service.

Here are the other commands you might need to control the service:

  • AdGuardHome -s uninstall: Uninstall the AdGuard Home service.
  • AdGuardHome -s start: Start the service.
  • AdGuardHome -s stop: Stop the service.
  • AdGuardHome -s restart: Restart the service.
  • AdGuardHome -s status: Show the current service status.

Logs

By default, the logs are written to stderr when you run AdGuard Home in a terminal. If you run it as a service, the log output depends on the platform:

  • On macOS, the log is written to /var/log/AdGuardHome.*.log files.

  • On other Unixes, the log is written to syslog or journald.

  • On Windows, the log is written to the Windows event log.

You can change this behavior in the AdGuard Home configuration file.

Updating

An example of an update notification

When a new version is released, AdGuard Home’s UI shows a notification message and the Update now button. Click this button, and AdGuard Home will be automatically updated to the latest version. Your current AdGuard Home executable file is saved inside the backup directory along with the current configuration file, so you can revert the changes, if necessary.

Manual update

In case the button isn’t shown or an automatic update has failed, you can update manually. We have a detailed guide on manual updates, but in short:

  1. Download the new AdGuard Home package.

  2. Extract it to a temporary directory.

  3. Replace the old AdGuard Home executable file with the new one.

  4. Restart AdGuard Home.

Docker, Home Assistant, and Snapcraft updates

Auto-updates for Docker, Hass.io/Home Assistant, and Snapcraft installations are disabled. Update the image instead.

Command-line update

To update AdGuard Home package without the need to use Web API run:

./AdGuardHome --update

Configuring devices

Router

This setup will automatically cover all devices connected to your home router, and you won’t need to configure each of them manually.

  1. Open the preferences for your router. Usually, you can access it from your browser via a URL, such as http://192.168.0.1/ or http://192.168.1.1/. You may be prompted to enter a password. If you don’t remember it, you can often reset the password by pressing a button on the router itself, but be aware that if this procedure is chosen, you will probably lose the entire router configuration. If your router requires an app to set it up, please install the app on your phone or PC and use it to access the router’s settings.

  2. Find the DHCP/DNS settings. Look for the DNS letters next to a field that allows two or three sets of numbers, each divided into four groups of one to three digits.

  3. Enter your AdGuard Home server addresses there.

  4. On some router types, a custom DNS server cannot be set up. In that case, setting up AdGuard Home as a DHCP server may help. Otherwise, you should consult your router manual to learn how to customize DNS servers on your specific router model.

Windows

  1. Open Control Panel from the Start menu or Windows search.

  2. Go to Network and Internet and then to Network and Sharing Center.

  3. On the left side of the screen, find the Change adapter settings button and click it.

  4. Select your active connection, right-click it and choose Properties.

  5. Find Internet Protocol Version 4 (TCP/IPv4) (or, for IPv6, Internet Protocol Version 6 (TCP/IPv6)) in the list, select it, and then click Properties again.

  6. Choose Use the following DNS server addresses and enter your AdGuard Home server addresses.

macOS

  1. Click the Apple icon and go to System Preferences.

  2. Click Network.

  3. Select the first connection in your list and click Advanced.

  4. Select the DNS tab and enter your AdGuard Home server addresses.

Android

note

Instructions for Android devices may differ depending on the OS version and the manufacturer.

  1. From the Android menu home screen, tap Settings.

  2. Tap Wi-Fi on the menu. The screen with all of the available networks will be displayed (it is impossible to set custom DNS for mobile connection).

  3. Long press the network you’re connected to and tap Modify Network.

  4. On some devices, you may need to check the box for Advanced to see more settings. To adjust your Android DNS settings, you will need to change the IP settings from DHCP to Static.

  5. Change set DNS 1 and DNS 2 values to your AdGuard Home server addresses.

iOS

  1. From the home screen, tap Settings.

  2. Select Wi-Fi from the left menu (it is impossible to configure DNS for mobile networks).

  3. Tap the name of the currently active network.

  4. In the DNS field, enter your AdGuard Home server addresses.

Running without superuser

You can run AdGuard Home without superuser privileges, but you must either grant the binary a capability (on Linux) or instruct it to use a different port (all platforms).

Granting the necessary capabilities (Linux only)

Using this method requires the setcap utility. You may need to install it using your Linux distribution’s package manager.

To allow AdGuard Home running on Linux to listen on port 53 without superuser privileges and bind its DNS servers to a particular interface, run:

sudo setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' ./AdGuardHome

Then run ./AdGuardHome as an unprivileged user.

Changing the DNS listen port

To configure AdGuard Home to listen on a port that does not require superuser privileges, stop AdGuard Home, open AdGuardHome.yaml in your editor, and find these lines:

dns:
# …
port: 53

You can change the port to anything above 1024 to avoid requiring superuser privileges.

Limitations

Some file systems don’t support the mmap(2) system call required by the statistics system. See also issue 1188.

You can resolve this issue:

  • either by supplying the --work-dir DIRECTORY arguments to the AdGuardHome binary. This option will tell AGH to use another directory for all its files instead of the default ./data directory.

  • or by creating symbolic links pointing to another file system that supports mmap(2) (e.g. tmpfs):

    ln -s ${YOUR_AGH_PATH}/data/stats.db /tmp/stats.db
    ln -s ${YOUR_AGH_PATH}/data/sessions.db /tmp/sessions.db
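Review bot: In the Limitations section at the end of this page, the two ln -s commands have their arguments the wrong way round for what the text describes: ln -s ${YOUR_AGH_PATH}/data/stats.db /tmp/stats.db creates a link in /tmp that points back into the data directory, so the database stays on the file system that lacks mmap(2) support. For "symbolic links pointing to another file system", the /tmp path has to be the target and the data path the link name, that is ln -s /tmp/stats.db "${YOUR_AGH_PATH}/data/stats.db", and likewise for sessions.db; quoting the variable also keeps paths with spaces intact. Separately, the First start section says the setup wizard listens on 0.0.0.0:3000, which is before the user creation screen has been completed; it would help to tell readers to keep 3000/TCP reachable only from the machine doing the setup until the wizard is finished.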
- + \ No newline at end of file diff --git a/adguard-home/overview/index.html b/adguard-home/overview/index.html index 4e5c7bf98..500859c38 100644 --- a/adguard-home/overview/index.html +++ b/adguard-home/overview/index.html @@ -4,13 +4,13 @@ Overview | AdGuard DNS Knowledge Base - +
Skip to main content

Overview

What is AdGuard Home?

AdGuard Home is a network-wide software for blocking ads and tracking. Unlike Public AdGuard DNS and Private AdGuard DNS, AdGuard Home is designed to run on users’ own machines, which gives experienced users more control over their DNS traffic.

This guide should help you get started.

- + \ No newline at end of file diff --git a/adguard-home/running-securely/index.html b/adguard-home/running-securely/index.html index 839738e32..a48190e44 100644 --- a/adguard-home/running-securely/index.html +++ b/adguard-home/running-securely/index.html @@ -4,13 +4,13 @@ Setting up AdGuard Home securely | AdGuard DNS Knowledge Base - +
Skip to main content

Setting up AdGuard Home securely

This page contains a list of additional recommendations to help ensure the security of your AdGuard Home.

Choosing server addresses

The first time you start AdGuard Home, you will be asked which interface it should use to serve plain DNS. The most secure and convenient option depends on how you want to run AdGuard Home. You can change the address(es) later, by stopping your AdGuard Home, editing the dns.bind_hosts field in the configuration file, and restarting AdGuard Home.

note

The UI currently only allows you to select one interface, but you can actually select multiple addresses through the configuration file. We will be improving the UI in future releases.

If you intend to run AdGuard Home on your computer only, select the loopback device (also known as “localhost”). It is usually called localhost, lo, or something similar and has the address 127.0.0.1.

If you plan to run AdGuard Home on a router within a small isolated network, select the locally-served interface. The names can vary, but they usually contain the words wlan or wlp and have an address starting with 192.168.. You should probably also add the loopback address as well, if you want software on the router itself to use AdGuard Home too.

If you intend to run AdGuard Home on a publicly accessible server, you’ll probably want to select the All interfaces option. Note that this may expose your server to DDoS attacks, so please read the sections on access settings and rate limiting below.

Access settings

note

If your AdGuard Home is not accessible from the outside, you can skip this section.

At the bottom of the SettingsDNS settings page you will find the Access settings section. These settings allow you to either ban clients that are known to abuse your AdGuard Home instance or to enable the Allowlist mode. The Allowlist mode is recommended for public instances where the number of clients is known and all of the clients are able to use secure DNS.

To enable the Allowlist mode, enter ClientIDs (recommended) or IP addresses for allowed clients in the Allowed clients field.

Disabling plain DNS

note

If your AdGuard Home is not accessible from the outside, you can skip this section.

If all clients using your AdGuard Home are able to use encrypted protocols, it is a good idea to disable plain DNS or make it inaccessible from the outside.

If you want to completely disable plain DNS serving, you can do so on the SettingsEncryption settings page.

If you want to restrict plain DNS to internal use only, stop your AdGuard Home, edit the dns.bind_hosts field in the configuration file to contain only the loopback address(es), and restart AdGuard Home.

Plain-DNS ratelimiting

note

If your AdGuard Home is not accessible from the outside, you can skip this section.

The default plain-DNS ratelimit of 20 should generally be sufficient, but if you have a list of known clients, you can add them to the allowlist and set a stricter ratelimit for other clients.

OS service concerns

To prevent privilege escalation through binary planting, it is important that the directory where AdGuard Home is installed has proper ownership and permissions set.

We thank Go Compile for assistance in writing this section.

Unix (FreeBSD, Linux, macOS, OpenBSD)

The AdGuard Home working directory, which is by default /Applications/AdGuardHome on macOS and /opt/AdGuardHome on other Unix systems, as well as the binary itself, should generally have root:root ownership and not be writeable by anyone but root. You can check this with the following commands, replacing /opt/AdGuardHome with your directory and /opt/AdGuardHome/AdGuardHome with your binary:

ls -d -l /opt/AdGuardHome
ls -l /opt/AdGuardHome/AdGuardHome

A reasonably secure output should look something like this:

drwxr-xr-x 4 root root 4096 Jan 1 12:00 /opt/AdGuardHome/
-rwxr-xr-x 1 root root 29409280 Jan 1 12:00 /opt/AdGuardHome/AdGuardHome

Note the lack of write permission for anyone but root as well as root ownership. If the permissions and/or ownership are not correct, run the following commands under root:

chmod 755 /opt/AdGuardHome/ /opt/AdGuardHome/AdGuardHome
chown root:root /opt/AdGuardHome/ /opt/AdGuardHome/AdGuardHome
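
The same check as a script, as an added example that is not part of the AdGuard Home documentation: it reads the `ls -ldn` output for the directory and the binary and reports wrong ownership, group or world write bits, symlinks and missing paths. The function names `check_path`, `audit_install` and `demo` and the optional owner-uid argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the AdGuard Home directory and binary for the
# ownership and permission properties described above.

# check_path PATH [OWNER_UID]
# Prints one finding per problem and returns 1 if PATH is missing, is a
# symlink, is not owned by OWNER_UID (default 0, root), or is writable by
# group or others. Prints an OK line and returns 0 otherwise.
check_path() {
    cp_path=$1
    cp_uid=${2:-0}
    cp_bad=0

    # -d: describe a directory itself; -n: numeric uid/gid, so the result
    # does not depend on how the account database names uid 0.
    if ! cp_line=$(ls -ldn -- "$cp_path" 2>/dev/null); then
        echo "FAIL $cp_path: does not exist or cannot be read"
        return 1
    fi
    read -r cp_mode cp_links cp_owner cp_rest <<EOF
$cp_line
EOF

    case $cp_mode in
        l*) echo "FAIL $cp_path: is a symlink, audit its target instead"
            return 1 ;;
    esac
    if [ "$cp_owner" != "$cp_uid" ]; then
        echo "FAIL $cp_path: owned by uid $cp_owner, expected $cp_uid"
        cp_bad=1
    fi
    # Mode string layout: file type, then rwx for user, group and others,
    # so the group write bit is character 6 and the world write bit is 9.
    case $cp_mode in
        ?????w*) echo "FAIL $cp_path: group-writable ($cp_mode)"; cp_bad=1 ;;
    esac
    case $cp_mode in
        ????????w*) echo "FAIL $cp_path: world-writable ($cp_mode)"; cp_bad=1 ;;
    esac

    if [ "$cp_bad" -eq 0 ]; then
        echo "OK   $cp_path ($cp_mode, uid $cp_owner)"
    fi
    return "$cp_bad"
}

# audit_install DIR BINARY [OWNER_UID]
# Checks both paths; the return value is the number of paths with findings.
audit_install() {
    ai_failed=0
    check_path "$1" "${3:-0}" || ai_failed=$((ai_failed + 1))
    check_path "$2" "${3:-0}" || ai_failed=$((ai_failed + 1))
    return "$ai_failed"
}

# Constructed demo: a scratch directory with a deliberately world-writable
# stand-in for the binary, audited against the current uid so that it runs
# without root. Returns 0 if the audit fails before the fix and passes after.
demo() {
    d_dir=$(mktemp -d) || return 1
    chmod 755 "$d_dir"
    : > "$d_dir/AdGuardHome"
    chmod 777 "$d_dir/AdGuardHome"

    d_before=0
    audit_install "$d_dir" "$d_dir/AdGuardHome" "$(id -u)" || d_before=$?

    chmod 755 "$d_dir" "$d_dir/AdGuardHome"   # the fix given in the text
    d_after=0
    audit_install "$d_dir" "$d_dir/AdGuardHome" "$(id -u)" || d_after=$?

    rm -rf "$d_dir"
    [ "$d_before" -eq 1 ] && [ "$d_after" -eq 0 ]
}

# On a real system, run as any user:
#   audit_install /opt/AdGuardHome /opt/AdGuardHome/AdGuardHome
demo
```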

Windows

The principle is the same on Windows: make sure that the AdGuard Home directory, typically C:\Program Files\AdGuardHome, and the AdGuardHome.exe binary have the permissions that would only allow regular users to read and execute/list them.

In the future we plan to release Windows builds as MSI installer files that make sure that this is performed automatically.

- + \ No newline at end of file diff --git a/assets/js/e633e5a3.537daa84.js b/assets/js/e633e5a3.537daa84.js deleted file mode 100644 index c481be0d7..000000000 --- a/assets/js/e633e5a3.537daa84.js +++ /dev/null 
@@ -1 +0,0 @@ -"use strict";(self.webpackChunkadguard_dns_knowledge_base=self.webpackChunkadguard_dns_knowledge_base||[]).push([[846],{5680:(e,r,t)=>{t.d(r,{xA:()=>c,yg:()=>b});var o=t(6540);function n(e,r,t){return r in e?Object.defineProperty(e,r,{value:t,enumerable:!0,configurable:!0,writable:!0}):e[r]=t,e}function a(e,r){var t=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);r&&(o=o.filter((function(r){return Object.getOwnPropertyDescriptor(e,r).enumerable}))),t.push.apply(t,o)}return t}function s(e){for(var r=1;r=0||(n[t]=e[t]);return n}(e,r);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(o=0;o=0||Object.prototype.propertyIsEnumerable.call(e,t)&&(n[t]=e[t])}return n}var d=o.createContext({}),l=function(e){var r=o.useContext(d),t=r;return e&&(t="function"==typeof e?e(r):s(s({},r),e)),t},c=function(e){var r=l(e.components);return o.createElement(d.Provider,{value:r},e.children)},p="mdxType",u={inlineCode:"code",wrapper:function(e){var r=e.children;return o.createElement(o.Fragment,{},r)}},v=o.forwardRef((function(e,r){var t=e.components,n=e.mdxType,a=e.originalType,d=e.parentName,c=i(e,["components","mdxType","originalType","parentName"]),p=l(t),v=n,b=p["".concat(d,".").concat(v)]||p[v]||u[v]||a;return t?o.createElement(b,s(s({ref:r},c),{},{components:t})):o.createElement(b,s({ref:r},c))}));function b(e,r){var t=arguments,n=r&&r.mdxType;if("string"==typeof e||n){var a=t.length,s=new Array(a);s[0]=v;var i={};for(var d in r)hasOwnProperty.call(r,d)&&(i[d]=r[d]);i.originalType=e,i[p]="string"==typeof e?e:n,s[1]=i;for(var l=2;l{t.r(r),t.d(r,{assets:()=>d,contentTitle:()=>s,default:()=>u,frontMatter:()=>a,metadata:()=>i,toc:()=>l});var o=t(9668),n=(t(6540),t(5680));const a={title:"Overview",sidebar_position:1},s=void 0,i={unversionedId:"public-dns/overview",id:"public-dns/overview",title:"Overview",description:"What is AdGuard 
DNS?",source:"@site/docs/public-dns/overview.md",sourceDirName:"public-dns",slug:"/public-dns/overview",permalink:"/KnowledgeBaseDNS/public-dns/overview",draft:!1,editUrl:"https://github.com/AdguardTeam/KnowledgeBaseDNS/edit/master/docs/public-dns/overview.md",tags:[],version:"current",sidebarPosition:1,frontMatter:{title:"Overview",sidebar_position:1},sidebar:"sidebar",previous:{title:"How to purchase, upgrade, or get a refund",permalink:"/KnowledgeBaseDNS/general/subscription"},next:{title:"How to flush DNS cache",permalink:"/KnowledgeBaseDNS/public-dns/solving-problems/how-to-flush-dns-cache"}},d={},l=[{value:"What is AdGuard DNS?",id:"what-is-adguard-dns",level:2},{value:"Public AdGuard DNS servers",id:"public-adguard-dns-servers",level:2},{value:"AdGuard DNS protocols",id:"adguard-dns-protocols",level:2},{value:"DNSCrypt",id:"dnscrypt",level:3},{value:"DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)",id:"dns-over-https-doh-and-dns-over-tls-dot",level:3},{value:"DNS-over-QUIC (DoQ)",id:"dns-over-quic-doq",level:3}],c={toc:l},p="wrapper";function u(e){let{components:r,...t}=e;return(0,n.yg)(p,(0,o.A)({},c,t,{components:r,mdxType:"MDXLayout"}),(0,n.yg)("h2",{id:"what-is-adguard-dns"},"What is AdGuard DNS?"),(0,n.yg)("p",null,"AdGuard DNS is a free, privacy-oriented DNS resolver that provides secure connection and also can block tracking, ads, phishing and adult content (optionally). AdGuard DNS does not require installing any applications. It is easy to use and can be effortlessly set up on any device (smartphones, desktops, routers, game consoles, etc.)."),(0,n.yg)("h2",{id:"public-adguard-dns-servers"},"Public AdGuard DNS servers"),(0,n.yg)("p",null,'AdGuard DNS has three different types of public servers. "Default" server is for blocking ads, trackers, malware and phishing websites. "Family protection" does the same, but also blocks websites with adult content and enforces "Safe search" option in browsers that provide it. 
"Non-filtering" provides a secure and reliable connection but doesn\'t block anything. You can find detailed instructions on setting up AdGuard DNS on any device on ',(0,n.yg)("a",{parentName:"p",href:"https://adguard-dns.io/public-dns.html"},"our website"),".\nEach server supports different secure protocols: DNSCrypt, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ)."),(0,n.yg)("h2",{id:"adguard-dns-protocols"},"AdGuard DNS protocols"),(0,n.yg)("p",null,"Besides plain DNS (both IPv4 and IPv6) AdGuard DNS supports various encrypted protocols, so you can choose the one that suits you best."),(0,n.yg)("h3",{id:"dnscrypt"},"DNSCrypt"),(0,n.yg)("p",null,"AdGuard DNS allows you to use a specific encrypted protocol \u2014 DNSCrypt. Thanks to it, all DNS requests are being encrypted, which protects you from possible request interception and subsequent eavesdropping and/or alteration. But compared to the DoH, DoT and DoQ protocols, DNSCrypt is considered obsolete and if possible we recommend using these protocols."),(0,n.yg)("h3",{id:"dns-over-https-doh-and-dns-over-tls-dot"},"DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)"),(0,n.yg)("p",null,"DoH and DoT are modern secure DNS protocols that gain more and more popularity and will become the industry standards for the foreseeable future. Both are more reliable than DNSCrypt and both are supported by AdGuard DNS."),(0,n.yg)("h3",{id:"dns-over-quic-doq"},"DNS-over-QUIC (DoQ)"),(0,n.yg)("p",null,(0,n.yg)("a",{parentName:"p",href:"https://adguard.com/blog/dns-over-quic.html"},"DNS-over-QUIC is a new DNS encryption protocol")," and AdGuard DNS is the first public resolver that supports it. Unlike DoH and DoT, it uses QUIC as a transport protocol and finally brings DNS back to its roots \u2014 working over UDP. It brings all the good things that QUIC has to offer \u2014 out-of-the-box encryption, reduced connection times, better performance when data packets are lost. 
Also, QUIC is supposed to be a transport-level protocol and there are no risks of metadata leaks that could happen with DoH."))}u.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/e633e5a3.9bc0f0ee.js b/assets/js/e633e5a3.9bc0f0ee.js new file mode 100644 index 000000000..5c115792f --- /dev/null +++ b/assets/js/e633e5a3.9bc0f0ee.js 
@@ -0,0 +1 @@ +"use strict";(self.webpackChunkadguard_dns_knowledge_base=self.webpackChunkadguard_dns_knowledge_base||[]).push([[846],{5680:(e,r,t)=>{t.d(r,{xA:()=>p,yg:()=>g});var o=t(6540);function n(e,r,t){return r in e?Object.defineProperty(e,r,{value:t,enumerable:!0,configurable:!0,writable:!0}):e[r]=t,e}function a(e,r){var t=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);r&&(o=o.filter((function(r){return Object.getOwnPropertyDescriptor(e,r).enumerable}))),t.push.apply(t,o)}return t}function s(e){for(var r=1;r=0||(n[t]=e[t]);return n}(e,r);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(o=0;o=0||Object.prototype.propertyIsEnumerable.call(e,t)&&(n[t]=e[t])}return n}var d=o.createContext({}),l=function(e){var r=o.useContext(d),t=r;return e&&(t="function"==typeof e?e(r):s(s({},r),e)),t},p=function(e){var r=l(e.components);return o.createElement(d.Provider,{value:r},e.children)},c="mdxType",u={inlineCode:"code",wrapper:function(e){var r=e.children;return o.createElement(o.Fragment,{},r)}},v=o.forwardRef((function(e,r){var t=e.components,n=e.mdxType,a=e.originalType,d=e.parentName,p=i(e,["components","mdxType","originalType","parentName"]),c=l(t),v=n,g=c["".concat(d,".").concat(v)]||c[v]||u[v]||a;return t?o.createElement(g,s(s({ref:r},p),{},{components:t})):o.createElement(g,s({ref:r},p))}));function g(e,r){var t=arguments,n=r&&r.mdxType;if("string"==typeof e||n){var a=t.length,s=new Array(a);s[0]=v;var i={};for(var d in r)hasOwnProperty.call(r,d)&&(i[d]=r[d]);i.originalType=e,i[c]="string"==typeof e?e:n,s[1]=i;for(var l=2;l{t.r(r),t.d(r,{assets:()=>d,contentTitle:()=>s,default:()=>u,frontMatter:()=>a,metadata:()=>i,toc:()=>l});var o=t(9668),n=(t(6540),t(5680));const a={title:"Overview",sidebar_position:1},s=void 0,i={unversionedId:"public-dns/overview",id:"public-dns/overview",title:"Overview",description:"What is AdGuard 
DNS?",source:"@site/docs/public-dns/overview.md",sourceDirName:"public-dns",slug:"/public-dns/overview",permalink:"/KnowledgeBaseDNS/public-dns/overview",draft:!1,editUrl:"https://github.com/AdguardTeam/KnowledgeBaseDNS/edit/master/docs/public-dns/overview.md",tags:[],version:"current",sidebarPosition:1,frontMatter:{title:"Overview",sidebar_position:1},sidebar:"sidebar",previous:{title:"How to purchase, upgrade, or get a refund",permalink:"/KnowledgeBaseDNS/general/subscription"},next:{title:"How to flush DNS cache",permalink:"/KnowledgeBaseDNS/public-dns/solving-problems/how-to-flush-dns-cache"}},d={},l=[{value:"What is AdGuard DNS?",id:"what-is-adguard-dns",level:2},{value:"Public AdGuard DNS servers",id:"public-adguard-dns-servers",level:2},{value:"AdGuard DNS protocols",id:"adguard-dns-protocols",level:2},{value:"DNSCrypt",id:"dnscrypt",level:3},{value:"DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)",id:"dns-over-https-doh-and-dns-over-tls-dot",level:3},{value:"JSON API for DNS",id:"json-api-for-dns",level:4},{value:"DNS-over-QUIC (DoQ)",id:"dns-over-quic-doq",level:3}],p={toc:l},c="wrapper";function u(e){let{components:r,...t}=e;return(0,n.yg)(c,(0,o.A)({},p,t,{components:r,mdxType:"MDXLayout"}),(0,n.yg)("h2",{id:"what-is-adguard-dns"},"What is AdGuard DNS?"),(0,n.yg)("p",null,"AdGuard DNS is a free, privacy-oriented DNS resolver that provides secure connection and also can block tracking, ads, phishing and adult content (optionally). AdGuard DNS does not require installing any applications. It is easy to use and can be effortlessly set up on any device (smartphones, desktops, routers, game consoles, etc.)."),(0,n.yg)("h2",{id:"public-adguard-dns-servers"},"Public AdGuard DNS servers"),(0,n.yg)("p",null,'AdGuard DNS has three different types of public servers. "Default" server is for blocking ads, trackers, malware and phishing websites. 
"Family protection" does the same, but also blocks websites with adult content and enforces "Safe search" option in browsers that provide it. "Non-filtering" provides a secure and reliable connection but doesn\'t block anything. You can find detailed instructions on setting up AdGuard DNS on any device on ',(0,n.yg)("a",{parentName:"p",href:"https://adguard-dns.io/public-dns.html"},"our website"),".\nEach server supports different secure protocols: DNSCrypt, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ)."),(0,n.yg)("h2",{id:"adguard-dns-protocols"},"AdGuard DNS protocols"),(0,n.yg)("p",null,"Besides plain DNS (both IPv4 and IPv6) AdGuard DNS supports various encrypted protocols, so you can choose the one that suits you best."),(0,n.yg)("h3",{id:"dnscrypt"},"DNSCrypt"),(0,n.yg)("p",null,"AdGuard DNS allows you to use a specific encrypted protocol \u2014 DNSCrypt. Thanks to it, all DNS requests are being encrypted, which protects you from possible request interception and subsequent eavesdropping and/or alteration. But compared to the DoH, DoT and DoQ protocols, DNSCrypt is considered obsolete and if possible we recommend using these protocols."),(0,n.yg)("h3",{id:"dns-over-https-doh-and-dns-over-tls-dot"},"DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)"),(0,n.yg)("p",null,"DoH and DoT are modern secure DNS protocols that gain more and more popularity and will become the industry standards for the foreseeable future. Both are more reliable than DNSCrypt and both are supported by AdGuard DNS."),(0,n.yg)("h4",{id:"json-api-for-dns"},"JSON API for DNS"),(0,n.yg)("p",null,"AdGuard DNS also provides a JSON API for DNS. 
It is possible to get a DNS response in JSON by typing:"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre",className:"language-text"},"curl 'https://dns.adguard-dns.com/resolve?name=www.example.com'\n")),(0,n.yg)("p",null,"For detailed documentation, refer to ",(0,n.yg)("a",{parentName:"p",href:"https://developers.google.com/speed/public-dns/docs/doh/json"},"Google's guide to JSON API for DNS-over-HTTPS"),". Getting a DNS response in JSON works the same way with AdGuard DNS."),(0,n.yg)("admonition",{type:"note"},(0,n.yg)("p",{parentName:"admonition"},"Unlike with Google DNS, AdGuard DNS doesn't support ",(0,n.yg)("inlineCode",{parentName:"p"},"edns_client_subnet")," and ",(0,n.yg)("inlineCode",{parentName:"p"},"Comment")," values in response JSONs.")),(0,n.yg)("h3",{id:"dns-over-quic-doq"},"DNS-over-QUIC (DoQ)"),(0,n.yg)("p",null,(0,n.yg)("a",{parentName:"p",href:"https://adguard.com/blog/dns-over-quic.html"},"DNS-over-QUIC is a new DNS encryption protocol")," and AdGuard DNS is the first public resolver that supports it. Unlike DoH and DoT, it uses QUIC as a transport protocol and finally brings DNS back to its roots \u2014 working over UDP. It brings all the good things that QUIC has to offer \u2014 out-of-the-box encryption, reduced connection times, better performance when data packets are lost. Also, QUIC is supposed to be a transport-level protocol and there are no risks of metadata leaks that could happen with DoH."))}u.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/runtime~main.158c7dec.js b/assets/js/runtime~main.27bc4957.js similarity index 98% rename from assets/js/runtime~main.158c7dec.js rename to assets/js/runtime~main.27bc4957.js index 8d2814359..3e0566d83 100644 --- a/assets/js/runtime~main.158c7dec.js +++ b/assets/js/runtime~main.27bc4957.js 
@@ -1 +1 @@ -(()=>{"use strict";var e,a,t,r,f,d={},o={};function n(e){var a=o[e];if(void 0!==a)return a.exports;var t=o[e]={id:e,loaded:!1,exports:{}};return d[e].call(t.exports,t,t.exports,n),t.loaded=!0,t.exports}n.m=d,n.c=o,e=[],n.O=(a,t,r,f)=>{if(!t){var d=1/0;for(i=0;i=f)&&Object.keys(n.O).every((e=>n.O[e](t[b])))?t.splice(b--,1):(o=!1,f0&&e[i-1][2]>f;i--)e[i]=e[i-1];e[i]=[t,r,f]},n.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return n.d(a,{a:a}),a},t=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,n.t=function(e,r){if(1&r&&(e=this(e)),8&r)return e;if("object"==typeof e&&e){if(4&r&&e.__esModule)return e;if(16&r&&"function"==typeof e.then)return e}var f=Object.create(null);n.r(f);var d={};a=a||[null,t({}),t([]),t(t)];for(var o=2&r&&e;"object"==typeof o&&!~a.indexOf(o);o=t(o))Object.getOwnPropertyNames(o).forEach((a=>d[a]=()=>e[a]));return d.default=()=>e,n.d(f,d),f},n.d=(e,a)=>{for(var t in a)n.o(a,t)&&!n.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:a[t]})},n.f={},n.e=e=>Promise.all(Object.keys(n.f).reduce(((a,t)=>(n.f[t](e,a),a)),[])),n.u=e=>"assets/js/"+({17:"02a805f0",31:"b7143858",38:"3e965b85",39:"3ae1f4a3",82:"83ffdaa0",116:"49e6968f",138:"1a4e3797",145:"12afb509",179:"c649e91c",258:"b25ed7d0",328:"8897b4d1",346:"da8d71d8",382:"ff177938",401:"17896441",433:"6ac4fc81",486:"f897b711",556:"c726af22",576:"0e011d66",581:"935f2afb",669:"0d1dfb30",677:"4a744877",684:"bed4a2d1",714:"1be78505",739:"1365b58d",828:"1a7e4f3f",829:"cfb258e5",846:"e633e5a3",913:"a7bc4adb",946:"67ff55fd",976:"0e384e19",996:"3c66d643"}[e]||e)+"."+{17:"f0f4f935",31:"d6f217c1",38:"13a59e46",39:"3d7c29da",82:"831a2d99",116:"d5e0a1b9",138:"569ded55",145:"255040d8",179:"5c3fdea2",247:"5ecccf0d",258:"05ccd297",322:"13297352",328:"005fba71",346:"a12f47f5",381:"47da99c5",382:"473e9cec",401:"e4755091",433:"f3715af8",486:"8e685366",529:"d131b264",556:"ecd6725a",576:"e74015ba",581:"068d5f84",605:"d553e60b",669:"727b3223",670:"9fe617b6",677:"430ae92d",684:"7394c554",714:"c
def0748",716:"0a14156a",739:"c1379920",828:"20083168",829:"48c46498",846:"537daa84",913:"6e38ea2c",946:"a8d41680",976:"96550454",996:"028119a0"}[e]+".js",n.miniCssF=e=>{},n.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),n.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),r={},f="adguard-dns-knowledge-base:",n.l=(e,a,t,d)=>{if(r[e])r[e].push(a);else{var o,b;if(void 0!==t)for(var c=document.getElementsByTagName("script"),i=0;i{o.onerror=o.onload=null,clearTimeout(s);var f=r[e];if(delete r[e],o.parentNode&&o.parentNode.removeChild(o),f&&f.forEach((e=>e(t))),a)return a(t)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:o}),12e4);o.onerror=l.bind(null,o.onerror),o.onload=l.bind(null,o.onload),b&&document.head.appendChild(o)}},n.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.p="/KnowledgeBaseDNS/",n.gca=function(e){return e={17896441:"401","02a805f0":"17",b7143858:"31","3e965b85":"38","3ae1f4a3":"39","83ffdaa0":"82","49e6968f":"116","1a4e3797":"138","12afb509":"145",c649e91c:"179",b25ed7d0:"258","8897b4d1":"328",da8d71d8:"346",ff177938:"382","6ac4fc81":"433",f897b711:"486",c726af22:"556","0e011d66":"576","935f2afb":"581","0d1dfb30":"669","4a744877":"677",bed4a2d1:"684","1be78505":"714","1365b58d":"739","1a7e4f3f":"828",cfb258e5:"829",e633e5a3:"846",a7bc4adb:"913","67ff55fd":"946","0e384e19":"976","3c66d643":"996"}[e]||e,n.p+n.u(e)},(()=>{var e={354:0,869:0};n.f.j=(a,t)=>{var r=n.o(e,a)?e[a]:void 0;if(0!==r)if(r)t.push(r[2]);else if(/^(354|869)$/.test(a))e[a]=0;else{var f=new Promise(((t,f)=>r=e[a]=[t,f]));t.push(r[2]=f);var d=n.p+n.u(a),o=new Error;n.l(d,(t=>{if(n.o(e,a)&&(0!==(r=e[a])&&(e[a]=void 0),r)){var f=t&&("load"===t.type?"missing":t.type),d=t&&t.target&&t.target.src;o.message="Loading chunk "+a+" failed.\n("+f+": 
"+d+")",o.name="ChunkLoadError",o.type=f,o.request=d,r[1](o)}}),"chunk-"+a,a)}},n.O.j=a=>0===e[a];var a=(a,t)=>{var r,f,d=t[0],o=t[1],b=t[2],c=0;if(d.some((a=>0!==e[a]))){for(r in o)n.o(o,r)&&(n.m[r]=o[r]);if(b)var i=b(n)}for(a&&a(t);c{"use strict";var e,a,t,r,f,d={},o={};function n(e){var a=o[e];if(void 0!==a)return a.exports;var t=o[e]={id:e,loaded:!1,exports:{}};return d[e].call(t.exports,t,t.exports,n),t.loaded=!0,t.exports}n.m=d,n.c=o,e=[],n.O=(a,t,r,f)=>{if(!t){var d=1/0;for(i=0;i=f)&&Object.keys(n.O).every((e=>n.O[e](t[b])))?t.splice(b--,1):(o=!1,f0&&e[i-1][2]>f;i--)e[i]=e[i-1];e[i]=[t,r,f]},n.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return n.d(a,{a:a}),a},t=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,n.t=function(e,r){if(1&r&&(e=this(e)),8&r)return e;if("object"==typeof e&&e){if(4&r&&e.__esModule)return e;if(16&r&&"function"==typeof e.then)return e}var f=Object.create(null);n.r(f);var d={};a=a||[null,t({}),t([]),t(t)];for(var o=2&r&&e;"object"==typeof o&&!~a.indexOf(o);o=t(o))Object.getOwnPropertyNames(o).forEach((a=>d[a]=()=>e[a]));return d.default=()=>e,n.d(f,d),f},n.d=(e,a)=>{for(var t in 
a)n.o(a,t)&&!n.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:a[t]})},n.f={},n.e=e=>Promise.all(Object.keys(n.f).reduce(((a,t)=>(n.f[t](e,a),a)),[])),n.u=e=>"assets/js/"+({17:"02a805f0",31:"b7143858",38:"3e965b85",39:"3ae1f4a3",82:"83ffdaa0",116:"49e6968f",138:"1a4e3797",145:"12afb509",179:"c649e91c",258:"b25ed7d0",328:"8897b4d1",346:"da8d71d8",382:"ff177938",401:"17896441",433:"6ac4fc81",486:"f897b711",556:"c726af22",576:"0e011d66",581:"935f2afb",669:"0d1dfb30",677:"4a744877",684:"bed4a2d1",714:"1be78505",739:"1365b58d",828:"1a7e4f3f",829:"cfb258e5",846:"e633e5a3",913:"a7bc4adb",946:"67ff55fd",976:"0e384e19",996:"3c66d643"}[e]||e)+"."+{17:"f0f4f935",31:"d6f217c1",38:"13a59e46",39:"3d7c29da",82:"831a2d99",116:"d5e0a1b9",138:"569ded55",145:"255040d8",179:"5c3fdea2",247:"5ecccf0d",258:"05ccd297",322:"13297352",328:"005fba71",346:"a12f47f5",381:"47da99c5",382:"473e9cec",401:"e4755091",433:"f3715af8",486:"8e685366",529:"d131b264",556:"ecd6725a",576:"e74015ba",581:"068d5f84",605:"d553e60b",669:"727b3223",670:"9fe617b6",677:"430ae92d",684:"7394c554",714:"cdef0748",716:"0a14156a",739:"c1379920",828:"20083168",829:"48c46498",846:"9bc0f0ee",913:"6e38ea2c",946:"a8d41680",976:"96550454",996:"028119a0"}[e]+".js",n.miniCssF=e=>{},n.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),n.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),r={},f="adguard-dns-knowledge-base:",n.l=(e,a,t,d)=>{if(r[e])r[e].push(a);else{var o,b;if(void 0!==t)for(var c=document.getElementsByTagName("script"),i=0;i{o.onerror=o.onload=null,clearTimeout(s);var f=r[e];if(delete r[e],o.parentNode&&o.parentNode.removeChild(o),f&&f.forEach((e=>e(t))),a)return a(t)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:o}),12e4);o.onerror=l.bind(null,o.onerror),o.onload=l.bind(null,o.onload),b&&document.head.appendChild(o)}},n.r=e=>{"undefined"!=typeof 
Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.p="/KnowledgeBaseDNS/",n.gca=function(e){return e={17896441:"401","02a805f0":"17",b7143858:"31","3e965b85":"38","3ae1f4a3":"39","83ffdaa0":"82","49e6968f":"116","1a4e3797":"138","12afb509":"145",c649e91c:"179",b25ed7d0:"258","8897b4d1":"328",da8d71d8:"346",ff177938:"382","6ac4fc81":"433",f897b711:"486",c726af22:"556","0e011d66":"576","935f2afb":"581","0d1dfb30":"669","4a744877":"677",bed4a2d1:"684","1be78505":"714","1365b58d":"739","1a7e4f3f":"828",cfb258e5:"829",e633e5a3:"846",a7bc4adb:"913","67ff55fd":"946","0e384e19":"976","3c66d643":"996"}[e]||e,n.p+n.u(e)},(()=>{var e={354:0,869:0};n.f.j=(a,t)=>{var r=n.o(e,a)?e[a]:void 0;if(0!==r)if(r)t.push(r[2]);else if(/^(354|869)$/.test(a))e[a]=0;else{var f=new Promise(((t,f)=>r=e[a]=[t,f]));t.push(r[2]=f);var d=n.p+n.u(a),o=new Error;n.l(d,(t=>{if(n.o(e,a)&&(0!==(r=e[a])&&(e[a]=void 0),r)){var f=t&&("load"===t.type?"missing":t.type),d=t&&t.target&&t.target.src;o.message="Loading chunk "+a+" failed.\n("+f+": "+d+")",o.name="ChunkLoadError",o.type=f,o.request=d,r[1](o)}}),"chunk-"+a,a)}},n.O.j=a=>0===e[a];var a=(a,t)=>{var r,f,d=t[0],o=t[1],b=t[2],c=0;if(d.some((a=>0!==e[a]))){for(r in o)n.o(o,r)&&(n.m[r]=o[r]);if(b)var i=b(n)}for(a&&a(t);c Configuration file | AdGuard DNS Knowledge Base - +
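
Review bot: In the added chunk assets/js/e633e5a3.9bc0f0ee.js, the new "JSON API for DNS" section renders its curl command with className:"language-text", so the one shell command on the page gets no shell highlighting; tag the fence as sh in docs/public-dns/overview.md (the editUrl carried in the chunk) and regenerate, rather than editing the bundle. In the same section the admonition says edns_client_subnet and Comment are unsupported "values in response JSONs"; since the text sends readers to Google's guide for everything else, it would help to state whether an edns_client_subnet parameter in the request is also ignored.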

Configuration file

See file config.dist.yml for a full example of a YAML configuration file with comments.

dns

The dns object configures the behavior of the DNS server. It has the following properties:

cache

The cache object configures caching the results of querying DNS. It has the following properties:

  • enabled: Whether or not the DNS results should be cached.

    Example: true

  • size: The maximum size of the DNS result cache as human-readable data size. It must be greater than zero if enabled is true.

    Example: 128 MB

  • client_size: The maximum size of the DNS result cache for each configured client’s address or subnetwork as human-readable data size. It must be greater than zero if enabled is true.

    Example: 4 MB

server

The server object configures the handling of incoming requests. It has the following properties:

  • listen_addresses: The set of addresses with ports to listen on.

    Property example:

    'listen_addresses':
    - address: '127.0.0.1:53'
    - address: '[::1]:53'

bootstrap

The bootstrap object configures the resolution of upstream server addresses. It has the following properties:

  • servers: The list of servers to resolve the hostnames of upstream servers.

    Property example:

    'servers':
    - address: '8.8.8.8:53'
    - address: '192.168.1.1:53'
  • timeout: The timeout for bootstrap DNS requests as a human-readable duration.

    Example: 2 s

upstream

The upstream object configures the actual resolving of requests. It has the following properties:

  • groups: The set of upstream servers keyed by the group’s name. It has the following fields:

    • address: The upstream server’s address.

      Example: '8.8.8.8:53'

    • match: The list of criteria to match the request against. Each entry may contain the following properties:

      • question_domain: The domain or a suffix of the domain that the set of upstream servers should be used to resolve.

        Example: 'mycompany.local'

      • client: The client’s address or a subnet of the client’s address from which the set of upstream servers should resolve requests. It must have no significant bits outside the subnet mask.

        Example: '192.0.2.0/24'

      note

      Properties specified within a single entry are combined with a logical AND. Entries are combined with a logical OR.

      Property example:

      'match':
      - question_domain: 'mycompany.local'
        client: '192.168.1.0/24'
      - question_domain: 'mycompany.external'
      - client: '1.2.3.4'
    info

    groups should contain at least a single entry named default, and optionally a single entry named private, both should have no match property.

    The default group will be used when there are no matches among other groups. The private group will be used to resolve the PTR requests for the private IP addresses. Such queries will be answered with NXDOMAIN if no private group is defined.

  • timeout: The timeout for upstream DNS requests as a human-readable duration.

    Example: 2s

fallback

The fallback object configures the behavior of the DNS server in case of failure. It has the following properties:

  • servers: The list of servers to use after the actual upstream failed to respond.

    Property example:

    'servers':
    - address: 'tls://94.140.14.140'
  • timeout: The timeout for fallback DNS requests as a human-readable duration.

    Example: 2s

debug

The debug object configures the debugging features. It has the following properties:

pprof

The pprof object configures the pprof HTTP handlers. It has the following properties:

  • port: The port to listen on for debug HTTP requests on localhost.

    Example: 6060

  • enabled: Whether or not the debug profiling is enabled.

    Example: true

log

The log object configures the logging. It has the following properties:

  • output: The output to which logs are written.

    note

    Log entries written to the system log are in text format (see below) and use the system timestamp.

    Possible values:

    • syslog means that the platform-specific system log is used, which is syslog for Linux and Event Log for Windows.

    • stdout for standard output stream.

    • stderr for standard error stream.

    • Absolute path to the log file.

      Example: /home/user/logs

      Example: C:\Users\user\logs.txt

    Example: syslog

  • format: Specifies the format of the log entries.

    Possible values:

    • default: A simple format. Example:

      INFO service started prefix=program addr=127.0.0.1:53
    • json: A structured JSON format. Example:

      {"level":"INFO","msg":"service started","prefix":"program","addr":"127.0.0.1:53"}
    • jsonhybrid: Same as json but with a limited number of fields. Example:

      {"level":"INFO","msg":"service started, attrs: prefix=program addr=127.0.0.1:53"}
    • text: A structured text format. Example:

      level=INFO msg="service started" prefix=program addr=127.0.0.1:53

    Example: default

  • timestamp: Specifies whether to include a timestamp in the log entries.

    Example: false

  • verbose: Specifies whether the log should be more informative.

    Example: false

- + \ No newline at end of file diff --git a/dns-client/environment/index.html b/dns-client/environment/index.html index 69725d2c0..ceb31c087 100644 --- a/dns-client/environment/index.html +++ b/dns-client/environment/index.html @@ -4,13 +4,13 @@ Environment | AdGuard DNS Knowledge Base - +

Environment

AdGuard DNS Client uses environment variables to store part of the configuration. The rest of the configuration is stored in the configuration file.

LOG_OUTPUT

The log destination, must be an absolute path to the file or one of the special values. See the logging configuration description in the article about the configuration file.

This environment variable overrides the log.output field in the configuration file.

Default: Unset.

LOG_FORMAT

The format for log entries. See the logging configuration description in the article about the configuration file.

This environment variable overrides the log.format field in the configuration file.

Default: Unset.

LOG_TIMESTAMP

When set to 1, log entries have a timestamp. When set to 0, log entries don’t have it.

This environment variable overrides the log.timestamp field in the configuration file.

Default: Unset.

VERBOSE

When set to 1, enable verbose logging. When set to 0, disable it.

This environment variable overrides the log.verbose field in the configuration file.

Default: Unset.

- + \ No newline at end of file diff --git a/dns-client/overview/index.html b/dns-client/overview/index.html index 69738a0f6..30e4ca919 100644 --- a/dns-client/overview/index.html +++ b/dns-client/overview/index.html @@ -4,13 +4,13 @@ Overview | AdGuard DNS Knowledge Base - +

Overview

What is AdGuard DNS Client?

A cross-platform lightweight DNS client for AdGuard DNS. It operates as a DNS server that forwards DNS requests to the corresponding upstream resolvers.

Quick start

caution

AdGuard DNS Client is still in the Beta stage. It may be unstable.

Supported operating systems:

  • Linux
  • macOS
  • Windows

Supported CPU architectures:

  • 64-bit ARM
  • AMD64
  • i386

Getting started

Unix-like operating systems

  1. Download and unpack the .tar.gz or .zip archive from the releases page.

    caution

    On macOS, it's crucial that globally installed daemons are owned by root (see the launchd documentation), so the AdGuardDNSClient executable must be placed in the /Applications/ directory or its subdirectory.

  2. Install it as a service by running:

    ./AdGuardDNSClient -s install -v
  3. Edit the configuration file config.yaml.

  4. Start the service:

    ./AdGuardDNSClient -s start -v

To check that it works, use any DNS checking utility. For example, using nslookup:

nslookup -debug 'www.example.com' '127.0.0.1'

Windows

Just download and install using the MSI installer from the releases page.

To check that it works, use any DNS checking utility. For example, using nslookup.exe:

nslookup -debug "www.example.com" "127.0.0.1"

Command-line options

Each option overrides the corresponding value provided by the configuration file and the environment.

Help

Option -h makes AdGuard DNS Client print out a help message to standard output and exit with a success status-code.

Service

Option -s <value> specifies the OS service action. Possible values are:

  • install: installs AdGuard DNS Client as a service
  • restart: restarts the running AdGuard DNS Client service
  • start: starts the installed AdGuard DNS Client service
  • status: shows the status of the installed AdGuard DNS Client service
  • stop: stops the running AdGuard DNS Client
  • uninstall: uninstalls AdGuard DNS Client service

Verbose

Option -v enables the verbose log output.

Version

Option --version makes AdGuard DNS Client print out the version of the AdGuardDNSClient executable to standard output and exit with a success status-code.

Configuration

File

The YAML configuration file is described in its own article, and there is also a sample configuration file config.dist.yaml. Some configuration parameters can also be overridden using the environment.

Exit codes

There are a few different exit codes that may appear under different error conditions:

  • 0: Successfully finished and exited, no errors.

  • 1: Internal error, most likely a misconfiguration.

  • 2: Bad command-line argument or value.
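
Review bot: In the Unix-like getting-started steps, the macOS caution says globally installed daemons must be owned by root, yet steps 1 and 2 never say to check or set the ownership of the unpacked AdGuardDNSClient executable, or whether "-s install" has to be run with elevated privileges. Suggest stating the required privileges next to "./AdGuardDNSClient -s install -v" and saying who should own the executable and config.yaml, because a service binary or configuration that an unprivileged user can write lets that user change what the daemon executes or which upstreams it forwards queries to. Minor: the "stop" entry in the Service list omits the word "service", unlike the other five values.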

- + \ No newline at end of file diff --git a/general/dns-filtering-syntax/index.html b/general/dns-filtering-syntax/index.html index 33b598b21..53d6debed 100644 --- a/general/dns-filtering-syntax/index.html +++ b/general/dns-filtering-syntax/index.html @@ -4,7 +4,7 @@ DNS filtering rules syntax | AdGuard DNS Knowledge Base - + @@ -13,7 +13,7 @@ AdGuard DNS filtering rules syntax can be used in different AdGuard products such as AdGuard Home, AdGuard DNS, AdGuard for Windows/Mac/Android.

There are three different approaches to writing hosts blocklists:

  • Adblock-style syntax: the modern approach to writing filtering rules based on using a subset of the Adblock-style rule syntax. This way blocklists are compatible with browser ad blockers.

  • /etc/hosts syntax: the old, tried-and-true approach that uses the same syntax that operating systems do for their hosts files.

  • Domains-only syntax: a simple list of domain names.

If you are creating a blocklist, we recommend using the Adblock-style syntax. It has a couple of important advantages over the old-style syntax:

  • Blocklists size. Using pattern matching allows you to have a single rule instead of hundreds of /etc/hosts entries.

  • Compatibility. Your blocklist will be compatible with browser ad blockers, and it will be easier to share rules with a browser filter list.

  • Extensibility. In the past decade, the Adblock-style syntax has greatly evolved, and we see no reason not to extend it even further and offer additional features for network-level blockers.

If you're maintaining either a /etc/hosts-style blocklist or multiple filtering lists (regardless of type), we provide a tool for blocklist compilation. We named it Hostlist compiler and we use it ourselves to create AdGuard DNS filter.

Basic examples

  • ||example.org^: block access to the example.org domain and all its subdomains, like www.example.org.

  • @@||example.org^: unblock access to the example.org domain and all its subdomains.

  • 1.2.3.4 example.org: (attention, old /etc/hosts-style syntax) in AdGuard Home, respond with 1.2.3.4 to queries for the example.org domain but not its subdomains. In Private AdGuard DNS, block access to example.org. www.example.org remains allowed.

    In AdGuard Home, using the unspecified IP address (0.0.0.0) or a local address (127.0.0.1 and alike) for a host is basically the same as blocking that host.

    # Returns the IP address 1.2.3.4 for example.org.
    1.2.3.4 example.org
    # Blocks example.org by responding with 0.0.0.0.
    0.0.0.0 example.org
  • example.org: a simple domain rule. Blocks the example.org domain but not its subdomains. www.example.org remains allowed.

  • ! Here goes a comment and # Also a comment: comments.

  • /REGEX/: block access to the domains matching the specified regular expression.

Adblock-style syntax

This is a subset of the traditional Adblock-style syntax which is used by browser ad blockers.

     rule = ["@@"] pattern [ "$" modifiers ]
modifiers = [modifier0, modifier1[, ...[, modifierN]]]
  • pattern: the hostname mask. Every hostname is matched against this mask. The pattern can also contain special characters, which are described below.

  • @@: the marker that is used in the exception rules. Start your rule with this marker if you want to turn off filtering for the matching hostnames.

  • modifiers: parameters that clarify the rule. They may limit the scope of the rule or even completely change the way it works.

Special characters

  • *: the wildcard character. It is used to represent any set of characters. This can also be an empty string or a string of any length.

  • ||: matches the beginning of a hostname, including any subdomain. For instance, ||example.org matches example.org and test.example.org but not testexample.org.

  • ^: the separator character. Unlike browser ad blocking, there's nothing to separate in a hostname, so the only purpose of this character is to mark the end of the hostname.

  • |: a pointer to the beginning or the end of the hostname. The value depends on the character placement in the mask. For example, the rule ample.org| corresponds to example.org but not to example.org.com. |example corresponds to example.org but not to test.example.

Regular expressions

If you want even more flexibility in making rules, you can use regular expressions instead of the default simplified matching syntax. If you want to use a regular expression, the pattern has to look like this:

pattern = "/" regexp "/"

Examples:

  • /example.*/ will block hosts matching the example.* regexp.

  • @@/example.*/$important will unblock hosts matching the example.* regexp. Note that this rule also implies the important modifier.

Comments

Any line that starts with an exclamation mark or a hash sign is a comment and it will be ignored by the filtering engine. Comments are usually placed above rules and used to describe what a rule does.

Example:

! This is a comment.
# This is also a comment.

Rule modifiers

You can change the behavior of a rule by adding modifiers. Modifiers must be located at the end of the rule after the $ character and be separated by commas.

Examples:

  • ||example.org^$important

    ||example.org^ is the matching pattern. $ is the delimiter, which signals that the rest of the rule are modifiers. important is the modifier.

  • You may want to use multiple modifiers in a rule. In that case, separate them by commas:

    ||example.org^$client=127.0.0.1,dnstype=A

    ||example.org^ is the matching pattern. $ is the delimiter, which signals that the rest of the rule are modifiers. client=127.0.0.1 is the client modifier with its value, 127.0.0.1. , is the delimiter between modifiers. And finally, dnstype=A is the dnstype modifier with its value, A.

NOTE: If a rule contains a modifier not listed in this document, the whole rule must be ignored. This way we avoid false-positives when people are trying to use unmodified browser ad blockers' filter lists like EasyList or EasyPrivacy.

client

The client modifier allows specifying clients this rule is applied to. There are two main ways to identify a client:

  • By their IP address or CIDR prefix. This way works for all kinds of clients.

  • By their name. This way only works for persistent clients (in AdGuard Home) and devices (in Private AdGuard DNS), which you have manually added.

    NOTE: In AdGuard Home, ClientIDs are not currently supported, only names are. If you have added a client with the name “My Client” and ClientID my-client spell your modifier as $client='My Client' as opposed to $client=my-client.

The syntax is:

$client=value1|value2|...

You can also exclude clients by adding a ~ character before the value. In this case, the rule is not be applied to this client's DNS requests.

$client=~value1

Client names usually contain spaces or other special characters, which is why you should enclose the name in quotes. Both single and double ASCII quotes are supported. Use the backslash (\) to escape quotes (" and '), commas (,), and pipes (|).

NOTE: When excluding a client, you must place ~ outside the quotes.

Examples:

  • @@||*^$client=127.0.0.1: unblock everything for localhost.

  • ||example.org^$client='Frank\'s laptop': block example.org for the client named Frank's laptop only. Note that quote (') in the name must be escaped.

  • ||example.org^$client=~'Mary\'s\, John\'s\, and Boris\'s laptops': block example.org for everyone except for the client named Mary's, John's, and Boris's laptops. Note that comma (,) must be escaped as well.

  • ||example.org^$client=~Mom|~Dad|Kids: block example.org for Kids, but not for Mom and Dad. This example demonstrates how to specify multiple clients in one rule.

  • ||example.org^$client=192.168.0.0/24: block example.org for all clients with IP addresses in the range from 192.168.0.0 to 192.168.0.255.

denyallow

You can use the denyallow modifier to exclude domains from the blocking rule. To add multiple domains to one rule, use the | character as a separator.

The syntax is:

$denyallow=domain1|domain2|...

This modifier allows avoiding creating unnecessary exception rules when our blocking rule covers too many domains. You may want to block everything except for a couple of TLD domains. You could use the standard approach, i.e. rules like this:

! Block everything.
/.*/

! Unblock a couple of TLDs.
@@||com^
@@||net^

The problem with this approach is that this way you will also unblock tracking domains that are located on those TLDs (i.e. google-analytics.com). Here's how to solve this with denyallow:

*$denyallow=com|net

Examples:

  • *$denyallow=com|net: block everything except for *.com and *.net.

  • @@*$denyallow=com|net: unblock everything except for *.com and *.net.

  • ||example.org^$denyallow=sub.example.org. block example.org and *.example.org but don't block sub.example.org.

dnstype

The dnstype modifier allows specifying DNS request or response type on which this rule will be triggered.

The syntax is:

$dnstype=value1|value2|...
$dnstype=~value1|~value2|~...

The names of the types are case-insensitive, but are validated against a set of actual DNS resource record (RR) types.

Do not combine exclusion rules with inclusion ones. This:

$dnstype=~value1|value2

is equivalent to this:

$dnstype=value2

Examples:

  • ||example.org^$dnstype=AAAA: block DNS queries for the IPv6 addresses of example.org.

  • ||example.org^$dnstype=~A|~CNAME: only allow A and CNAME DNS queries for example.org, block out the rest.

NOTE: Before version v0.108.0, AdGuard Home would use the type of the request to filter the response records, as opposed to the type of the response record itself. That caused issues, since that meant that you could not write rules that would allow certain CNAME records in responses in A and AAAA requests. In v0.108.0 that behaviour was changed, so now this:

||canon.example.com^$dnstype=~CNAME

allows you to avoid filtering of the following response:

ANSWERS:
-> example.com
canonical name = canon.example.com.
ttl = 60
-> canon.example.com
internet address = 1.2.3.4
ttl = 60

dnsrewrite

The dnsrewrite response modifier allows replacing the content of the response to the DNS request for the matching hosts. Note that this modifier in AdGuard Home works in all rules, but in Private AdGuard DNS — only in custom ones.

Rules with the dnsrewrite response modifier have higher priority than other rules in AdGuard Home.

The shorthand syntax is:

$dnsrewrite=1.2.3.4
$dnsrewrite=abcd::1234
$dnsrewrite=example.net
$dnsrewrite=REFUSED

The keywords MUST be in all caps (e.g. NOERROR). Keyword rewrites take precedence over the other and will result in an empty response with an appropriate response code.

The full syntax is of the form RCODE;RRTYPE;VALUE:

$dnsrewrite=NOERROR;A;1.2.3.4
$dnsrewrite=NOERROR;AAAA;abcd::1234
$dnsrewrite=NOERROR;CNAME;example.net
$dnsrewrite=REFUSED;;

The $dnsrewrite modifier with the NOERROR response code may also has empty RRTYPE and VALUE fields.

The CNAME one is special because AdGuard Home will resolve the host and add its info to the response. That is, if example.net has IP 1.2.3.4, and the user has this in their filter rules:

||example.com^$dnsrewrite=example.net
! Or:
||example.com^$dnsrewrite=NOERROR;CNAME;example.net

then the response will be something like:

nslookup example.com my.adguard.local
Server: my.adguard.local
Address: 127.0.0.1#53

Non-authoritative answer:
example.com canonical name = example.net.
Name: example.net
Address: 1.2.3.4

Next, the CNAME rewrite. After that, all other records' values are summed as one response, so this:

||example.com^$dnsrewrite=NOERROR;A;1.2.3.4
||example.com^$dnsrewrite=NOERROR;A;1.2.3.5

will result in a response with two A records.

Currently supported RR types with examples:

  • ||4.3.2.1.in-addr.arpa^$dnsrewrite=NOERROR;PTR;example.net. adds a PTR record for reverse DNS. Reverse DNS requests for 1.2.3.4 to the DNS server will result in example.net.

    NOTE: the IP MUST be in reverse order. See RFC 1035.

  • ||example.com^$dnsrewrite=NOERROR;A;1.2.3.4 adds an A record with the value 1.2.3.4.

  • ||example.com^$dnsrewrite=NOERROR;AAAA;abcd::1234 adds an AAAA record with the value abcd::1234.

  • ||example.com^$dnsrewrite=NOERROR;CNAME;example.org adds a CNAME record. See explanation above.

  • ||example.com^$dnsrewrite=NOERROR;HTTPS;32 example.com alpn=h3 adds an HTTPS record. Only a subset of parameter values is supported: values must be contiguous and, where a value-list is expected, only one value is currently supported:

    ipv4hint=127.0.0.1             // Supported.
    ipv4hint="127.0.0.1" // Unsupported.
    ipv4hint=127.0.0.1,127.0.0.2 // Unsupported.
    ipv4hint="127.0.0.1,127.0.0.2" // Unsupported.

    This will be changed in the future.

  • ||example.com^$dnsrewrite=NOERROR;MX;32 example.mail adds an MX record with precedence value 32 and exchange value example.mail.

  • ||example.com^$dnsrewrite=NOERROR;SVCB;32 example.com alpn=h3 adds a SVCB value. See the HTTPS example above.

  • ||example.com^$dnsrewrite=NOERROR;TXT;hello_world adds a TXT record with the value hello_world.

  • ||_svctype._tcp.example.com^$dnsrewrite=NOERROR;SRV;10 60 8080 example.com adds an SRV record with priority value 10, weight value 60, port8080, and target value example.com.

  • ||example.com^$dnsrewrite=NXDOMAIN;; responds with an NXDOMAIN code.

  • $dnstype=AAAA,denyallow=example.org,dnsrewrite=NOERROR;; responds with an empty NOERROR answers for all AAAA requests except the ones for example.org.

Exception rules unblock one or all rules:

  • @@||example.com^$dnsrewrite unblocks all DNS rewrite rules.

  • @@||example.com^$dnsrewrite=1.2.3.4 unblocks the DNS rewrite rule that adds an A record with the value 1.2.3.4.

important

The important modifier applied to a rule increases its priority over any other rule without the modifier. Even over basic exception rules.

Examples:

  • In this example:

    ||example.org^$important
    @@||example.org^

    ||example.org^$important will block all requests to *.example.org despite the exception rule.

  • In this example:

    ||example.org^$important
    @@||example.org^$important

    the exception rule also has the important modifier, so it will work.

badfilter

The rules with the badfilter modifier disable other basic rules to which they refer. It means that the text of the disabled rule should match the text of the badfilter rule (without the badfilter modifier).

Examples:

  • ||example.com$badfilter disables ||example.com.

  • @@||example.org^$badfilter disables @@||example.org^.

    NOTE: The badfilter modifier currently doesn't work with /etc/hosts-style rules. 127.0.0.1 example.org$badfilter will not disable the original 127.0.0.1 example.org rule.

ctag

The ctag modifier can only be used in AdGuard Home.

It allows to block domains only for specific types of DNS client tags. You can assign tags to clients in the AdGuard Home UI. In the future, we plan to assign tags automatically by analyzing the behavior of each client.

The syntax is:

$ctag=value1|value2|...

If one of client's tags matches the ctag values, this rule applies to the client. The syntax for exclusion is:

$ctag=~value1|~value2|...

If one of client's tags matches the exclusion ctag values, this rule doesn't apply to the client.

Examples:

  • ||example.org^$ctag=device_pc|device_phone: block example.org for clients tagged as device_pc or device_phone.

  • ||example.org^$ctag=~device_phone: block example.org for all clients except those tagged as device_phone.

The list of allowed tags:

  • By device type:

    • device_audio: audio devices.
    • device_camera: cameras.
    • device_gameconsole: game consoles.
    • device_laptop: laptops.
    • device_nas: NAS (Network-attached Storages).
    • device_pc: PCs.
    • device_phone: phones.
    • device_printer: printers.
    • device_securityalarm: security alarms.
    • device_tablet: tablets.
    • device_tv: TVs.
    • device_other: other devices.
  • By operating system:

    • os_android: Android.
    • os_ios: iOS.
    • os_linux: Linux.
    • os_macos: macOS.
    • os_windows: Windows.
    • os_other: other OSes.
  • By user group:

    • user_admin: administrators.
    • user_regular: regular users.
    • user_child: children.

/etc/hosts-style syntax

For each host a single line should be present with the following information:

IP_address canonical_hostname [aliases...]

Fields of the entries are separated by any number of space or tab characters. Text from the # character until the end of the line is a comment and is ignored.

Hostnames may contain only alphanumeric characters, hyphen-minus signs (-), and periods (.). They must begin with an alphabetic character and end with an alphanumeric character. Optional aliases provide for name changes, alternate spellings, shorter hostnames, or generic hostnames (for example, localhost).

Example:

# This is a comment
127.0.0.1 example.org example.info
127.0.0.1 example.com
127.0.0.1 example.net # this is also a comment

In AdGuard Home, the IP addresses are used to respond to DNS queries for these domains. In Private AdGuard DNS, these addresses are simply blocked.

Domains-only syntax

A simple list of domain names, one name per line.

Example:

# This is a comment
example.com
example.org
example.net # this is also a comment

If a string is not a valid domain (e.g. *.example.org), AdGuard Home will consider it to be an Adblock-style syntax rule.

Hostlist compiler

If you are maintaining a blocklist and use different sources in it, Hostlist compiler may be useful to you. It is a simple tool that makes it easier to compile a hosts blocklist compatible with AdGuard Home, Private AdGuard DNS or any other AdGuard product with DNS filtering.

What it's capable of:

  1. Compile a single blocklist from multiple sources.

  2. Exclude the rules you don't need.

  3. Cleanup the resulting list: deduplicate, remove invalid rules, and compress the list.
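
Review bot: In the dnsrewrite section, the paragraph beginning "Next, the CNAME rewrite. After that, all other records' values are summed as one response" has lost the sentence that starts the ordering; the only earlier statement is that keyword rewrites take precedence, so the application order should be written out in one place (keywords, then CNAME, then the remaining records). The client examples also use "$client=~Mom|~Dad|Kids", which mixes exclusions with an inclusion, while the dnstype section says not to combine them because "$dnstype=~value1|value2" is equivalent to "$dnstype=value2"; the text should say whether client and ctag follow the same rule, since a reader who assumes one behaviour for the other modifier ends up with a rule that applies to the wrong clients. Wording to fix while here: "the rule is not be applied", "may also has empty RRTYPE and VALUE fields", "port8080", and the full stop instead of a colon after "||example.org^$denyallow=sub.example.org".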

- + \ No newline at end of file diff --git a/general/dns-filtering/index.html b/general/dns-filtering/index.html index e16d10cc2..055d6f0d2 100644 --- a/general/dns-filtering/index.html +++ b/general/dns-filtering/index.html @@ -4,14 +4,14 @@ DNS filtering | AdGuard DNS Knowledge Base - +

DNS filtering

info

The easiest way to explore the benefits of DNS filtering is to install AdGuard Ad Blocker or try AdGuard DNS. If you want to filter DNS at the network level, AdGuard Home is your tool

Quick links: Download AdGuard Ad Blocker, Get AdGuard Home, Try AdGuard DNS

To better understand DNS filtering, first, we should answer the question "What is DNS?".

What is DNS?

DNS stands for "Domain Name System", and its purpose is to translate websites' names into something browsers can understand, i.e. IP addresses. Thus, each time you go to a website, your browser sends a request to a special type of server (DNS server). That server looks at the requested domain name and replies with a corresponding IP address. Very schematically it can be represented like this:

How DNS works

The same applies, of course, to all apps and programs that send any web requests, not just browsers.

How does DNS filtering work?

When you use one of the AdGuard apps that supports DNS filtering, it acts as a buffer between your device and the DNS server. All DNS requests that your browsers or apps are about to send first get processed by AdGuard. If you're using the default DNS server provided by your ISP, your DNS traffic is likely not encrypted and vulnerable to snooping and hijacking. AdGuard will encrypt all your DNS requests before they leave your device, so that no malefactor could get access to their contents. On top of that, AdGuard can identify requests to ad, tracking, and/or adult domains and redirect them to a "blackhole" instead of forwarding them to the DNS server. More on that later.

How DNS filtering works

DNS filtering is a powerful tool and it's supported by all major AdGuard apps: AdGuard for Windows, AdGuard for Mac, AdGuard for Android and AdGuard for iOS.

DNS filtering can be broken down into two separate functions: to encrypt and reroute DNS traffic to DNS servers, and to block some domains locally by applying DNS blocklists.

DNS servers

There are thousands of DNS servers to choose from, and they are all unique in their properties and purposes. Most simply return the IP address of the requested domain, but some have additional functions: they block ad, tracking, adult domains and so on. Nowadays all major DNS servers employ one or more reliable encryption protocols: DNS-over-HTTPS, DNS-over-TLS. AdGuard also provides a DNS service, and it was the world's first to offer the brand new and very promising DNS-over-QUIC encryption protocol. AdGuard has different servers for different goals. This diagram illustrates how AdGuard blocking servers work:

AdGuard DNS

Other DNS providers may work differently, so learn more about them before committing to this or that DNS server. You can find the list of some of the most popular DNS providers in this article. All AdGuard apps that support DNS functionality also have a list of DNS servers to choose from, or even allow to select any custom DNS server that you'd like.

Local DNS blocklists

But by relying on DNS servers only to filter your DNS traffic you lose all flexibility. If the selected server blocks a domain, you can't access it. With AdGuard, you don't even need to configure any specific DNS server to filter DNS traffic. All AdGuard products let you employ DNS blocklists, be it simple hosts files or lists that use more advanced syntax. They work similarly to regular blocklists: when a DNS request matches one of the rules in the active filter list, it gets blocked. To be more precise, the DNS server gives a non-routable IP address for such a request.

tip

In AdGuard for iOS, first you have to enable Advanced mode in Settings in order to get access to DNS blocking.

You can add as many custom blocklists as you wish. For instance, you can use AdGuard DNS filter. It quite literally blocks everything that AdGuard DNS server does, but in this case you are free to use any other DNS server. Plus, this way you can add more filters or create custom exception rules, all of which would be impossible with a simple "use a blocking DNS server" setup.

There are hundreds of different DNS blocklists, you can look for them here.

DNS filtering vs. network filtering

Network filtering is what we call the 'regular' way AdGuard standalone apps process network traffic, hence the name. Feel free to brush up on it by reading this article.

First of all, we have to mention that with AdGuard you don't have to choose. You can always use both regular network filtering and DNS filtering at the same time. However, it's important to understand key differences between the two. DNS filtering has both its unique advantages and drawbacks:

Pros of DNS filtering:

  1. On some platforms, this is the only way to achieve system-wide filtering. For example, on iOS only the Safari browser supports content blocking in the familiar sense, for everything else there's only DNS filtering.
  2. Some forms of tracking (like CNAME-cloaked tracking) can only be dealt with by DNS filtering.
  3. The stage of processing a DNS request is the earliest you could possibly deal with an ad or a tracker, this helps save a little bit of battery life and traffic.

Cons of DNS filtering:

  1. DNS filtering is "coarse", which means it doesn't remove whitespace left behind a blocked ad or apply any sorts of cosmetic filtering. Many of the more complicated ads can't be blocked on DNS-level (or rather, they can, but only by blocking the entire domains which are being used for other purposes).

    Example of difference An example of the difference between DNS filtering and network filtering

  2. It's not possible to know the origin of a DNS request, which means you can't distinguish between different apps on the DNS-level. This impacts the statistics negatively and makes it impossible to create app-specific filtering rules.

We recommend using DNS filtering in addition to network filtering, not instead of it, whenever possible.
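
Review bot: "AdGuard will encrypt all your DNS requests before they leave your device" in "How does DNS filtering work?" is stated unconditionally, but the "DNS servers" section describes encryption as a property of the protocols the chosen server supports (DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC), so a reader can come away believing queries are encrypted whatever upstream is selected. Suggest qualifying the sentence to say that encryption applies when an encrypted protocol is configured. In "Local DNS blocklists", "the DNS server gives a non-routable IP address for such a request" should name which component answers, because that section is about rules applied locally without configuring a specific DNS server.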

- + \ No newline at end of file diff --git a/general/dns-providers/index.html b/general/dns-providers/index.html index 72505f4bb..19ef916d9 100644 --- a/general/dns-providers/index.html +++ b/general/dns-providers/index.html @@ -4,7 +4,7 @@ Known DNS Providers | AdGuard DNS Knowledge Base - + @@ -12,7 +12,7 @@

Known DNS Providers

info

Here we suggest a list of trusted DNS providers. To use them, first install AdGuard Ad Blocker or AdGuard VPN on your device. Then, on the same device, click the link to a provider in this article

Quick links: Download AdGuard Ad Blocker, Download AdGuard VPN

Public anycast resolvers

These are globally distributed, large-scale DNS resolvers that use anycast routing to direct your DNS queries to the nearest data center.

AdGuard DNS

AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the necessary number of protection features against online ads, trackers, and phishing, no matter what platform and device you use.

Default

These servers block ads, tracking, and phishing.

ProtocolAddress
DNS, IPv494.140.14.14 and 94.140.15.15Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a10:50c0::ad1:ff and 2a10:50c0::ad2:ffAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://dns.adguard-dns.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dns.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://dns.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt.default.ns1.adguard.com IP: 94.140.14.14:5443Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt.default.ns1.adguard.com IP: [2a10:50c0::ad1:ff]:5443Add to AdGuard

Family Protection

These servers provide the Default features + Blocking adult websites + Safe search.

ProtocolAddress
DNS, IPv494.140.14.15 and 94.140.15.16Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a10:50c0::bad1:ff and 2a10:50c0::bad2:ffAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://family.adguard-dns.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://family.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://family.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt.family.ns1.adguard.com IP: 94.140.14.15:5443Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt.family.ns1.adguard.com IP: [2a10:50c0::bad1:ff]:5443Add to AdGuard

Non-filtering

Each of these servers provides a secure and reliable connection, but unlike the "Standard" and "Family Protection" servers, they don't filter anything.

ProtocolAddress
DNS, IPv494.140.14.140 and 94.140.14.141Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a10:50c0::1:ff and 2a10:50c0::2:ffAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://unfiltered.adguard-dns.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://unfiltered.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://unfiltered.adguard-dns.comAdd to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt.unfiltered.ns1.adguard.com IP: 94.140.14.140:5443Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt.unfiltered.ns1.adguard.com IP: [2a10:50c0::1:ff]:5443Add to AdGuard

Ali DNS

Ali DNS is a free recursive DNS service that committed to providing fast, stable and secure DNS resolution for the majority of Internet users. It includes AliGuard facility to protect users from various attacks and threats.

ProtocolAddress
DNS, IPv4223.5.5.5 and 223.6.6.6Add to AdGuard, Add to AdGuard VPN
DNS, IPv62400:3200::1 and 2400:3200:baba::1Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://dns.alidns.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dns.alidns.comAdd to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://dns.alidns.com:853Add to AdGuard, Add to AdGuard VPN

BebasDNS by BebasID

BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection.

Default

This is the default variant of BebasDNS. This variant blocks ads, malware, and phishing domains.

ProtocolAddress
DNS-over-HTTPShttps://dns.bebasid.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dns.bebasid.com:853Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.dns.bebasid.com IP: 103.87.68.194:8443Add to AdGuard

Unfiltered

This variant doesn't filter anything.

ProtocolAddress
DNS-over-HTTPShttps://dns.bebasid.com/unfilteredAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://unfiltered.dns.bebasid.com:853Add to AdGuard, Add to AdGuard VPN

Security

This is the security/antivirus variant of BebasDNS. This variant only blocks malware, and phishing domains.

ProtocolAddress
DNS-over-HTTPShttps://antivirus.bebasid.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://antivirus.bebasid.com:853Add to AdGuard, Add to AdGuard VPN

Family

This is the family variant of BebasDNS. This variant blocks pornography, gambling, hate site, blocks malware, and phishing domains.

ProtocolAddress
DNS-over-HTTPShttps://internetsehat.bebasid.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://internetsehat.bebasid.com:853Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.internetsehat.bebasid.com IP: 103.87.68.196:8443Add to AdGuard

Family With Ad Filtering

This is the family variant of BebasDNS but with adblocker

ProtocolAddress
DNS-over-HTTPShttps://internetsehat.bebasid.com/adblockAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://family-adblock.bebasid.com:853Add to AdGuard, Add to AdGuard VPN

OISD Filter

This is a custom BebasDNS variant with only OISD Big filter

ProtocolAddress
DNS-over-HTTPShttps://dns.bebasid.com/dns-oisdAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://oisd.dns.bebasid.com:853Add to AdGuard, Add to AdGuard VPN

Hagezi Multi Normal Filter

This is a custom BebasDNS variant with only Hagezi Multi Normal filter

ProtocolAddress
DNS-over-HTTPShttps://dns.bebasid.com/dns-hageziAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://hagezi.dns.bebasid.com:853Add to AdGuard, Add to AdGuard VPN

0ms DNS

DNS is a global DNS resolution service provided by 0ms Group as an alternative to your current DNS provider.

It uses OISD Big as the basic filter to give everyone a more secure environment. It is designed with various optimizations, such as HTTP/3, caching, and more. It leverages machine learning to protect users from potential security threats while also optimizing itself over time.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://0ms.dev/dns-query | Add to AdGuard, Add to AdGuard VPN |

CFIEC Public DNS

IPv6-based anycast DNS service with strong security capabilities and protection from spyware and malicious websites. It supports DNS64 to provide domain name resolution only for IPv6 users.

| Protocol | Address | |
|---|---|---|
| DNS, IPv6 | 240C::6666 and 240C::6644 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.cfiec.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.cfiec.net | Add to AdGuard, Add to AdGuard VPN |

Cisco OpenDNS

Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with zero downtime.

Standard

DNS servers with custom filtering that protects your device from malware.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 208.67.222.222 and 208.67.220.220 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:119:35::35 and 2620:119:53::53 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.opendns.com IP: 208.67.220.220 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.opendns.com IP: [2620:0:ccc::2] | Add to AdGuard |
| DNS-over-HTTPS | https://doh.opendns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.opendns.com | Add to AdGuard, Add to AdGuard VPN |

FamilyShield

OpenDNS servers that provide adult content blocking.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 208.67.222.123 and 208.67.220.123 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.opendns.com IP: 208.67.220.123 | Add to AdGuard |
| DNS-over-HTTPS | https://doh.familyshield.opendns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://familyshield.opendns.com | Add to AdGuard, Add to AdGuard VPN |

Sandbox

Non-filtering OpenDNS servers.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 208.67.222.2 and 208.67.220.2 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:0:ccc::2 IP: 2620:0:ccd::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.sandbox.opendns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://sandbox.opendns.com | Add to AdGuard, Add to AdGuard VPN |

OpenDNS's servers remove the AUTHORITY sections from certain responses, including those with NODATA, which makes caching such responses impossible.

CleanBrowsing

CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content.

Family Filter

Blocks access to all adult, pornographic and explicit sites, including proxy & VPN domains and mixed content sites.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 185.228.168.168 and 185.228.169.168 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a0d:2a00:1:: and 2a0d:2a00:2:: | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: cleanbrowsing.org IP: 185.228.168.168:8443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: cleanbrowsing.org IP: [2a0d:2a00:1::]:8443 | Add to AdGuard |
| DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/family-filter/ | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://family-filter-dns.cleanbrowsing.org | Add to AdGuard, Add to AdGuard VPN |

Adult Filter

Less restrictive than the Family filter, it only blocks access to adult content and malicious and phishing domains.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 185.228.168.10 and 185.228.169.11 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a0d:2a00:1::1 and 2a0d:2a00:2::1 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: cleanbrowsing.org IP: 185.228.168.10:8443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: cleanbrowsing.org IP: [2a0d:2a00:1::1]:8443 | Add to AdGuard |
| DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/adult-filter/ | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://adult-filter-dns.cleanbrowsing.org | Add to AdGuard, Add to AdGuard VPN |

Security Filter

Blocks phishing, spam and malicious domains.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 185.228.168.9 and 185.228.169.9 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a0d:2a00:1::2 and 2a0d:2a00:2::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/security-filter/ | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://security-filter-dns.cleanbrowsing.org | Add to AdGuard, Add to AdGuard VPN |

Cloudflare DNS

Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet.

Standard

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 1.1.1.1 and 1.0.0.1 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2606:4700:4700::1111 and 2606:4700:4700::1001 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS, IPv4 | https://dns.cloudflare.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS, IPv6 | https://dns.cloudflare.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://one.one.one.one | Add to AdGuard, Add to AdGuard VPN |

Malware blocking only

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 1.1.1.2 and 1.0.0.2 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2606:4700:4700::1112 and 2606:4700:4700::1002 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://security.cloudflare-dns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://security.cloudflare-dns.com | Add to AdGuard, Add to AdGuard VPN |

Malware and adult content blocking

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 1.1.1.3 and 1.0.0.3 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2606:4700:4700::1113 and 2606:4700:4700::1003 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS, IPv4 | https://family.cloudflare-dns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://family.cloudflare-dns.com | Add to AdGuard, Add to AdGuard VPN |

Comodo Secure DNS

Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through a worldwide network of DNS servers. It removes excessive ads and protects from phishing and spyware.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 8.26.56.26 and 8.20.247.20 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.shield-2.dnsbycomodo.com IP: 8.20.247.2 | Add to AdGuard |

ControlD

ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services.

Non-filtering

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 76.76.2.0 and 76.76.10.0 | Add to AdGuard, Add to AdGuard VPN |
| IPv6 | 2606:1a40:: and 2606:1a40:1:: | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://freedns.controld.com/p0 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | p0.freedns.controld.com | Add to AdGuard, Add to AdGuard VPN |

Block malware

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 76.76.2.1 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://freedns.controld.com/p1 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://p1.freedns.controld.com | Add to AdGuard, Add to AdGuard VPN |

Block malware + ads

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 76.76.2.2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://freedns.controld.com/p2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://p2.freedns.controld.com | Add to AdGuard, Add to AdGuard VPN |

Block malware + ads + social

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 76.76.2.3 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://freedns.controld.com/p3 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://p3.freedns.controld.com | Add to AdGuard, Add to AdGuard VPN |

DeCloudUs DNS

DeCloudUs DNS is a DNS service that lets you block anything you wish while by default protecting you and your family from ads, trackers, malware, phishing, malicious sites, and much more.

| Protocol | Address | |
|---|---|---|
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.DeCloudUs-test IP: 78.47.212.211:9443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.DeCloudUs-test IP: [2a01:4f8:13a:250b::30]:9443 | Add to AdGuard |
| DNS-over-HTTPS | https://dns.decloudus.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.decloudus.com | Add to AdGuard, Add to AdGuard VPN |

DNS Privacy

A collaborative open project to promote, implement, and deploy DNS Privacy.

DNS servers run by the Stubby developers

| Protocol | Address | |
|---|---|---|
| DNS-over-TLS | Hostname: tls://getdnsapi.net IP: 185.49.141.37 and IPv6: 2a04:b900:0:100::37 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: Surfnet Hostname: tls://dnsovertls.sinodun.com IP: 145.100.185.15 and IPv6: 2001:610:1:40ba:145:100:185:15 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: Surfnet Hostname: tls://dnsovertls1.sinodun.com IP: 145.100.185.16 and IPv6: 2001:610:1:40ba:145:100:185:16 | Add to AdGuard, Add to AdGuard VPN |

Other DNS servers with no-logging policy

| Protocol | Address | |
|---|---|---|
| DNS-over-TLS | Provider: UncensoredDNS Hostname: tls://unicast.censurfridns.dk IP: 89.233.43.71 and IPv6: 2a01:3a0:53:53::0 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: UncensoredDNS Hostname: tls://anycast.censurfridns.dk IP: 91.239.100.100 and IPv6: 2001:67c:28a4:: | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: dkg Hostname: tls://dns.cmrg.net IP: 199.58.81.218 and IPv6: 2001:470:1c:76d::53 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS, IPv4 | Hostname: tls://dns.larsdebruin.net IP: 51.15.70.167 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://dns-tls.bitwiseshift.net IP: 81.187.221.24 and IPv6: 2001:8b0:24:24::24 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://ns1.dnsprivacy.at IP: 94.130.110.185 and IPv6: 2a01:4f8:c0c:3c03::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://ns2.dnsprivacy.at IP: 94.130.110.178 and IPv6: 2a01:4f8:c0c:3bfc::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS, IPv4 | Hostname: tls://dns.bitgeek.in IP: 139.59.51.46 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://dns.neutopia.org IP: 89.234.186.112 and IPv6: 2a00:5884:8209::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: Go6Lab Hostname: tls://privacydns.go6lab.si and IPv6: 2001:67c:27e4::35 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://dot.securedns.eu IP: 146.185.167.43 and IPv6: 2a03:b0c0:0:1010::e9a:3001 | Add to AdGuard, Add to AdGuard VPN |

DNS servers with minimal logging/restrictions

These servers use some logging or self-signed certificates, or lack support for strict mode.

| Protocol | Address | |
|---|---|---|
| DNS-over-TLS | Provider: NIC Chile Hostname: dnsotls.lab.nic.cl IP: 200.1.123.46 and IPv6: 2001:1398:1:0:200:1:123:46 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Provider: OARC Hostname: tls-dns-u.odvr.dns-oarc.net IP: 184.105.193.78 and IPv6: 2620:ff:c000:0:1::64:25 | Add to AdGuard, Add to AdGuard VPN |

DNS.SB

DNS.SB provides free DNS service without logging and with DNSSEC enabled.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 185.222.222.222 and 45.11.45.11 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a09:: and 2a11:: | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.dns.sb/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dot.sb | Add to AdGuard, Add to AdGuard VPN |

DNSPod Public DNS+

DNSPod Public DNS+ is a privacy-friendly DNS provider with years of experience in developing domain name resolution services. It aims to provide users with a more rapid, accurate and stable recursive resolution service.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 119.29.29.29 and 119.28.28.28 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.pub/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.pub/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dot.pub | Add to AdGuard, Add to AdGuard VPN |

DNSWatchGO

DNSWatchGO is a DNS service by WatchGuard that prevents people from interacting with malicious content.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 54.174.40.213 and 52.3.100.184 | Add to AdGuard, Add to AdGuard VPN |

Dyn DNS

Dyn DNS is a free alternative DNS service by Dyn.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 216.146.35.35 and 216.146.36.36 | Add to AdGuard, Add to AdGuard VPN |

Freenom World

Freenom World is a free anonymous DNS resolver by Freenom World.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 80.80.80.80 and 80.80.81.81 | Add to AdGuard, Add to AdGuard VPN |

Google DNS

Google DNS is a free, global DNS resolution service that you can use as an alternative to your current DNS provider.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 8.8.8.8 and 8.8.4.4 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2001:4860:4860::8888 and 2001:4860:4860::8844 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.google/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.google | Add to AdGuard, Add to AdGuard VPN |

Hurricane Electric Public Recursor

Hurricane Electric Public Recursor is a free alternative DNS service by Hurricane Electric with anycast.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 74.82.42.42 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2001:470:20::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://ordns.he.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://ordns.he.net | Add to AdGuard, Add to AdGuard VPN |

Mullvad

Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York).

Non-filtering

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Ad blocking

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://adblock.dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://adblock.dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Ad + malware blocking

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://base.dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://base.dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Ad + malware + social media blocking

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://extended.dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://extended.dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Ad + malware + adult + gambling blocking

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://family.dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://family.dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Ad + malware + adult + gambling + social media blocking

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://all.dns.mullvad.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://all.dns.mullvad.net | Add to AdGuard, Add to AdGuard VPN |

Nawala Childprotection DNS

Nawala Childprotection DNS is an anycast Internet filtering system that protects children from inappropriate websites and abusive content.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 180.131.144.144 and 180.131.145.145 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.nawala.id IP: 180.131.144.144 | Add to AdGuard |

Neustar Recursive DNS

Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence.

Reliability & Performance 1

These servers provide reliable and fast DNS lookups without blocking any specific categories.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 156.154.70.1 and 156.154.71.1 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2610:a1:1018::1 and 2610:a1:1019::1 | Add to AdGuard, Add to AdGuard VPN |

Reliability & Performance 2

These servers provide reliable and fast DNS lookups without blocking any specific categories and also prevent redirecting NXDomain (non-existent domain) responses to landing pages.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 156.154.70.5 and 156.154.71.5 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2610:a1:1018::5 and 2610:a1:1019::5 | Add to AdGuard, Add to AdGuard VPN |

Threat Protection

These servers provide protection against malicious domains and also include "Reliability & Performance" features.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 156.154.70.2 and 156.154.71.2 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2610:a1:1018::2 and 2610:a1:1019::2 | Add to AdGuard, Add to AdGuard VPN |

Family Secure

These servers provide adult content blocking and also include "Reliability & Performance" + "Threat Protection" features.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 156.154.70.3 and 156.154.71.3 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2610:a1:1018::3 and 2610:a1:1019::3 | Add to AdGuard, Add to AdGuard VPN |

Business Secure

These servers block unwanted and time-wasting content and also include "Reliability & Performance" + "Threat Protection" + "Family Secure" features.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 156.154.70.4 and 156.154.71.4 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2610:a1:1018::4 and 2610:a1:1019::4 | Add to AdGuard, Add to AdGuard VPN |

NextDNS

NextDNS provides publicly accessible non-filtering resolvers without logging in addition to its freemium configurable filtering resolvers with optional logging.

Ultra-low latency

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://dns.nextdns.io | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.nextdns.io | Add to AdGuard, Add to AdGuard VPN |

Anycast

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://anycast.dns.nextdns.io | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://anycast.dns.nextdns.io | Add to AdGuard, Add to AdGuard VPN |

OpenBLD.net DNS

OpenBLD.net DNS — Anycast/GeoDNS DNS-over-HTTPS, DNS-over-TLS resolvers with blocking: advertising, tracking, adware, malware, malicious activities and phishing companies, blocks ~1M domains. Has 24h/48h logs for DDoS/Flood attack mitigation.

Adaptive Filtering (ADA)

Recommended for most users. Very flexible filtering that blocks most ad networks, ad-tracking, malware and phishing domains.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://ada.openbld.net/dns-query | Add to AdGuard |
| DNS-over-TLS | tls://ada.openbld.net | Add to AdGuard |

Strict Filtering (RIC)

Stricter filtering policies that block ads, marketing, tracking, clickbait, coinhive, malicious, and phishing domains.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://ric.openbld.net/dns-query | Add to AdGuard |
| DNS-over-TLS | tls://ric.openbld.net | Add to AdGuard |

dns0.eu

dns0.eu is a free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 193.110.81.0 and 185.253.5.0 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://zero.dns0.eu/ | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://zero.dns0.eu | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-QUIC | quic://zero.dns0.eu | Add to AdGuard, Add to AdGuard VPN |

Quad9 DNS

Quad9 DNS is a free, recursive, anycast DNS platform that provides high-performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component.

Standard

Regular DNS servers which provide protection from phishing and spyware. They include blocklists, DNSSEC validation, and other security features.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 9.9.9.9 and 149.112.112.112 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:fe::fe IP: 2620:fe::fe:9 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 9.9.9.9:8443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::fe]:8443 | Add to AdGuard |
| DNS-over-HTTPS | https://dns.quad9.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.quad9.net | Add to AdGuard, Add to AdGuard VPN |

Unsecured

Unsecured DNS servers don't provide security blocklists, DNSSEC, or EDNS Client Subnet.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 9.9.9.10 and 149.112.112.10 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:fe::10 IP: 2620:fe::fe:10 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 9.9.9.10:8443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::fe:10]:8443 | Add to AdGuard |
| DNS-over-HTTPS | https://dns10.quad9.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns10.quad9.net | Add to AdGuard, Add to AdGuard VPN |

ECS support

EDNS Client Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. These servers provide a security blocklist, DNSSEC, and EDNS Client Subnet.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 9.9.9.11 and 149.112.112.11 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:fe::11 IP: 2620:fe::fe:11 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 9.9.9.11:8443 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::11]:8443 | Add to AdGuard |
| DNS-over-HTTPS | https://dns11.quad9.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns11.quad9.net | Add to AdGuard, Add to AdGuard VPN |

RethinkDNS

RethinkDNS provides DNS-over-HTTPS service running as Cloudflare Worker and DNS-over-TLS service running as Fly.io Worker with configurable blocklists.

Non-filtering

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://basic.rethinkdns.com/ | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://max.rethinkdns.com | Add to AdGuard, Add to AdGuard VPN |

Safe DNS

Safe DNS is a global anycast network which consists of servers located throughout the world — both Americas, Europe, Africa, Australia, and the Far East to ensure a fast and reliable DNS resolving from any point worldwide.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 195.46.39.39 and 195.46.39.40 | Add to AdGuard, Add to AdGuard VPN |

Safe Surfer

Safe Surfer is a DNS service that blocks 50+ categories like porn, ads, malware, and popular social media sites making web surfing safer.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 104.155.237.225 and 104.197.28.121 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.safesurfer.co.nz IP: 104.197.28.121 | Add to AdGuard |

360 Secure DNS

360 Secure DNS is an industry-leading recursive DNS service with advanced network security threat protection.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 101.226.4.6 and 218.30.118.6 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv4 | 123.125.81.6 and 140.207.198.6 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.360.cn/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dot.360.cn | Add to AdGuard, Add to AdGuard VPN |

Verisign Public DNS

Verisign Public DNS is a free DNS service that offers improved DNS stability and security over other alternatives. Verisign respects users' privacy: they neither sell public DNS data to third parties nor redirect users' queries to serve them ads.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 64.6.64.6 and 64.6.65.6 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:74:1b::1:1 and 2620:74:1c::2:2 | Add to AdGuard, Add to AdGuard VPN |

Wikimedia DNS

Wikimedia DNS is a caching, recursive, public DoH and DoT resolver service that is run and managed by the Site Reliability Engineering (Traffic) team at the Wikimedia Foundation on all six Wikimedia data centers with anycast.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://wikimedia-dns.org/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: wikimedia-dns.org IP: 185.71.138.138 and IPv6: 2001:67c:930::1 | Add to AdGuard, Add to AdGuard VPN |

Regional resolvers

Regional DNS resolvers are typically focused on specific geographic regions, offering optimized performance for users in those areas. These resolvers are often operated by non-profit organizations, local ISPs, or other entities.

Applied Privacy DNS

Applied Privacy DNS operates DNS privacy services to help protect DNS traffic and to help diversify the DNS resolver landscape offering modern protocols.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://doh.applied-privacy.net/query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dot1.applied-privacy.net | Add to AdGuard, Add to AdGuard VPN |

ByteDance Public DNS

ByteDance Public DNS is a free alternative DNS service by ByteDance in China. The only DNS currently provided by ByteDance supports IPv4. DoH, DoT, DoQ, and other encrypted DNS services will be launched soon.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 180.184.1.1 and 180.184.2.2 | Add to AdGuard, Add to AdGuard VPN |

CIRA Canadian Shield DNS

CIRA Shield DNS protects against theft of personal and financial data. Keep viruses, ransomware, and other malware out of your home.

Private

In "Private" mode, DNS resolution only.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 149.112.121.10 and 149.112.122.10 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:10A:80BB::10 and 2620:10A:80BC::10 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://private.canadianshield.cira.ca/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS — Private | Hostname: tls://private.canadianshield.cira.ca IP: 149.112.121.10 and IPv6: 2620:10A:80BB::10 | Add to AdGuard, Add to AdGuard VPN |

Protected

In "Protected" mode, malware and phishing protection.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 149.112.121.20 and 149.112.122.20 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:10A:80BB::20 and 2620:10A:80BC::20 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://protected.canadianshield.cira.ca/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS — Protected | Hostname: tls://protected.canadianshield.cira.ca IP: 149.112.121.20 and IPv6: 2620:10A:80BB::20 | Add to AdGuard, Add to AdGuard VPN |

Family

In "Family" mode, Protected + blocking adult content.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 149.112.121.30 and 149.112.122.30 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2620:10A:80BB::30 and 2620:10A:80BC::30 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://family.canadianshield.cira.ca/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS — Family | Hostname: tls://family.canadianshield.cira.ca IP: 149.112.121.30 and IPv6: 2620:10A:80BB::30 | Add to AdGuard, Add to AdGuard VPN |

Comss.one DNS

Comss.one DNS is a fast and secure DNS service with protection against ads, tracking, and phishing.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://dns.controld.com/comss | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://comss.dns.controld.com | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-QUIC | quic://comss.dns.controld.com | Add to AdGuard, Add to AdGuard VPN |

CZ.NIC ODVR

CZ.NIC ODVR are Open DNSSEC Validating Resolvers. CZ.NIC neither collects any personal data nor gathers information on pages where devices send personal data.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 193.17.47.1 and 185.43.135.1 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2001:148f:ffff::1 and 2001:148f:fffe::1 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://odvr.nic.cz/doh | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://odvr.nic.cz | Add to AdGuard, Add to AdGuard VPN |

Digitale Gesellschaft DNS

Digitale Gesellschaft is a public resolver operated by the Digital Society. Hosted in Zurich, Switzerland.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://dns.digitale-gesellschaft.ch/dns-query IP: 185.95.218.42 and IPv6: 2a05:fc84::42 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.digitale-gesellschaft.ch IP: 185.95.218.43 and IPv6: 2a05:fc84::43 | Add to AdGuard, Add to AdGuard VPN |

DNS for Family

DNS for Family aims to block adult websites. It enables children and adults to surf the Internet safely without worrying about being tracked by malicious websites.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://dns-doh.dnsforfamily.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns-dot.dnsforfamily.com | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv4 | 94.130.180.225 and 78.47.64.161 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a01:4f8:1c0c:40db::1 and 2a01:4f8:1c17:4df8::1 | Add to AdGuard, Add to AdGuard VPN |
| DNSCrypt, IPv4 | Provider: dnsforfamily.com IP: 94.130.180.225 | Add to AdGuard |
| DNSCrypt, IPv6 | Provider: dnsforfamily.com IP: [2a01:4f8:1c0c:40db::1] | Add to AdGuard |

Fondation Restena DNS

Restena DNS servers provided by Restena Foundation.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://kaitain.restena.lu/dns-query IP: 158.64.1.29 and IPv6: 2001:a18:1::29 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://kaitain.restena.lu IP: 158.64.1.29 and IPv6: 2001:a18:1::29 | Add to AdGuard, Add to AdGuard VPN |

114DNS

114DNS is a professional and high-reliability DNS service.

Normal

Block ads and annoying websites.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 114.114.114.114 and 114.114.115.115 | Add to AdGuard, Add to AdGuard VPN |

Safe

Blocks phishing, malicious and other unsafe websites.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 114.114.114.119 and 114.114.115.119 | Add to AdGuard, Add to AdGuard VPN |

Family

These servers block adult websites and inappropriate content.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 114.114.114.110 and 114.114.115.110 | Add to AdGuard, Add to AdGuard VPN |

IIJ.JP DNS

IIJ.JP is a public DNS service operated by Internet Initiative Japan. It also blocks child abuse content.

| Protocol | Address | |
|---|---|---|
| DNS-over-HTTPS | https://public.dns.iij.jp/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://public.dns.iij.jp | Add to AdGuard, Add to AdGuard VPN |

JupitrDNS

JupitrDNS is a free recursive DNS service that blocks ads, trackers, and malware. It has DNSSEC support and does not store logs.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 35.215.30.118 and 35.215.48.207 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.jupitrdns.com/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dns.jupitrdns.com | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-QUIC | quic://dns.jupitrdns.com | Add to AdGuard, Add to AdGuard VPN |

LibreDNS

LibreDNS is a public encrypted DNS service run by LibreOps.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 88.198.92.222 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.libredns.gr/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://doh.libredns.gr/ads | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://dot.libredns.gr IP: 116.202.176.26 | Add to AdGuard, Add to AdGuard VPN |

OneDNS

OneDNS is a secure, fast, free niche DNS service with malicious domains blocking facility.

Pure Edition

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 117.50.10.10 and 52.80.52.52 | Add to AdGuard, Add to AdGuard VPN |

Block Edition

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 117.50.11.11 and 52.80.66.66 | Add to AdGuard, Add to AdGuard VPN |

OpenNIC DNS

OpenNIC DNS is a free alternative DNS service by OpenNIC Project.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 217.160.70.42 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2001:8d8:1801:86e7::1 | Add to AdGuard, Add to AdGuard VPN |

This is just one of the available servers; the full list can be found here.

Quad101

Quad101 is a free alternative DNS service without logging by TWNIC (Taiwan Network Information Center).

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 101.101.101.101 and 101.102.103.104 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2001:de4::101 and 2001:de4::102 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.twnic.tw/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://101.101.101.101 | Add to AdGuard, Add to AdGuard VPN |

SkyDNS RU

SkyDNS solutions for content filtering and internet security.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 193.58.251.251 | Add to AdGuard, Add to AdGuard VPN |

SWITCH DNS

SWITCH DNS is a Swiss public DNS service provided by switch.ch.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | Provider: dns.switch.ch IP: 130.59.31.248 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | Provider: dns.switch.ch IPv6: 2001:620:0:ff::2 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://dns.switch.ch/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | Hostname: tls://dns.switch.ch IP: 130.59.31.248 and IPv6: 2001:620:0:ff::2 | Add to AdGuard, Add to AdGuard VPN |

Yandex DNS

Yandex.DNS is a free recursive DNS service. Yandex.DNS' servers are located in Russia, CIS countries, and Western Europe. Users' requests are processed by the nearest data center which provides high connection speeds.

Basic

In "Basic" mode, there is no traffic filtering.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 77.88.8.8 and 77.88.8.1 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://common.dot.dns.yandex.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://common.dot.dns.yandex.net | Add to AdGuard, Add to AdGuard VPN |

Safe

In "Safe" mode, protection from infected and fraudulent sites is provided.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 77.88.8.88 and 77.88.8.2 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://safe.dot.dns.yandex.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://safe.dot.dns.yandex.net | Add to AdGuard, Add to AdGuard VPN |

Family

In "Family" mode, protection from infected, fraudulent and adult sites is provided.

| Protocol | Address | |
|---|---|---|
| DNS, IPv4 | 77.88.8.3 and 77.88.8.7 | Add to AdGuard, Add to AdGuard VPN |
| DNS, IPv6 | 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11 | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-HTTPS | https://family.dot.dns.yandex.net/dns-query | Add to AdGuard, Add to AdGuard VPN |
| DNS-over-TLS | tls://family.dot.dns.yandex.net | Add to AdGuard, Add to AdGuard VPN |

Small personal resolvers

These are DNS resolvers usually run by enthusiasts or small groups. While they may lack the scale and redundancy of larger providers, they often prioritize privacy, transparency, or offer specialized features.

We won't be able to proper monitor their availability. Use them at your own risk.

AhaDNS

AhaDNS A zero-logging and ad-blocking DNS service provided by Fredrik Pettersson.

Netherlands

ProtocolAddress
DNS, IPv45.2.75.75Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a04:52c0:101:75::75Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://doh.nl.ahadns.net/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dot.nl.ahadns.netAdd to AdGuard, Add to AdGuard VPN

Los Angeles

ProtocolAddress
DNS, IPv445.67.219.208Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a04:bdc7:100:70::70Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://doh.la.ahadns.net/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dot.la.ahadns.netAdd to AdGuard, Add to AdGuard VPN

Arapurayil

Arapurayil is a personal DNS service hosted in Mumbai, India.

Non-logging | Filters ads, trackers, phishing, etc. | DNSSEC | QNAME Minimization | No EDNS Client Subnet.

ProtocolAddress
DNSCrypt, IPv4Host: 2.dnscrypt-cert.dns.arapurayil.com IP: 3.7.156.128Add to AdGuard
DNS-over-HTTPSHost: https://dns.arapurayil.com/dns-queryAdd to AdGuard, Add to AdGuard VPN

Captnemo DNS

Captnemo DNS is a server running off of a Digital Ocean droplet in BLR1 region. Maintained by Abhay Rana aka Nemo.

ProtocolAddress
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.captnemo.in IP: 139.59.48.222:4434Add to AdGuard

Dandelion Sprout's Official DNS Server

Dandelion Sprout's Official DNS Server is a personal DNS service hosted in Trondheim, Norway, using an AdGuard Home infrastructure.

Blocks more ads and malware than AdGuard DNS thanks to more advanced syntax, but goes easier on trackers, and blocks alt-right tabloids and most imageboards. Logging is used to improve its used filter lists (e.g. by unblocking sites that shouldn't have been blocked), and to determine the least bad times for server system updates.

ProtocolAddress
DNS-over-HTTPShttps://dandelionsprout.asuscomm.com:2501/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dandelionsprout.asuscomm.com:853Add to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://dandelionsprout.asuscomm.com:48582Add to AdGuard, Add to AdGuard VPN
DNS, IPv4Varies; see link above.
DNS, IPv6Varies; see link above.
DNSCrypt, IPv4Varies; see link above.

DNS Forge

DNS Forge is a redundant DNS resolver with an ad blocker and no logging provided by adminforge.

ProtocolAddress
DNS, IPv4176.9.93.198 and 176.9.1.117Add to AdGuard, Add to AdGuard VPN
DNS, IPv62a01:4f8:151:34aa::198 and 2a01:4f8:141:316d::117Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://dnsforge.de/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dnsforge.deAdd to AdGuard, Add to AdGuard VPN

dnswarden

ProtocolAddress
DNS-over-TLSuncensored.dns.dnswarden.comAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://dns.dnswarden.com/uncensoredAdd to AdGuard, Add to AdGuard VPN

You can also configure custom DNS server to block ads or filter adult content.

FFMUC DNS

FFMUC free DNS servers provided by Freifunk München.

ProtocolAddress
DNS-over-TLS, IPv4Hostname: tls://dot.ffmuc.netAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPS, IPv4Hostname: https://doh.ffmuc.net/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.ffmuc.net IP: 5.1.66.255:8443Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt-cert.ffmuc.net IP: [2001:678:e68:f000::]:8443Add to AdGuard

fvz DNS

fvz DNS is a Fusl's public primary OpenNIC Tier2 Anycast DNS Resolver.

ProtocolAddress
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.dnsrec.meo.ws IP: 185.121.177.177:5353Add to AdGuard
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.dnsrec.meo.ws IP: 169.239.202.202:5353Add to AdGuard

ibksturm DNS

ibksturm DNS testing servers provided by ibksturm. OPENNIC, DNSSEC, no filtering, no logging.

ProtocolAddress
DNS-over-TLS, IPv4Hostname: tls://ibksturm.synology.me IP: 213.196.191.96Add to AdGuard, Add to AdGuard VPN
DNS-over-QUIC, IPv4Hostname: quic://ibksturm.synology.me IP: 213.196.191.96Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPS, IPv4Hostname: https://ibksturm.synology.me/dns-query IP: 213.196.191.96Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.ibksturm IP: 213.196.191.96:8443Add to AdGuard

Lelux DNS

Lelux.fi is run by Elias Ojala, Finland.

ProtocolAddress
DNS-over-HTTPShttps://resolver-eu.lelux.fi/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://resolver-eu.lelux.fiAdd to AdGuard, Add to AdGuard VPN

OSZX DNS

OSZX DNS is a small Ad-Blocking DNS hobby project.

OSZX DNS

This service ia a small ad blocking DNS hobby project with D-o-H, D-o-T & DNSCrypt v2 support.

ProtocolAddress
DNS, IPv451.38.83.141Add to AdGuard, Add to AdGuard VPN
DNS, IPv62001:41d0:801:2000::d64Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.oszx.co IP: 51.38.83.141:5353Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt-cert.oszx.co IP: [2001:41d0:801:2000::d64]:5353Add to AdGuard
DNS-over-HTTPShttps://dns.oszx.co/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dns.oszx.coAdd to AdGuard, Add to AdGuard VPN

PumpleX

These servers provide no ad blocking, keep no logs, and have DNSSEC enabled.

ProtocolAddress
DNS, IPv451.38.82.198Add to AdGuard, Add to AdGuard VPN
DNS, IPv62001:41d0:801:2000::1b28Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.pumplex.com IP: 51.38.82.198:5353Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt-cert.pumplex.com IP: [2001:41d0:801:2000::1b28]:5353Add to AdGuard
DNS-over-HTTPShttps://dns.pumplex.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dns.pumplex.comAdd to AdGuard, Add to AdGuard VPN

Privacy-First DNS

Privacy-First DNS blocks over 140K ads, ad-tracking, malware and phishing domains. No logging, no ECS, DNSSEC validation, free!

Singapore DNS Server

ProtocolAddressLocation
DNS, IPv4174.138.21.128Add to AdGuard, Add to AdGuard VPN
DNS, IPv62400:6180:0:d0::5f6e:4001Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.dns.tiar.app IP: 174.138.21.128Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt-cert.dns.tiar.app IP: [2400:6180:0:d0::5f6e:4001]Add to AdGuard
DNS-over-HTTPShttps://doh.tiarap.org/dns-query (cached via third-party)Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://doh.tiar.app/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-QUICquic://doh.tiar.appAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://dot.tiar.appAdd to AdGuard, Add to AdGuard VPN

Japan DNS Server

ProtocolAddress
DNS, IPv4172.104.93.80Add to AdGuard, Add to AdGuard VPN
DNS, IPv62400:8902::f03c:91ff:feda:c514Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.jp.tiar.app IP: 172.104.93.80Add to AdGuard
DNSCrypt, IPv6Provider: 2.dnscrypt-cert.jp.tiar.app IP: [2400:8902::f03c:91ff:feda:c514]Add to AdGuard
DNS-over-HTTPShttps://jp.tiarap.org/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://jp.tiar.app/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://jp.tiar.appAdd to AdGuard, Add to AdGuard VPN

Seby DNS

Seby DNS is a privacy focused DNS service provided by Sebastian Schmidt. No Logging, DNSSEC validation.

DNS Server 1

ProtocolAddress
DNS, IPv445.76.113.31Add to AdGuard, Add to AdGuard VPN
DNSCrypt, IPv4Provider: 2.dnscrypt-cert.dns.seby.io IP: 45.76.113.31Add to AdGuard
DNS-over-TLStls://dot.seby.ioAdd to AdGuard, Add to AdGuard VPN

BlackMagicc DNS

BlackMagicc DNS is a personal DNS Server located in Vietnam and intended for personal and small-scale use. It features ad blocking, malware/phishing protection, adult content filter, and DNSSEC validation.

ProtocolAddress
DNS, IPv4103.178.234.160Add to AdGuard, Add to AdGuard VPN
DNS, IPv62405:19c0:2:ea2e::1Add to AdGuard, Add to AdGuard VPN
DNS-over-HTTPShttps://robin.techomespace.com/dns-queryAdd to AdGuard, Add to AdGuard VPN
DNS-over-TLStls://robin.techomespace.com:853Add to AdGuard, Add to AdGuard VPN
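Review bot: In the dnswarden table the DNS-over-TLS address is a bare hostname ("uncensored.dns.dnswarden.com") while the other DoT rows in this list use the "tls://" scheme, so the entry is inconsistent with its neighbours; write it as "tls://uncensored.dns.dnswarden.com". In the same region, the "Small personal resolvers" warning reads "We won't be able to proper monitor their availability" (should be "properly monitor"), the AhaDNS description "AhaDNS A zero-logging and ad-blocking DNS service" is missing "is", the dnswarden entry has no description, and OSZX DNS appears twice as a heading with two near-identical descriptions, the second containing "This service ia a small". Because that warning is the only risk statement for these operator-run resolvers, it should also say that the "DNS, IPv4" and "DNS, IPv6" rows are plain DNS with no transport encryption.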
- + \ No newline at end of file diff --git a/general/subscription/index.html b/general/subscription/index.html index 77ffab22f..e6a5af6ca 100644 --- a/general/subscription/index.html +++ b/general/subscription/index.html @@ -4,13 +4,13 @@ How to purchase, upgrade, or get a refund | AdGuard DNS Knowledge Base - +

How to purchase, upgrade, or get a refund

How to purchase a plan

AdGuard DNS plans can be purchased on adguard-dns.io. You can pay with Visa, Mastercard, Apple Pay, Google Pay, PayPal, Alipay, and UnionPay. We also accept the following cryptocurrencies: Ethereum, Litecoin, and Tether. Plans can be renewed on a monthly or annual basis.

The Personal plan is free for AdGuard VPN paid users.

How to upgrade a plan

To make the most out of AdGuard DNS, you can upgrade your plan for the following benefits:

  • To gain access to 2 dedicated IPv4 addresses and extend the number of devices, monthly requests, rules, and servers, you can upgrade your plan to Team
  • For more dedicated IPv4 addresses and an unlimited number of requests, devices, rules, and servers, upgrade your plan to Enterprise

You can upgrade your plan in your AdGuard account. To do so, click Upgrade under the section AdGuard DNS.

The Enterprise plan is available by request only. If you're interested, please fill out our form and provide some details about your company. Once we receive your submission, we'll contact you with further information.

How to get a refund

In accordance with our Terms of Sale, you can get a 100% refund on any AdGuard DNS Yearly plans purchased at https://adguard-dns.io/. To get a refund, you need to contact support at support@adguard-dns.io, specifying the payment method you've used. The processing time usually takes up to 5-10 business days.

A refund may be declined if:

  • A subscription was purchased more than 30 days ago
  • A subscription was purchased from a distributor
  • You applied for a partial refund for a renewal or upgrade
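Review bot: The refund paragraph promises "a 100% refund on any AdGuard DNS Yearly plans" with no time limit, and the 30-day window only appears further down in the list of reasons a refund may be declined; state the 30-day condition in the main sentence so the two parts do not read as contradictory. "The processing time usually takes up to 5-10 business days" should also be reworded, for example "Processing usually takes 5-10 business days".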
- + \ No newline at end of file diff --git a/index.html b/index.html index b416306af..f203c7712 100644 --- a/index.html +++ b/index.html @@ -4,13 +4,13 @@ Overview | AdGuard DNS Knowledge Base - +

Overview

What is DNS?

DNS stands for "Domain Name System", and its purpose is to convert website names into IP addresses. Each time you go to a website, your browser sends a DNS query to a DNS server to figure out the IP address of the website. And a regular DNS resolver simply returns the IP address of the requested domain.

note

The default DNS server is usually provided by your ISP. This means that your ISP can track your online activity and sell logs to third parties.

Your device always uses a DNS server to obtain the IP addresses of the domains that are accessed by various apps, services, etc.

There are also DNS servers that can block certain websites at DNS-level. How do they work? When your device sends a "bad" request, be it an ad or a tracker, a DNS server prevents the connection by responding with a non-routable IP address for a blocked domain.

Why use DNS for content blocking

Absolutely everything is connected to the Internet these days, from TV to smart light bulbs, from mobile devices to smart car. And where the Internet is, there are ads and trackers. In this case, a browser-based ad blocker has proven insufficient. To get a better protection, use DNS in combination with VPN and ad blocker.

Using DNS for content blocking has some advantages as well as obvious flaws. On the one hand, DNS is in the loop for queries from all devices and their apps. But, on the other hand, DNS blocking alone cannot provide cosmetic filtering.

What is AdGuard DNS?

AdGuard DNS is one of the most privacy-oriented DNS services on the market. It supports such reliable encryption protocols as DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC. It can work as a regular DNS resolver in Non-filtering mode, but also it can provide DNS-level content blocking: identify requests to ad, tracking, and/or adult domains (optionally), and respond with an empty response. AdGuard has its own frequently updated database with names of domains that serve ads, trackers, and scam.

An approximate scheme of how AdGuard DNS works

About 75% of AdGuard DNS traffic is encrypted. This is actually what differentiates content-blocking DNS servers from others. If you take a look at CloudFlare or Quad9 stats, you’ll see that encrypted DNS is just a small share of all queries.

AdGuard DNS exists in two main forms: Public AdGuard DNS and Private AdGuard DNS. None of these services require the installation of apps. They are easy to set up and use, and provide users with the minimum features necessary to block ads, trackers, malicious websites, and adult content (if required). There are no restrictions on what devices they can be used with.

Despite so many similarities, private AdGuard DNS and public AdGuard DNS are two different products. Their main difference is that you can customize Private AdGuard DNS, while Public AdGuard DNS cannot.

DNS filtering module in AdGuard products

All major AdGuard products, including AdGuard VPN, have a DNS filtering module where you can select a DNS server by a provider you trust. Of course, AdGuard DNS Default, AdGuard DNS Non-filtering and AdGuard DNS Family Protection are on the list. Also, AdGuard apps allow users to easily configure and use AdGuard DNS — Public or Private.
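Review bot: "What is DNS?" says a blocking server answers "with a non-routable IP address for a blocked domain", while "What is AdGuard DNS?" says the service will "respond with an empty response"; pick one description or explain that both occur, since the two sections currently describe the blocking behaviour differently. "About 75% of AdGuard DNS traffic is encrypted" needs a date or source for the figure. "You can customize Private AdGuard DNS, while Public AdGuard DNS cannot" should end "cannot be customized", and "to smart car" should be "to smart cars".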

- + \ No newline at end of file diff --git a/miscellaneous/acknowledgements/index.html b/miscellaneous/acknowledgements/index.html index 856307952..a5868b41e 100644 --- a/miscellaneous/acknowledgements/index.html +++ b/miscellaneous/acknowledgements/index.html @@ -4,13 +4,13 @@ Credits and Acknowledgements | AdGuard DNS Knowledge Base - +

Credits and Acknowledgements

Our dev team would like to thank the developers of the third-party software we use in AdGuard DNS, our great beta testers and other engaged users, whose help in finding and eliminating all the bugs, translating AdGuard DNS, and moderating our communities is priceless.

AdGuard DNS

AdGuard API and Websites

- + \ No newline at end of file diff --git a/miscellaneous/create-dns-stamp/index.html b/miscellaneous/create-dns-stamp/index.html index 4657cb8af..d0909eca3 100644 --- a/miscellaneous/create-dns-stamp/index.html +++ b/miscellaneous/create-dns-stamp/index.html @@ -4,7 +4,7 @@ How to create your own DNS stamp for Secure DNS | AdGuard DNS Knowledge Base - + @@ -14,7 +14,7 @@ Enter the SHA256 digest of one of the TBS certificates found in the validation chain. If the DNS server you are using provides a ready-made hash, find and copy it. Otherwise, you can obtain it by following the instructions in the Obtaining the Certificate Hash section.
note

This field is optional

  • Host name: Enter the host name of the DNS server. This field is used for server name verification in DoT and DoQ protocols.

  • For DoH:

    • Path: Enter the path for performing DoH requests. This is usually "/dns-query", but your provider may provide a different path.
  • For DoT and DoQ:

    • There are usually no specific fields for these protocols in this tool. Just make sure the port specified in the resolver address is the correct port.
  • In the Properties section, you can check the relevant properties if they are known and applicable to your DNS server.

  • Your stamp will be automatically generated and you will see it in the Stamp field.

  • Obtaining the certificate hash

    To fill in the Hashes of the server's certificate field, you can use the following command, replacing <IP_ADDRESS>, <PORT>, and <SERVER_NAME> with the corresponding values for your DNS server:

    echo | openssl s_client -connect <IP_ADDRESS>:<PORT> -servername <SERVER_NAME> 2>/dev/null | openssl x509 -outform der | openssl asn1parse -inform der -strparse 4 -noout -out - | openssl dgst -sha256
    caution

    The result of the hash command may change over time as the server's certificate is updated. Therefore, if your DNS stamp suddenly stops working, you may need to recalculate the hash of the certificate and generate a new stamp. Regularly updating your DNS stamp will help ensure the continued secure operation of your Secure DNS service.

    Using the DNS stamp

    You now have your own DNS stamp that you can use to set up Secure DNS. This stamp can be entered into AdGuard and AdGuard VPN for enhanced internet privacy and security.

    Example of creating a DNS stamp

    Let's go through an example of creating a stamp for AdGuard DNS using DoT:

    1. Open the DNSCrypt Stamp Calculator.

    2. Select the DNS-over-TLS (DoT) protocol.

    3. Fill in the following fields:

      • IP address: Enter the IP address and port of the DNS server. In this case, it's 94.140.14.14:853.

      • Host name: Enter the host name of the DNS server. In this case, it's dns.adguard-dns.com.

      • Hashes: Execute the command

      echo | openssl s_client -connect 94.140.14.14:853 -servername dns.adguard-dns.com 2>/dev/null | openssl x509 -outform der | openssl asn1parse -inform der -strparse 4 -noout -out - | openssl dgst -sha256

      The result is 1ebea9685d57a3063c427ac4f0983f34e73c129b06e7e7705640cacd40c371c8 Paste this SHA256 hash of the server's certificate into the field.

    4. Leave the Properties section blank.

    5. Your stamp will be automatically generated and you will see it in the Stamp field.
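Review bot: The hash pipeline under "Obtaining the certificate hash" discards stderr with "2>/dev/null" and has no check that the TLS connection succeeded, so a reader whose connection fails can still get a digest printed by the final "openssl dgst -sha256" and paste it into the Hashes field; add a sentence telling readers to confirm the connection and the certificate first, for instance by running the "openssl s_client" step on its own. The command also hashes only the certificate that "openssl x509" reads from the server output, while the field description allows "one of the TBS certificates found in the validation chain"; saying which certificate the command pins would make the caution about recalculating the hash after certificate updates easier to act on. In the worked example, the literal hash in step 3 will go stale for that same reason, so label it as sample output, and add the missing period after it.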

    - + \ No newline at end of file diff --git a/miscellaneous/take-screenshot/index.html b/miscellaneous/take-screenshot/index.html index 34f1008aa..205bab5b6 100644 --- a/miscellaneous/take-screenshot/index.html +++ b/miscellaneous/take-screenshot/index.html @@ -4,13 +4,13 @@ How to take a screenshot | AdGuard DNS Knowledge Base - +

    How to take a screenshot

    Screenshot is a capture of your computer’s or mobile device’s screen, which can be obtained by using standard tools or a special program/app.

    Sometimes a screenshot (or screenshots) is required by support team to better understand the problem, and not everyone knows how to take screenshots, especially of a separate window or a specific screen area on their devices. If you recognize yourself as one of these users, don’t worry. This article will help you as it describes a range of ways to take screenshots on different platforms.

    How to take a screenshot

    Here you will find all the necessary hotkeys you should know in order to take screenshots on your computer or mobile device.

    Android

    Taking a screenshot on an Android device can be done in various ways — depending on the device model and its manufacturer.

    Generally, the following button combination can be used for Android:

    • Press and hold the Volume Down and Power buttons simultaneously for 1–2 seconds

    Your Android device will capture the entire screen and save it as a photo. So, you can find the screenshot in a Screenshots folder in your Gallery.

    However, as already mentioned, the procedure may vary depending on the particular device. Let’s look at other possible combinations:

    • Press and hold the Home and Power buttons simultaneously for 1–2 seconds;
    • Press and hold the Back and Home buttons simultaneously

    On Android 8 and later, a screenshot can also be taken by placing the edge of an open hand vertically along the left/right screen edge and swiping the hand to the other screen edge while touching the screen with the hand edge.

    If this method doesn’t work, check SettingsAdvanced features to enable Palm swipe to capture.

    Besides, you can always use any special applications for taking screenshots on your devices, for example — Screenshot Easy, Screenshot Ultimate, Screenshot Snap, etc.

    iOS

    Any iOS device (barring ancient ones) lets you take a screenshot using standard tools.

    To take a screenshot on an iOS device, use the following combination:

    • Press the Sleep/Wake (side) button and the Home button at the same time, then quickly release them

    and this one for iPhone X or later:

    • Press the Sleep/Wake button and the Volume up button at the same time, then quickly release them

    Your iOS device will capture the entire screen and save it as a photo. You can find it in a standard Photo app.

    Windows

    • To take a screenshot on Windows, press the PrtScn button

    On some notebooks you have to hold Fn and then press PrtScn instead.

    Please note: PrtScn (Print Screen) button can be differently abbreviated on various keyboards — PrntScrn, PrtScn, PrtScr or PrtSc.

    Windows captures the entire screen and copies it to the clipboard.

    To take a screenshot of an active window, use the following combination:

    • Hold down Alt and press PrtScn (or Fn + Alt + PrtScn on some laptops)

    To take a screenshot of a specific area, you should use the following combination:

    • Hold down Win (the Windows button) and Shift and press S

    After you take a screenshot, it will be saved in the clipboard. In most cases you will be able to paste it into a document that you are currently editing by using Ctrl + V button combination. Alternatively, if you need to save the screenshot into a file, you should open the standard Paint program (or any other app that can work with images). Paste your screenshot there using the same button combination or by clicking the Paste button (usually in the top left corner of the screen) and then save it.

    Windows 8 and 10 let you take a screenshot very quickly with a Win + PrtScn combination. As soon as you press these buttons, the screenshot will be automatically saved as a file to your Pictures → Screenshots Folder.

    There is also a dedicated program for taking screenshots called Snipping Tool that you can find via Start menu among standard programs of your computer. Snipping Tool lets you capture of any area of your desktop or the entire screen. After taking a screenshot using this program you can edit the picture and save it to any folder on your computer.

    Besides, you can also try using different apps for taking screenshots on your computer, like PicPick, Nimbus Screenshot, Screenshot Captor, Snipaste, Monosnap, etc.

    MacOS

    To take a screenshot on Mac, use the following button combination:

    • Press and hold together ⌘ Cmd + Shift + 3

    Your Mac will capture the entire screen and save it as a file on the desktop.

    To take a screenshot of an active window, use the following combination:

    • Press and hold together ⌘ Cmd + Shift + 4 + Space bar. The pointer will change to a camera icon. Click the window to capture it. Press the Esc button to cancel taking a screenshot

    To take a screenshot of a specific area, you should use the following combination:

    • Press and hold together ⌘ Cmd + Shift + 4. Drag the crosshair to select the needed area. Release your mouse or trackpad to take a screenshot, press the Esc button to cancel it.

    To take a screenshot of the Touch Bar (MacBook Pro) use the following combination:

    • Hold down ⌘ Cmd + Shift + 6

    Your Mac captures the entire Touch Bar and saves it as a file on the desktop.

    To copy a screenshot to the clipboard instead of saving it, hold down Ctrl together with any of the combinations above. Then you can paste the screenshot (from the clipboard) into a document or an image you are currently editing by using Cmd + V combination.

    You can also take screenshots by using Preview and choosing Take screenshot (of the selected area, window, or the entire screen). With Preview you can save your screenshots in JPG, TIFF, PDF, and other file formats.
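Review bot: The page carries two identical "How to take a screenshot" headings, one as the title and one as the first section, and the second adds nothing; rename the section, for example to "Hotkeys by platform". In the Android part, "check SettingsAdvanced features" has lost the separator between the two menu names, and in the Windows part "lets you capture of any area" should read "lets you capture any area".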

    - + \ No newline at end of file diff --git a/miscellaneous/update-kb/index.html b/miscellaneous/update-kb/index.html index bf621596c..bae17d8c6 100644 --- a/miscellaneous/update-kb/index.html +++ b/miscellaneous/update-kb/index.html @@ -4,14 +4,14 @@ Updating the Knowledge Base | AdGuard DNS Knowledge Base - +

    Updating the Knowledge Base

    The goal of this Knowledge Base is to provide everyone with the most up-to-date information on all kinds of AdGuard DNS-related topics. But things constantly change, and sometimes an article doesn't reflect the current state of things anymore — there are simply not so many of us to keep an eye on every single bit of information and update it accordingly when new versions are released.

    This is why we placed all of our KB content to GitHub, and now literally anyone can contribute to it by suggesting edits and translations to existing articles, as well as totally new ones.

    How to suggest a change or write a new article

    You can suggest changes to current articles and add new ones to the Knowledge Base using the functionality of the GitHub mentioned above. If you are unfamiliar with principles of working with the platform, start by reading documentation in this section.

    Once you are ready to start, work in the KnowledgeBaseDNS repository. All texts in our Knowledge Base are written in Markdown markup language. Keep this in mind when editing or writing articles. Follow this link to learn more about Markdown syntax.

    The Knowledge Base website is built using Docusaurus 2 — a modern static website generator. When suggesting changes or additions, take into account that all documents must comply with the principles of the platform. You can read about them in this guide.

    You can deploy this Knowledge Base locally to your computer to preview the changes you suggest. Detailed instructions on how to do this can be found in the README.md file on this Knowledge Base's GitHub page.

    Translating articles

    Translation of the existing articles of the Knowledge Base is carried out on the Crowdin platform. All the details about translations and working with Crowdin can be found in the dedicated article of the AdGuard Ad Blocker Knowledge Base.

    When working on AdGuard DNS Knowledge Base articles, you may meet strings containing plural forms that you should translate with extra attention. In a separate article, we describe in detail the difficulties that can arise when translating strings with plural forms, and provide extensive instructions on how to work with them on the Crowdin platform.

    Working on open issues

    Sometimes there exist open tasks related to updating the Knowledge Base. You can help us speed up their completion the same way you would suggest any other changes to this Knowledge Base. Choose any issue that you find appealing and start working on it. If you have any questions — you can ask them right in the comments to that issue.

    - + \ No newline at end of file diff --git a/private-dns/api/changelog/index.html b/private-dns/api/changelog/index.html index bcde12213..56b933577 100644 --- a/private-dns/api/changelog/index.html +++ b/private-dns/api/changelog/index.html @@ -4,13 +4,13 @@ Changelog | AdGuard DNS Knowledge Base - +

    Changelog

    This article contains the changelog for AdGuard DNS API.

    v1.9

    Released on July 11, 2024

    • Added automatic device connection functionality:
      • New DNS server setting — auto_connect_devices_enabled, allowing approval for auto-connecting devices through a specific link type
      • New field in Device — auto_device, indicating that the device is automatically connected
    • Replaced int with long for queries in CategoryQueriesStats, for used in AccountLimits, and for blocked and queries in QueriesStats

    v1.8

    Released on April 20, 2024

    • Added support for DNS-over-HTTPS with authentication:
      • New operation — reset DNS-over-HTTPS password for device
      • New device setting — detect_doh_auth_only. Disables all DNS connection methods except DNS-over-HTTPS with authentication
      • New field in DeviceDNSAddresses — dns_over_https_with_auth_url. Indicates the URL to use when connecting using DNS-over-HTTPS with authentication

    v1.7

    Released on March 11, 2024

    • Added dedicated IPv4 addresses functionality:
      • Dedicated IPv4 addresses can now be used on devices for DNS server configuration
      • Dedicated IPv4 address is now associated with the device it is linked to, so that queries made to this address are logged for that device
    • Added new operations:
      • List all available dedicated IPv4 addresses
      • Allocate new dedicated IPv4 address
      • Link an available IPv4 address to a device
      • Unlink an IPv4 address from a device
      • Request info on dedicated addresses associated with a device
    • Added new limits to Account limits:
      • dedicated_ipv4 provides information about the amount of already allocated dedicated IPv4 addresses, as well as the limit on them
    • Removed deprecated field of DNSServerSettings:
      • safebrowsing_enabled

    v1.6

    Released on January 22, 2024

    • Added new Access settings section for DNS profiles (access_settings). By customizing these fields, you’ll be able to protect your AdGuard DNS server from unauthorized access:

      • allowed_clients — here you can specify which clients can use your DNS server. This field will have priority over the blocked_clients field
      • blocked_clients — here you can specify which clients are not allowed to use your DNS server
      • blocked_domain_rules — here you can specify which domains are not allowed to access your DNS server, as well as define such domains with wildcard and DNS filtering rules
    • Added new limits to Account limits:

      • access_rules provides the sum of currently used blocked_clients and blocked_domain_rules values, as well as the limit on access rules
      • user_rules shows the amount of created user rules, as well as the limit on them
    • Added a new ip_log_enabled setting to log client IP addresses and domains

    • Added new error code FIELD_REACHED_LIMIT to indicate when limits have been reached:

      • For the total number of blocked_clients and blocked_domain_rules in access settings
      • For rules in custom user rules settings

    v1.5

    Released on June 16, 2023

    • Added a new block_nrd setting and grouped all security-related settings in one place

    Model for safebrowsing settings changed

    From:

    {
    "enabled": true
    }

    To:

    {
    "enabled": true,
    "block_dangerous_domains": true,
    "block_nrd": false
    }

    where enabled now controls all settings in the group, block_dangerous_domains is the previous enabled model field, and block_nrd is a setting that blocks newly registered domains.

    Model for saving server settings changed

    From:

    {
    "protection_enabled" : true,
    "safebrowsing_enabled" : true,
    ..
    }

    to:

    {
    "protection_enabled" : true,
    "safebrowsing_settings" : {
    "enabled": true,
    "block_dangerous_domains": true,
    "block_nrd": false
    }
    ..
    }

    here a new field safebrowsing_settings is used instead of the deprecated safebrowsing_enabled, whose value is stored in block_dangerous_domains.

    v1.4

    Released on March 29, 2023

    • Added configurable option for blocking response: default (0.0.0.0), REFUSED, NXDOMAIN or custom IP address

    v1.3

    Released on December 13, 2022

    • Added method to get account limits

    v1.2

    Released on October 14, 2022

    • Added new protocol types DNS and DNSCRYPT. Deprecating the PLAIN_TCP, PLAIN_UDP, DNSCRYPT_TCP and DNSCRYPT_UDP that will be removed later

    v1.1

    Released on July 7, 2022

    • Added methods to retrieve statistics by time, domains, companies and devices
    • Added method for updating device settings
    • Fixed required fields definition

    v1.0

    Released on February 22, 2022

    • Added authentication
    • CRUD operations with devices and DNS servers
    • Query log
    • Downloading DoH and DoT .mobileconfig
    • Filter lists and web services
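
Review bot: the v1.5 entry marks safebrowsing_enabled as deprecated in favour of safebrowsing_settings, but does not say whether the old field is still accepted when saving server settings or what happens when a client sends both. A client that keeps sending only "safebrowsing_enabled" : true cannot tell from this text whether block_dangerous_domains ends up enabled. Suggest one sentence stating the compatibility behaviour, and one stating the value block_nrd takes for servers that existed before v1.5. Minor style point: "to:" in the second model change should be capitalised to match "To:" in the first.
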
    - + \ No newline at end of file diff --git a/private-dns/api/overview/index.html b/private-dns/api/overview/index.html index a7889bc59..ed63efbe1 100644 --- a/private-dns/api/overview/index.html +++ b/private-dns/api/overview/index.html @@ -4,7 +4,7 @@ Overview | AdGuard DNS Knowledge Base - + @@ -14,7 +14,7 @@ using the refresh_token (Refer: Generate Access Token from Refresh Token).

  • The refresh_token is permanent. To revoke a refresh_token, refer: Revoking a Refresh Token.

  • Example request

    $ curl 'https://api.adguard-dns.io/oapi/v1/oauth_token' -i -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'username=user%40adguard.com' \
    -d 'password=********' \
    -d 'mfa_token=727810'

    Example response

    {
    "access_token": "jTFho_aymtN20pZR5RRSQAzd81I",
    "token_type": "bearer",
    "refresh_token": "H3SW6YFJ-tOPe0FQCM1Jd6VnMiA",
    "expires_in": 2620978
    }

    Generate Access Token from Refresh Token

    Access tokens have limited validity. Once it expires, your app will have to use the refresh token to request for a new access token.

    Make the following POST request with the given params to get a new access token:

    https://api.adguard-dns.io/oapi/v1/oauth_token

    ParameterDescription
    refresh_tokenREFRESH TOKEN using which a new access token has to be generated.

    Example request

    $ curl 'https://api.adguard-dns.io/oapi/v1/oauth_token' -i -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'refresh_token=H3SW6YFJ-tOPe0FQCM1Jd6VnMiA'

    Example response

    {
    "access_token": "xQnT7GYT6Ag--3oY_EcOOdXe-I0",
    "token_type": "bearer",
    "refresh_token": "H3SW6YFJ-tOPe0FQCM1Jd6VnMiA",
    "expires_in": 2627999
    }

    Revoking a Refresh Token

    To revoke a refresh token, make the following POST request with the given params:

    https://api.adguard-dns.io/oapi/v1/revoke_token

    Request Example

    $ curl 'https://api.adguard-dns.io/oapi/v1/revoke_token' -i -X POST \
    -d 'token=H3SW6YFJ-tOPe0FQCM1Jd6VnMiA'
    ParameterDescription
    refresh_tokenREFRESH TOKEN which is to be revoked

    Authorization endpoint

    To access this endpoint, you need to contact us at devteam@adguard.com. Please describe the reason and use cases for this endpoint, as well as provide the redirect URI. Upon approval, you will receive a unique client identifier, which should be used for the client_id parameter.

    The /oapi/v1/oauth_authorize endpoint is used to interact with the resource owner and get the authorization to access the protected resource.

    The service redirects you to AdGuard to authenticate (if you are not already logged in) and then back to your application.

    The request parameters of the /oapi/v1/oauth_authorize endpoint are:

    ParameterDescription
    response_typeTells the authorization server which grant to execute
    client_idThe ID of the OAuth client that asks for authorization
    redirect_uriContains a URL. A successful response from this endpoint results in a redirect to this URL
    stateAn opaque value used for security purposes. If this request parameter is set in the request, it is returned to the application as part of the redirect_uri
    aidAffiliate identifier

    For example:

    https://api.adguard-dns.io/oapi/v1/oauth_authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=1jbmuc0m9WTr1T6dOO82

    To inform the authorization server which grant type to use, the response_type request parameter is used as follows:

    • For the Implicit grant, use response_type=token to include an access token.

    A successful response is 302 Found, which triggers a redirect to redirect_uri (which is a request parameter). The response parameters are embedded in the fragment component (the part after #) of the redirect_uri parameter in the Location header.

    For example:

    HTTP/1.1 302 Found
    Location: REDIRECT_URI#access_token=...&token_type=Bearer&expires_in=3600&state=1jbmuc0m9WTr1T6dOO82

    Accessing API

    Once the access and the refresh tokens are generated, API calls can be made by passing the access token in the header.

    • Header name should be Authorization
    • Header value should be Bearer {access_token}

    API

    Reference

    Please see the methods reference here.

    OpenAPI spec

    OpenAPI specification is available at https://api.adguard-dns.io/static/swagger/openapi.json.

    You can use different tools to view the list of available API methods. For instance, you can open this file in https://editor.swagger.io/.

    Changelog

    The complete AdGuard DNS API changelog is available on this page.

    Feedback

    If you would like this API to be extended with new methods, please email us to devteam@adguard.com and let us know what you would like to be added.
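
Review bot: the example under "Revoking a Refresh Token" posts token=... while the parameter table directly below it names the field refresh_token, so a reader who follows the table sends a different request from the one shown. The same page says the refresh_token is permanent, so if the server ignores an unrecognised field name the caller is left with a long-lived credential that is still valid. Make the example and the table agree, and document the success response so callers can confirm the revocation. Separately, the Authorization endpoint section describes state only as "An opaque value used for security purposes"; say that the application generates it per request and compares it with the value returned in the redirect fragment before accepting the access_token.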

    - + \ No newline at end of file diff --git a/private-dns/api/reference/index.html b/private-dns/api/reference/index.html index c71527c48..80adb14fe 100644 --- a/private-dns/api/reference/index.html +++ b/private-dns/api/reference/index.html @@ -4,13 +4,13 @@ Reference | AdGuard DNS Knowledge Base - +

    Reference

    This article contains documentation for AdGuard DNS API. For the complete AdGuard DNS API changelog, visit this page.

    Current version: 1.9

    /oapi/v1/account/limits

    GET

    Summary

    Gets account limits

    Responses
    CodeDescription
    200Account limits info

    /oapi/v1/dedicated_addresses/ipv4

    GET

    Summary

    Lists dedicated IPv4 addresses

    Responses
    CodeDescription
    200List of dedicated IPv4 addresses

    POST

    Summary

    Allocates new IPv4

    Responses
    CodeDescription
    200New IPv4 successfully allocated
    429Dedicated IPv4 count reached the limit

    /oapi/v1/devices

    GET

    Summary

    Lists devices

    Responses
    CodeDescription
    200List of devices

    POST

    Summary

    Creates a new device

    Responses
    CodeDescription
    200Device created
    400Validation failed
    429Devices count reached the limit

    /oapi/v1/devices/{device_id}

    DELETE

    Summary

    Removes a device

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Device deleted
    404Device not found

    GET

    Summary

    Gets an existing device by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Device info
    404Device not found

    PUT

    Summary

    Updates an existing device

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Device updated
    400Validation failed
    404Device not found

    /oapi/v1/devices/{device_id}/dedicated_addresses

    GET

    Summary

    List dedicated IPv4 and IPv6 addresses for a device

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Dedicated IPv4 and IPv6

    /oapi/v1/devices/{device_id}/dedicated_addresses/ipv4

    DELETE

    Summary

    Unlink dedicated IPv4 from the device

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Dedicated IPv4 successfully unlinked from the device
    404Device or address not found

    POST

    Summary

    Link dedicated IPv4 to the device

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Dedicated IPv4 successfully linked to the device
    400Validation failed
    404Device or address not found
    429Linked dedicated IPv4 count reached the limit

    /oapi/v1/devices/{device_id}/doh.mobileconfig

    GET

    Summary

    Gets DNS-over-HTTPS .mobileconfig file.

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    exclude_wifi_networksqueryList Wi-Fi networks by their SSID in which you want AdGuard DNS to be disabledNo[ string ]
    exclude_domainqueryList domains that will use default DNS servers instead of AdGuard DNSNo[ string ]
    Responses
    CodeDescription
    200DNS-over-HTTPS .plist file
    404Device not found

    /oapi/v1/devices/{device_id}/doh_password/reset

    PUT

    Summary

    Generate and set new DNS-over-HTTPS password

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200DNS-over-HTTPS password successfully reset
    404Device not found

    /oapi/v1/devices/{device_id}/dot.mobileconfig

    GET

    Summary

    Gets DNS-over-TLS .mobileconfig file.

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    exclude_wifi_networksqueryList Wi-Fi networks by their SSID in which you want AdGuard DNS to be disabledNo[ string ]
    exclude_domainqueryList domains that will use default DNS servers instead of AdGuard DNSNo[ string ]
    Responses
    CodeDescription
    200DNS-over-HTTPS .plist file
    404Device not found

    /oapi/v1/devices/{device_id}/settings

    PUT

    Summary

    Updates device settings

    Parameters
    NameLocated inDescriptionRequiredSchema
    device_idpathYesstring
    Responses
    CodeDescription
    200Device settings updated
    400Validation failed
    404Device not found

    /oapi/v1/dns_servers

    GET

    Summary

    Lists DNS servers that belong to the user.

    Description

    Lists DNS servers that belong to the user. By default there is at least one default server.

    Responses
    CodeDescription
    200List of DNS servers

    POST

    Summary

    Creates a new DNS server

    Description

    Creates a new DNS server. You can attach custom settings, otherwise DNS server will be created with default settings.

    Responses
    CodeDescription
    200DNS server created
    400Validation failed
    429DNS servers count reached the limit

    /oapi/v1/dns_servers/{dns_server_id}

    DELETE

    Summary

    Removes a DNS server

    Description

    Removes a DNS server. All devices attached to this DNS server will be moved to the default DNS server. Deleting the default DNS server is forbidden.

    Parameters
    NameLocated inDescriptionRequiredSchema
    dns_server_idpathYesstring
    Responses
    CodeDescription
    200DNS server deleted
    404DNS server not found

    GET

    Summary

    Gets an existing DNS server by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    dns_server_idpathYesstring
    Responses
    CodeDescription
    200DNS server info
    404DNS server not found

    PUT

    Summary

    Updates an existing DNS server

    Parameters
    NameLocated inDescriptionRequiredSchema
    dns_server_idpathYesstring
    Responses
    CodeDescription
    200DNS server updated
    400Validation failed
    404DNS server not found

    /oapi/v1/dns_servers/{dns_server_id}/settings

    PUT

    Summary

    Updates DNS server settings

    Parameters
    NameLocated inDescriptionRequiredSchema
    dns_server_idpathYesstring
    Responses
    CodeDescription
    200DNS server settings updated
    400Validation failed
    404DNS server not found

    /oapi/v1/filter_lists

    GET

    Summary

    Gets filter lists

    Responses
    CodeDescription
    200List of filters

    /oapi/v1/oauth_token

    POST

    Summary

    Generates Access and Refresh token

    Responses
    CodeDescription
    200Access token issued
    400Missing required parameters
    401Invalid credentials, MFA token or refresh token provided

    null

    /oapi/v1/query_log

    DELETE

    Summary

    Clears query log

    Responses
    CodeDescription
    202Query log was cleared

    GET

    Summary

    Gets query log

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    companiesqueryFilter by companiesNo[ string ]
    statusesqueryFilter by statusesNo[ FilteringActionStatus ]
    categoriesqueryFilter by categoriesNo[ CategoryType ]
    searchqueryFilter by domain nameNostring
    limitqueryLimit the number of records to be returnedNointeger
    cursorqueryPagination cursor. Use cursor from response to paginate through the pages.Nostring
    Responses
    CodeDescription
    200Query log

    /oapi/v1/revoke_token

    POST

    Summary

    Revokes a Refresh Token

    Parameters
    NameLocated inDescriptionRequiredSchema
    refresh_tokenqueryRefresh TokenYesstring
    Responses
    CodeDescription
    200Refresh token revoked

    null

    /oapi/v1/stats/categories

    GET

    Summary

    Gets categories statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Categories statistics received
    400Validation failed

    /oapi/v1/stats/companies

    GET

    Summary

    Gets companies statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Companies statistics received
    400Validation failed

    /oapi/v1/stats/companies/detailed

    GET

    Summary

    Gets detailed companies statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    cursorqueryPagination cursorNostring
    Responses
    CodeDescription
    200Detailed companies statistics received
    400Validation failed

    /oapi/v1/stats/countries

    GET

    Summary

    Gets countries statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Countries statistics received
    400Validation failed

    /oapi/v1/stats/devices

    GET

    Summary

    Gets devices statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Devices statistics received
    400Validation failed

    /oapi/v1/stats/domains

    GET

    Summary

    Gets domains statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Domains statistics received
    400Validation failed

    /oapi/v1/stats/time

    GET

    Summary

    Gets time statistics

    Parameters
    NameLocated inDescriptionRequiredSchema
    time_from_millisqueryTime from in milliseconds (inclusive)Yeslong
    time_to_millisqueryTime to in milliseconds (inclusive)Yeslong
    devicesqueryFilter by devicesNo[ string ]
    countriesqueryFilter by countriesNo[ string ]
    Responses
    CodeDescription
    200Time statistics received
    400Validation failed

    /oapi/v1/web_services

    GET

    Summary

    Lists web services

    Responses
    CodeDescription
    200List of web-services
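
Review bot: under /oapi/v1/devices/{device_id}/dot.mobileconfig the 200 response is described as "DNS-over-HTTPS .plist file", which is copied from the doh.mobileconfig entry and should read DNS-over-TLS. Both entries also call the returned file a .plist while their summaries call it a .mobileconfig; pick one. The stray "null" lines after the /oapi/v1/oauth_token and /oapi/v1/revoke_token responses look like an empty field emitted by the generator and should be dropped at the source. /oapi/v1/oauth_token lists no parameters even though its 400 response is "Missing required parameters". /oapi/v1/revoke_token documents refresh_token as a query parameter; a permanent token in a query string is commonly written to server and proxy access logs, and the overview page's own example sends the value in the request body with -d, so the reference should match that.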
    - + \ No newline at end of file diff --git a/private-dns/overview/index.html b/private-dns/overview/index.html index 2e82526e3..ef43bc8d7 100644 --- a/private-dns/overview/index.html +++ b/private-dns/overview/index.html @@ -4,13 +4,13 @@ Overview | AdGuard DNS Knowledge Base - +

    Overview

    info

    With AdGuard DNS, you can set up your private DNS servers to resolve DNS requests and block ads, trackers, and malicious domains before they reach your device

    Quick link: Try AdGuard DNS

    Private AdGuard DNS dashboard main

    General

    Private AdGuard DNS offers all the advantages of a public AdGuard DNS server, including traffic encryption and domain blocklists. It also offers additional features such as flexible customization, DNS statistics, and Parental control. All these options are easily accessible and managed via a user-friendly dashboard.

    Why you need private AdGuard DNS

    Today, you can connect anything to the Internet: TVs, refrigerators, smart bulbs, or speakers. But along with the undeniable conveniences you get trackers and ads. A simple browser-based ad blocker will not protect you in this case, but AdGuard DNS, which you can set up to filter traffic, block content and trackers, has a system-wide effect.

    At one time, the AdGuard product line included only public AdGuard DNS and AdGuard Home. These solutions work fine for some users, but for others, the public AdGuard DNS lacks the flexibility of configuration, while the AdGuard Home lacks simplicity. That's where private AdGuard DNS comes into play. It has the best of both worlds: it offers customizability, control and information — all through a simple easy-to-use dashboard.

    The difference between public and private AdGuard DNS

    Here is a simple comparison of features available in public and private AdGuard DNS.

    Public AdGuard DNSPrivate AdGuard DNS
    DNS traffic encryptionDNS traffic encryption
    Pre-determined domain blocklistsCustomizable domain blocklists
    -Custom DNS filtering rules with import/export feature
    -Request statistics (see where do your DNS requests go: which countries, which companies, etc.)
    -Detailed query log
    -Parental control

    How to set up private AdGuard DNS

    For devices that support DoH, DoT, and DoQ

    1. Go to your AdGuard DNS dashboard (if not logged in, log in using your AdGuard account)
    2. Click Connect device and follow on-screen instructions
    Supported platforms:
    • Android
    • iOS
    • Windows
    • Mac
    • Linux
    • Routers
    • Gaming consoles
    • Smart TVs

    Every device that you add in the AdGuard DNS panel has its own unique address that can be used if the device supports modern encrypted DNS protocols (DoH, DoT, and DoQ).

    For devices that do not support DoH, DoT, and DoQ

    If the device does not support encrypted DNS and you have to use plain DNS, there are two more ways to allow AdGuard DNS to recognize the device — use dedicated IP addresses or link device's IP address.

    note

    Use plain DNS addresses only if you have no other options: this reduces the security of DNS requests. If you decide to use plain DNS, we recommend that you choose dedicated IP addresses.

    Dedicated IP addresses

    For every device that you connect to AdGuard DNS, you'll be offered two dedicated IPv6 addresses that you can enter in your device settings. Using both IPv6 addresses is not mandatory, but often devices might request you to enter two IPv6 addresses.

    When you connect to them, AdGuard DNS will be able to determine which particular device is sending DNS requests and display statistics for it. And you'll be able to configure DNS rules specifically for this device.

    Unfortunately, not all service providers offer IPv6 support, and not all devices allow you to configure IPv6 addresses. If this is your case, you may have to rely on the Linked IP method.

    Linked IP

    If you connect your device to AdGuard DNS via Linked IP, the service will count all plain DNS requests coming from that IP address towards that "device". With this connection method, you would have to reconnect manually or through a special program each time the device's IP changes, which happens after each reboot.

    The only requirement for linking IP is that it must be a residential IP address.

    note

    A residential IP address is an IP address assigned to a device connected to a residential ISP. It is typically associated with a physical location and is allocated to individual homes or apartments. Residential IP addresses are used by regular Internet users for their everyday online activities, such as browsing the web, accessing social media platforms, sending emails, or streaming content.

    If you're trying to link a residential IP address and AdGuard DNS does not allow you to do that, please contact our support team at support@adguard-dns.io.

    Private AdGuard DNS features

    Statistics

    In the Statistics tab you can see all the summarized statistics on DNS queries made by devices connected to your Private AdGuard DNS. It shows the total number and geography of requests, the number of blocked requests, the list of companies the requests were addressed to, requests types and top requested domains.

    Private AdGuard DNS dashboard statistics

    Traffic destination

    This feature shows you where DNS requests sent by your devices go. On top of seeing the map of request destinations, you can filter the information by date, device and country.

    Private AdGuard DNS dashboard traffic

    Companies

    This tab allows you to quickly check which companies send the most requests, and which companies have the most blocked requests.

    Private AdGuard DNS dashboard companies

    Query log

    This is a detailed log where you can check out the information on every single request and also sort requests by status, type, company, device, time, country.

    Private AdGuard DNS dashboard query log

    Server settings

    This section features a range of settings allowing you to customize the operation of private AdGuard DNS, ensuring the Internet functions exactly as you desire.

    Blocklists management

    The Blocklists feature allows you to specify which domains you want to block and which you don't. Choose from a variety of blocklists for different purposes.

    Private AdGuard DNS dashboard blocklists

    Security settings

    Even if you're aware of all the tricks online scammers use, there's always a risk you'll accidentally click a malicious link. To protect yourself from such accidents, go to the Security settings section and check the boxes next to the options listed there.

    The Block malicious, phishing, and scam domains feature will block domains found in the dedicated database. And the Block newly registered domains will block all domains registered less than 30 days ago, which are often considered risky for your online privacy.

    Parental control

    To protect your child from online content you deem inappropriate, set up and activate the Parental control option. In addition to options such as "adult content" blocking and safe search, we've added the ability to manually specify domains for blocking and set a schedule for the Parental control to work accordingly.

    Parental control

    User rules

    For cases where pre-installed blocklists with thousands of rules are not enough, we have a handy feature called User rules. Here you can manually add custom rules to block/unblock a specific domain or import custom rule lists (see DNS filtering rules syntax). You can export the lists.

    Private AdGuard DNS dashboard user rules

    DNS-over-HTTPS with authentication

    DNS-over-HTTPS with authentication provides a login and password to connect to the server. This can limit access to unauthorized users and increase security.

    To enable this feature, go to Server settingsDevicesSettings and change the DNS server to the one with authentication. Select Deny other protocols to disable alternative protocol usage, ensuring exclusive DNS-over-HTTPS authentication and blocking third-party access.

    DNS-over-HTTPS with authentication

    Advanced

    Here you can set the way AdGuard DNS must respond to blocked domains:

    • Default — zero IP address
    • NXDOMAIN — the domain does not exist
    • REFUSED — the server has refused to process the request
    • Custom IP — you can manually specify an IP address

    Additionally, you can adjust the Time to live (TTL) setting. This parameter defines the time period (in seconds) that a client device caches the response to a DNS request. A higher TTL means that even if a previously blocked domain is unblocked, it may still appear as blocked for a while. A TTL of 0 indicates that the device does not cache responses.

    In the Advanced section, there are three options that can be customized:

    • Block access to iCloud Private Relay. Devices that use iCloud Private Relay may ignore DNS settings. Enabling this option ensures that AdGuard DNS can effectively protect your device.
    • Block Firefox canary domain. This setting prevents Firefox from automatically switching to its DoH resolver when AdGuard DNS is set as the system-wide DNS service.
    • Log IP addresses. If this option is enabled, IP addresses associated with incoming DNS requests will be recorded and displayed in the Query log.

    Access settings

    Here you can manage an access to your DNS server by configuring the following settings:

    • Allowed clients. Specify which clients are permitted to use your DNS server. Please note that allowed clients are not counted in added access rules, only disallowed clients and domains

    Added rules

    • Disallowed clients. List clients that are denied to use your DNS server
    • Disallowed domains. Specify domain names that will be denied access to your DNS server. Wildcards and DNS filtering rules can also be listed here
    note

    If you only want to use DNS on certain AS numbers or IP addresses, you should block everything else in the Disallowed clients field. Simply allowing only the necessary numbers and addresses in the Allowed clients field won’t be enough.

    By setting up these options, you can control who uses your DNS server and prevent potential DDoS attacks. Requests that are not allowed will not appear in your Query log, and they are free of charge.
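
Review bot: in Access settings the "Allowed clients" bullet reads as an allowlist, and only the note after the "Disallowed domains" bullet says that listing clients there does not restrict anyone else. Move the note's point ("Simply allowing only the necessary numbers and addresses in the Allowed clients field won't be enough") into the bullet itself, so that a reader who stops at the bullet does not leave the server open to every other client. The "DNS-over-HTTPS with authentication" section has a similar gap: it says a login and password are provided, but not where they are shown or how to replace them.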

    - + \ No newline at end of file diff --git a/private-dns/solving-problems/icloud-private-relay/index.html b/private-dns/solving-problems/icloud-private-relay/index.html index f0e8ae71b..58d3e2ac7 100644 --- a/private-dns/solving-problems/icloud-private-relay/index.html +++ b/private-dns/solving-problems/icloud-private-relay/index.html @@ -4,13 +4,13 @@ Using alongside iCloud Private Relay | AdGuard DNS Knowledge Base - +

    Using alongside iCloud Private Relay

    When you're using iCloud Private Relay, the AdGuard DNS dashboard (and associated AdGuard test page) will show that you are not using AdGuard DNS on that device.

    Device is not connected

    To fix this problem, you need to allow AdGuard websites see your IP address in your device's settings.

    • On iPhone or iPad:

      1. Go to adguard-dns.io

      2. Tap the Page Settings button, then tap Show IP Address

        iCloud Private Relay settings *mobile

      3. Repeat for adguard.com

    • On Mac:

      1. Go to adguard-dns.io

      2. In Safari, choose ViewReload and Show IP Address

      3. Repeat for adguard.com

    If you can't see the option to temporarily allow a website to see your IP address, update your device to the latest version of iOS, iPadOS, or macOS, then try again.

    Now your device should be displayed correctly in the AdGuard DNS dashboard:

    Device is connected

    Mind that once you turn off Private Relay for a specific website, your network provider will also be able to see which site you're browsing.
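
Review bot: the privacy caveat in the last sentence ("your network provider will also be able to see which site you're browsing") comes after the reader has already changed the setting for both sites; move it above the steps. "allow AdGuard websites see your IP address" needs "to see". The page should also state outright that Show IP Address is a temporary, per-site setting, which the troubleshooting sentence ("temporarily allow a website to see your IP address") only implies.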

    - + \ No newline at end of file diff --git a/private-dns/solving-problems/known-issues/index.html b/private-dns/solving-problems/known-issues/index.html index 364e084d9..b0725c627 100644 --- a/private-dns/solving-problems/known-issues/index.html +++ b/private-dns/solving-problems/known-issues/index.html @@ -4,13 +4,13 @@ Known issues | AdGuard DNS Knowledge Base - +

    Known issues

    After setting up AdGuard DNS, some users may find that it doesn’t work properly: they see a message that their device is not connected to AdGuard DNS and the requests from that device are not displayed in the Query log. This can happen because of certain hidden settings in your browser or operating system. Let’s look at several common issues and their solutions.

    tip

    You can check the status of AdGuard DNS on the test page.

    Chrome’s secure DNS settings

    If you’re using Chrome and you don’t see any requests in your AdGuard DNS dashboard, this may be because Chrome uses its own DNS server. Here’s how you can disable it:

    1. Open Chrome’s settings.
    2. Navigate to Privacy and security.
    3. Select Security.
    4. Scroll down to Use secure DNS.
    5. Disable the feature.

    Chrome’s Use secure DNS feature

    If you disable Chrome’s own DNS settings, the browser will use the DNS specified in your operating system, which should be AdGuard DNS if you've set it up correctly.

    iCloud Private Relay (Safari, macOS, and iOS)

    If you enable iCloud Private Relay in your device settings, Safari will use Apple’s DNS addresses, which will override the AdGuard DNS settings.

    Here’s how you can disable iCloud Private Relay on your iPhone:

    1. Open Settings and tap your name.
    2. Select iCloudPrivate Relay.
    3. Turn off Private Relay.

    iOS Private Relay

    On your Mac:

    1. Open System Settings and click your name or Apple ID.
    2. Select iCloudPrivate Relay.
    3. Turn off Private Relay.
    4. Click Done.

    macOS Private Relay

    Advanced Tracking and Fingerprinting Protection (Safari, starting from iOS 17)

    After the iOS 17 update, Advanced Tracking and Fingerprinting Protection may be enabled in Safari settings, which could potentially have a similar effect to iCloud Private Relay bypassing AdGuard DNS settings.

    Here’s how you can disable Advanced Tracking and Fingerprinting Protection:

    1. Open Settings and scroll down to Safari.
    2. Tap Advanced.
    3. Disable Advanced Tracking and Fingerprinting Protection.

    iOS Tracking and Fingerprinting Protection *mobile
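
Review bot: each of the three fixes turns off a browser or OS privacy feature (Use secure DNS, Private Relay, Advanced Tracking and Fingerprinting Protection) and none says what the user gives up. The iCloud Private Relay page in this same patch does, ending with a sentence about the network provider seeing the site. Add one line per section on the tradeoff. The Advanced Tracking and Fingerprinting Protection paragraph is also hedged twice ("may be enabled", "could potentially have a similar effect"); say plainly whether the feature bypasses the configured DNS. It would also help to mention the server-side "Block access to iCloud Private Relay" option described under Advanced settings as an alternative to changing each device.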

    - + \ No newline at end of file diff --git a/private-dns/solving-problems/remove-dns-profile/index.html b/private-dns/solving-problems/remove-dns-profile/index.html index 49fb25795..a1b50f952 100644 --- a/private-dns/solving-problems/remove-dns-profile/index.html +++ b/private-dns/solving-problems/remove-dns-profile/index.html @@ -4,13 +4,13 @@ How to remove a DNS profile | AdGuard DNS Knowledge Base - +

    How to remove a DNS profile

    If you need to disconnect your iPhone, iPad, or Mac with a configured DNS profile from your DNS server, you need to remove that DNS profile. Here's how to do it.

    On your Mac:

    1. Open System Settings.

    2. Click Privacy & Security.

    3. Scroll down to Profiles.

      Profiles

    4. Select a profile and click .

      Deleting a profile

    5. Confirm the removal.

      Confirmation

    On your iOS device:

    1. Open Settings.

    2. Select General.

      General settings *mobile

    3. Scroll down to VPN & Device Management.

      VPN & Device Management *mobile

    4. Select the desired profile and tap Remove Profile.

      Profile *mobile

      Deleting a profile *mobile

    5. Enter your device password to confirm the removal.

    - + \ No newline at end of file diff --git a/public-dns/overview/index.html b/public-dns/overview/index.html index 48f3b740f..790680969 100644 --- a/public-dns/overview/index.html +++ b/public-dns/overview/index.html @@ -4,14 +4,14 @@ Overview | AdGuard DNS Knowledge Base - +

    Overview

    What is AdGuard DNS?

    AdGuard DNS is a free, privacy-oriented DNS resolver that provides secure connection and also can block tracking, ads, phishing and adult content (optionally). AdGuard DNS does not require installing any applications. It is easy to use and can be effortlessly set up on any device (smartphones, desktops, routers, game consoles, etc.).

    Public AdGuard DNS servers

    AdGuard DNS has three different types of public servers. "Default" server is for blocking ads, trackers, malware and phishing websites. "Family protection" does the same, but also blocks websites with adult content and enforces "Safe search" option in browsers that provide it. "Non-filtering" provides a secure and reliable connection but doesn't block anything. You can find detailed instructions on setting up AdGuard DNS on any device on our website. -Each server supports different secure protocols: DNSCrypt, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ).

    AdGuard DNS protocols

    Besides plain DNS (both IPv4 and IPv6) AdGuard DNS supports various encrypted protocols, so you can choose the one that suits you best.

    DNSCrypt

    AdGuard DNS allows you to use a specific encrypted protocol — DNSCrypt. Thanks to it, all DNS requests are being encrypted, which protects you from possible request interception and subsequent eavesdropping and/or alteration. But compared to the DoH, DoT and DoQ protocols, DNSCrypt is considered obsolete and if possible we recommend using these protocols.

    DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

    DoH and DoT are modern secure DNS protocols that gain more and more popularity and will become the industry standards for the foreseeable future. Both are more reliable than DNSCrypt and both are supported by AdGuard DNS.

    DNS-over-QUIC (DoQ)

    DNS-over-QUIC is a new DNS encryption protocol and AdGuard DNS is the first public resolver that supports it. Unlike DoH and DoT, it uses QUIC as a transport protocol and finally brings DNS back to its roots — working over UDP. It brings all the good things that QUIC has to offer — out-of-the-box encryption, reduced connection times, better performance when data packets are lost. Also, QUIC is supposed to be a transport-level protocol and there are no risks of metadata leaks that could happen with DoH.

    - +Each server supports different secure protocols: DNSCrypt, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ).

    AdGuard DNS protocols

    Besides plain DNS (both IPv4 and IPv6) AdGuard DNS supports various encrypted protocols, so you can choose the one that suits you best.

    DNSCrypt

    AdGuard DNS allows you to use a specific encrypted protocol — DNSCrypt. Thanks to it, all DNS requests are being encrypted, which protects you from possible request interception and subsequent eavesdropping and/or alteration. But compared to the DoH, DoT and DoQ protocols, DNSCrypt is considered obsolete and if possible we recommend using these protocols.

    DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

    DoH and DoT are modern secure DNS protocols that gain more and more popularity and will become the industry standards for the foreseeable future. Both are more reliable than DNSCrypt and both are supported by AdGuard DNS.

    JSON API for DNS

    AdGuard DNS also provides a JSON API for DNS. It is possible to get a DNS response in JSON by typing:

    curl 'https://dns.adguard-dns.com/resolve?name=www.example.com'

    For detailed documentation, refer to Google's guide to JSON API for DNS-over-HTTPS. Getting a DNS response in JSON works the same way with AdGuard DNS.

    note

    Unlike with Google DNS, AdGuard DNS doesn't support edns_client_subnet and Comment values in response JSONs.

    DNS-over-QUIC (DoQ)

    DNS-over-QUIC is a new DNS encryption protocol and AdGuard DNS is the first public resolver that supports it. Unlike DoH and DoT, it uses QUIC as a transport protocol and finally brings DNS back to its roots — working over UDP. It brings all the good things that QUIC has to offer — out-of-the-box encryption, reduced connection times, better performance when data packets are lost. Also, QUIC is supposed to be a transport-level protocol and there are no risks of metadata leaks that could happen with DoH.
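Review bot: The new "JSON API for DNS" section lands between "DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)" and "DNS-over-QUIC (DoQ)", so the DoQ paragraph's "Unlike DoH and DoT" now follows the JSON API note rather than the section it contrasts with. Placing the new section after DoQ, or as a subsection of DoH, would keep the protocol comparison together. The section also shows only the name parameter in the curl example and defers the rest to Google's guide, while the note says AdGuard DNS differs from Google DNS (no edns_client_subnet, no Comment values). Please state which request parameters the /resolve endpoint accepts, so readers do not have to infer supported behaviour from another provider's documentation.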

    + \ No newline at end of file diff --git a/public-dns/solving-problems/how-to-flush-dns-cache/index.html b/public-dns/solving-problems/how-to-flush-dns-cache/index.html index 3b9103524..05c512413 100644 --- a/public-dns/solving-problems/how-to-flush-dns-cache/index.html +++ b/public-dns/solving-problems/how-to-flush-dns-cache/index.html @@ -4,13 +4,13 @@ How to flush DNS cache | AdGuard DNS Knowledge Base - +

    How to flush DNS cache

    info

    Here we explain how you can flush the DNS cache to resolve public DNS issues. You can use AdGuard Ad Blocker to set up DNS servers, including encrypted ones

    Quick link: Download AdGuard Ad Blocker

    What is DNS cache?

    DNS cache stores the IP addresses of visited sites on the local computer so that they load faster next time. Instead of doing a long DNS lookup, the system answers the queries with DNS records from the temporary DNS cache.

    The DNS cache contains so-called resource records (RRs), which are:

    • Resource data (or rdata);
    • Record type;
    • Record name;
    • TTL (time to live);
    • Class;
    • Resource data length.

    When you might need to clear the cache

    You've changed your DNS provider to AdGuard DNS. If the user has changed their DNS, it may take some time to see the result because of the cache.

    You regularly get a 404 error. For example, the website has been transferred to another server, and its IP address has changed. To make the browser open the website from the new IP address, you need to remove the cached IP from the DNS cache.

    You want to improve your privacy.

    How to flush DNS cache on different OSs

    iOS

    There are different ways to clear the DNS cache on your iPad or iPhone.

    The simplest way is to activate the Airplane mode (for example, in the Control Center or in the Settings app) and to deactivate it again. The DNS cache will be flushed.

    Another option is to reset the network settings of your device in the Settings app. Open General, scroll down, find Reset and tap Reset Network Settings.

    note

    By doing that, you will lose connections to Wi-Fi routers and other specific network settings, including DNS servers customizations. You will need to reset them manually.

    Android

    There are different ways to clear the DNS cache on your Android device. The exact steps may vary depending on the version of Android you're using and the device manufacturer.

    Clear DNS cache via Chrome

    Google Chrome, often the default browser on Android, has its own DNS cache. To flush this cache in the Chrome browser, follow the instructions below:

    1. Launch Chrome on your Android device
    2. Type chrome://net-internals/#DNS in the address bar
    3. On the DNS lookup page, choose DNS from the menu on the left
    4. In the panel on the right, tap the Clear Host Cache button to clear the DNS cache on your device

    Modify the Wi-Fi network to Static

    To clear your Android device's DNS cache by changing Wi-Fi network settings to Static, follow these steps:

    1. Go to Settings → Wi-Fi and choose the network you're connected to
    2. Look for IP settings and select Static
    3. Fill in the required fields. You can get the necessary information from your network administrator or from your router's configuration page
    4. After entering the required information, reconnect to your Wi-Fi network. This action will force your device to update its IP and DNS settings and clear the DNS cache

    Reset network settings

    Another option is to reset the network settings of your device in the Settings app. Open Settings → System → Advanced → Reset options → Reset network settings and tap Reset Settings to confirm.

    note

    By doing that, you will lose connections to Wi-Fi routers and other specific network settings, including DNS servers customizations. You will need to reset them manually.

    macOS

    To clear the DNS cache on macOS, open the Terminal (you can find it by using the Spotlight search — to do that, press Command+Space and type Terminal) and enter the following command:

    sudo killall -HUP mDNSResponder

    On macOS Big Sur 11.2.0 and macOS Monterey 12.0.0, you may also use this command:

    sudo dscacheutil -flushcache

    After that, enter your administrator password to complete the process.

    Windows

    To flush DNS cache on your Windows device, do the following:

    Open the Command Prompt as an administrator. You can find it in the Start Menu by typing command prompt or cmd. Then type ipconfig /flushdns and press Enter.

    You will see the line Successfully flushed the DNS Resolver Cache. Done!

    Linux

    Linux does not have OS-level DNS caching unless a caching service such as systemd-resolved, DNSMasq, BIND, or nscd is installed and running. The process of clearing the DNS cache depends on the Linux distribution and the caching service used.

    For each distribution you need to start a terminal window. Press Ctrl+Alt+T on your keyboard and use the corresponding command to clear the DNS cache for the service your Linux system is running.

    To find out which DNS resolver you're using, command sudo lsof -i :53 -S.

    systemd-resolved

    To clear the systemd-resolved DNS cache, type:

    sudo systemd-resolve --flush-caches

    On success, the command doesn’t return any message.

    DNSMasq

    To clear the DNSMasq cache, you need to restart it:

    sudo service dnsmasq restart

    NSCD

    To clear the NSCD cache, you also need to restart the service:

    sudo service nscd restart

    BIND

    To flush the BIND DNS cache, run the command:

    rndc flush

    Then you will need to reload BIND:

    rndc reload

    You will get the message that the server has been successfully reloaded.

    How to flush DNS cache in Chrome

    This may be useful if you do not want restart a browser every time during work with the private AdGuard DNS or AdGuard Home. Settings 1–2 only need to be changed once.

    1. Disable secure DNS in Chrome settings

      chrome://settings/security
    2. Disable Async DNS resolver

      chrome://flags/#enable-async-dns
    3. Press both buttons here

      chrome://net-internals/#sockets
    4. Press Clear host cache

      chrome://net-internals/#dns
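Review bot: In the Linux part of this page, the systemd-resolved step gives only "sudo systemd-resolve --flush-caches"; on current systemd releases the same operation is "resolvectl flush-caches", and the older command name is not present on every distribution, so the page should list both. In the same section, "To find out which DNS resolver you're using, command sudo lsof -i :53 -S." is missing a verb ("run the command"), and in the Chrome section "if you do not want restart a browser" should read "do not want to restart". These lines are unchanged context in this deploy, so the fix belongs in the KnowledgeBaseDNS source rather than in the generated HTML.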
    - + \ No newline at end of file diff --git a/search/index.html b/search/index.html index bf9737bdd..0d1348c65 100644 --- a/search/index.html +++ b/search/index.html @@ -4,13 +4,13 @@ Search the documentation | AdGuard DNS Knowledge Base - + - + \ No newline at end of file