Previously, I documented my Orange Pi Zero 3 setup with DietPi. Here is how I set up AdGuard Home using the DietPi installer.

AdGuard Home (AGH)

AdGuard Home (AGH) is an open-source ad-blocking DNS sinkhole written in Go. I chose to use AGH instead of Pi-hole because it is written in Go (I hope it will perform better), and it supports encrypted upstream DNS resolvers (DoT and DoH, covered below).

On my setup, AGH takes the most RAM of all the software I install, consuming 160 MB on average.

Installation

Simply install AdGuard Home via dietpi-software. DietPi installs AdGuard Home with unbound as the local DNS resolver running on port 5335.

Configuration

I make a few AGH configuration changes by editing /mnt/dietpi_userdata/AdGuardHome.yaml:

  • since I seldom check the query log and statistics anyway, I want to reduce SD card wear and keep them on the RAMlog at /var/log instead, and
  • I prefer not to hardcode the upstream DNS in the dietpi.conf file; the AGH web user interface (UI) lets me change the upstream DNS easily, so I clear the upstream_dns_file value.
log:
  file: ""
upstream_dns_file: ""
querylog:
  enabled: true
  file_enabled: true
  dir_path: /var/log
statistics:
  enabled: true
  dir_path: /var/log

Now I can restart AGH with systemctl restart adguardhome. Then I log in to the web UI, e.g. at http://192.168.0.10:8083, as admin using the root user’s password.

Via the Settings page, I configure:

  • General settings - I enable logs with a 24 hour rotation, since I don’t really bother to check them. Statistics I keep for a week.
  • DNS settings - more on that later, depending on if I use unbound or else some other DNS resolver.

And via the Filters page, I configure:

  • DNS blocklists - for now, I enable:
    • AdGuard DNS filter and Popup Hosts filter
    • HaGeZi's Pro++ blocklist, Samsung and Xiaomi Tracker Blocklists
    • HaGeZi's Threat Intelligence Feeds
  • DNS rewrites - I use this as a shortcut to local DNS resolution by hard-coding transform rules (Answer and Domain respectively):
    192.160.0.100   DietPi.home.arpa
    192.160.0.100   DietPi.home
    192.160.0.100   DietPi
  • Blocked services - yup, I block a whole bunch too, e.g. 4chan, 9GAG, etc.

Upstream DNS

Unbound is great because it queries the root / authoritative DNS servers directly, but I think those queries will always be unencrypted. Assuming I want encrypted DNS resolution, then to be honest, I am not sure whether using unbound is necessary or optimal...

So the options are:

  • Default Install: AGH --> unbound as a private DNS server --> root / authoritative DNS
  • Option 1: via unbound with DoT: AGH --> unbound --> DoT to DNS provider like CloudFlare or Quad9
  • Option 2: AGH DoT/DoH directly (without unbound): AGH --> DoT or DoH to upstream DNS providers directly

Option 1: Via Unbound with DoT

To enable DNS over TLS (DoT) via unbound, just follow the DietPi DNS Servers documentation... though I preferred to create the configuration file /etc/unbound/unbound.conf.d/dietpi-dot.conf manually:

# Adding DNS-over-TLS support
server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.3@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net

BTW, if you use unbound you may also want to tune it in /etc/unbound/unbound.conf.d/dietpi.conf:

server:
  verbosity: 0

Option 2: AGH DoT/DoH directly

This is the configuration I settled on.

I edit the upstream DNS servers via the AGH UI’s DNS Settings, removing the default 127.0.0.100:5335 connection to unbound and adding one or more of these for CloudFlare (1.1.1.1) and Quad9 (9.9.9.9) via DoT and DoH respectively:

tls://1.1.1.1
tls://9.9.9.9
h3://1.1.1.3/dns-query
h3://9.9.9.9/dns-query
tls://family.cloudflare-dns.com

I prefer to use CloudFlare for Families with No Malware and Adult Content, i.e. 1.1.1.3, but tls://1.1.1.3 does not work! However, tls://family.cloudflare-dns.com does!
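Before trusting that the whole resolution path is encrypted, it is worth auditing the upstream list as a whole: a leftover plaintext hop to unbound, or a bare-IP tls:// entry, changes what actually leaves the box. The script below is an added example (not AGH or DietPi code) that parses the upstream entry forms used on this page and classifies each one; the sample list and the [/home.arpa/] router entry are constructed for illustration.

```python
# Added example (not AGH code): classify AdGuard Home upstream entries by transport.
import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit

DEFAULT_PORT = {"udp": 53, "tcp": 53, "tls": 853, "quic": 853, "https": 443, "h3": 443}
ENCRYPTED = {"tls", "quic", "https", "h3"}
class Upstream(NamedTuple):
    scheme: str
    host: str
    port: int
    domains: tuple  # non-empty only for "[/domain/]upstream" entries

def parse_upstream(entry: str) -> Upstream:
    spec, domains = entry.strip(), ()
    if spec.startswith("[/"):                 # domain-specific upstream
        scope, spec = spec[2:].split("/]", 1)
        domains = tuple(d for d in scope.split("/") if d)
    if "://" not in spec:                     # bare "ip:port" means plain DNS over UDP/TCP
        spec = "udp://" + spec
    url = urlsplit(spec)
    scheme = url.scheme.lower()
    if scheme not in DEFAULT_PORT or not url.hostname:
        raise ValueError(f"unsupported upstream: {entry!r}")
    return Upstream(scheme, url.hostname, url.port or DEFAULT_PORT[scheme], domains)

def audit(entries) -> dict:
    """Verdict per entry: ok | plaintext | plaintext-loopback | bare-ip-tls."""
    verdicts = {}
    for entry in entries:
        if not entry.strip() or entry.lstrip().startswith("#"):
            continue  # blank line or comment
        up = parse_upstream(entry)
        try:
            ip = ipaddress.ip_address(up.host)
        except ValueError:
            ip = None  # hostname, not a literal address
        if up.scheme not in ENCRYPTED:
            # loopback (e.g. unbound on :5335) is fine on the wire; encryption then depends on that resolver's forwarders
            verdicts[entry] = "plaintext-loopback" if ip and ip.is_loopback else "plaintext"
        elif ip:
            # TLS to a bare IP is validated against an IP SAN in the server certificate; prefer the hostname form
            verdicts[entry] = "bare-ip-tls"
        else:
            verdicts[entry] = "ok"
    return verdicts

# Constructed sample mirroring the upstreams discussed on this page.
SAMPLE = ["127.0.0.1:5335", "tls://1.1.1.1", "h3://9.9.9.9/dns-query",
          "tls://family.cloudflare-dns.com", "[/home.arpa/]192.168.0.1"]
```

Running audit(SAMPLE) reports the unbound hop as plaintext-loopback and the bare-IP entries as bare-ip-tls, which is one thing to check when a tls://<ip> entry fails where the hostname form works.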

I don’t need unbound in this case and can uninstall it via dietpi-software... or at a minimum disable it from running and auto-starting to save memory, via dietpi-services:

  • select unbound, and
  • make sure Mode is disabled.