Andrey Meshkov 2020-05-15 14:34:28 +03:00
parent b4a9bd3052
commit 932f93164e
1 changed files with 37 additions and 18 deletions

@ -2,21 +2,23 @@
We are proud to say that AdGuard Home supports all modern DNS encryption protocols **out-of-the-box**: We are proud to say that AdGuard Home supports all modern DNS encryption protocols **out-of-the-box**:
* [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) - [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
* [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) - [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
* [DNSCrypt](https://dnscrypt.info/) (upstreams only) - [DNSCrypt](https://dnscrypt.info/) (upstreams only)
In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home. In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.
1. [Install AdGuard Home on your server](#install) 1. [Install AdGuard Home on your server](#install)
2. [Register a domain name](#register) 2. [Register a domain name](#register)
3. [Get an SSL certificate](#certificate) 3. [Get an SSL certificate](#certificate)
* [Install CertBot](#certbot) - [Install CertBot](#certbot)
* [Get a certificate using DNS challenge](#certbot-dnschallenge) - [Get a certificate using DNS challenge](#certbot-dnschallenge)
- [Alternative to CertBot: Lego](#lego)
4. [Configure AdGuard Home](#configure-home) 4. [Configure AdGuard Home](#configure-home)
5. [Configure your devices](#configure-devices) 5. [Configure your devices](#configure-devices)
<a id="install"></a> <a id="install"></a>
## Install AdGuard Home on your server ## Install AdGuard Home on your server
It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP. It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP.
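Review bot: the bullet-marker change from `*` to `-` on the list lines (the DNS-over-HTTPS, DNS-over-TLS and DNSCrypt items and the two "Install CertBot" / "Get a certificate using DNS challenge" sub-items) is cosmetic churn mixed into the one real content change, the new "Alternative to CertBot: Lego" table-of-contents entry; keeping marker-style changes in a separate commit would make the content addition easier to review. While here, "how to setup your own" should read "how to set up your own" (verb form), and "third-parties" needs no hyphen.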
@ -24,11 +26,13 @@ It does not make much sense to configure DNS encryption inside of your own local
It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: [DigitalOcean](https://digitalocean.com), [Vultr](https://vultr.com), [Linode](https://www.linode.com/), etc. Just choose one, create a cloud server there, and [install AdGuard Home](Getting-Started) on your server. It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: [DigitalOcean](https://digitalocean.com), [Vultr](https://vultr.com), [Linode](https://www.linode.com/), etc. Just choose one, create a cloud server there, and [install AdGuard Home](Getting-Started) on your server.
<a id="register"></a> <a id="register"></a>
## Register a domain name ## Register a domain name
First of all, you need a domain name. If you have never registered one, here is a [simple instruction](https://www.pcworld.com/article/241722/web-apps/how-to-register-your-own-domain-name.html) that will help you with that. First of all, you need a domain name. If you have never registered one, here is a [simple instruction](https://www.pcworld.com/article/241722/web-apps/how-to-register-your-own-domain-name.html) that will help you with that.
<a id="certificate"></a> <a id="certificate"></a>
## Get an SSL certificate ## Get an SSL certificate
Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption](https://en.wikipedia.org/wiki/Transport_Layer_Security) so in order to use them, you will need to acquire an SSL certificate. Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption](https://en.wikipedia.org/wiki/Transport_Layer_Security) so in order to use them, you will need to acquire an SSL certificate.
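Review bot: "cheap cloud servers providers" should be "cheap cloud server providers", and "here is a simple instruction" reads better as "here are simple instructions". No content changes in this hunk otherwise; these lines appear to be context around an added blank line.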
@ -40,6 +44,7 @@ Alternatively, you can get the certificate for free from ["Let's Encrypt" CA](ht
In this guide I'll explain how to get a certificate from them. In this guide I'll explain how to get a certificate from them.
<a id="certbot"></a> <a id="certbot"></a>
### Install CertBot ### Install CertBot
Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt. Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt.
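Review bot: "Lets Encrypt" should be "Let's Encrypt" (the same misspelling appears in the hunk header's context text). This line is unchanged context here, so it can go into a follow-up commit.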
@ -48,24 +53,37 @@ Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt
2. Follow the installation instructions, and stop there - don't get to the "Get Started" section. 2. Follow the installation instructions, and stop there - don't get to the "Get Started" section.
<a id="certbot-dnschallenge"></a> <a id="certbot-dnschallenge"></a>
### Get a certificate using DNS challenge ### Get a certificate using DNS challenge
You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate. You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate.
Run this command and follow the certbot's instructions: Run this command and follow the certbot's instructions:
```bash ```bash
sudo certbot certonly --manual --preferred-challenges=dns sudo certbot certonly --manual --preferred-challenges=dns
``` ```
In the end you'll get two files: In the end you'll get two files:
* `fullchain.pem` -- your PEM-encoded SSL certificate
* `privkey.pem` -- your PEM-encoded private key - `fullchain.pem` -- your PEM-encoded SSL certificate
- `privkey.pem` -- your PEM-encoded private key
Both will be necessary to configure AdGuard Home. Both will be necessary to configure AdGuard Home.
> You will need to use the very same procedure to renew the existing certificate. > You will need to use the very same procedure to renew the existing certificate.
<a id="lego"></a>
### Alternative to CertBot: Lego
There's also a really nice and easy-to-use alternative to CertBot called [lego](https://go-acme.github.io/lego/).
1. Install it using [an appropriate method](https://go-acme.github.io/lego/installation/).
2. Choose your DNS provider from [the list](https://go-acme.github.io/lego/dns/) and follow the instruction to obtain a certificate.
<a id="configure-home"></a> <a id="configure-home"></a>
## Configure AdGuard Home ## Configure AdGuard Home
1. Open AdGuard Home web interface and go to settings. 1. Open AdGuard Home web interface and go to settings.
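Review bot: the new "Alternative to CertBot: Lego" section has no counterpart to the renewal note given for certbot ("You will need to use the very same procedure to renew the existing certificate"), so a reader who chooses lego over certbot is left without renewal guidance; add a sentence pointing at lego's `renew` subcommand or at the per-provider page already linked. Also "follow the instruction to obtain a certificate" should be "follow the instructions". Minor: since `privkey.pem` is the private key, the paragraph ending "Both will be necessary to configure AdGuard Home." could remind readers to keep that file's permissions restricted when copying it to the AdGuard Home host.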
@ -77,6 +95,7 @@ Both will be necessary to configure AdGuard Home.
6. Click "Save settings". 6. Click "Save settings".
<a id="configure-devices"></a> <a id="configure-devices"></a>
## Configure your devices ## Configure your devices
Please note that encrypted DNS protocols are supported only on Android 9. So you need to install additional software for other operating systems. Please note that encrypted DNS protocols are supported only on Android 9. So you need to install additional software for other operating systems.
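Review bot: "encrypted DNS protocols are supported only on Android 9" is imprecise in two ways: the Android section below states that Android 9 natively supports DNS-over-TLS (not every encrypted protocol), and the native support is present on Android 9 and later, not on Android 9 alone. Suggested wording: "Please note that only Android 9 and later natively supports an encrypted DNS protocol (DNS-over-TLS). For other operating systems you need to install additional software."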
@ -85,19 +104,19 @@ Here's a list of software you can use.
### Android ### Android
* Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there. - Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
* [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`. - [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`.
* [Intra](https://getintra.org/) adds `DNS-over-HTTPS` support to Android. - [Intra](https://getintra.org/) adds `DNS-over-HTTPS` support to Android.
### iOS ### iOS
* [DNSCloak](https://itunes.apple.com/app/id1452162351) supports `DNS-over-HTTPS` but in order to configure it to use your own server, you'll need to generate a [DNS Stamp](https://dnscrypt.info/stamps) for it. - [DNSCloak](https://itunes.apple.com/app/id1452162351) supports `DNS-over-HTTPS` but in order to configure it to use your own server, you'll need to generate a [DNS Stamp](https://dnscrypt.info/stamps) for it.
* [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`. - [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`.
### Other implementations ### Other implementations
* AdGuard Home itself can be a secure DNS client on any platform. - AdGuard Home itself can be a secure DNS client on any platform.
* [dnsproxy](https://github.com/AdguardTeam/dnsproxy) supports all known secure DNS protocols. - [dnsproxy](https://github.com/AdguardTeam/dnsproxy) supports all known secure DNS protocols.
* [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) supports `DNS-over-HTTPS`. - [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) supports `DNS-over-HTTPS`.
* [Mozilla Firefox](https://www.mozilla.org/firefox/) supports `DNS-over-HTTPS`. - [Mozilla Firefox](https://www.mozilla.org/firefox/) supports `DNS-over-HTTPS`.
* You will find more implementations [here](https://dnscrypt.info/implementations) and [here](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients). - You will find more implementations [here](https://dnscrypt.info/implementations) and [here](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients).
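Review bot: the Mozilla Firefox entry says it supports DNS-over-HTTPS but, unlike the DNSCloak entry (which tells the reader a DNS Stamp must be generated), gives no hint how to point it at your own server; add that Firefox accepts a custom DNS-over-HTTPS provider URL under its network settings (the "Custom" option in the DNS over HTTPS section). Also, "dnsproxy supports all known secure DNS protocols" is vague; naming the protocols this guide covers (DNS-over-HTTPS, DNS-over-TLS, DNSCrypt) would be more useful to the reader.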