Pull request: add DNSCrypt.md

Merge in DNS/adguard-home-wiki from 2377-dnscrypt to master

Closes #2377.
Updates #1361.

Squashed commit of the following:

commit 45347ecd32d59842c63ceca84b8bb7ff4f971861
Author: Andrey Meshkov <am@adguard.com>
Date:   Mon Dec 7 17:51:03 2020 +0300

    Added DNSCrypt clients, some minor improvements

commit 95568c19d9b529d649e621f732c0d0ec5cc7bf4b
Merge: 033e504 4cd04b5
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Dec 2 17:43:10 2020 +0300

    Merge branch 'master' into 2377-dnscrypt

commit 033e504d72604482a1a555427828b5b05a8a439c
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Mon Nov 30 21:15:43 2020 +0300

    add DNSCrypt.md
Ainar Garipov 2020-12-07 17:55:01 +03:00
parent 4cd04b5f38
commit ba710e1f23
5 changed files with 107 additions and 11 deletions

@ -243,8 +243,14 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
- `enabled` - encryption (DOT/DOH/HTTPS) status.
- `server_name` - the hostname of your HTTPS/TLS server.
- `force_https` - if true, forces HTTP->HTTPS redirect.
- `port_https` - HTTPS port. If 0, HTTPS will be disabled.
- `port_dns_over_tls` - DNS-over-TLS port. If 0, DOT will be disabled.
- `port_https` - HTTPS port. If `0`, HTTPS is disabled.
- `port_dns_over_tls` - DNS-over-TLS port. If `0`, DOT is disabled.
- `port_dns_over_quic` - DNS-over-QUIC port. If `0`, DOQ is disabled.
- `port_dnscrypt` - DNSCrypt port. If `0`, DNSCrypt is disabled. See
[DNSCrypt] for more information and examples.
- `dnscrypt_config_file` - DNSCrypt configuration file path. **Must** be set
if `port_dnscrypt` is not `0`. See the [`dnscrypt`] utility documentation
for examples of configuration generation.
- `allow_unencrypted_doh` - Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
- `certificate_chain` - PEM-encoded certificates chain.
- `strict_sni_check` - Reject connection if the client uses server name (in SNI) that doesn't match the certificate
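Review bot: `dnscrypt_config_file` is documented as mandatory when `port_dnscrypt` is non-zero, but the entry does not say what a relative path such as `./dnscrypt.yaml` (the value used in the DNSCrypt page's example) is resolved against, the process working directory or the directory of the AdGuardHome binary; state that here, because services started from init scripts frequently run with a different working directory and will fail to find the file. Worth one more sentence: this file is what the server uses to prove it is the provider named in the stamp, so it should be readable only by the AdGuard Home process, unlike the stamp, which is meant to be shared. Minor: `enabled` is still described as "encryption (DOT/DOH/HTTPS) status" while the list now adds DOQ and DNSCrypt ports below it; say whether `enabled: false` also turns those off.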
@ -262,6 +268,9 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
Removing an entry from settings file will reset it to the default value. Deleting the file will reset all settings to the default values.
[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt
[`dnscrypt`]: https://github.com/ameshkov/dnscrypt
<a id="password-reset"></a>
## Reset Web Password
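Review bot: the two new link-reference definitions (`[DNSCrypt]:` and `` [`dnscrypt`]: ``) are dropped in the middle of the page, directly before the `password-reset` anchor, whereas the rest of this page links inline (see the YAML link in the section intro); either move them to the end of the file or inline the URLs in the two list entries that use them. Also, `` [`dnscrypt`] `` points to https://github.com/ameshkov/dnscrypt here but to https://github.com/ameshkov/dnscrypt/releases in the new DNSCrypt page; pick one target so the two pages do not drift.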

DNSCrypt.md Normal file (76 lines)

@ -0,0 +1,76 @@
# *AdGuard Home* - *DNSCrypt*
1. [Generating A Configuration File](#generate-config)
2. [Generating A *DNSCrypt* Stamp](#generate-stamp)
3. [Configuring Devices To Use *DNSCrypt*](#configure-devices)
<a id="generate-config"></a>
## Generating A Configuration File
Here is how to generate a *DNSCrypt* configuration file and point *AdGuardHome*
to it:
1. Get the latest version of the [`dnscrypt`] utility for your system.
2. Run:
```sh
$ dnscrypt generate --provider-name '2.dnscrypt-cert.example.org' --out ./dnscrypt.yaml
```
Where `example.org` is the name of your host and `./dnscrypt.yaml` is the
name of the configuration output file.
3. In your *AdGuardHome* configuration file (typically `AdGuardHome.yaml`), add
the following lines:
```yaml
'tls':
# …
'port_dnscrypt': 5443
'dnscrypt_config_file': './dnscrypt.yaml'
```
Where `5443` is the port for your *DNSCrypt* server and `./dnscrypt.yaml` is
the name of the configuration file generated in step 2.
[`dnscrypt`]: https://github.com/ameshkov/dnscrypt/releases
<a id="generate-stamp"></a>
## Generating A *DNSCrypt* Stamp
Here is how to generate a *DNSCrypt* stamp and check your installation:
1. Go to <https://dnscrypt.info/stamps/>.
2. Enter the data from your *DNSCrypt* configuration file. The *Provider
public key* is the value of the `public_key` field in your *DNSCrypt*
configuration file. **Do not forget** to enter the host with your custom port!
3. Now you have a stamp that looks something like this:
```none
sdns://AQcAAAAAAAAADTEyNy4wLjAuMTo0NDMg8R3bzEgX5UOEX93Uy4gYSbZCJvPeOXYlZp2HuRm8T7AbMi5kbnNjcnlwdC1jZXJ0LmV4YW1wbGUub3Jn
```
Check your installation by running:
```sh
$ dnscrypt lookup-stamp\
--domain 'example.com'\
--stamp 'sdns://AQcAAAAAAAAADTEyNy4wLjAuMTo0NDMg8R3bzEgX5UOEX93Uy4gYSbZCJvPeOXYlZp2HuRm8T7AbMi5kbnNjcnlwdC1jZXJ0LmV4YW1wbGUub3Jn'\
--type 'a'
```
Where `example.com` is the domain name to lookup.
<a id="configure-devices"></a>
## Configuring Devices To Use *DNSCrypt*
- **All platforms:** [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) (reference implementation) - DNSCrypt-Proxy is a command-line proxy for Linux, BSD, Windows, MacOS, Android and more.
- **Android:** [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNSCrypt`.
- **iOS:** [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNSCrypt`.
- **iOS:** [DNSCloak](https://itunes.apple.com/app/id1452162351) uses dnscrypt-proxy internally and supports `DNSCrypt`.
- **Windows:** [AdGuard for Windows](https://adguard.com/en/adguard-windows/overview.html) supports `DNSCrypt`.
- **Windows:** [Simple DNSCrypt](https://simplednscrypt.org/) is a simple management tool to configure and run dnscrypt-proxy on Windows.
You can find more implementations on the [DNSCrypt website](https://dnscrypt.info/implementations).
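Review bot: the sample stamp shown in step 3 of "Generating A DNSCrypt Stamp" and reused in the `lookup-stamp` check decodes to a DNSCrypt endpoint at `127.0.0.1:443` (address length 0x0D, `127.0.0.1:443`, then the 32-byte key and the provider name `2.dnscrypt-cert.example.org`), while step 3 of "Generating A Configuration File" sets `'port_dnscrypt': 5443`; a reader who follows the page literally will test the wrong port, which is exactly the mistake the bold "Do not forget to enter the host with your custom port!" warns about. Regenerate the sample stamp for `127.0.0.1:5443`, or change the example port to 443, so the two sections agree. Two smaller points: the `lookup-stamp` command has no space before each trailing `\`, so if the continuation lines lose their indentation when copied the shell joins `lookup-stamp` and `--domain` into a single word; write `dnscrypt lookup-stamp \` and so on. And next to step 2 it is worth saying explicitly that only the `public_key` value is meant to leave the host; the rest of the generated `dnscrypt.yaml` is server-side material that the stamp generator does not need and that should not be pasted into a web form.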

@ -4,7 +4,9 @@ We are proud to say that AdGuard Home supports all modern DNS encryption protoco
- [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
- [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
- [DNSCrypt](https://dnscrypt.info/) (upstreams only)
- [DNS-over-QUIC](https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-01)
> AdGuard Home also supports [DNSCrypt](https://dnscrypt.info/) (both client-side and server-side). [Read this](DNSCrypt) to learn about configuring AdGuard Home as a DNSCrypt server.
In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.
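Review bot: `DNSCrypt (upstreams only)` is removed from the protocol list and reintroduced as a blockquote under it, so the bullet list now reads as if DNSCrypt were not one of the supported protocols, even though the quote says it is supported both client-side and server-side. Keep it in the list (for example `- [DNSCrypt](https://dnscrypt.info/) (client and server, see [DNSCrypt](DNSCrypt))`) and drop the quote, or leave the bullet in place alongside the quote. Also, in the following sentence "how to setup your own" should read "how to set up your own".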
@ -98,20 +100,26 @@ There's also a really nice and easy-to-use alternative to CertBot called [lego](
## Configure your devices
Please note that encrypted DNS protocols are supported only on Android 9. So you need to install additional software for other operating systems.
Here's a list of software you can use.
### Android
- Android 9 supports DNS-over-TLS natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
- [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`.
- Android 9 supports `DNS-over-TLS` natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
- [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
- [Intra](https://getintra.org/) adds `DNS-over-HTTPS` support to Android.
### iOS
- iOS 14 and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
- [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
- [DNSCloak](https://itunes.apple.com/app/id1452162351) supports `DNS-over-HTTPS` but in order to configure it to use your own server, you'll need to generate a [DNS Stamp](https://dnscrypt.info/stamps) for it.
- [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNS-over-HTTPS` and `DNS-over-TLS`.
### Windows
- Windows 10 Build 19628 and higher support `DNS-over-HTTPS` natively.
- [AdGuard for Windows](https://adguard.com/en/adguard-windows/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
### MacOS
- MacOS Big Sur and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
### Other implementations
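Review bot: the sentence "encrypted DNS protocols are supported only on Android 9" is contradicted by the same hunk, which lists native support on iOS 14, Windows 10 Build 19628 and MacOS Big Sur; reword it to something like "Native support for encrypted DNS depends on the platform and version; where it is missing, you need additional software." Two consistency points: DNSCloak is described here as a `DNS-over-HTTPS` client that needs a DNS Stamp, but on the new DNSCrypt page as a dnscrypt-proxy wrapper that supports `DNSCrypt`; use one description, or link the DNSCrypt page from this entry so the stamp instructions are not duplicated. Under `### MacOS` the instructions still end with "scroll to iOS" for the macOS configuration profile; presumably that should say macOS.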
@ -119,4 +127,5 @@ Here's a list of software you can use.
- [dnsproxy](https://github.com/AdguardTeam/dnsproxy) supports all known secure DNS protocols.
- [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) supports `DNS-over-HTTPS`.
- [Mozilla Firefox](https://www.mozilla.org/firefox/) supports `DNS-over-HTTPS`.
- You will find more implementations [here](https://dnscrypt.info/implementations) and [here](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients).
You can find more implementations [here](https://dnscrypt.info/implementations) and [here](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients).
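Review bot: `dnscrypt-proxy` is linked here as https://github.com/jedisct1/dnscrypt-proxy and credited with `DNS-over-HTTPS` only, while DNSCrypt.md in this same change links https://github.com/DNSCrypt/dnscrypt-proxy and calls it the DNSCrypt reference implementation; update this entry to the same URL and list `DNSCrypt` alongside `DNS-over-HTTPS`, otherwise a reader landing on this page will not find a DNSCrypt client among the "Other implementations".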

@ -29,6 +29,7 @@ The wiki was just recently created, so there isn't much content (yet).
* [Configuration](Configuration)
* [Comparing AdGuard Home to other solutions](Comparison)
* [AdGuard Home as a DNS-over-HTTPS or DNS-over-TLS server](Encryption)
* [AdGuard Home as a DNSCrypt server](DNSCrypt)
* [How to install and run AdGuard Home on Raspberry Pi](Raspberry-Pi)
* [How to install and run AdGuard Home on a Virtual Private Server](VPS)
* [OpenRC service-script](OpenRC)
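Review bot: the new entry sits next to "AdGuard Home as a DNS-over-HTTPS or DNS-over-TLS server", but the Encryption page changed in this same commit now lists DNS-over-QUIC and points readers to the DNSCrypt page; consider retitling that link (for example "AdGuard Home as an encrypted DNS server") so the two entries do not suggest that DoQ is undocumented. The same list is repeated in the final hunk; keep the wording of both entries identical in both places.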

@ -6,6 +6,7 @@
* [Configuration](Configuration)
* [Comparing AdGuard Home to other solutions](Comparison)
* [AdGuard Home as a DNS-over-HTTPS or DNS-over-TLS server](Encryption)
* [AdGuard Home as a DNSCrypt server](DNSCrypt)
* [How to install and run AdGuard Home on Raspberry Pi](Raspberry-Pi)
* [How to install and run AdGuard Home on a Virtual Private Server](VPS)
* [OpenRC service-script](OpenRC)