
AdGuard DNS: A Privacy-Oriented DNS Server - FabianBeiner
https://adguard.com/en/blog/adguard-dns-announcement/
======
ignoramous
The instructions to use AdGuard DNS on their website don't contain how to
use AdGuard DNS over TLS with Android.

For anyone running on Android 9 (edit) or later, navigate to

Settings -> WiFi and Internet -> Private DNS

Select Private DNS provider hostname

Add dns.adguard.org (DNS over TLS)

Click save.

Visit
[https://googleads.g.doubleclick.net/](https://googleads.g.doubleclick.net/)
and you should see the browser's 'Server not found' instead of Google's (disable
existing ad-blockers or they might jump in and block the URL anyway).

---

For anyone on Android 4.0 or later, consider using Google's Intra [0] to use
AdGuard DNS over HTTPS, if you prefer it over Cloudflare's or Google's.

Install Intra.

Open the app, click on Settings.

Choose custom URL and paste: [https://dns.adguard.com/dns-query](https://dns.adguard.com/dns-query)

Be sure to 'lock the app' to prevent it from being killed in the background.

[0] [https://getintra.org](https://getintra.org)

~~~
m0zg
If your goal is to get rid of ads, why would you use _anything_ made by an ad
company?

~~~
LeonM
Because some don't mind the text-based ads, but do mind the 10mb+ animated
flashing overlay ads with audio that make the internet unusable.

~~~
eps
The principal concern is pervasive tracking, not ads.

------
plg
I’ve been using Pi-hole on my home network and it’s amazing. Routinely 18-20%
of DNS requests are blocked. When my wife goes out onto another network she
says she is shocked at how ugly her web browsing becomes (ads on nytimes,
huffpo, etc). I highly recommend it. Am using it with Cloudflare’s encrypted
DNS just as one more middle finger to my ISP.

~~~
jcastro
> Am using it with Cloudflare’s encrypted DNS just as one more middle finger to
> my ISP.

Curious how you set this up? I see Cloudflare as an option in the Pi-hole
settings but it doesn't appear to be encrypted? (at least as a default)

~~~
judge2020
Probably via 'cloudflared':

[https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)

~~~
plg
Yup, cloudflared.

------
Isomer
There are lots of "privacy" improving DNS servers, but none of them mention
trying to remove unintentional DNS queries.

It turns out lots of things will resolve anything that looks vaguely like a
hostname to see if, in fact, it is a hostname, e.g. "untitled.pdf". These
queries get passed to your ISP, and then on towards the root name servers. So
if you run a large nameserver, you quickly find that most of your DNS queries
are very obviously rubbish.

With DNSSEC there are two new records (NSEC, NSEC3) that let you say "between
these two names, I guarantee there are no valid records". Thus if your
nameserver supports this, it can say "there are no valid names between .pccw
and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3
records can both be cached, and your resolver can synthesise NXDOMAIN records
for them. (See RFC 8198 for details.)

So, instead of spraying queries for "untitled.pdf" across the internet, you
can quickly and efficiently return NXDOMAIN.

Another cause of these is search paths: when you look up
"news.ycombinator.net" and that resolution fails, it will try adding the
search path, e.g. "news.ycombinator.net.example.org", again leaking typos and
filenames to everyone in your search path.

If you actually value your privacy, this is the first step that you should
take.
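The NSEC trick described above, as an added example that is not code from the thread: it implements the DNSSEC canonical name ordering and the two checks RFC 8198 requires (an NSEC covering the name, and one covering the wildcard at the closest encloser) before a resolver may synthesise NXDOMAIN for a junk name like "untitled.pdf". The NSEC cache is constructed, modelled on the root zone's chain; it is not real root-zone data.

```python
from typing import List, Optional, Tuple

def _labels(name: str) -> List[bytes]:
    """Labels of a name in canonical form: lowercase, root-most label first."""
    name = name.rstrip(".").lower()
    return [] if not name else [l.encode() for l in name.split(".")][::-1]

def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 in DNSSEC canonical order (RFC 4034 section 6.1): compare label
    by label starting at the root; an ancestor sorts before its descendants."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname lies strictly inside the gap (owner, nxt), i.e. cannot exist."""
    if canonical_cmp(nxt, owner) <= 0:        # last NSEC in the zone wraps to the apex
        return canonical_cmp(owner, qname) < 0
    return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, nxt) < 0

def _common_ancestor(a: str, b: str) -> str:
    """Longest common suffix of two names as a fully qualified name ("." if none)."""
    n = 0
    for x, y in zip(_labels(a), _labels(b)):
        if x != y:
            break
        n += 1
    return ".".join(l.decode() for l in _labels(a)[:n][::-1]) + "."

def synthesize_nxdomain(qname: str, nsec_cache: List[Tuple[str, str]]) -> Optional[str]:
    """Return a proof string if cached NSECs show qname does not exist, else None.
    RFC 8198 section 5.1 needs two things: an NSEC covering qname, and an NSEC
    covering the wildcard at the closest encloser (otherwise a wildcard could match)."""
    covering = next(((o, n) for o, n in nsec_cache if nsec_covers(o, n, qname)), None)
    if covering is None:
        return None                            # no proof cached: must ask upstream
    owner, nxt = covering
    ce = max(_common_ancestor(qname, owner), _common_ancestor(qname, nxt),
             key=lambda c: len(_labels(c)))
    wildcard = "*." + ("" if ce == "." else ce)
    if not any(nsec_covers(o, n, wildcard) for o, n in nsec_cache):
        return None
    return f"NXDOMAIN {qname}: {owner} NSEC {nxt} covers it; no wildcard under {ce}"

# Constructed cache shaped like the root zone's NSEC chain (names taken from the
# "pccw"/"pe" example above; the real chain has many more entries).
ROOT_NSEC_CACHE = [(".", "aaa."), ("pccw.", "pe."), ("zw.", ".")]
```

Run `synthesize_nxdomain("untitled.pdf.", ROOT_NSEC_CACHE)` to see the cached proof; `"www.pe."` returns None because "pe" exists and the resolver really has to ask.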

~~~
JdeBP
The easiest solution to that, that has been known for many years, and the
_actual_ first step that one has been able to take for quite some time now, is
running one's own root content DNS server on the LAN. DNS traffic for queries
that use invalid top-level domains never escapes the LAN and never even
reaches an ISP.

It's a fairly simple exercise in content DNS service. I actually set my
machines up with a root content DNS server each.

* [http://jdebp.eu./Softwares/nosh/guide/services/djbdns.html#Default](http://jdebp.eu./Softwares/nosh/guide/services/djbdns.html#Default)

* [http://cr.yp.to/dnsroot.html](http://cr.yp.to/dnsroot.html)

Search paths are a subject in their own right.

* [http://jdebp.eu./FGA/web-fully-qualified-domain-name.html](http://jdebp.eu./FGA/web-fully-qualified-domain-name.html)

------
time4tea
Pi-hole (free) is good for this kind of thing if you are at home:
[https://pi-hole.net/](https://pi-hole.net/)

I found that Pi-hole did too much so wrote my own. I don't think it has any
users, except in my house, but it seems to work:

[https://github.com/time4tea-net/py-hole/blob/master/README.md](https://github.com/time4tea-net/py-hole/blob/master/README.md)

~~~
Amazonerh
But does it work outside the home and on 4G?

~~~
intopieces
For $5/month you can roll your own OpenVPN server with Digital Ocean and it
will. [0] Bonus: your cellular ISP can't see your traffic and you're
automatically protected at coffee shops.

Downside: Battery life takes a slight hit due to encryption.

[0] [https://www.digitalocean.com/community/tutorials/how-to-block-advertisements-at-the-dns-level-using-pi-hole-and-openvpn-on-ubuntu-16-04](https://www.digitalocean.com/community/tutorials/how-to-block-advertisements-at-the-dns-level-using-pi-hole-and-openvpn-on-ubuntu-16-04)

~~~
LeonM
Regarding the bonus: you're just shifting the problem. Your ISP can't see your
traffic, but now Digital Ocean can.

~~~
woolvalley
Digital Ocean has nowhere near as much of an incentive to sell or track
the huge amounts of traffic that go over most of their B2B customers, while
your ISP wants to up that ARPU number from every B2C customer in every way
possible. And you can switch your cloud server provider easily; your local
monopoly ISP, not so much. Digital Ocean has far more to lose by doing that,
while ISPs have a captive audience.

DO will forward those torrent scare / spam server abuse emails ASAP, so they
won't be good for that kind of stuff.

------
ameshkov
You might want to check out AdGuard Home if you want to run it on your own
server or in your own network:
[https://github.com/AdguardTeam/AdGuardHome](https://github.com/AdguardTeam/AdGuardHome)

Notable differences between it and Pi-Hole:

1. Easy to set up and use. It's just a single binary, everything you need is
inside.

2. Supports every DNS encryption protocol out-of-the-box: DNS-over-HTTPS,
DNS-over-TLS, DNSCrypt.

3. Can run on any platform (even on Windows since today).

------
2bitencryption
I never liked the idea of using DNS services for filtering web content.

For one, it seems like the wrong tool for the job. Filtered content can simply
switch to identifying content by IP address instead of DNS, correct? Or change
DNS constantly.

And for two, of course there are concerns with handing someone your DNS
queries in return for filtering...

~~~
greglindahl
In practice, I’ve never seen filtered content change to IP addresses or
rotating DNS names. Do you know of an example?

~~~
woolvalley
A lot of adblock can be circumvented if the ads were served from first party
servers and didn't use obvious keywords or advertising sizes.

The NYT could serve their ads from NYT servers instead of nagging you to turn
off adblock and continue with their 3rd party ad providers.

They are not doing that, so I doubt circumventing DNS adblock will be
something that they will care much about either.

------
maltalex
On one hand, it looks pretty cool and convenient. On the other, using a DNS
server requires a lot of trust.

Giving some unknown company the ability to trivially man-in-the-middle your
connection or sell your browsing history is pretty scary. The fact that their
code is open source helps a bit, but there's no way to tell whether the code
running on their servers is the same as on github.

I'll stick with my Pi-hole/HostsMan [0].

[0] [http://www.abelhadigital.com/hostsman/](http://www.abelhadigital.com/hostsman/)

~~~
sdwisely
It doesn't seem like they have mentioned it, but this is an alternative to
their existing self-hosted DNS solution:

[https://github.com/AdguardTeam/AdGuardHome](https://github.com/AdguardTeam/AdGuardHome)

------
nasredin
IIRC the company and the servers are based in Russia.

So this is not for everybody.

------
babyslothzoo
Great idea, but how is this monetized or supported? What are they doing with
the data?

~~~
Ayesh
It doesn't cost that much to run a DNS server, even with DoH/DoT. You can
easily serve a few million users with millisecond latency off a cheap
instance with 2GB.

That's not to say the cost is zero, but with multiple caching layers
(OS, browser, router, etc) and serving the same results for everyone, server
costs are not very high.

~~~
tyingq
This might be a little more expensive than usual if it returns NXDOMAIN for
known ad serving domains. Many DNS clients don't cache failures.

~~~
wallacoloo
Don't know how AdGuard does this, but Pi-hole returns 127.0.0.1 for ad-serving
domains. I don't know enough about DNS to guess why it does that instead of
returning a failure, though my guess is that maybe doing so prevents software
from falling through to a user's secondary DNS server.

~~~
tyingq
Interesting. Could produce odd results if you run a local webserver and don't
have SNI on. Seems like that behavior should be something configurable.

Edit: Apparently it is. [https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-with-ftldns/](https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-with-ftldns/)

------
Amazonerh
This is really groundbreaking, but it got less noise than I thought it would.
Adhell (an app that is capable of doing system-wide ad blocking along with
many other things thanks to Knox, which is a Samsung-only capability) was the
main reason I stayed with Samsung for years. Now every phone with Android Pie
will be able to use DNS-based ad blocking on all networks without running an
annoying app in the background.

~~~
Nullabillity
There's also AdAway, which runs on any rooted Android phone, and doesn't
require you to show all your traffic to a particular DNS server.

~~~
cyberpip
There is also Blokada, which creates a local VPN on Android and runs it
against a hosts file:
[https://f-droid.org/en/packages/org.blokada.alarm/](https://f-droid.org/en/packages/org.blokada.alarm/)

------
mderazon
I've been looking for something like this for quite some time. I was hoping
Cloudflare would offer it, but they haven't.

My main questions are: how do we know if we can trust them with our data? How
fast are they compared to Cloudflare?

I wish there was something like Signal but for DNS. Similar in the way that
you don't have to trust them to know they are not doing nefarious things with
your DNS queries.

I know I can install Pi-hole in my home network, but I want something that
works on every network.

~~~
FabianBeiner
This script might help you compare the speed of the DNS server to any other
DNS server out there:
[https://github.com/cleanbrowsing/dnsperftest/blob/master/dnstest.sh](https://github.com/cleanbrowsing/dnsperftest/blob/master/dnstest.sh)

------
EpiphanyMachine
update: They say they do not log anything, and pass no information upstream to
the authoritative DNS server.

------

I didn't see anything in the announcement about logging or other privacy
related questions. The FAQ also didn't list this information.

The only thing they mention about privacy is how a DNS request to them is
protected, but not what they do with the data.

Did I miss something?

-------

Reading their privacy policy:

>We do not collect anything for tracking purposes and take all necessary
technical, administrative and physical measures to protect the information we
get.

>When AdGuard DNS user tries to visit a page, our server receives following
information: User’s IP-address; DNS request which contains domain name.

>The DNS request will be forwarded to a root or authoritative DNS server, but
for the upstream server it looks as if this request is originated from AdGuard
DNS server, there is absolutely no way for them to identify the original user.
We, in our turn, do not log or save any of this information.

[https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)

~~~
drewg123
I suspect this really screws with the DNS tricks used by many CDNs to route
requests to nearby servers. So I would not be surprised if, when using this,
YouTube, Netflix, etc. get much slower.

~~~
ignoramous
I see the website loading speeds are affected, but I think it is worth it.
This is a good stop-gap for anyone who has not set up a Pi-hole just yet but
does not want to install an app or an extension in its stead.

Prior to this, I was running Intra [0] on my Android phone to route all DNS
traffic to cloudflare-dns and had been pretty happy to use it in tandem with
PrivacyBadger, uMatrix, and uBlock Origin on Firefox.

Someone suggested using AdAway [1] on rooted devices and another app that does
a similar trick of running a local VPN on Android through a user-supplied hosts
file. Great alternative.

[0] [https://getintra.org/](https://getintra.org/)

[1] [https://adaway.org/](https://adaway.org/)

------
RcouF1uZ4gsC
How is it being monetized? I have become more and more suspicious of “free”
privacy services. Unless there is an exchange of money for a service, it is
highly likely that eventually the company will either fold, or decide to sell
the previously private information.

~~~
austhrow743
It's a marketing expense as far as I can tell. They sell a mobile adblocker.

------
lota-putty
Has anyone here tried, or is anyone using,
[https://zenz-solutions.de/personaldnsfilter/](https://zenz-solutions.de/personaldnsfilter/)
for filtering ads/tracking?

------
majui
Misleading claim: no external DNS server is private. Your requests are
directed to a third party. I suspect data-mining you is how they pay their
server bills.

The correct technical solution for privacy is running your own DNS server
locally.

~~~
judge2020
[https://1.1.1.1/](https://1.1.1.1/)

> We will never sell your data or use it to target ads. Period.

> We’ve retained KPMG to audit our systems annually

~~~
pedrocx486
On Reddit I'd never dare to say this. Cloudflare is widely hated and painted
as the enemy of privacy.

------
egberts1
I find it ironic that AdGuard blocks the very CDNs that they (and Facebook)
use.

------
Annatar
So they would like you to please use their own DNS servers... no thanks, I'll
just keep using my own, on-premise, private DNS infrastructure at home.

Private infrastructure for the win.

~~~
chopin
Slightly off-topic: I am running my own bind9 internally on a Banana Pi. I'd
like to combine this with the functionality of a Pi-hole, ideally without
needing to set up a new Raspberry Pi for it. I tried several searches on how to
combine the exclusion lists of Pi-hole with bind9, to no avail. Does anybody
know a simple solution for this? (I know I could run bind9 on a different port
and install the Pi-hole binary on the same machine, but this is beside the
point.)
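The question above about feeding Pi-hole-style lists into bind9, together with the earlier NXDOMAIN-versus-127.0.0.1 discussion, as an added example that is neither the thread's nor Pi-hole's code: it parses a hosts-format blocklist (the layout someonewhocares.org/hosts and the Pi-hole lists use) into a BIND Response Policy Zone, with the blocking style selectable. Using RPZ for this, and the example hostnames, are assumptions of the example, not something the thread states.

```python
import re
from typing import Iterable, List

# Names every hosts file carries that must never end up in a blocklist.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def parse_hosts_blocklist(text: str) -> List[str]:
    """Unique, syntactically valid hostnames from a hosts-format file, in order."""
    seen, out = set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # strip comments, then tokenise
        for host in fields[1:]:                     # field 0 is the sinkhole address
            host = host.lower().rstrip(".")
            if host in _SKIP or host in seen:
                continue
            if not all(_LABEL.match(l) for l in host.split(".")):
                continue                            # junk would break zone loading
            seen.add(host)
            out.append(host)
    return out

def to_rpz_zone(hosts: Iterable[str], mode: str = "nxdomain",
                null_ip: str = "0.0.0.0") -> str:
    """Render an RPZ zone file. mode="nxdomain" answers NXDOMAIN (the RPZ
    "CNAME ." action); mode="null" answers an A record for null_ip, the
    Pi-hole style of null blocking. A wildcard entry covers subdomains too."""
    if mode not in ("nxdomain", "null"):
        raise ValueError("mode must be 'nxdomain' or 'null'")
    action = "CNAME ." if mode == "nxdomain" else f"A {null_ip}"
    lines = ["$TTL 300",
             "@ IN SOA localhost. root.localhost. (1 3600 900 604800 300)",
             "@ IN NS localhost."]
    for h in hosts:
        lines.append(f"{h} {action}")
        lines.append(f"*.{h} {action}")
    return "\n".join(lines) + "\n"

# Constructed sample in the hosts format; these are not real blocklist entries.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net   # constructed entry
0.0.0.0 tracker.example.org pixel.example.org
0.0.0.0 ads.example.net
0.0.0.0 not_valid.example.com
"""
```

Write the returned text to a zone file and reference it from the options-level `response-policy { zone "<name>"; };` statement in named.conf; the wildcard lines are where over-blocking of shared hosting can creep in, so review them against the list's intent.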

------
badrabbit
I believe the Cisco Umbrella (OpenDNS) public resolver does similar
filtering, although I'm not sure if they have one for ad filtering.

Some mentioned trust; for me support for DNS over HTTPS is much more important
since I'd be using it over a VPN anyway. And for those that don't, NAT and the
inability to correlate DNS lookups with actual (especially encrypted) traffic
makes privacy a less significant concern for me.

------
tex777
If you want to track AdGuard DNS users with Google Analytics see:
[https://medium.freecodecamp.org/save-your-analytics-from-content-blockers-7ee08c6ec7ee](https://medium.freecodecamp.org/save-your-analytics-from-content-blockers-7ee08c6ec7ee)

------
deftturtle
Love this service and wrote a blog post about it with some of my blacklist and
whitelist entries: [https://calebyers.com/blog/dns-ad-blocking](https://calebyers.com/blog/dns-ad-blocking)

------
wil999
You can use the hololo DNS changer on the Play Store to point to a permanent DNS
server. I did this and built my own version of Pi-hole... The stats are at
opens3.net and so is the DNS service. Blocks 140000 domains.

------
jtbayly
I tried this a while ago, and it broke one of my sites. No idea how or why.
There are no ads on the site or problems with any ad-blockers. Put a bad taste
in my mouth.

Edited to add: But I like the idea.

~~~
ohyeshedid
Quite possibly blocking CDN address space, or shared hosting. Pretty easy to
end up blocking way more than intended if the hostlists aren't sanitized.

------
oaf357
I'm a little disappointed they abandoned CoreDNS. I was really enjoying working
with it.

------
gcb0
someonewhocares.org/host

Local solution. I remember this URL from memory, and "install" it on every
device/router I touch.

~~~
jerluc
Neat! Minor note, I think this should be
[https://someonewhocares.org/hosts](https://someonewhocares.org/hosts) (note
the plural)

~~~
gcb0
indeed!

------
Walkman
Another great solution is Pi-hole: [https://pi-hole.net/](https://pi-hole.net/)

It does not just protect your privacy; it improves your bandwidth too.

Troy Hunt wrote about it a couple of months ago:
[https://www.troyhunt.com/mmm-pi-hole/](https://www.troyhunt.com/mmm-pi-hole/)

