Hacker News new | past | comments | ask | show | jobs | submit login
AdGuard DNS: A Privacy-Oriented DNS Server (adguard.com)
196 points by FabianBeiner 3 months ago | hide | past | web | favorite | 107 comments

The instructions to use adguard DNS on their website doesn't contain how to use adguard DNS over TLS with Android.

For anyone running on Android 9 (edit) or later, navigate to

Settings -> WiFi and Internet -> Private DNS

Select Private DNS provider hostname

Add dns.adguard.org (DNS over TLS)

Click save.

Visit https://googleads.g.doubleclick.net/ and you should see browser's 'Server not found' instead of Google's (disable existing ad-blockers or they might jump in and block the URL anyway)


For anyone on Android 4.0 or later, consider using Google's Intra [0] to use adguard DNS over HTTPS, if you prefer it over cloudflare's or google's.

Install Intra.

Open the app, click on Settings.

Choose customer URL and paste: https://dns.adguard.com/dns-query

Be sure to 'lock the app' to prevent it from being killed in the background.

[0] https://getintra.org

Just wanted to say thanks!

I already use Ad Blocking on my personal phone (LineageOS + AdAway) but my wife's phone is still stock Android and without an Ad Blocker. Intra + AdGuard just fixed that. Goodbye pervasive tracking

Cloudflare should really make an address like dns.cloudflare.com, too. 1dot1dot1dot1.cloudflare-dns.com is cute as an "inside joke" of sorts, but to most people who don't know about IPs and such it would be easier to use the former.

This was introduced in Pie (Android 9), so it's most likely not working with Oreo (Android 8).

Thanks, changed it now. Added instructions for Android 4.0 and above, too.

Also, "dns.adguard.com", not "dns.adguard.org".

If your goal is to get rid of ads, why would you use _anything_ made by an ad company?

OP was actually somewhat inaccurate when he said "Google's". Intra is actually by Jigsaw, a separate Alphabet subsidiary. The difference is significant as Alphabet companies, though closely tied to Google (e.g. Jigsaw's website is a Google subdomain), are run independently.

Perhaps more important is that the project is also open source: https://github.com/Jigsaw-Code/intra

Run "independently" but financed by ad revenue, since that's where 90% of Google revenue comes from. "You can't make a person understand something if his salary depends on not understanding it".

Because some don't mind the text-based ads, but do mind the 10mb+ animated flashing overlay ads with audio that make the internet unusable.

The principal concern is pervasive tracking, not ads.

Doubleclick (owned by Google) serves those too. And there's another component to this: tracking.

Why not just stop using those websites. That's my policy.

Just use blockada app

I’ve been using Pi-Hole on my home network and it’s amazing. Routinely 18-20%% of DNS requests are blocked. When my wife goes out onto another network she says she is shocked at how ugly her web browsing becomes (ads on nytimes, huffpo, etc). I highly recommend it. Am using it with cloudfare’s encrypted DNS just as one more middle finger to my ISP.

You might already know this, but in case you don't: they can still see the domain names you visit in plain text because of TLS SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

Encrypted SNI is a thing on the horizon that'll let us give the dual middle finger to our ISPs. As far as I know, it is not here now though.

A way round this, of course, is a VPN. Which is also a handy way of using an ad-blocking DNS service everywhere. My setup is documented here: https://github.com/jawj/ikev2-setup

There’s an open request to add ESNI support to cloudflared

> When my wife goes out onto another network

This is why I implemented WireGuard on top of it. All the traffic is encrypted through our home network (200/20 mbit) with DNS over TLS and adblocking due to Pi-Hole. LTE, open WLAN networks, all of these work. And roaming works very well with WireGuard. The downside is the 20 mbit upload.

Any recommended tutorial for setting this up? I have a Raspberry Pi with Pi-hole and would be great to add Wireguard on top of that.

I use WireGuard on my router (ER-L) and Pi-Hole on the router as well, with a primary DNS on my Synology which uses Pi-Hole's Docker image [1]. Docker runs on Raspberry Pi, so I recommend you look into that route. Jessfraz wrote a howto on running WireGuard in Docker [2]

[1] https://github.com/pi-hole/docker-pi-hole

[2] https://blog.jessfraz.com/post/installing-and-using-wireguar...

> Am using it with cloudfare’s encrypted DNS just as one more middle finger to my ISP.

Curious how you set this up? I see cloudflare as an option in the pihole settings but doesn't appear to be encrypted? (at least as a default)

Yup cloudfared

Do their paid versions have ads too?

There's lots of "privacy" improving DNS servers, but none of them mention trying to remove unintentional DNS queries.

It turns out lots of things will resolve anything that looks vaguely like a hostname to see if, in fact, they are a hostname. eg, "untitled.pdf". These queries get passed to your ISP, and then on towards the root name servers. So if you run a large nameserver, you quickly find that most of your DNS queries are very obviously rubbish.

With DNSSEC there are two new records (NSEC, NSEC3), that let you say "between these two names, I guarantee there is no valid records". Thus if your nameserver supports this, it can say "there are no valid names between .pccw and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3 records can both be cached and your resolver can synthesise NXDOMAIN records for them. (See RFC8198 for details).

So, instead of spraying queries for "untitled.pdf" across the internet, you can quickly, and efficiently return NXDOMAIN.

Another cause of these is search paths, when you look up "news.ycombinator.net", if that resolution fails, it will try adding the search path, eg: "news.ycombinator.net.example.org", again, leaking typos, and filenames to everyone in your search path.

If you actually value your privacy, this is the first step that you should take.

The easiest solution to that, that has been known for many years, and the actual first step that one has been able to take for quite some time now, is running one's own root content DNS server on the LAN. DNS traffic for queries that use invalid top-level domains never escapes the LAN and never even reaches an ISP.

It's a fairly simple exercise in content DNS service. I actually set my machines up with a root content DNS server each.

* http://jdebp.eu./Softwares/nosh/guide/services/djbdns.html#D...

* http://cr.yp.to/dnsroot.html

Search paths are a subject in their own rights.

* http://jdebp.eu./FGA/web-fully-qualified-domain-name.html

I'm not sure this works the way you say it works. NSEC records are provided by authority servers; they're a way for the delegated owner of "." to say that there aren't zones between .PCCW and .PE. They work because they have chained signatures. A recursive server can't generate NSEC records for the DNS root, and, obviously, wouldn't have to; any DNS server, DNSSEC or not, can accomplish what you're talking about with a simple "if" statement.

At DNSFilter we solve for this by loading the list of valid TLDs from official sources every few hours and immediately rejecting invalid TLD requests. Works great for those who have mis-configured their LAN DNS and are sending us all their companydomain.lan traffic.

Doesn't solve for cases where it's a valid TLD, but the domain doesn't have a valid DNS record. Guess it would depend if the TLD in question is publishing said dnssec record.

Pi hole (free) is good for this kind of thing if you are at home https://pi-hole.net/

I found that pihole did too much so wrote my own. I dont think it has any users, except in my house but it seems to work


But does it work on outside home and on 4G?

For $5/month you can roll your own OpenVPN server with Digital Ocean and it will. [0] Bonus: your cellular ISP can't see your traffic and you're automatically protected at coffee shops.

Downside: Battery life takes a slight hit due to encryption.

[0] https://www.digitalocean.com/community/tutorials/how-to-bloc...

Regarding the bonus: you're just shifting the problem. Your ISP can't see your traffic, but now digital ocean can.

Digital ocean has not nearly as much of an incentive in selling or tracking the huge amounts of traffic that goes over most of their B2B customers, while your ISP wants to up that ARPU number from every B2C customer in every way possible. And you can switch your cloud server provider easily, your local monopoly ISP not so much. Digital ocean has far more to lose by doing that, while ISPs have a captive audience.

DO will forward those torrent scare / spam server abuse emails ASAP, so they won't be good for that kind of stuff.

Sure. Someone can see my traffic. You're never anonymous on the Internet. But, as other commenters have said, it's a matter of aligning incentives: the likelihood that DigitalOcean will take any notice of my measly account is much lower than my ISP, which would love to know what I'm up to. If that incentive estimation changes, I'm off to a different solution.

Right. Same goes for a VPN too.

The thought is, Who do you trust more with your traffic data? Your ISP or a VPN provider? (In this case DigitalOcean)

You're assuming that the level of trust for ISPs and VPS providers is the same (for many, it's not).

It's true. You can reduce risk by using an ethical company. I recommend Prgmr.com over DO. Not just cuz they kindly host Lobste.rs for free. Ive watched one's comments for years plus how they discuss downtime or vulnerabilities kn their blog. They consistently seem like straight-forward, honest business. Low likelihood of nefarious stuff.

For some reason apple blocks access to appleid via Digital Ocean. Have you experienced this?

Good to know. I experienced the same when I set up algo on Scaleway recently. I considered Digital Ocean as an alternative, but ended up using Hetzner Cloud (which I now prefer, since it is cheaper and based in Germany). No access issues with appleid.apple.com anymore.

If many hosts get abused (usually due to people setting up a quick VM for a task and forgetting to update it manually and not setting up automatic security patching) even a reputable hosting service becomes a script-kiddie farm.

Perhaps this has happened with DO and Apple have blocked its host address ranges from the API due to unwitting past involvement in hack/DDoS attempts?

This is common with public VPN services that people I know have used. I have the luxury of fixed addressing and decent bandwidth at home, so I run my VPN there and have thus far not noticed any such issues. This also means that services that are location sensitive work as if I'm at home (not some random other place the VPN endpoint appears at).

I don't have this problem. Can you describe what you mean by "blocks access to AppleID"?

For 10$/year I am running a VPS server in Amsterdam with strongswan ([1] VPN server) and dnscrypt-proxy 2.0 ([2] DNS server which is dispersing queries to multiple DNSCrypt servers and also blocking various ads and bad agents) on it.

I also keep nginx to avoid pinging Apple or Google for checking if internet works (captive.apple.com, http://connectivitycheck.gstatic.com/generate_204 are re-routed to my own server).

Finally it is incredibly simple to use nginx to serve DNS-over-TLS from your own machine (so from my dnscypt-proxy) for using on Android Pie. Works on mobile as well. [3]

[1] https://strongswan.org/ [2] https://github.com/jedisct1/dnscrypt-proxy [3] https://github.com/jedisct1/dnscrypt-proxy/wiki/Connecting-t...

The problem I have with this setup is when using networks that require you click through a captive portal. Often external DNS servers can't resolve their portals -- so you can't click through to open up to the wider internet and have to screw around flipping the DNS temp. After wondering what on earth is going on for a minute or two, as you've forgotten, again.

Just curious: Wouldn't visiting sites like http://neverssl.com work? If it doesn't, then it's a good opportunity for someone to put a static-ip behind something like http://neverssl.com

No because often they redirect you to a DNS address that only exists in their internal DNS. And that internal DNS is often to an internal only IP, so you can't VPN all your traffic. e.g. you'll go to http://neverssl.com then get bounced to http://some.internal.net which resolves to which finally serves the portal you have to click through.

You can run Pi-hole on a VPS and set that as your DNS provider on portable devices, or (depends on ISP and what ports they leave open) run it at home on a fixed IP and allow the traffic through your firewall. It can be done but is not that practical. I run Pi-hole in a LXC container on my home router (a Turris Omnia) and use ad-blocking software on portable devices that I use elsewhere. This works well enough.

I've recently installed Wireguard on one of my Pis to support this, so I can use my pihole while I've been away for the christmas break - has worked perfectly.

Admittedly not got it working on android yet but I'm under the impression that there is a way of getting Wireguard working on android

For a business turnkey solution for this. Adblock DNS + VPN check out https://ba.net/adblockvpn

Disclosure. I work at ba.net

If you use a VPN to connect to your own RaspberryPi yes

You might want to checkout AdGuard Home if you want to run it on your own server or in your own network: https://github.com/AdguardTeam/AdGuardHome

Notable differences between it and Pi-Hole:

1. Easy to set up and use. It's just a single binary, everything you need is inside.

2. Supports every DNS encryption protocol out-of-the-box: DNS-over-HTTPS, DNS-over-TLS, DNSCrypt.

3. Can run on any platform (even on Windows since today).

I never liked the idea of using DNS services for filtering web content.

For one, it seems like the wrong tool for the job. Filtered content can simply switch to identifying content by IP address instead of DNS, correct? Or change DNS constantly.

And for two, of course there are concerns with handing someone your DNS queries in return for filtering...

In practice, I’ve never seen filtered content change to ip addresses or rotating dns names. Do you know of an example?

A lot of adblock can be circumvented if the ads were served from first party servers and didn't use obvious keywords or advertising sizes.

The NYT could serve their ads from NYT servers instead of nagging you to turn off adblock and continue with their 3rd party ad providers.

So they are not doing that, so I doubt cirumventing DNS adblock will be something that they will care much about either.

This particular arms race happened in the world of WWW pornography back in the 1990s. I'll leave finding examples to you.

People have been blocking stuff for decades now, and we know what the responses to some of the initial moves will be, because the world has already gone through the dance.

Depends on what your goal is. If you have children and you want to avoid accidentally seeing porn or being delivered a malicious ad, DNS based blocking can be a great tool. Also if you just want to improve the general security and performance of your home network.

Privacy is one major reason you might want to switch to a dns provider you trust. Not to mention security as well as it isn't uncommon for ISPs or rouge actors to 'take over' domains solely using attacks via DNS.

If you're not using DNS over TLS or HTTPS, I suggest you start right now.

If you're undecided abt DNS based adblock, consider reading this blog post: https://www.troyhunt.com/mmm-pi-hole/

There are certainly ways to bypass dns filtering, but as far as I know it's the most performant, and effective, way to do it.

I wouldn't use a third party service for that, preferring instead to use pihole.

>>And for two, of course there are concerns with handing someone your DNS queries in return for filtering...

Correct, but probabaly better then to give it to Google or your ISP for free!

On one hand, it looks pretty cool and convenient. On the other, using a DNS server requires a lot of trust.

Giving some unknown company the ability to trivially man-in-the-middle your connection or sell your browsing history is pretty scary. The fact that their code is open source helps a bit, but there's no way to tell whether the code running on their servers is the same as on github.

I'll stick with my pihole/hostsman [0]

[0]: http://www.abelhadigital.com/hostsman/

it doesn't seem like they have mentioned it but this is an alternative to their existing self-hosted dns solution.


IIRC the company and the servers are based in Russia.

So this is not for everybody.

Great idea, but how is this monetized or supported? What are they doing with the data?

They sell their AdGuard program on Android. Because the full version of the program isn't available on the PlayStore (it breaks rules by interfering with other apps) they depend a lot on marketing and word of mouth to get new customers.

The code for their DNS servers is actually open source, so if you want the functionality without relying on AdGuard you can run your own server.


It doesn't cost that much to run a DNS server, even with DoH/DoT. You can easily serve a few million users with a milisecond latency off a cheap instance with 2GB instance.

That's not to say the cost is zero, but with with multiple caching layers (O/S, browser, router, etc), and serving same results for everyone, server costs are not very high.

This might be a little more expensive than usual if it returns NXDOMAIN for known ad serving domains. Many DNS clients don't cache failures.

Don't know how AdGuard does this, but pihole returns for ad-serving domains. I don't know enough about DNS to guess why it does that instead of returning a failure, though my guess is that maybe doing so prevents software from falling through to a user's secondary DNS server.

Interesting. Could produce odd results if you run a local webserver and don't have SNI on. Seems like that behavior should be something configurable.

Edit: Apparently it is. https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-wi...

This is really groundbreaking but it got less noise than I thought it would. Adhell (an app that is capable of doing system wide ad blocking along with many other things thanks to Knox which is Samsung-only capability) was the main reason I stayed with Samsung for years. Now every phone with Android Pie will be to use dns based ad blocking in all networks without running an annoying app in the background.

There's also AdAway, which runs on any rooted Android phone, and doesn't require you to show all your traffic to a particular DNS server.

There is also Blokada, which creates a local VPN on Android and runs it against a hosts file: https://f-droid.org/en/packages/org.blokada.alarm/ .

The advantage of Knox based blocking is that it doesn't require root.

I've been looking for something like this for quite some time. I was hoping Cloudflare will offer it but they haven't

My main questions are How do we know if we can trust them with our data? How fast are they compared to Cloudflare ?

I wish there was something like Signal but for DNS. Similar in the way that you don't have to trust them to know they are not doing nefarious things with your dns queries.

I know I can install Pihole in my home network, but I want something that works on every network

This script might help you compare the speed of the DNS server to any other DNS server out there: https://github.com/cleanbrowsing/dnsperftest/blob/master/dns...

>I was hoping Cloudflare will offer it but they haven't

That would not be in their best interest, I'd imagine, as CF probably hosts loads of sites you'd want to filter.

update: They say they do not log anything, and pass no information upstream to the authoritative DNS server.


I didn't see anything in the announcement about logging or other privacy related questions. The FAQ also didn't list this information.

The only thing they mention about privacy is how a dns request to them is protected, but not what they do with the data.

Did I miss something?


Reading their privacy policy:

>We do not collect anything for tracking purposes and take all necessary technical, administrative and physical measures to protect the information we get.

>When AdGuard DNS user tries to visit a page, our server receives following information: User’s IP-address; DNS request which contains domain name.

>The DNS request will be forwarded to a root or authoritative DNS server, but for the upstream server it looks as if this request is originated from AdGuard DNS server, there is absolutely no way for them to identify the original user. We, in our turn, do not log or save any of this information.


I suspect this really screws with the DNS tricks used by many CDNs to route requests to near-by servers. So I would not be surprised if, when using this, YouTube, Netflix, etc, get much slower.

I see the website loading speeds are affected, but I think it is worth it. This is a good stop-gap for anyone who have not setup a pi-hole just yet but at do not want to install an app or an extension in its stead.

Prior to this, I was running Intra [0] on my Android phone to route all DNS traffic to cloudflare-dns and had been pretty happy to use it in tandem with PrivacyBadger, uMatrix, and uBlockOrigin on Firefox.

Someone suggested using AdAway [1] on rooted devices and another app that does a similar trick of running a local VPN on Android through user supplied hosts file. Great alternative.

[0] https://getintra.org/

[1] https://adaway.org/

depends whether or not they're passing EDNS0 Client Subnet data to the authoritative DNS parties, and whether those parties are listening for it / trusting it.

We embed ECS data in our requests at DNSFilter to the authoritative upstreams, and we have a large global anycast network, so even if they're not accepting it, the answer is coming from a server 'nearby' the originating dns request, so CDN requests shouldn't be affected much.

That's the first thing I thought; How does this effect georouting?


Local solution. I remember this url from memory, "install" on every device/router I touch.

Neat! Minor note, I think this should be https://someonewhocares.org/hosts (note the plural)


How is it being monetized? I have become more and more suspicious of “free” privacy services. Unless there is an exchange of money for a service, it is highly likely that eventually the company will either fold, or decide to sell the previously private information.

Its a marketing expense as far as I can tell. They sell a mobile adblocker.

Has/Is anyone here tried/using https://zenz-solutions.de/personaldnsfilter/ for filtering Ads/Tracking?

Misleading claim: any external DNS server is not private. Your requests are directed to a third-party. I suspect data-mining you is how they pay their server bills.

The correct technical solution for privacy is running your own DNS server locally.

> We will never sell your data or use it to target ads. Period.

> We’ve retained KPMG to audit our systems annually

On Reddit I'd never dare to say this. Cloudflare is widely hated and painted as the enemy of privacy.

I use OpenDNS, but I see they are now owned by Cisco. May need to reevaluate.

> The correct technical solution for privacy is running your own DNS server locally.

The ISP can still see requests the local DNS server sends to the Internet

If you use DNS-over-HTTPS on your local machine or LAN, your queries would be encrypted and safe from your ISP.

As mentioned in some other replies here, you can use vanilla DNScrypt [0] or cloudflared [1], or Pi-Hole with either one enabled, etc.

[0] https://dnscrypt.info/implementations/ [1] https://developers.cloudflare.com/

I find it ironic that AdGuard blocks the very CDNs that they (and Facebook) uses.

So they would like you to please use their own DNS servers... no thanks, I'll just keep using my own, on-premise, private DNS infrastructure at home.

Private infrastructure for the win.

Slightly out-of-topic: I am running an own bind9 internally on a bananapi. I'd like to combine this with the functionality of a pi-hole, ideally without needing to set-up a new raspberry for it. I tried several searches on how to combine the exclusion lists of pi-hole with bind9, to no avail. Does anbody know a simple solution for this (I know I could run bind9 in a different port and install the pi-hole binary on the same machine, but this is beside the point).

Adguard offers both a resolver and something aimed at home users for free and as open source on their github page.

I believe Cisco umbrella(opendns) public resolver does similar filtering,although not sure if they have one for AD filtering.

Some mentioned trust,for me support for dns ovet https is much more important since I'd be using it over a VPN anyways. And for those thst dont,NAT and inability to correlate DNS lookups with actual (especially encrypted) traffic makes privacy a less significant concern for me.

Another great solution is Pihole: https://pi-hole.net/

It does not just protects your privacy, but improves your bandwidth too.

Troy Hunt wrote about it a couple of months ago: https://www.troyhunt.com/mmm-pi-hole/

If you want to track AdGuard DNS users with Google Analytics see: https://medium.freecodecamp.org/save-your-analytics-from-con...

Love this service and wrote a blog post about it with some of my blacklist and whitelist entries: https://calebyers.com/blog/dns-ad-blocking

You can use hololo DNS changer on the Play store to point to a permanent DNS server. I did this and built my own version of pi hole... The stats are at opens3.net and so is the DNS service. Blocks 140000 domains

I tried this a while ago, and it broke one of my sites. No idea how or why. There are no ads on the site or problems with any ad-blockers. Put a bad taste in my mouth.

Edited to add: But I like the idea.

Quite possibly blocking CDN address space, or shared hosting. Pretty easy to end up blocking way more than intended if the hostlists aren't sanitized.

I'm a little disappointed they abandoned CoreDNS. I was really enjoying work with it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact