DEV Community: Tyler

Pihole or AdGuard Home as DHCP server with UFW enabled.

Tyler — Tue, 08 Mar 2022 21:06:00 +0000

In order to do this you need a couple of things first.

UFW installed.
UFW disabled.
Pihole or AdGuard Home installed.
Pihole or AdGuard Home set on a static IP configured on the machine itself.
Pihole or AdGuard Home set to lease DHCP.
Know your DHCP pool.

Your DHCP pool is essentially your router IP with a 0 replacing the last digit. So it could be 192.168.1.0 or 192.168.254.0 in my case it is 10.0.0.0 once you have this, we can setup UFW. If you SSH into your Pi-hole or AdGuard Home hosting device remotely this will block that connection, so you will have to manually specify allow incoming on the port you have SSH on, and I beg you to move it off of port 22. Follow along below.

ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow from any port 68 to any port 67 proto udp

These next two commands will vary depending on your local setup. For me my Ethernet connection is viewed as etho1 on my AdGuard Home machine. However yours could be eth1 or enspo0 you will have to determine this yourself, it will also vary if you're using a wireless connection.

Run ip a to find the name of your connection, lo is loopback and not the one to use, I will use my etho1 for the commands below. Also, I will use 192.168.1.0 for the example command, you will have to change those numbers to match your config.

ufw allow in to 192.168.1.0/24
ufw allow in on etho1 from any port 68 to any port 67 proto udp
ufw reload
ufw enable

Now ufw is running, allowing Pihole or AdGuard Home to correctly lease DHCP, blocking external connection attempts to this device, allowing local devices to utilize it, and everything is working as it should be.

AdGuard & Pi-hole Discord: https://discord.gg/VzThBmB

Using DNSCrypt with AdGuard Home & Pi-hole

Tyler — Tue, 06 Jul 2021 19:35:24 +0000

This will be a super simple and easy to follow guide to get you using DNSCrypt and utilize DNSSEC with AdGuard Home and/or Pi-hole on Linux.

1: Open your terminal of choice or ssh into the machine

2: run sudo su to become superuser

3: run cd /opt since this is where we install DNSCrypt

4: You need to download the latest binaries from GitHub with wget in this example we will use the 64bit version (since that is most common)

4.5: THIS ISN'T THE LINK YOU USE, use the latest release that is for your system wget is the correct tool for the job, this is how you download the file wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.46-beta3/dnscrypt-proxy-linux_x86_64-2.0.46-beta3.tar.gz

5: run tar xzvf dnscrypt-proxy-linux_x86_64=2.0.46-beta3.tar.gz or whichever you have to download for your system

6: run mv linux-x86_64 dnscrypt-proxy or whichever is for your system, could be linuxi386 or whatever you downloaded for your system.

7: Delete the tar file with rm dnscrypt-proxy-linux_x86_64=2.0.46-beta3.tar.gz or whichever file you have downloaded.

8: cd into the new directory with cd dnscrypt-proxy

9: use mv to rename the example to the config file we are going to use. mv example-dnscrypt-proxy.toml dnscrypt-proxy.toml

9.5: Now we are going to edit the newly created .toml file with our editor of choice, in this example I will use Vim but you can use nano, emacs, etc.

run vim dnscrypt-proxy.toml to begin editing the config file. This is a long file and mostly complete I will guide you through the lines you have to change.

listen_addresses = ['127.0.0.1:53'] needs to be changed to listen_addresses = ['127.0.0.1:5335']

require_dnssec = false should be require_dnssec = true

10: From here you are ready to continue with setup, but this is a huge config file with lots of options, you can tinker as you see fit.

11: run ./dnscrypt-proxy -service install and ./dnscrypt-proxy -service start and systemctl enable dnscrypt-proxy

Now login to the admin portal of either Pi-hole or AdGuard Home, whichever you are using.

Telling AdGuard Home to use DNSCrypt

Go into your AdGuard Home admin panel and go to Settings -> DNS settings

In the Upstream DNS servers box you now put 127.0.0.1:5335 and apply.

Telling Pi-hole to use DNSCrypt

Go into Settings and go to Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input 127.0.0.1#5335 and apply

Finalize Configuration
Make sure to enable DNSSEC in whichever software you are using with DNSCrypt.

If you have any issues or want to join a community of whole home adblocking/tech enthusiasts please check out: https://discord.gg/DGscCVPRme

How to use Unbound with AdGuard Home or Pi-hole

Tyler — Mon, 16 Nov 2020 03:21:00 +0000

Install unbound with your package manager. I use apt so in my case I sudo apt install unbound and it is installed, it depends on your system which package manager you have.
Create and edit /etc/unbound/unbound.conf.d/config.conf
I use vim but you can use whichever text editor you prefer. In my case I do sudo vim /etc/unbound/unbound.conf.d/config.conf
Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network, 6to4 tunneling is not native IPv6. Also you need to set num-threads:to the number of threads for your machine! default is one, in my config I have 4.

server:
  interface: 127.0.0.1
  port: 5335
  do-ip6: no
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  # Set number of threads to use
  num-threads: 4
  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: yes
  harden-algo-downgrade: no
  qname-minimisation: yes
  aggressive-nsec: yes
  rrset-roundrobin: yes

  # If DNSSEC isnt working uncomment the following line
  # auto-trust-anchor-file: "/var/lib/unbound/root.key"


  # Minimum lifetime of cache entries in seconds
  cache-min-ttl: 300
  # Configure TTL of Cache
  cache-max-ttl: 14400
  # Optimizations
  msg-cache-slabs: 8
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  serve-expired: yes
  serve-expired-ttl: 3600
  edns-buffer-size: 1232
  prefetch: yes
  prefetch-key: yes
  target-fetch-policy: "3 2 1 1 1"
  unwanted-reply-threshold: 10000000
  # Set cache size
  rrset-cache-size: 256m
  msg-cache-size: 128m
  # increase buffer size so that no messages are lost in traffic spikes
  so-rcvbuf: 1m
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8
  private-address: fd00::/8
  private-address: fe80::/10

Restart unbound with sudo systemctl restart unbound it is now listening on the specified port and doing what the config says.

Telling AdGuard Home to use Unbound

Go into your AdGuard Home admin panel and go to Settings -> DNS settings
In the Upstream DNS servers box you now put 127.0.0.1:5335 and apply.

Telling Pi-hole to use Unbound

Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input 127.0.0.1#5335 and apply

Finalize Configuration

You should enable DNSSEC in Pi-hole or AdGuard Home, whichever you're using. This way you can see in the query log the DNSSEC replies you're getting on resolved domains.

AdGuard & Pi-hole Discord: https://discord.gg/DGscCVPRme

How to use Unbound with AdGuard Home

Tyler — Fri, 13 Nov 2020 19:04:24 +0000

I made a more updated version, can't figure out how to remove this post from dev.to but here is the link

https://dev.to/cipherops/how-to-use-unbound-with-adguard-home-1o5n