AdGuard Home: Network-wide ad- and tracker-blocking DNS server
310 points by kls0e 1 year ago | 252 comments
- JadoJodo 1 year agoI ran a competing project[0] on my home network for a few years before I discovered NextDNS[1]. What I lost in performance (requests don't leave my house) I gained in portability: ALL my devices can take advantage – at home and away – and time-saved. PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it. At $20/year, I simply couldn't compete with NextDNS.
Note: This isn't a shill for NextDNS; I love these kinds of projects and think they absolutely should exist, but NextDNS just happens to be one of those dead-simple SaaS tools that is an insanely good value.
- sangnoir 1 year ago> PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it.
I don't know what problems you had with your Pi that resulted in 10% downtime, but that sort of hyperbole sounds a lot like shilling. Cases of SD card corruption are 99.9% due to the use of underpowered power supplies - just buy the official Raspberry Pi power supply if you can be bothered to search for a proper 2.5-3A USB power supply.
> At $20/year [...]
At $20 a year, I could buy a RPi Zero 2W and an SD card to keep as a spare every single year and have enough left over for a celebratory Sheetz sandwich. PiHole + WireGuard + $15 RPi Zero (once off) are unbeatable.
- kelnos 1 year agoI think it's weird when people suggest that a self-hosted on-prem solution requires no maintenance and has so little downtime such that the time spent fixing issues doesn't matter.
I run a bunch of local services on RPis and a decade-old Mac Mini. I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it. I only run things that don't need to be highly available, so something like Pi-Hole is off the table. The last thing I want is for our DNS to go out while I'm sleeping, and my partner has to wake me up because she has work to do.
You mention SD card corruption as the only reason why a RPi-based service might fail, but there are plenty of others: botched updates, random hardware failures, power supply issues, and likely other things I'm not thinking of.
And even if a Pi-Hole can keep three nines of uptime (I'm skeptical of this claim), many people will find significant value in giving someone else money so they don't even have to think about digging in to fix a problem for the rare occasion it happens. Suggesting that a particular home-hosted solution is "unbeatable" is meaningless; "unbeatable" in this case is a subjective measure, and other people will value different things than you do.
- sangnoir 1 year ago> I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it.
I don't know the nature of your maintenance, but I've had unattended security updates working for years, I automated a bunch of stuff and use etc-keeper.
> I only run things that don't need to be highly available
Redundancy helps. 2 (more!) RPis can be primary/secondary/tertiary DNS servers to match paranoia levels. Even if you have a single PiHole, keeping a pristine copy of the PiHole on a $3 sd card will get one up and running instantly.
> Suggesting that a particular home-hosted solution is "unbeatable" is meaningless
What site am I on, Subscription-Services-News? (:
- KolenCh 1 year agoNot addressing Pihole directly, as I don’t have much experience there. But have you maintained a router? Running open source firmware or not, router does require a certain level of maintenance, open source ones arguably more. But that doesn’t make it problematic enough to have a lot of downtime. Given some people run pihole-like software directly on a router, I’m skeptical the down time there is significant enough to stay away from. I mean having high availability internet at home is hard, but I expect the rate of failure of a router to be similar of magnitude comparing to pihole. If you can’t tolerate the latter, I wonder how you solve the availability issue of the former?
- yumraj 1 year agoDon’t want to jinx it but I’ve been running a pihole on a RPi 3 for a really long time - at least 6-7 years and the only thing I’ve had to do is an occasional upgrade.
I like the convenience and the fact that I’m blocking about 4M domains.
My TV is also forced to use it so ads don’t update on Android TV.
Not sure if NextDNS supports custom domain lists or not.
- doubleg72 1 year agoSame here, except mine runs as a docker and I haven't touched it in five years.
- ciceryadam 1 year agoYep, NextDNS supports custom domain lists.
- dddw 1 year agoNextdns is great on phones. I don't bring a raspberry pi with me when I leave the house
- sangnoir 1 year agoIncidentally, Raspberry Pis are also excellent WireGuard servers!
- pastorhudson 1 year agoWell you’re not wrong about Sheetz. Ha
- andreagrandi 1 year agobecause your electricity bill is 0, right :D ?
- sangnoir 1 year agoBack of envelope calculation for my Rpi Zero 2W: 1W * 24h * 365 = 8.76kWh, which when rounded to the nearest dollar is $1 per year on electricity - so I guess I won't get the fancy Sheetz sandwiches, but it's not exactly breaking the bank compared to the $20 SaaS subscription
- oivey 1 year agoEffectively, yes, for how much it costs to run. You know if you pay for a service that your subscription partially goes toward their power bill, right?
- evanreichard 1 year agoI'm curious what issues you ran into with Pi-hole? I was running my instance for years without a single hiccup. I ended up moving to AdGuard Home about a year ago though because I wanted to run it on my OPNSense box.
I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
- RulerOf 1 year ago> I'm curious what issues you ran into with Pi-hole?
My primary problem with Pi-hole or any other DNS-based blocker is that it silently breaks things. YouTube stopped saving my spot in videos. I couldn't click through on any link that involved a tracking service.
These things accomplish their stated task well, but leave behind an insidious trail of browser errors, broken pages, and broken apps without ever indicating to the user what the cause of the problem really is.
DNS just isn't the right tool for fixing shitty UX in the browser DOM or a mobile app. It's a happy coincidence that it works more often than not.
- Rastonbury 1 year agoIt must be the lists in pihole or something, I don't get any of those issues with NextDNS, if anything Ublock breaks sites before it does
- foxylad 1 year agoOdd - I have a pi-hole on my home network and never hit the issue with YouTube. The only breakage I've found is the top "results" (actually sponsored ads) on Google search don't work, but I always scroll past those anyway to discourage bad behaviour.
In fact pi-hole works so well that I'm always struck by how awful the internet has become when I venture away from my home network. Doctorow's enshitification in action.
- jethro_tell 1 year agoIs this an issue that next dns fixes for you?
- theshrike79 1 year agoSD card corruption that just slowly started degrading the results, twice.
For the price of a single Pi, I can get NextDNS ad protection for _all_ my devices for multiple years. No matter where they are.
- pdimitar 1 year agoRunning pihole on a Pi is severely overrated.
I run it on my NAS Linux server (in a Docker container) where I have a bunch of other things. Zero problems, now using it for more than two years.
- throwaway742 1 year agoJust run it in a container. No need to use an actual Pi.
- stupidog 1 year agoSame here. After a few SD Card corruptions, I was done.
NextDNS has been fantastic. And like you said, easily portable.
- zikduruqe 1 year ago> I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
Exact same setup for me also.
I also run Tailscale since I have run into some remote networks that blocked wireguard's port.
- progbits 1 year agoHow's the latency?
I like the idea and might set that up but my residential ISP doesn't have great peering and latency isn't great. I wonder if that extra roundtrip would be noticeable or not.
- therealfiona 1 year agoToo many false positives with Pi-Hole. I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town, unable to get into the pi-hole and sort out the issue.
I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.
The blocker on PFsense eventually had the same issue.
Realistically, I was probably running too many overly restricting blocklists for my actual needs.
But, I also don't want to fiddle with messing with the out of the block blocklists that also caused me issues.
- evanreichard 1 year agoI can empathize with the sometimes aggressive blocking, and as you pointed out can be pretty block list dependent.
I generally will go in and whitelist things if a site breaks due to a DNS block, but of course putting your partner on the same VLAN can be problematic. I "got around" that by having a button in Home Assistant that will completely turn off Pi-hole (and now AdGuard). So my partner will go in and toggle that if there's a problem.
AdGuard Home does also have the ability to completely disable blocking for specific clients.
- swed420 1 year ago> I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town
One potential workaround, if your hardware supports it, is to broadcast two separate SSIDs for general users: one with a blocklist, and one without as a fallback. Users just need to know when to use each.
- qzx_pierri 1 year agoCouldn't you just monitor the query log and whitelist domains that were false positives?
- tamimio 1 year agoI did have several issues with adguard home, after some time (or packets?) the dns wouldn’t resolve and basically you can’t open any website, you can ping with no issues but not opening the site, only resolved by either restarting the server or waiting few minutes, didn’t bother to troubleshoot it but I tried it on several hardware and got the same issues with different interruptions time.
- IggleSniggle 1 year agoI experience similar issues with Cloudflare Zero Trust (I have it setup to work as an ad blocker, using a Terraform config to update blocklists pulled from eg uBlock Origin sources). It'll work great most of the time, but when it stops working I need to disconnect and reconnect. Hard to complain since it's free, though.
- lencastre 1 year agoIs there any config update to the wire guard profile needed to ensure that DNS request traffic is routed through pi-hole?
- evanreichard 1 year agoI use the bare WireGuard app on iOS. I just statically set the DNS server to the AdGuard Home IP (or Pi-hole IP) on my local network in the app.
- fdgadfagfgd 1 year agoI think op's saying local DNS was fine and preferred, just not usable outside the home network.
- vin047 1 year agoThis is the way. Added Unbound as my upstream DNS server in recursive mode for extra privacy!
- drewg123 1 year agoI love NextDNS.
The one (fairly huge) issue that I have is that it cannot handle captive portals when its enabled on my iPhone. So if I'm joining the wifi on a plane, etc, I need to remember to turn it off. This means that I cannot recommend it to my non-technical friends.
- maronato 1 year agoI’ve been using NextDNS for a little while and don’t remember having issues with captive portals on my iPhone. Maybe something changed?
- hipsterstal1n 1 year agoMost likely it's due to the different lists you can add or use on NextDNS. I also have issues with captive portals (I run a number of lists on NextDNS) and I just flip it off and on when I need to.
- air7 1 year agoA general trick for bringing up the captive portal manually is to browse to a non ssl url such as http://example.com
The portal would unapologetically mitm the server response with a redirect to the portal login page.
The domain needs to exist (to pass DNS) and not have HSTS, but otherwise any address will do.
- ssklash 1 year agohttp://neverssl.com/ is my go-to for this.
- JulianWasTaken 1 year agoInteresting -- for me pi-hole has worked for so long that I've forgotten my login even, but when I redo my home network in the near future I definitely intend to re-evaluate the options. Sounds like I've got 3 now...
- nickthegreek 1 year agoyou are gonna want to do a 'pihole -up' every few months. I would suggest finding that password!
- markphip 1 year agoThis is also my issue with pi-hole, I still use it but I lost the password. Every now and then I take a crack at getting back in so I can update it. I have been thinking of switching to NextDNS so I could have blocking everywhere.
Other than this problem, Pi-Hole has always been great
- i2shar 1 year agoHaven’t used NextDNS but have used PiHole and currently running AdGuard Home. But if you are paying $20/year just for DNS encryption/blocking, you may consider upgrading to Mullvad which gives you DNS Ad blocking but also IP anonymity, tunneling etc.
- ThePowerOfFuet 1 year agoThe two are not the same; with NextDNS I can choose to enable logging and see all requests from each device, as well as allowlist/denylist any domain/subdomain I want.
- Rastonbury 1 year agoNot familiar with pihole but are there not ways to do those things on it?
- schleck8 1 year agoThe issue being that it decreases your connection speed and increases your latency while good DNS naturally doesn't.
- oceanplexian 1 year agoExcept all of these third party VPN and DNS type services are literally NSA honeypots and privacy nightmares. I get that you have to do DNS lookups somewhere, but I'm not going to make it ridiculously trivial for a bad actor to scoop up all that data conveniently in a central location.
- screamingninja 1 year ago>> consider upgrading to Mullvad
> all of these third party VPN and DNS type services are literally NSA honeypots
https://mullvad.net/en/help/privacy-policy
It is up to you to decide what you believe, but Mullvad is a swiss company that does not ask for your personal information for signup and even allows payment in cash. You hurt your own credibility each time you make an unqualified claim without looking into it.
- hackeman300 1 year agoMullvad is an NSA honeypot? Got any sources on that?
- screamingninja 1 year agoI setup Pi Hole with tailscale on an inexpensive cloud server. It is configured to serve DNS requests over the tailscale interface. Also added tailscale IP address of the Pi Hole to tailscale DNS override to ensure that all devices on the tailnet use it without any additional reconfiguration. For redundancy, I have multiple DNS servers on my tailnet. Family and friends can use it without worrying about portability and be protected at all times, especially on cell networks.
- scosman 1 year agoTried this. Latency of DNS so critical, wasn't loving the self host option. Plus Tailscale wasn't quite reliable enough for all DNS traffic outside the house.
I ended up with Pi-Hole on local network (manual DNS tied to Wifi SSID), NextDNS as default/fallback on other networks.
- temp0826 1 year agoHappy nextdns user here who used to have an overly-complicated setup with pihole and vpns etc. The only thing I have to complain about is the iOS app- I really wish it had a builtin way for viewing logs and white/blacklisting domains from the app, without having to go to the site. (Other settings would be nice too, sure, but as aggressive as I run it I find myself fiddling with the whitelist the most)
- JaggedJax 1 year agoI've used ControlD [https://controld.com/] for this and liked it. Does anyone know how NextDNS compares to it?
ControlD has worked well for me, outside a few UI complaints I have with their site. I do have some concerns with trust as I don't know much about ControlD, and I'd rather use the most trusted service for this.
- rnicholus 1 year agoI've been a NextDNS user for years now, and am trying out ControlD (last week) before I commit to switching. NextDNS development seems to have stalled and there are a number of conveniences missing, such as being able to label allowlist entries (ControlD supports this). Also, running the NextDNS app on a device that uses a different profile than the one on my home router results in constant issues when the device wakes from sleep (not able to resolve domains for a noticeable amount of time on wake). NextDNS claims this is an Apple issue, but I don't think that's entirely true. Certainly not a problem for other similar services.
I'm seeing ControlD as much more feature-rich and the service is evolving faster. I also personally like the UI a bit more vs NextDNS. Prices are comparable.
- SparkyMcUnicorn 1 year agoIt looks like cost is not comparable. ControlD pricing is per user and a router costs $5/month, but NextDNS is a flat $20/year.
So ControlD would be significantly more than NextDNS for me personally.
- therealmarv 1 year ago+1 for nextdns definitely, that would be also my preferred choice.
Alternative and free for private usage is to set DNS to:
dns.adguard-dns.com
on your devices to block ads with DNS.
UPDATE: it seems the old one was dns.adguard.com (which was blocked in some countries)
- bityard 1 year agoFor the home-gamers without a strong grip of DNS, note that you can't enter a domain name into your resolver fields, you have to use the IPs:
94.140.14.14
94.140.15.15
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff
Also, it looks like https://dns.adguard-dns.com/ redirects to https://adguard-dns.io/ which is a paid service for more advanced DNS filtering, a la NextDNS.
- vin047 1 year ago9.9.9.9 from Quad9 is another great, free, pro-privacy alternative.
- greenie_beans 1 year agoomg, thank youuuu
- idatum 1 year agoI ran Pi-hole along with my OpenBSD router running unbound for some period. Then I realized I can download the same entries used for Pi-hole, AdGuard, uBlock, etc. I created a simple script that generates an unbound configuration that I can include in my unbound.conf file.
One advantage over Pi-hole I noticed is I can return NXDOMAIN which makes more sense to me. I didn't see how I had that option with Pi-hole.
I just checked, and the generated unbound configuration comes in at 218000 lines, so takes a moment on my Celeron J3060 class router when loading unbound.
- anon9874 1 year agoCare to share your script?
- idatum 1 year agoIf I recall, I was inspired by this:
https://www.tumfatig.net/2022/ads-blocking-with-openbsd-unbo...
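The blocklist-to-unbound conversion idatum describes, as an added example that is not idatum's script or part of the thread. It goes slightly beyond the comment by accepting hosts-format, plain-domain and `||domain^` entries and by dropping subdomains already covered by a blocked parent; the function names and the sample list are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Addresses that hosts-format blocklists use as the sinkhole target.
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample input mixing the formats found in public lists.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real blocklist
0.0.0.0 ads.example.com
127.0.0.1 localhost
0.0.0.0 0.0.0.0
tracker.example.net   # inline comment
||telemetry.example.org^$third-party
cdn.ads.example.com
ADS.example.com.
example.com##.banner
@@||allowed.example.org^
bad_host.example.com
"""


def extract_domain(line):
    """Return the blocked domain on one blocklist line, or None."""
    # '#' starts a comment only at line start or after whitespace, so
    # cosmetic rules such as 'example.com##.banner' are not truncated
    # into a bare domain and blocked by mistake.
    line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||"):                    # adblock-style rule
        candidate = line[2:].split("^", 1)[0]
    else:
        fields = line.split()
        if len(fields) >= 2 and fields[0] in _SINK_IPS:
            candidate = fields[1]                # hosts format
        elif len(fields) == 1:
            candidate = fields[0]                # plain domain list
        else:
            return None
    domain = candidate.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or len(domain) > 253 or labels[-1].isdigit():
        return None                              # localhost, IPs, junk
    if not all(_LABEL.match(label) for label in labels):
        return None
    return domain


def collapse(domains):
    """Drop names that sit under another blocked name.

    A local-zone also answers for every name beneath it, so listing
    cdn.ads.example.com next to ads.example.com only adds lines.
    """
    blocked = set(domains)
    kept = []
    for domain in sorted(blocked):
        labels = domain.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(parent in blocked for parent in parents):
            kept.append(domain)
    return kept


def render_unbound(lines):
    """Build the text of a file to include inside unbound's server: clause."""
    domains = {d for d in map(extract_domain, lines) if d}
    return "".join(
        f'local-zone: "{d}." always_nxdomain\n' for d in collapse(domains)
    )


if __name__ == "__main__":
    print(render_unbound(SAMPLE_BLOCKLIST.splitlines()), end="")
```

Running `unbound-checkconf` on the resulting configuration before reloading catches a malformed include before it takes the resolver down.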
- itsTyrion 1 year agoI gave up on using anything that isn’t the default/auto DNS for when I’m on the go more, as it breaks every single public wifi hotspot that has a login/I-agree-to-not-do-illegal-shit-etc page that obv cannot be resolved
- muppetman 1 year agoOn my Pixel I just set Private DNS. Yea I had to setup a SSL certificate but that's easy to do. So when I leave home, I still use my Adguard server for adblocking without having to touch settings etc (except, as mentioned, captive portals)
I could do the same with "vanilla" DNS (udp port 53) as well, but I don't.
Pihole can't, easily, do DNS via TLS/QUIC etc without 3rd party stuff being bolted on etc. Adguard Home is a single binary, it's great.
- snailmailman 1 year agoI run a pihole server for myself- and access it over VPN when I’m traveling. But I’ve tried NextDNS and can confirm it works pretty well. Set my grandmother up on the free tier and within the first week it stopped her from getting phished, because the scam text she clicked went to a site that wouldn’t resolve.
- lnxg33k1 1 year agoI also switched from pihole, because of the random disservice, I’d have it working, then suddenly it would just stop, without changing anything, and even having it in their own docker container, unbelievable, I am quite happy with adguardhome, but now I kinda would try this nextdns
- afruitpie 1 year agoAnother great (and free!) option is Mullvad’s ad-blocking DNS over TLS or HTTPS.
- stranded22 1 year agoI love nextdns - pihole was fine but required admin, and I also had challenges vpn’ing in to use it out side of home. Whereas nextdns is simple to use, and effective.
- verelo 1 year agoNo idea how I have been living under a rock. I was using Google dns forever, but just switched my router over to next! This looks amazing, and great to see so many people using it with positive feedback.
- mrbonner 1 year agoI paid for NextDNS back in 2020 but discontinued the following year due to services such as streaming from PBS app and websites not working properly. I knew this maybe related to aggressive blocking DNS but I wasn't having the time to investigate. I have no complaints about NextDNS. Their service works and pricing is fine. I just use Adguard premium now and have no issue for a year.
- berniedurfee 1 year agoI’m with you. For twenty bucks it covers my home network and the app covers me when I’m out of the house.
Turning it off occasionally reveals the horror of the un-ad-blocked internet. I never forget to turn it back on.
- hsshah 1 year agoHave you looked into their privacy/data collection policies?
Generally prefer local solutions but gave up on Pi-hole some time back after recurring issues. Currently using client-specific adguard; however the centralized management with nextdns is enticing.
- boringuser2 1 year agoOne of the major reasons why I don't use or recommend NextDNS is because they force you to use their DNS resolver when a DNS resolver like Quad9 has vastly superior threat intelligence.
- illiac786 1 year agoCan nextDNS differentiate between clients coming from the same public IP? Do you get individual DNS IPs?
- sitzkrieg 1 year agoi switched to nextdns all in a handful of months ago and mostly recommend it too
- 1vuio0pswjnm7 1 year agoNextDNS sends EDNS client subnet (ECS). If challenged on privacy grounds they can claim it is for performance but a primary benefit of ECS, whether intentional or not, is to serve online advertising interests.^1
1. Dishonest people might try to debate intentionality. But foreseeability is indisputable. The privacy issues created by ECS were known when it was introduced by Google. If ECS is truly for performance _that benefits the user_ then it stands to reason that it should be the _user's_ choice whether to send it. That is, ECS should be optional. This is not merely a personal opinion. It was a consensus. See: https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf AFAIK, NextDNS, like Google and OpenDNS, will not allow any user to disable sending ECS.
For example, Cloudflare when it launched 1.1.1.1 decided not to send EDNS subnet and they have claimed this is based on privacy grounds.
Whether anyone cares about privacy is their business, not mine. And whether anyone believes ECS improves performance for them is for them to decide, not me.^2 Here I am just presenting some facts for consideration. Anyone is free to disregard these facts.
2. When considering "performance" we might differentiate between performance in requesting the resource the user is trying to access versus performance of ad servers or tracking servers. Needless to say, ads are not the resource the user is trying to access. And tracking is not even a resource. The speed of ads and tracking are obviously very important to Google, the company behind ECS. When we see a campaign for a "faster internet" from so-called "tech" companies such as Google and Facebook we should keep in mind that "the internet" as envisioned by these middlemen is an internet full of advertising and tracking. As such, "faster internet" does not necessarily mean better speeds when downloading a resource. Ads and tracking are not the resources that users are intentionally requesting. They only serve to add delay and impede the user's retrieval of a desired resource. Hence the need for "ad blocking".
Personally, I do not use third party DNS services, i.e., shared DNS caches operated by third parties. Historically these shared caches are the source of various problems. There are plenty of alternatives available today what with the enormous advances in network speeds and local storage that have occurred since the days when shared DNS caches were a necessity. For example, all the DNS data I use is stored locally and served from loopback addresses, either in the memory of a forward proxy or from authoritative DNS servers. Requests never leave the computer. (NB. PiHoles send requests to upstream third party DNS providers by default. Unless the parent commenter changed the PiHole's i.e., dnsmasq's, configuration to use a local DNS server serving locally stored DNS data then requests would by default be sent to the internet. In the case the configuration is changed to point to a local DNS server serving local DNS data and the user is satisfied with DNS-based blocking, like what NextDNS provides, then the utility of a PiHole would be questionable. Just omit DNS data for ad/tracking servers. I have been doing this for decades; I began using DNS for "blocking" before "adblockers" or PiHole existed.)
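For readers who want to see what the EDNS Client Subnet option discussed in the comment above looks like on the wire, here is an added example (not part of the thread) that parses a raw DNS message and reports the subnet carried in its OPT record, following the option layout of RFC 7871. The helper `build_query` and the addresses are constructed test input; captured packets would be fed to `find_ecs` the same way.

```python
import ipaddress
import struct

OPT_TYPE = 41   # EDNS0 pseudo-record type (RFC 6891)
ECS_CODE = 8    # edns-client-subnet option code (RFC 7871)
_NETWORKS = {1: (4, ipaddress.IPv4Network), 2: (16, ipaddress.IPv6Network)}


def _skip_name(msg, off):
    """Return the offset just past an (optionally compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def _ecs_from_options(rdata):
    """Walk the OPT record's option list and decode the ECS option."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        body = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != ECS_CODE or len(body) < 4:
            continue
        family, source_len, _scope_len = struct.unpack_from("!HBB", body)
        if family not in _NETWORKS:
            continue
        size, net_cls = _NETWORKS[family]
        if source_len > size * 8:
            continue                     # malformed prefix length
        # Only ceil(source_len / 8) address bytes are sent; pad the rest.
        addr = body[4:].ljust(size, b"\0")[:size]
        return net_cls((addr, source_len), strict=False)
    return None


def find_ecs(msg):
    """Return the client subnet in a DNS message, or None if absent."""
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == OPT_TYPE:
                subnet = _ecs_from_options(msg[off:off + rdlen])
                if subnet is not None:
                    return subnet
            off += rdlen
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed DNS message") from None
    return None


def build_query(name, subnet=None):
    """Construct a test A query, optionally carrying an ECS option."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in name.split(".")
    ) + b"\0"
    options = b""
    if subnet is not None:
        net = ipaddress.ip_network(subnet)
        family = 1 if net.version == 4 else 2
        nbytes = (net.prefixlen + 7) // 8
        body = struct.pack("!HBB", family, net.prefixlen, 0)
        body += net.network_address.packed[:nbytes]
        options = struct.pack("!HH", ECS_CODE, len(body)) + body
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags.
    opt = b"\0" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options))
    return header + qname + struct.pack("!HH", 1, 1) + opt + options


if __name__ == "__main__":
    print(find_ecs(build_query("example.com", "203.0.113.0/24")))
    print(find_ecs(build_query("example.com")))
```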
- zukzuk 1 year agoI looked at Pi-hole recently but went with AdGuard Home. Nicer UI and nicer everything by all appearances. There's also a surprising amount of customization for something this slick, like being able to defer to my internal DNS for local private domain queries, etc.
I'm not entirely sure why AdGuard is giving this away, and maybe I should look into that, but seemed like a relatively low-risk decision to go with this for now. And I can't say enough about how much more pleasant using things like the NYTimes app has been without the obnoxious ads.
- andix 1 year agoYes, it’s really awesome. The split-dns feature has all the options you would imagine.
I thought i would need a second dns server behind it, but i could add all the rules I need right into adguard home. It even supports DoT and DoH upstreams, which is still not a thing with many home routers.
Edit: here are the docs: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuratio...
- andix 1 year agoAbout the give-away-for-free aspect I was also wondering. Do they maybe configure their dns servers as default upstream and hope many people keep the defaults? DNS is one of the best technologies to do data mining and sell the data. I guess it's also why all those easy to remember dns servers like 8.8.8.8 and 1.1.1.1 exist. Google and Cloudflare for sure don't do it just to be nice.
Disclaimer: adguard claims not to sell any customer data.
- madduci 1 year agoThey can expand their user base and when they have acquired a certain amount of people, switch to a licensed model?
- andix 1 year agoThe main repo is GPLv3: https://github.com/AdguardTeam/AdGuardHome
They already have many other commercial products and I guess also the default filter rules are very good because of their experience in the domain.
But I think you can use it completely without the AdGuard servers and use other filter list sources.
- Brajeshwar 1 year ago> I'm not entirely sure why AdGuard is giving this away
Here is my reasoning. I can read up the documentation and set it up and get it working. I'm going to brag to my friends about how my home network has no pesky ads and stuff. They will ask me to “Set up for me, Set up for me.”
I cannot help them maintain, even if I do set it up for them, so -- I'm going to say, “You know what, instead of that complexity, they have a simple app-based setup that just works for just $29 a year for your whole family.”
See, I just got five of my friends to download and buy the service in that dinner party.
I believe this is the same philosophy of today's tech Startups -- have an Open Source Product but build a commercial business on top of that.
- zymhan 1 year ago> like being able to defer to my internal DNS for local private domain queries, etc.
PiHole supports Conditional forwarding
- throwaway742 1 year agoDoes AdGuard support regex matching?
- seanieb 1 year agoAdGuard is a Russian company, with Russian engineers, the majority of AdGuard developers and other employees working from Moscow, registered in Cyprus. Not a great recipe. Hard pass on security grounds.
- 19h 1 year agoIt’s open source software.
MacPaw lists Russian-developed software as a risk because the government can access your data at any time — this is self-hosted open-source software though.
The FSB can’t just access your local server with an arbitrary court order.
Therefore this doesn’t feel like a legitimate concern but more like Russophobia, which I understand but also think is utterly unasked for as I know first hand how much Russian developers are suffering from the stupidity of their government.
- tills13 1 year agoIt's open source you can verify it yourself.
- mrcarruthers 1 year agoTechnically, yes you can. But do you really have the time to sit down to understand a piece of software enough to know if it's doing anything nefarious?
- Sammi 1 year agoIt only takes one obfuscated line of code buried somewhere deep where you wouldn't expect it.
- Sammi 1 year agoGood luck with that.
- modzu 1 year agoand your macbook was built in china. uh oh
- seanieb 1 year agoApple is an American company and we’re not actively paying for a hot war against China.
- time4tea 1 year agoYou might be interested in py-hole. It's just a python script and some dnsmasq configuration, it runs on openwrt, is free and close to zero cpu usage.
- int_19h 1 year agoOne other neat thing about AdGuard is that it is available as a Home Assistant addin - and it does integrate with the rest of HA, so you can e.g. have a switch to enable/disable blocking as part of your dashboard.
- fignews 1 year agoNextDNS also, just set it up :)
- smarterhome 1 year agoAdGuard Home is amazing! I used PiHole for a time but did run into small issues quite a lot. Mind you nothing serious but things like these are only really useful if they just work. Adguard Home works without any issues on my Pi setup via docker-compose [1] and it even runs on a second Pi as backup using a cool container called adguardhome-sync [2] to keep their configurations in sync. I am not seeing any ads in my network anymore and it is quite interesting to see how many tracking/ad requests are sent by some devices...
1 - https://thesmarthomejourney.com/2021/05/24/adguard-pihole-dn...
2 - https://thesmarthomejourney.com/2023/02/12/adguardhome-sync-...
- vin047 1 year agoThe real eye-opener is when you start redirecting DNS 53 requests to your own DNS server and block DoT/DoQ/DoH – so many devices/apps just trying to reach out to their hardcoded DNS servers for tracking/ad targeting.
- briHass 1 year agoUnsurprisingly, Google and Facebook IoT junk is the worst. They both hardcode their own DNS, and I've caught Google devices ignoring the DNS IP from DHCP (not the gateway) and attempting to resolve from the gateway (with external blocked)
- ittan 1 year agoUnsure if anyone here uses Technitium DNS(Opensource and free). It works on minimal hardware. I am running it on an Orange Pi 3 LTS.
- yumraj 1 year agoThis looks great.
Qs: this says “Technitium DNS Server is an open source authoritative as well as recursive DNS server”
Are pi-hole/AdGuard also recursive DNS servers or just blockers?
Edit: I’ve been using pi-hole for ages, trying to figure out if this has any advantage.
- roach360 1 year agoCan't speak to Adguard:
PiHole isn't natively recursive, but you can easily set up a service alongside pihole on the pi (or in another docker, if your pihole is a container) called Unbound which provides recursive DNS.
- yumraj 1 year agoThanks, I’ll take a look at Unbound. I have it running on a Pi.
I had a pfsense, which died a few days ago while upgrading from 2.6 to 2.7. I believe it was running Unbound.
- mianos 1 year agoAnd you can load the ad blocking lists into anyway so you get solid DNS, ad blocking and none of those random youtube spinners from rando dns issues. For nothing but a little configuration.
- az09mugen 1 year agoYup, running it on a pi 4. Simple to set up and use, happy with it. I didn't know about Adguard but I don't want to try it even if it seems good.
- FuriouslyAdrift 1 year agoI've been using it for years and love it. .Net based, so it is cross platform, too! There's a docker image if you want to go that route.
- vin047 1 year agoDecided against it due to being written in C#/NET and being relatively new. Went with Unbound
- neonsunset 1 year agoWhy?
- vin047 1 year agoBecause it’s written in C# and relatively new. Unbound is written in C so should consume less resources, has been around longer and has been vetted – FreeBSD and OpenBSD replaced BIND with Unbound.
The one downside to Unbound is that there’s no GUI so it can be a bit intimidating to set up. But the docs are excellent and Unbound defaults are secure, so it’s not as hard as it seems.
- hbcondo714 1 year agoThere are a few mostly positive comments here about NextDNS but I'll start a new comment since I'm thinking about switching away from NextDNS. Why? I'm on a Mac / Safari now and would like to enable their "Hide IP address from trackers" feature but if I do, then I start seeing advertisements on websites that would normally be blocked by NextDNS. So I have to uncheck this option and can't use Apple's feature. Overall, I guess the two can't be used together, per an issue reported on the NextDNS Help site:
https://help.nextdns.io/t/q6yq4xy/nextdns-stops-working-prop...
Does anyone by chance know if this is a known issue with AdGuard or even Pi-hole?
- pseufaux 1 year agoAre you referring to iCloud Private Relay? If so that's expected behavior for any DNS based ad blocker. Turning on the relay proxies your connection and your local network's DNS server will not be used. Doesn't matter if it's PiHole, NextDNS, or AdGuard.
- _kb 1 year agoIt does with encrypted DNS (I think - still mid setup). If you use a configuration profile [0] to explicitly set a DNS over HTTPS or DNS over TLS server this is still honoured within private relay.
IMO vanilla private relay is much neater and simpler if privacy is your goal. It uses Oblivious DNS over HTTPS [1] which is pretty neat.
To trade some of that privacy to reduce ads setting up encrypted DNS restores filtering control. This does mean you then need to funnel those queries somewhere likely less oblivious though. Current setup I'm playing with in the homelab uses Adguard Home for filtering. This then forwards to a local Unbound instance acting as a recursive resolver with strict DNSSEC [2] and QNAME minimisation [3]. End result is the DNS traffic is still open, but does not all go to any one single entity (apart from my ISP, which can see TLS SNI anyway).
[1]: https://datatracker.ietf.org/doc/html/rfc9230
- hbcondo714 1 year agoThanks, I did not think of that but iCloud Private Relay requires an iCloud+ subscription[1] which I do not have.
I'm referring to the "Limit IP Address Tracking" option[2] in Safari/iOS and "Hide IP address from trackers" option[3] in MacOS/Safari
[1] https://support.apple.com/guide/icloud/set-up-icloud-private...
[2] https://support.apple.com/library/content/dam/edam/applecare...
[3] https://appletoolbox.com/wp-content/uploads/2014/02/Hide-IP-...
- rahimnathwani 1 year agoYou're using one product that blocks ads and trackers, but then bypassing that with another product that deliberately provides access to ads and trackers, but via a third party.
What is the point of the latter?
- hbcondo714 1 year agoI subscribed + configured my router to use NextDNS years ago so ads + trackers are blocked on my IoT devices. More recently, I inherited a MacBook and now an iPhone and naturally enabled their built-in blocking capabilities. I think I assumed two blockers are better than one but now I just leave Apple's IP limiting features off and let NextDNS do its thing but it just feels weird to deliberately turn off a privacy feature.
- illiac786 1 year agoThis is not two ad blockers. One is an ad blocker the other is a tracking blocker. They conflict simply.
If you want both across all apps (not just the Browser) you need a VPN service with included ad blocking, such as protonVPN, IVPN, etc. There are a lot.
- NoPicklez 1 year agoI swear there is a set time that HN can't go without a Pi-Hole or Adguard Home post.
- Brajeshwar 1 year agoI’ve a bi-annually repeating task on my calendar -- HN: Pi-Hole / AdGuard? ;-)
- s0ss 1 year agoNeat! Similar: If you happen to run pfsense on your network, check out pfblockerng, I really like it!: https://docs.netgate.com/pfsense/en/latest/packages/pfblocke...
- dsheets 1 year agoI contributed improved ipset support to this project. As far as I know, it’s one of the few off-the-shelf DNS servers that can insert result records into Linux ipsets to enable domain-based firewall policy. I run it on OpenWRT and use the ipset support to open the default drop firewall from my “smart” projector on my IoT subnet to NetFlix and YouTube. It sets the ipset entry expiry to the DNS TTL. Now, the only way for the machine to connect to the internet is to resolve a whitelisted domain and it can only access while the record is fresh. I haven’t encountered any issues so far. I take it that some Chinese users use this same functionality to selectively VPN domains to evade GFW.
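The TTL-bound allowlist dsheets describes above, modelled in Python as an added example (not part of the original comment and not AdGuard Home's code). `TimedSet`, `DomainFirewall`, the sample addresses and the one-second floor are assumptions made for illustration; the floor exists because ipset treats a timeout of 0 as "never expire".

```python
from typing import Dict, Iterable, List, Tuple

MIN_TIMEOUT = 1  # assumption: floor so a DNS TTL of 0 never becomes a permanent entry


class TimedSet:
    """Model of a Linux ipset created with timeout support."""

    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}  # ip -> absolute expiry time

    def add(self, ip: str, timeout: int, now: float) -> None:
        # ipset semantics: timeout 0 adds the entry permanently.
        # Re-adding an existing entry refreshes its expiry.
        self._expiry[ip] = float("inf") if timeout == 0 else now + timeout

    def contains(self, ip: str, now: float) -> bool:
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[ip]  # entry aged out, as the kernel would drop it
            return False
        return True


def matches(qname: str, allowed: Iterable[str]) -> bool:
    """Match a name or any subdomain of it, on label boundaries only."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


class DomainFirewall:
    """Default-drop egress policy opened only by fresh answers for allowed names."""

    def __init__(self, allowed_domains: Iterable[str]) -> None:
        self.allowed = [d.lower().rstrip(".") for d in allowed_domains]
        self.allow_set = TimedSet()

    def on_dns_answer(self, qname: str, records: List[Tuple[str, int]],
                      now: float) -> int:
        """Resolver hook. records is [(ip, ttl)]; returns how many IPs were added."""
        if not matches(qname, self.allowed):
            return 0
        for ip, ttl in records:
            self.allow_set.add(ip, max(ttl, MIN_TIMEOUT), now)
        return len(records)

    def permit(self, dst_ip: str, now: float) -> bool:
        """Only destinations with an unexpired set entry pass."""
        return self.allow_set.contains(dst_ip, now)


def demo() -> List[bool]:
    # Constructed data: documentation-range addresses, made-up TTLs.
    fw = DomainFirewall(["netflix.com", "youtube.com"])
    fw.on_dns_answer("api.netflix.com", [("198.51.100.10", 60)], now=0)
    fw.on_dns_answer("notnetflix.com", [("203.0.113.5", 300)], now=0)
    return [
        fw.permit("198.51.100.10", now=30),  # fresh record: allowed
        fw.permit("203.0.113.5", now=30),    # look-alike domain: never added
        fw.permit("198.51.100.10", now=61),  # TTL elapsed: dropped again
    ]


if __name__ == "__main__":
    print(demo())
```
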
- Crosseye_Jack 1 year agoAlso runs on home assistant. The only thing to remember is when you're updating HA (or you forget that your HA pi is not on the UPS, and you trip your GFI when doing home maintenance on your ring main) that your DNS also goes down.
Side note: it’s always DNS…
- Dries007 1 year agoExactly why I run my DNS on an old pi just for that and some minor watchdog stuff.
- pandemic_region 1 year agoHappy AdGuard user here. It's running directly on my EdgerouterX so no need for an extra device to maintain. I really love the high level service blocking as well, blocking the whole of Facebook is just ticking a checkbox!
- vladgur 1 year agoWith a self-hosted DNS internally, how do you handle fallback?
For example if the box with Adguard Home or pihole crashes, can you configure your router or your devices in a way that would instead go to say cloudflare or google DNS?
- briHass 1 year agoMy router (Mikrotik Hex) redirects all DNS requests it receives to the Adguard server (with masquerade.) DHCP hands out the router for DNS.
A recurring script attempts to resolve a domain from Adguard every 30s, and if that fails, the NAT rules are disabled and the router would handle the DNS directly.
Downside to this approach is AG doesn't have client IPs, since they all come redirected by the router. I think DNS has a way to tag original IPs, but AG doesn't support it. I just use multiple DHCP configs to hand out AG directly to devices that are bad actors (and not critical), and critical stuff gets the method above.
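The recurring health check briHass describes above, sketched in Python as an added example (not part of the original comment and not RouterOS script). It goes beyond the comment by adding fail and recover thresholds so a single lost packet does not flip the redirect; `set_redirect` is a hypothetical callback that would enable or disable the router's NAT rule, and the replies used in the demo are constructed.

```python
import secrets
import socket
import struct
import time
from typing import Callable, List, Optional

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname: str, txid: int) -> bytes:
    """Encode a minimal recursive A-record query (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_ok(query: bytes, reply: Optional[bytes]) -> bool:
    """Pass only on a matching NOERROR response that carries an answer."""
    if reply is None or len(reply) < 12:
        return False  # timeout or truncated datagram
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False  # stale or unrelated datagram
    if not (flags & 0x8000):
        return False  # QR bit clear: this is not a response
    if (flags & 0x000F) != RCODE_NOERROR:
        return False  # SERVFAIL, REFUSED, ...
    return ancount > 0


def send_probe(server: str, qname: str, timeout: float = 2.0) -> bool:
    """Send one UDP query to the filtering resolver and judge the reply."""
    query = build_query(qname, secrets.randbelow(0x10000))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # includes socket.timeout
            reply = None
    return probe_ok(query, reply)


class Failover:
    """Tracks probe results and says when to flip the DNS redirect."""

    def __init__(self, fail_threshold: int = 2, recover_threshold: int = 3) -> None:
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.redirect_enabled = True
        self._fails = 0
        self._oks = 0

    def observe(self, ok: bool) -> Optional[str]:
        """Feed one probe result; returns 'disable', 'enable' or None."""
        if ok:
            self._fails, self._oks = 0, self._oks + 1
        else:
            self._oks, self._fails = 0, self._fails + 1
        if self.redirect_enabled and self._fails >= self.fail_threshold:
            self.redirect_enabled = False
            return "disable"
        if not self.redirect_enabled and self._oks >= self.recover_threshold:
            self.redirect_enabled = True
            return "enable"
        return None


def run(server: str, qname: str, set_redirect: Callable[[bool], None],
        interval: float = 30.0) -> None:
    """Probe forever; set_redirect is the hypothetical router hook."""
    state = Failover()
    while True:
        action = state.observe(send_probe(server, qname))
        if action is not None:
            set_redirect(action == "enable")
        time.sleep(interval)


def constructed_reply(query: bytes, rcode: int = RCODE_NOERROR) -> bytes:
    """Build a sample response for offline testing (constructed, not captured)."""
    ancount = 1 if rcode == RCODE_NOERROR else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, ancount, 0, 0)
    body = query[12:]
    if ancount:  # one A record, name compressed to the question, TTL 60
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        body += socket.inet_aton("192.0.2.1")
    return header + body


def replay(results: List[bool]) -> List[Optional[str]]:
    """Run a sequence of probe outcomes through a fresh Failover."""
    state = Failover()
    return [state.observe(r) for r in results]


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    print(probe_ok(q, constructed_reply(q)), probe_ok(q, None))
    print(replay([True, False, False, True, True, True]))
```

The probe name should be one the blocklists will never match, otherwise a working resolver is indistinguishable from a dead one under stricter answer checks.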
- jerezzprime 1 year agoI dealt with a less-than-ideally reliable pihole by configuring the pihole as the primary DNS, and an external DNS server as the secondary (most devices accept 2 or more IPs for DNS).
- 293984j29384 1 year agoOn Windows that means your requests are queried against all DNS servers listed.
- moontear 1 year agoHonestly? Have two instances and point to both via your router dhcp dns. Every client will use them and you are good to go. There are also solutions like adguardhome-sync to keep both installations in sync.
- lurking_swe 1 year agomost routers let you set a primary dns server and a secondary. just set the secondary to something like google or cloud flare dns.
- smarkov 1 year agoI believe this only works if your ad blocking DNS is configured to return 0.0.0.0 for all blocked domains rather than NXDOMAIN, since then services might try using the secondary DNS instead and that would result in nothing getting blocked. Ideally your secondary DNS should be a copy of the primary.
- vladgur 1 year agodo you know if pihole or Adguard can be configured to support confirming to the router or the client that resolution took place, rather than try the secondary DNS?
If i understand you correctly, if you have a blocking internal DNS running pihole or Adguard and an external general DNS such as google or cloudflare, unless what you described can be configured, the requests that come back "blocked" from pihole would then simply be resolved by google/cloudflare, thus negating the point of pihole.
- moontear 1 year agoThere is no primary and secondary dns on windows. Both dns servers are queried, if one goes down you are fine but you won’t hit your local dns all the time.
- readscore 1 year agoI'm experienced in DNS but have never seen the point in DNS blocklists. It feels like the wrong layer.
I do adblocking with a browser extension. The adblocking has more context, can modify the page, and has easy UI integration for debugging and turning it off.
What else are DNS blocklists for? Clients except browsers?
For the record, on my desktop I use systemd-resolved (for DNSSEC) and dnscrypt-proxy2 (for encryption). On my router I run unbound as recursive resolver for other devices.
On my phone I use quad9, and adblocking via Firefox.
- Larrikin 1 year agoI enjoy having ads blocked in apps and on my iPad, where ad blocking is extremely limited otherwise.
If you look at the logs from your media box, (whether that is your TV, Roku, or whatever) there's a massive amount of tracking that gets sent up.
Combined with Tailscale I can even block ads and tracking on my devices when I'm not home.
- readscore 1 year agoThanks I understand now.
All my devices are plain Linux distro machines, or Android.
- muppetman 1 year agoAdblocking via the browser is the best option if it's available. All the games the kids play on their iPad try to insert ads, track them, all that sort of stuff and DNS based Adblocking stops that. My wife's iPhone isn't subject to ads when she's reading the news in Safari. On my Google Pixel I don't see ads in browsers either, Firefox I use uBlock but even the Google Newsfeed uses Chrome for webview, so DNS adblocking stops me having to see the sponsored stuff in there.
There's so many places other than "the browser" to see ads, to even question that seems like not really having knowledge of what the Internet is used for in 2024. Edit: Sorry that's a bit rude, I just meant maybe you don't use it the same way a lot of others do. Sorry for sounding obnoxious and rude.
DNS blocking doesn't stop stuff like ads in Instagram, or YouTube etc, but it certainly helps in a lot of other situations like Ads in the Imgur app etc etc.
- readscore 1 year ago> There's so many places other than "the browser" to see ads, to even question that seems like not really having knowledge of what the Internet is used for in 2024.
I understand that many people use apps and smart TV sticks, but I'd forgotten that many have ads. I use some apps, but none that have ads.
My family use apps but say that they appreciate targeted ads.
- muppetman 1 year agoYea sorry I've updated my comment to reflect the fact the way I phrased that was quite rude - my apologies.
For the silly games my kids play on their iPad, blocking ads means they can "skip" ahead quite often instead of being forced to watch an ad before they're allowed to try again/progress to the new level. They're subject to enough advertising with Youtube anyway, just from all the content they watch that's subtle advertising.
- NamTaf 1 year agoMy ISP-supplied router tries to ping back to some “AI driven wifi analytics” bullshit every 30 seconds. I put in a custom block for that. My TV would also probably love to phone home if I connected it to wifi to use the applications on it.
The value is not just that I can block at the network level rather than the application/device level, it’s also that I can see what random connected devices that aren’t general computing devices are trying to do. If they have hard-programmed DNS servers, blocking 53 for any device besides my Adguard server quickly solves that.
- Brajeshwar 1 year agoI used Pi-Hole, then went to NextDNS, then to AdGuard DNS, tinkered with AdGuard Home, and currently testing Control-D. They are all actually pretty good, similar features, and it has become just a matter of personal choice.
In all fairness, when I have some time and can invest in decent hardware, I might go back to AdGuard Home with one of the paid services as backup for travel, and for the other family members.
Pi-Hole works really well but once-a-while, when I'm traveling, it will decide to act up and it's a whole IT support with the family over phone for minutes if not hours. I'm not smart enough to setup a secure enough tunnel and the like, and haven't read up enough on the topic. This follows similar pattern with AdGuard Home.
NextDNS, AdGuard DNS, Control-D are easy and just work, especially with the devices that the family uses. I think I bought one of those AdGuard Lifetime licenses, so I use that to block client-side rendered ads in conjunction with either AdGuard DNS or NextDNS or Control-D. Right now, Control-D is doing pretty good with my test-drive.
Edit: The other reason is that many websites such as the Governments’, Banks (at least in India) seldom work with Pi-Hole or AdGuard Home. With the other tools, I can turn off for a while, and go Internet-Naked and do the transactions, pay the insurance, etc.
- linuxandrew 1 year agoI wonder how much DNS blocking would contribute to a unique browser fingerprint? Like a tracker could use a range of domains, some of which are known to be blocked by certain end-user software, to build a fingerprint.
I currently use a vanilla LibreWolf which has uBlock Origin and reasonable defaults out of the box for this reason.
My only other line of thinking is that a combination of DNS, IP and in-browser blocking could be more effective than just in-browser alone.
- dang 1 year agoRelated:
AdGuard Home: Network-wide ads and trackers blocking DNS server - https://news.ycombinator.com/item?id=33387678 - Oct 2022 (113 comments)
Show HN: AdGuard Home – an open source network-wide ad blocker - https://news.ycombinator.com/item?id=18238503 - Oct 2018 (2 comments)
- triyambakam 1 year agoCoincidentally I just set up OpenWRT [1] on a NanoPi from FriendlyElectric.
How would this fit into using Wireguard? Or, how would I go about that? It seems like there might be something conflicting about running both, but I am very new to it all.
[1] It is actually running their FriendlyWRT variation which came with the precompiled drivers for getting a Realtek USB wifi adapter to work, otherwise stock OpenWRT would work as well
- 35mm 1 year agoThose who are using DNS level ad blocking: how much do sites break? And how easy is it to unblock them?
I currently use browser based blocking and find a lot of sites don’t work at all. Typically SPAs.
But if I have to use them, I can disable the adblocker in two clicks. How does that compare?
- LeoPanthera 1 year agoIt entirely depends on which blocklist(s) you use. I had to stop using the StevenBlack list because it started breaking a lot of things, apparently intentionally.
I recommend using only one list, rather than a combination of several. I switched to the https://oisd.nl Big List, which has been great... although it did break GitHub yesterday. That was the first breakage since I switched, and it was fixed when I reported. But still, keeping an eye on it.
- vin047 1 year agoHagezi blocklists are the current standard now: https://github.com/hagezi/dns-blocklists
You could go for one of the Lite blocklists for the network wide, family friendly (non-breaking) list.
- muppetman 1 year agoOISD is what I use as well. It's great, the family don't have any issues like we used to with the other lists I used. It doesn't block as much, but I'll take the odd thing slipping through vs not being able to load a page we need.
- ololobus 1 year agoI use PiHole, it does break some stuff here and there, and sometimes useful things like Private Relay or iCloud in iOS; or once YouTube history stopped working for me (apparently they use a separate domain to track watched videos and progress!). It also depends on the block lists you upload. It’s pretty easy to unblock, especially web, as you just look on which domain cannot resolve in the browser dev tools and add it to the allow list.
Yet, DNS-based blockers have a limited usefulness at this moment as some major ad-providers started using the same primary domain for serving ads. For example, YouTube, partially Google, Yandex. I guess they cover everything with top level load-balancer and then route internally to specific service ingresses
- HumblyTossed 1 year agoSites break often if they're shitty. Especially if you click Google's "Sponsored" link by accident after a search because I block Google's ad stuff.
But, you get used to what sites break and decide if it is worth bothering to fix it or not.
I can disable my pihole by opening a browser, navigating to pihole and disabling it.
- kodt 1 year agoAffiliate links break, which can be annoying for other members of the household who may want them to work.
- lock-the-spock 1 year agoI use AdGuard home as part of my HomeAssistant setup and have had no problem at all. Only thing is to turn off the enforced safe search as that quite reduces results.
- nprateem 1 year agoForget about streaming media from amazon prime and various terrestrial broadcast apps. But just create 2 networks, one protected, one not.
- downrightmike 1 year agorarely breaks. Also simple regex blocking goes a long way: .ads. will get rid of most ads domains. .tele. for telemetry etc
- amelius 1 year agoHow can this possibly work?
I don't know much about how adtech works, but if I were Google I'd provide ad blocking detection to all of my clients. And it should be pretty simple to detect if parts of the network that are essential to my ads are being blocked.
- politelemon 1 year ago> Runs on your OpenWrt box
Where are you seeing that? The only reference to OpenWRT I see is in the "Projects that use AdGuard Home" section which links to a different project.
Otherwise that's a misleading title - this is a PiHole alternative.
- winstonprivacy 1 year agoSadly for the AdGuard team, there isn't much of an audience for this. It's one of those things everyone says they want but few people will actually install one, much less maintain one over time. Add to that the wife-forced uninstalls and the total long-term audience for this is (no kidding) in the thousands.
- breckenedge 1 year agoMy spouse’s device is on a pihole exclusion list. Can you not do this with AdGuard?
- jraph 1 year agoWhat is the reason for someone in the network to not want the filtering? Does this break some websites?
My own devices are covered, I definitely want full filtering even when not at home and my devices are completely hackable, but I'm wondering if such a tool would be a convenience for other people using the network in particular with less hackable devices, and people likely to use my network are likely totally uninterested in ads, but I don't want this to be a pain.
- breckenedge 1 year agoYes, it breaks some websites and apps that they use for work. My pihole also only runs on my “private” network, the “guest” network is not filtered.
Apple’s Private Relay also does not work behind a pihole.
- muppetman 1 year agoI used to need my wife's devices on the whitelist too - she had a job working with tracking and needing to see trackers fire when she loaded webpages etc. I once made a mistake and she got unwhitelisted and waited 4 hours wondering why her tracking codes "weren't working"
- rockooooo 1 year agoIt breaks a lot of websites, I used NextDNS for about two years but got tired of the headaches.
- zukzuk 1 year agoYes, you can definitely use it selectively.
- dizhn 1 year agoI don't get this comment. It is basically the same kind of tool as the Pihole only much easier to install and maintain. (It's a single go binary) Isn't this a popular class of software?
- nickthegreek 1 year agoIt is not a popular class of software to the masses, it is a popular class of software to a niche audience. I don't share as pessimistic attitude as OP though. I'm pretty sure the audience is in the tens of thousands!
- winstonprivacy 1 year agoWhat's funny is that I was once extremely optimistic about the potential for such a device, to the extent of having sold and delivered a few million in product.
Hard experience taught us that churn is just crazy high, no matter how compatible or easy to use you make it. Getting tens of thousands of stars is not the hard part because it's such an easy concept to like. But I would be surprised there are more than let's say ten thousand piholes in active use.
- dizhn 1 year agoThey have that many stars on GitHub. They actually also have thousands of forks each. The api probably still has a way to count downloads but I didn't bother. I wasn't claiming users in the millions anyway. :)
- bityard 1 year agoI guess I'm the exception to the rule, I spent a fair chunk of my previous weekend upgrading the hardware on my opnsense router/firewall so that I could virtualize opnsense and be able to glom on related services exactly like AdGuard Home easily.
- raajg 1 year agoBeen 4 months and I'm pretty happy with the following setup: PiHole + RaspberryPi + Tailscale
With Pihole running on a tailnet all my devices use it by default as long as they're on the same tailnet. That way I have seamless ad-blocking even when I'm on cellular data or my friends' wifi networks.
- rekabis 1 year agoWhat’s the difference between this and just using their DNS addresses with the force redirect option enabled?
- skottenborg 1 year agoThe internal DNS records are very handy if you host local services.
- gotschi_ 1 year agoUnfortunately it is a 11mb install, which makes it quite unfitting for your usual openwrt device
- Naac 1 year agoAnyone know of an Adguard home or pihole equivalent service I can run as part of OPNSense?
I currently have a different machine dedicated to pihole, but it would be intriguing to have something built in. I would imagine split DNS and firewall rules would be simpler this way.
- cycomanic 1 year agoAdguard runs directly on opnsense.
- bityard 1 year agoI'm in the process of migrating my OPNSense to a virtual machine so that I can run whatever network-related services I want right along side it in a container or VM. I used to scoff at those enterprising homelabbers who apparently stuck their firewall in a VM just because they could but I get it now. It's super nice to be able to just snapshot and back up the whole VM, and run whatever you want alongside it. (Although I will limit the box to specific network management things like AdGuard Home.)
- vin047 1 year agoDitto, just recently set mine up this way. Will never go back to ISP or proprietary routers.
- _micheee 1 year agoThe built-in unbound dns server has support for blocklists, maybe you want to give it a try: https://docs.opnsense.org/manual/unbound.html
- moviuro 1 year agoUnbound with tags?
* https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
* https://try.popho.be/securing-home3.html
* https://git.sr.ht/~moviuro/moviuro.bin/tree/master/item/lie-...
- lawn 1 year agoI run Adguard Home on my router with OPNSense. I don't remember how I set it up, but it wasn't that difficult.
- justaman 1 year agoWill this work against ads on major streaming apps like prime, hulu, and netflix?
- Ninn 1 year agoNo
- drcongo 1 year agoI run AdGuard Home on a Pi and it's fantastic. I was running PiHole previously and found it endlessly problematic, I rarely have to even think about AdGuard Home.
- NL807 1 year agoHow effective is AdGuard against YouTube ads? Pi-Hole doesn't work as its filtering is at the DNS level, I suspect AdGuard has the same issues?
- vin047 1 year agoDoesn’t work for YouTube ads – they no longer load ads via DNS and instead embed them directly into the video feed. Ublock origin via the browser is the best way to block them. If you wish to use a client app, best bet is to sideload a 3rd party app like SmartTubeNext for Android TV or YTLitePlus for iOS.
- Brajeshwar 1 year agoAdGuard blocks at the client level, so it works (so far) as far as I tested in the last couple of weeks (with a non-premium account).
Disclaimer: YouTube is still very affordable in India, our family subscribe to the YouTube Premium.
- stzsch 1 year agoI got my glinet gl-axt1800 mainly for the adguard support out of the box, as a way to keep my smart tv experience sane. Works pretty well.
- teruakohatu 1 year agoAre there allow lists for services such as Apple TV. Do smart tvs not fall back to hardcoded ipv4 addresses?
- stzsch 1 year agoThere might be allow lists, but I fine tuned the domains manually when setting up the TV, as they may vary by region.
My LG A1 does not hardcode addresses. I also rooted it to prevent updates from doing so in the future.
- teruakohatu 1 year agoThanks for the info
- steeve 1 year agoCurrently running this as a Home Assistant addon is
- vosper 1 year agoWhat does this break, if anything? Anyone run into sites or apps where Adguard Home needed to be disabled? How easy was that?
- mnt3 1 year agoDepends on the blocklists you're using. I broke Google search sponsored links, some Slickdeals links, and the meta quest app store. You have the ability to whitelist as well if you want to unblock some things.
I'm running it in a docker container and then pointing my router at it.
- fursund 1 year agoPerhaps obvious, but if you’re using mixpanel or posthog for analytics on anything you build, you’ll have to put them on exclusion lists, in order to be able to use their analytics platform.
- karolist 1 year agoWorks fine, beautiful and simple UI, I have it on my Dell R230 homelab server, running inside a container under Proxmox VM
- jklinger410 1 year agoI love the AdGuard plugin as compared to UBlock because it allows me to make a blacklist instead of a whitelist.
- aantix 1 year agoIs there something similar, say a proxy, that rewrites the responses to exclude certain ad patterns?
- miah_ 1 year agoYes, Privoxy
It comes with all the limitations of using a HTTP Proxy in today's world where SSL is everywhere.
- JoshTriplett 1 year agoStanding reminder that any device smart enough to run a real web browser shouldn't use one of these and doesn't need one. uBlock Origin works much better for any device capable of running it, both in terms of user experience (the browser understands a block rather than a mysteriously failing request) and because it can block first party ads and clean up page layout.
The primary use case for these is for blocking ads on devices that don't allow running a real browser and yet still shows ads, such as "smart home" devices, TVs, etc.
- johntash 1 year ago> Standing reminder that any device smart enough to run a real web browser shouldn't use one of these and doesn't need one.
Why not? Or why not use both?
> The primary use case for these is for blocking ads on devices that don't allow running a real browser and yet still shows ads, such as "smart home" devices, TVs, etc.
What about non-browser apps on mobile devices or even desktops? Lots of apps have invasive ads and are unlikely to offer an extension api to block them with.
- JoshTriplett 1 year ago> Why not? Or why not use both?
Because DNS-based blockers aren't visible to the browser, so they just look like HTTP errors or worse, and cause a variety of misbehavior. They're much more likely to produce errors that feel like the site just doesn't work. They can't distinguish between requests to different URLs on the same server, and many sites distribute both ads and content from the same servers. So they're always either going to miss ads or break sites, or both.
Browser-based blockers can block some URLs while allowing others, in addition to many many other improvements like substituting no-op scripts for things the site expects to call (preventing sites from hanging because they're waiting on tracking, for instance).
> What about non-browser apps on mobile devices or even desktops?
Ignore "download our app!" prompts and stick with mobile websites wherever possible; Firefox Mobile has excellent adblocking via uBlock Origin. Look for ad-free alternative apps. If that isn't an option, purchase ad-free paid apps.
- shiroiuma 1 year ago>What about non-browser apps on mobile devices or even desktops? Lots of apps have invasive ads and are unlikely to offer an extension api to block them with.
Simple answer: don't use those apps. Do you really need them?
- cyberax 1 year agoI really hate that all these services break DNSSEC. I guess it can't be helped.
- 2OEH8eoCRo0 1 year agoI love AdGuard Home, been using it for years now after PiHole gave me issues.
- grebly 1 year agoHow does it compare to pfblockerng on pfsense?
- steviedotboston 1 year agocan this be used in conjunction with tailscale?
- dsheets 1 year agoI use it with WireGuard.
- rpnx 1 year agoDon't do this. Network firewalls are harmful. Let people configure their own firewalls on device. Having to VPN around network blocks is annoying to say the least. Network firewalls are harmful and just a lazy excuse for bad client security.