Hey there! Hope you could follow along the last post quite well. I admit that it’s gotten quite long, but hope you could enjoy it nonetheless. ๐ And here I’m back, to show off other services I have running on my home server – yes, I have quite a lot of services running, and just writing about those will be enough to keep my blog updated for about a month… or two weeks if I hurry things up. Let’s see. ๐คช
You probably have internet access – you are reading through this page, after all… But only a handful of folks have a picture of what really happens when you visit a website. It’s quite simple, right? You open your browser, your browser connects to the website server and the server responds with everything you need. Images, style sheets, HTML files… everything!
Well, that’s at least how things worked in the past… I think, I’m quite young and haven’t seen the ages of the internet when most sites are simple and hosted by individuals. ๐ But at least I know about how it works today…
Online ads and trackers. They’re everywhere… Every shopping platform, every social media site, and basically everything else you can imagine of. If used responsibly, they are a pretty solid way to generate revenue as traffic starts to grow, especially for smaller sites…
If used responsibly… ๐ต You get it.
Now you’ve seen how cruel ads can be. I used to have only uBlock Origin to block ads, and that only worked for websites accessed inside the browser. It is already very decent and did its job really well, but when I discovered AdGuard Home, I thought… Hey, why not? ๐
What sets AdGuard Home aside from ordinary ad blockers is the fact that it’s not an plugin for browsers or an application for your OS of choice. Well, AdGuard, the company/brand behind AdGuard Home also offer apps and browser addons to block ads on a per-device basis, but AdGuard Home goes down another path – It replaces the existing DNS server on the network with its own one, so all devices get basic protection from ads, for all network traffic.
I will have to leave out a lot of details here, but if you’re not familiar with DNS, or Domain Name System – it’s a standard for querying IP addresses and other info associated with a hostname or more commonly known as domain names. Since devices on networks only talk to each other with IP addresses, we need a DNS server which holds a list of DNS records – those associate hostnames with IP addresses and other information. There are a handful of so-called authoritative DNS servers on the internet that get notified whenever a domain is registered and DNS records are created, and other “lower-level” DNS servers query those to get their information. Often, a local, “low-level” DNS server runs right on your home router, alongside of a DHCP server which informs the client about the most important network configuration when they join the network, including the DNS server location. It’s quite an interesting topic, and this article from Cloudflare probably explains it much better than I do… But that doesn’t stop me from making a graph nevertheless. ๐
Now, this is what a normal home network looks like. Once AdGuard Home becomes your default DNS server, things will change a bit. You see, AdGuard won’t just go and forward everything to its upstream DNS servers. Instead, it first takes a look at the incoming queries and sees if any of the requested hostnames are found inside one of the so-called blocklists. And if it matches a blocklist rule, it will answer to the client as if the hostname does not exist (NXDOMAIN).
Now onto what AdGuard Home really has to offer. First, configuration is super simple with a sleek web-based first time setup and dashboard, so you don’t have to touch any config files when configuring your DNS settings. I’m always paranoid of messing something up without a GUI, so that’s amazing! In the WebUI, you can configure basically everything – upstream DNS servers, parental control to block unwanted content (for which an AdGuard API is actually leveraged instead of a static list), and of course – filtering configuration. AdGuard comes with one blocklist pre-installed, but you can always add more to block more unwanted hostnames. To block other endpoints that aren’t included in the default list, you can install additional lists from the AdGuard selection or supply your own with an URL.
You can even add custom rewrite rules! This is especially useful if you host a server at home like me, and don’t want to access the WAN IP addresses the whole time… I rewrote crunchystudio.cc to use 192.168.1.1 instead. ๐
And one feature that surprised me was that this AdGuard Home thing – hold your breath – has a DHCP server built-in! I actually had to use this feature when I was still running Ubuntu Server along with my ISP router. I installed AdGuard Home into a Docker container and put it onto the macvlan network Home Assistant was also using. The problem was that the IP address of AdGuard Home was 192.168.0.3. It normally meant configuring the DHCP server on my ISP router so it announces 192.168.0.3 as the DNS server, but the router only showed a toggle for de/activating DHCP altogether and no individual options. So I deactivated the built-in DHCP server on my ISP router and enabled the one in AdGuard Home. Thanks to the devs for thinking of this edge case!
But soon I noticed another problem – IPv6 traffic still used the ISP DNS. And that was because even though I could deactivate DHCPv4 on the ISP router, DHCPv6/SLAAC (auto-configuration mechanisms used in IPv6) is just always active no matter what I do. And no DHCPv6 options are exposed on the router WebUI, so I couldn’t configure my clients to use AdGuard Home instead of what the router told them to use… I didn’t enable DHCP IPv6 on AdGuard Home for some good reasons: We have a changing IPv6 prefix, and you can’t really deactivate the IPv6 auto-configuration mechanisms on the ISP router which would conflict with AGH otherwise. Since most of my devices use IPv6 by default (which is good ๐), that eventually became a reason for me to switch to OpenWrt… So, thanks ISP, I guess…? ๐
As of now, I’m happily running AdGuard Home directly on OpenWrt. I can even use AdGuard Home for IPv6 now since the ULA of the router never changes and OpenWrt allows me to configure which DNS servers to announce in both DHCPv4 and DHCPv6/SLAAC. I deactivated the default Quad9 upstream resolver and set AdGuard Home to use Cloudflare DNS. They claim to have the best resolving speeds of all, and I wanted to see if that’s true. ๐
To avoid conflicts with the default dnsmasq DNS server in OpenWRT: I moved it to listen on port 5353 instead of 53, disabled rebind protection and set AdGuard Home to use 127.0.0.1:5353 for PTR queries, inspired by this guide. Have a look if you want to setup AGH on OpenWRT as well! Running AGH on the same device that routes your traffic is the cleanest way of running AGH at all, in my opinion.
But although we now have AdGuard Home, I still keep my beloved uBlock Origin activated for the time being. The reason for this is that AdGuard Home will only handle DNS, and anything the clients do with the queried information is none of its business anymore. I’m not sure if sites really implement my guess, but if a website (example.com) serves its advertisements from another HTTP path on the same domain (example.com/ads), AdGuard Home wouldn’t be able to help. That’s because DNS won’t handle anything but hostname resolving, and “HTTP paths” are a concept of HTTP which operates on a whole other network level. Think of it as a meetup of the client and the web server – the only task the DNS server has to fulfill is to inform the client about the web server’s “address”. The only thing the DNS server can do is not to say the address of a web server (NXDOMAIN), but once the client knows where the web server “lives”, the DNS server can’t do anything to stop them talking with each other. ๐
The good news is that this is just my guess, and almost all sites will use some sort of third-party ad service. Those can be easily blocked on the DNS level since third-party will basically always mean a different hostname than the accessed website itself. And that goes for all your devices on the network. Crazy, huh? ๐
Alright, that was the introduction of the second service I have running on my home network. I initially thought this wasn’t going to be too in-depth or technical, but I hope you could follow along… Actually, tell me in the comments! I still have a couple of things on my network that I want to show, so make sure you’re subscribed. See you next post!
Leave a Reply