Upgrading PI hole

Once a year (during Dec-Jan) I do server maintenance. This year I moved our DNS server from Pi-hole to AGH (AdGuard Home; both are open source projects). I just wanted to try an alternative, and after using it for a while, the UI and features of AGH are much better than Pi-hole's.

Why a custom dns server?

All websites/APIs are really just IP addresses (just numbers). Nameservers maintain the mapping from domain names to IP addresses, so when we make a request, we first ask a nameserver and get back the appropriate IP address.

The idea is simple: by running our own DNS server, we stop our network provider from spying on our lookups, and on top of that we can intercept and block all ads and trackers.

I get ads, but what are Trackers?

Similar to ads. Ever searched for something on Flipkart/Amazon and later seen an ad for that same product somewhere else? That is trackers at work. Trackers are worse than ads because they collect your data, so they should be blocked the same way we block ads.

How this can help us with ad & trackers blocking?

Can you guess how serving ads in apps/websites works? The ads come from a server too, and that server has a domain name linked to it. Can you see where I am going with this? Our DNS server answers differently depending on the name being looked up:

good content -> respond with ip address
ad/tracker -> respond with 0.0.0.0
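The decision above in code, as an added example that is not part of the original post: a small matcher that loads a blocklist and answers 0.0.0.0 for ad/tracker names and the real address for everything else. It understands the two syntaxes the blocklists later in the post use, plain hosts-file lines (one exact host per line) and AdGuard DNS rules (`||host^`, which also covers every subdomain, and `@@||host^` exceptions). The blocklist text and the upstream address table are constructed sample data; a real resolver would forward non-blocked queries to its upstream servers instead of looking them up in a dict.

```python
"""Added example: how a DNS-level blocker chooses between the real
address and 0.0.0.0. The blocklist and upstream table below are
constructed sample data, not real lists or real addresses."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed blocklist mixing both syntaxes, with comments and blank lines.
SAMPLE_BLOCKLIST = """\
# hosts-format entries: exact hostnames only
0.0.0.0 ads.example.com
127.0.0.1 telemetry.example.net   # inline comment

# AdGuard DNS-filter rules: the host and all of its subdomains
||tracker.example^
||metrics.example.org^
@@||allowed.tracker.example^
"""

# Constructed upstream answers standing in for the forwarders.
SAMPLE_UPSTREAM: Dict[str, str] = {
    "news.example.com": "203.0.113.10",
    "ads.example.com": "203.0.113.11",
    "cdn.tracker.example": "203.0.113.12",
    "allowed.tracker.example": "203.0.113.13",
    "metrics.example.org": "203.0.113.14",
}

BLOCKED_ANSWER = "0.0.0.0"

HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9.-]+)")
ADGUARD_RULE = re.compile(r"^(@@)?\|\|([A-Za-z0-9.-]+)\^")


def parse_blocklist(text: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (exact_hosts, blocked_suffixes, allowed_suffixes)."""
    exact: Set[str] = set()
    blocked: Set[str] = set()
    allowed: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = ADGUARD_RULE.match(line)
        if m:
            (allowed if m.group(1) else blocked).add(m.group(2).lower())
            continue
        m = HOSTS_LINE.match(line)
        if m and m.group(1) != "localhost":           # skip the usual hosts boilerplate
            exact.add(m.group(1).lower())
    return exact, blocked, allowed


def _suffix_match(name: str, suffixes: Set[str]) -> bool:
    """True if `name` equals one of the suffixes or is a subdomain of one."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def is_blocked(name: str, lists: Tuple[Set[str], Set[str], Set[str]]) -> bool:
    exact, blocked, allowed = lists
    name = name.rstrip(".").lower()
    if _suffix_match(name, allowed):                  # @@ exceptions win
        return False
    return name in exact or _suffix_match(name, blocked)


def resolve(name: str, lists, upstream: Dict[str, str] = SAMPLE_UPSTREAM) -> Optional[str]:
    """good content -> upstream address; ad/tracker -> 0.0.0.0; unknown name -> None."""
    if is_blocked(name, lists):
        return BLOCKED_ANSWER
    return upstream.get(name.rstrip(".").lower())


if __name__ == "__main__":
    lists = parse_blocklist(SAMPLE_BLOCKLIST)
    for q in ("news.example.com", "ads.example.com", "cdn.tracker.example",
              "allowed.tracker.example", "sub.ads.example.com"):
        print(f"{q:26} -> {resolve(q, lists)}")
```

Note the difference between the two syntaxes: a hosts-file line only blocks the exact name, so `sub.ads.example.com` slips past an entry for `ads.example.com`, whereas an AdGuard `||` rule catches every subdomain. That is one reason the lists below complement each other.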

It is not just ads and trackers; there is a lot more you can do at the DNS level:

  • block Windows telemetry or updates on Windows machines
  • block spyware
  • disable websites for a particular client (e.g. block Instagram on your phone only)
  • stop YouTube from recording your watch history, and much more.

Aren't there other ways to block trackers and ads?

Yes, but each comes with a disadvantage:

  • Browser extensions: they only apply to the browser, whereas DNS blocking is system-wide and covers every application.
  • Android/iPhone apps that run a local VPN to filter traffic: they drain the battery a lot.
  • Rooting Android or jailbreaking iOS.

The DNS approach needs none of that: no add-ons, no extra apps, no root, no jailbreak.

DNS Over TLS

Introduced in 2016, the main idea is to wrap DNS requests and responses in TLS (Transport Layer Security), so an observer on the network can neither read nor tamper with the contents of the DNS queries.

Shortly after, Android added DoT as "Private DNS" on Android 9 and up; we will use this feature on our devices to block all ads and trackers.

client -> DoT server, DoT server -> queries the DNS (our server forwards the request to several upstream DNS servers, load-balancing between them)
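To make the "client -> DoT server" hop concrete, here is an added example (not from the post) of what a DNS-over-TLS exchange carries on the wire, plus a small client you can point at your own server to check that it answers and that a blocked name comes back as 0.0.0.0. DoT (RFC 7858) sends ordinary DNS messages over TLS on port 853 using the same framing as DNS over TCP: each message is prefixed with its 2-byte big-endian length. The hostname given to `query_dot()` is used both for certificate validation and as the TLS SNI, which is how a per-device name such as `gopidevice1.dns.bluepie.in` (see "How do we use it?") reaches the server. Only `query_dot()` needs the network; the sample response at the bottom is constructed bytes so the parsing can be exercised offline.

```python
"""Added example: DNS-over-TLS wire format and a minimal DoT client.
The sample response is constructed; the hostname in __main__ is a placeholder."""
import socket
import ssl
import struct
from typing import List, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query for `name` (without length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def frame(message: bytes) -> bytes:
    """Add the 2-byte length prefix required for DNS over TCP and over TLS."""
    return struct.pack("!H", len(message)) + message


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels: List[str] = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg: bytes) -> List[str]:
    """Return the IPv4 addresses found in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    addresses: List[str] = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def query_dot(hostname: str, name: str, port: int = 853, timeout: float = 5.0) -> List[str]:
    """Send one A query to a DoT server and return the answered addresses (needs network)."""
    context = ssl.create_default_context()          # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:   # SNI = hostname
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


# Constructed response: the query for ads.example.com answered with 0.0.0.0,
# which is what the "ad/tracker -> respond with 0.0.0.0" rule produces.
SAMPLE_BLOCKED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03ads\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes([0, 0, 0, 0])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_BLOCKED_RESPONSE))    # offline check: ['0.0.0.0']
    # Live check against your own server (placeholder hostname):
    # print(query_dot("gopidevice1.dns.bluepie.in", "ads.example.com"))
```

`ssl.create_default_context()` refuses the connection if the certificate does not cover the hostname you pass, which is exactly the check the phone makes for Private DNS; if the per-device name does not validate here, it will not work on Android either.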

Traditional DNS vs DOT

How do we do it?

We use an existing open source dns resolver.

One option is Pi-hole, a community favourite open source project that has all the bells and whistles for blocking ads and trackers built in.

We will be using AdGuard Home, also a popular, community-maintained open source project. Up until last month (Dec 2022) I was using Pi-hole; I switched to AdGuard Home just to try something new.

Installing

I am assuming that you already have a Linux box hosted in AWS/Google/etc. DoT listens on TCP port 853, so you have to allow inbound traffic on port 853 in your firewall or security group (and on 443 for the admin page, which is served through nginx below).

Docker

To make things easier, I will be using docker images to run the software.

The command to run the container (I use podman, which accepts the same arguments as docker):

# AdGuard Home in a container. Host ports are bound to loopback because
# nginx on the same box is what exposes them to the internet (443 for the
# admin UI, 853 for DoT); the container itself should not be reachable directly.
# The config directory mount is an assumption: the AdGuard Home image reads
# AdGuardHome.yaml from /opt/adguardhome/conf inside the container.
podman run --name dnsServer \
  --restart unless-stopped \
  -v /opt/dnsServer/conf:/opt/adguardhome/conf \
  -p 127.0.0.1:2346:3000/tcp \
  -p 127.0.0.1:1853:853/tcp \
  -d adguard/adguardhome

Things to note: container port 3000 is the web port for the admin page (published on the host as 2346) and 853 is for DoT (published as 1853).

We keep the config in a YAML file (AdGuardHome.yaml) that is mounted into the container. Here is an example version:

bind_host: 0.0.0.0
bind_port: 3000
beta_bind_port: 0
users:
#   - name: <your-username>
#     password: <your-password>
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 0.0.0.0
  blocked_response_ttl: 10
  ratelimit: 20
  refuse_any: true
  fastest_timeout: 1s
tls:
  enabled: true
  server_name: dns.bluepie.in
  port_https: 443
  port_dns_over_tls: 853
  # Paths are as seen inside the container: the host directory
  # /opt/dnsServer/conf is mounted at /opt/adguardhome/conf, so the
  # certificate chain and private key must be copied into that directory.
  certificate_path: /opt/adguardhome/conf/fullchain.pem
  private_key_path: /opt/adguardhome/conf/privkey.pem

Once everything is configured correctly, the service will be up and running; check with podman ps:

podman ps

b831cf04743d  docker.io/adguard/adguardhome:latest   --no-check-update...  1 days ago   Up 3 weeks ago   0.0.0.0:1853->853/tcp, 0.0.0.0:2346->3000/tcp  dnsServer

Configuring Domain

First we need a domain name, a paid one if you have it, or a free one would do. I'll be creating a sub-domain of my own domain, i.e. 'dns.bluepie.in', and getting an SSL certificate chain for it.

In order to uniquely identify clients, we also need a wildcard sub-domain (*.dns.bluepie.in) at our DNS provider, in my case GoDaddy: each device will later use its own prefix in front of dns.bluepie.in. Because devices validate the certificate against that per-device name, the certificate must cover the wildcard as well, not just dns.bluepie.in.

Nginx

We will be using nginx as a reverse proxy for exposing our services to the internet.

Admin Config (an HTTPS server block that proxies to the container's admin port):

server {
    server_name dns.bluepie.in;

    location / {
        # AdGuard Home admin UI, published by the container on host port 2346
        proxy_pass http://localhost:2346/;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_redirect / /;
        proxy_cookie_path / /;

        proxy_connect_timeout              15s;
        proxy_send_timeout                 15s;
        proxy_read_timeout                 15s;
    }

    listen 443 ssl;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    include /etc/ssl/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/ssl-dhparams.pem;
}

DNS Config:

nginx's stream module provides TCP and UDP load balancing; we use it to forward port 853 to the container's DoT port. nginx only passes the TCP bytes through here (there is no ssl on this listener), so TLS is still terminated by AdGuard Home with the certificate configured in its YAML.

# stream {} is a top-level block in nginx.conf, a sibling of http {}, not inside it.
stream {

    log_format  basic   '$time_iso8601 $remote_addr '
        '$protocol $status $bytes_sent $bytes_received '
        '$session_time $upstream_addr '
        '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log  /var/log/nginx/dns-access.log  basic buffer=1k flush=5s;

    upstream dot {
        zone dot 512k;
        server 127.0.0.1:1853;   # the container's DoT port, published on loopback
    }

    server {
        listen 853;              # public DoT port; TLS is handled by AdGuard Home
        proxy_pass dot;
    }

}

Admin portal

Stats page (configured to refresh every 24 hours)

Configuring blocklists

Over the years I have settled on the following blocklists, and they work best for me.

Blocklists (entry counts taken at the time of writing this post):

# Blocks Ads, Mobile Ads, Phishing, Malvertising, Malware, Tracking, Telemetry, CryptoJacking, Analytics, Spyware, Ransomware, Exploit, Fraud, Abuse, Scam, Spam, Hijack, Misleading Marketing.
# ~300,000 entries
https://oisd.nl

# ~180,000 entries
# Extending and consolidating hosts files from several well-curated sources like adaway.org, mvps.org, malwaredomainlist.com, someonewhocares.org, and potentially others.
github.com/StevenBlack/hosts

# ~480,000 entries
# Automatically updated, moderated and optimized list for blocking ads, trackers and other online garbage.
github.com/notracking/hosts-blocklists

# Specially Designed for Mobile Ad Protection.
# ~200,000 entries
github.com/jerryn70/GoodbyeAds

# Blocking mobile ad providers and some analytics providers.
# ~7,000 entries
github.com/AdAway/adaway.github.io

# A filter composed of several other filters (AdGuard Base filter, Social media filter, Tracking Protection filter, Mobile Ads filter, EasyList and EasyPrivacy) and simplified specifically to be better compatible with DNS-level ad blocking.
# ~50,000 entries
github.com/AdguardTeam/AdguardSDNSFilter

# Protects you from many types of spyware, reduces bandwidth use, blocks certain pop-up traps, prevents user tracking by way of "web bugs" embedded in spam, provides partial protection to IE from certain web-based exploits and blocks most advertising you would otherwise be subjected to on the internet.
# ~11,000 entries
someonewhocares.org/hosts

# Filter that blocks ads on mobile devices. Contains all known mobile ad networks.
# ~1,000 entries
kb.adguard.com/general/adguard-ad-filters#mobile-ads-filter

How do we use it?

Pick a unique word per device, e.g. gopidevice1, and use it as a prefix to 'dns.bluepie.in', i.e. 'gopidevice1.dns.bluepie.in'. This is the hostname you enter on that device; the prefix is what lets the server tell your devices apart.

Android

IOS - iphone, ipad

Go to dns.bluepie.in/ios/, navigate to 'tool', give it a name and use your unique hostname to create a profile.

Mac/Windows

Same as iPhone: go to dns.bluepie.in/ios/

Conclusion

Migrating from Pi-hole to AGH was a good move. Once you have used this and experienced "no ads", you cannot go back~