# Self-hosting a DNS server with AdGuard Home

Setting up DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) with AdGuard Home, with Nginx in front of the web interface.

Project page: https://github.com/AdguardTeam/AdGuardHome

# Installation

There are no dependencies: extract the archive and run the binary.

wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz
tar -xzvf AdGuardHome_linux_amd64.tar.gz
cd AdGuardHome
./AdGuardHome

By default the program serves its admin web interface on port 3000 on all interfaces; pass `-p` at startup to use another port:

./AdGuardHome -p 5353

Open the server's IP address and that port in a browser to run the setup wizard. The wizard asks for the listen address and port of the admin web interface and saves them in AdGuardHome.yaml; those saved values are what the service uses later (the systemd unit below does not pass `-p`), so they must match the port Nginx proxies to. Since Nginx on the same host will be the only client of this plain-HTTP interface, bind it to 127.0.0.1 rather than all interfaces, and pick a strong admin password: through the proxy the UI becomes reachable from the internet.

# Configuration

Encryption requires a TLS certificate; one can be obtained from Let's Encrypt.

Go to Settings - Encryption settings and check Enable encryption.

Note

Do not check "Redirect to HTTPS automatically": Nginx will terminate TLS and talk to AdGuard Home over plain HTTP, and with the redirect enabled every proxied request would be bounced to AdGuard Home's own HTTPS port instead.

Fill in:

  • Server name (the domain)
  • HTTPS port (anything other than 443, e.g. 8080, since Nginx will take 443)
  • DNS-over-TLS port (the default 853 is fine)
  • Certificate / private key (absolute paths; the files must stay readable by the user the service runs as, and after each Let's Encrypt renewal restart the service, e.g. from a certbot deploy hook, so the new certificate is definitely loaded)

Port 853 and the HTTPS port are served by AdGuard Home itself, not by Nginx, so the firewall needs 53 (udp and tcp), 443 and 853 open; the HTTPS port 8080 only has to be reachable from Nginx on the same host.

Click Save configuration.

Press Ctrl+C to stop the process, then move the whole AdGuardHome folder to wherever you want it; /etc/dns is used here.

Tip

The folder can be renamed; to upgrade later, just replace the binary. AdGuardHome.yaml in that folder holds the admin password hash and the private key path, so keep it readable only by root (or the service user).

# Creating a systemd service

Create the unit file

vi /etc/systemd/system/dns.service

with the following content. It runs as root because AdGuard Home has to bind the privileged ports 53 and 853. LimitCORE=infinity allows core dumps, and a dump of this process contains the loaded TLS private key, so drop that line unless you are debugging a crash.

[Unit]
Description=AdGuard Home
After=network.target
Wants=network.target

[Service]
User=root
Group=root
WorkingDirectory=/etc/dns
# config file and working directory are given explicitly
ExecStart=/etc/dns/AdGuardHome -c /etc/dns/AdGuardHome.yaml -w /etc/dns
Restart=on-failure
RestartSec=30s
LimitCORE=infinity
LimitNOFILE=1000000
LimitNPROC=1000000

[Install]
WantedBy=multi-user.target

Then load the unit and start it at boot: `systemctl daemon-reload` followed by `systemctl enable --now dns`.
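The unit above runs AdGuard Home as root, which it needs only to bind ports 53 and 853. As an added example (not from the AdGuard Home project), the script below writes a unit that runs it as a dedicated system user and grants that single capability through systemd, and includes a small lint that flags the weak settings in an existing unit file. The install directory /etc/dns, the service name dns.service and the user name adguard are assumptions; run it as root with the argument `deploy`.

```shell
#!/bin/sh
# Added example, not part of AdGuard Home: deploy the service as an unprivileged user.
# Binding 53 and 853 needs CAP_NET_BIND_SERVICE, which systemd can grant with
# AmbientCapabilities, so User=root is not required.
# Assumptions: install dir /etc/dns, unit dns.service, system user "adguard".
set -eu

INSTALL_DIR=${INSTALL_DIR:-/etc/dns}
SVC_USER=${SVC_USER:-adguard}

# Print a hardened unit for the given install dir and user.
hardened_unit() {
    dir=$1; user=$2
    cat <<EOF
[Unit]
Description=AdGuard Home
After=network.target
Wants=network.target

[Service]
User=$user
Group=$user
WorkingDirectory=$dir
ExecStart=$dir/AdGuardHome -c $dir/AdGuardHome.yaml -w $dir
Restart=on-failure
RestartSec=30s
LimitNOFILE=1000000
# Privileged ports without root: only this capability is granted and kept.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# Read-only filesystem except the install dir (config, data/ and binary updates).
ProtectSystem=strict
ReadWritePaths=$dir
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Lint a unit file: print one finding per line, return 1 if there is any.
#   root  - runs as root
#   caps  - non-root but no AmbientCapabilities (bind to 53/853 would fail)
#   core  - LimitCORE=infinity: core dumps would contain the TLS private key
unit_findings() {
    f=$1; rc=0
    if grep -qx 'User=root' "$f"; then echo root; rc=1; fi
    if ! grep -qx 'User=root' "$f" && ! grep -q '^AmbientCapabilities=' "$f"; then
        echo caps; rc=1
    fi
    if grep -q '^LimitCORE=infinity' "$f"; then echo core; rc=1; fi
    return $rc
}

deploy() {
    id "$SVC_USER" >/dev/null 2>&1 || \
        useradd --system --home-dir "$INSTALL_DIR" --shell /usr/sbin/nologin "$SVC_USER"
    chown -R "$SVC_USER:$SVC_USER" "$INSTALL_DIR"
    chmod 750 "$INSTALL_DIR"            # AdGuardHome.yaml holds the admin password hash
    # The certificate and key entered in Encryption settings must be readable by
    # $SVC_USER; certbot's files are root-only by default, so copy them into
    # $INSTALL_DIR from a renewal deploy hook.
    hardened_unit "$INSTALL_DIR" "$SVC_USER" > /etc/systemd/system/dns.service
    systemctl daemon-reload
    systemctl enable --now dns.service
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

`unit_findings /etc/systemd/system/dns.service` run against the unit from the page reports `root` and `core`; against the generated unit it reports nothing.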

# Nginx configuration

Create the config file

vi /etc/nginx/dns.conf

(the stock nginx.conf only includes conf.d/*.conf and sites-enabled/*, so either put the file there or add an include for it) with the following content

server
{
   listen 80;
   server_name dns.example.com;

   return 301 https://$server_name$request_uri;
}

server
{
   listen 443 ssl http2;
   server_name dns.example.com;

   root /dev/null;

   ssl_certificate /etc/ssl/example.crt;
   ssl_certificate_key /etc/ssl/example.key;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_session_timeout  10m;
   ssl_session_cache shared:SSL:10m;
   ssl_session_tickets off;

   location / {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5353; # the admin web port saved during setup (5353 here)
    }

    location ~ \.(gif|jpg|jpeg|png|bmp|swf|css|js)$ {
        proxy_pass http://127.0.0.1:5353;
        proxy_set_header Host  $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location /dns-query { # the public path; it can be anything
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # https, not http, and the HTTPS port entered in Encryption settings
        proxy_pass https://dns.example.com:8080/dns-query; # upstream path must be /dns-query, where AdGuard Home serves DoH
    }
}

A note on the /dns-query block: Nginx does not verify the upstream certificate by default (proxy_ssl_verify is off), so the TLS hop to port 8080 protects nothing by itself and is acceptable only because the upstream is this same host; pointing it at https://127.0.0.1:8080/dns-query keeps that hop off the network interface entirely.

Check the syntax and restart Nginx:

nginx -t && systemctl restart nginx

# Testing

Clear the browser cache and open dns.example.com; if it redirects to the AdGuard Home web interface and login works, the proxy is fine. Also confirm from a host outside your networks that port 53 is either closed or answers only the clients allowed under Settings - DNS settings - Access settings: a world-reachable recursive resolver is an amplification source.

Verifying DoT and DoH needs the dnslookup tool (https://github.com/ameshkov/dnslookup), which sends a query to one upstream over the given protocol:

DNS-over-TLS:

./dnslookup www.google.com tls://dns.example.com

dnslookup v1.2.0
dnslookup result:
;; opcode: QUERY, status: NOERROR, id: 36146
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.        IN       A

;; ANSWER SECTION:
www.google.com. 60      IN      A       199.59.148.140

DNS-over-HTTPS:

./dnslookup www.baidu.com https://dns.example.com/dns-query

dnslookup v1.2.0
dnslookup result:
;; opcode: QUERY, status: NOERROR, id: 20965
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com. IN       A

;; ANSWER SECTION:
www.baidu.com.  47      IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       33      IN      A       220.181.38.149
www.a.shifen.com.       33      IN      A       220.181.38.150
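dnslookup hides the wire protocol. As an added example that is not part of AdGuard Home or dnslookup, the script below builds the DNS query by hand and sends it over DoH (RFC 8484: a POST of application/dns-message) and over DoT (RFC 7858: TLS with the 2-byte TCP length prefix), so that a failing endpoint can be narrowed down to the proxy, the TLS setup or the resolver. It assumes the hostname dns.example.com, the /dns-query path and port 853 used above, and needs only a POSIX shell, curl, openssl and coreutils.

```shell
#!/bin/sh
# Added example, not part of AdGuard Home or dnslookup: hand-built DNS query for
# checking the DoH (RFC 8484) and DoT (RFC 7858) endpoints configured above.
# Assumptions: DoH at https://dns.example.com/dns-query behind Nginx, DoT on 853.
set -eu

# DNS A query for $1 in wire format, printed as a hex string.
# Header: ID 0 (RFC 8484 recommends 0 for DoH so replies are cacheable), flags 0x0100
# (RD), QDCOUNT 1; question: length-prefixed labels, root label, QTYPE A, QCLASS IN.
dns_query_hex() {
    name=${1%.}                               # drop a trailing dot, if any
    hex=000001000001000000000000
    oldifs=$IFS; IFS=.
    for label in $name; do
        len=${#label}
        [ "$len" -ge 1 ] && [ "$len" -le 63 ] || { IFS=$oldifs; return 1; }  # RFC 1035 limit
        hex=$hex$(printf '%02x' "$len")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
    done
    IFS=$oldifs
    printf '%s0000010001' "$hex"              # root label, QTYPE=1 (A), QCLASS=1 (IN)
}

# The same query framed for DNS over TCP/TLS: 2-byte big-endian length prefix (RFC 1035 4.2.2).
dot_frame_hex() {
    q=$(dns_query_hex "$1") || return 1
    printf '%04x%s' $(( ${#q} / 2 )) "$q"
}

# hex on stdin -> raw bytes on stdout (pure sh, so no xxd dependency)
hex2bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# RCODE of a wire-format reply given as hex: low 4 bits of byte 3 (0 NOERROR, 3 NXDOMAIN).
dns_rcode() {
    b=$(printf '%s' "$1" | cut -c7-8)
    echo $(( 0x$b & 0x0f ))
}

# DoH: POST the binary query. Prints the reply as hex; a correct reply starts with
# the same ID (0000) and has the QR bit set (flags 81xx).
doh_query() {   # $1 = name, $2 = DoH URL
    dns_query_hex "$1" | hex2bin \
      | curl -sS --fail -H 'content-type: application/dns-message' \
             -H 'accept: application/dns-message' --data-binary @- "$2" \
      | od -An -tx1 | tr -d ' \n'
}

# DoT: length-prefixed query over TLS. -verify_return_error makes s_client fail on a
# bad certificate chain instead of just warning; -quiet implies -ign_eof, so s_client
# waits for the reply and timeout ends the idle session. The 2-byte length prefix of
# the reply is stripped so dns_rcode can be applied to the output.
dot_query() {   # $1 = name, $2 = host, $3 = port
    dot_frame_hex "$1" | hex2bin \
      | timeout 5 openssl s_client -quiet -connect "$2:$3" -servername "$2" \
                -verify_return_error 2>/dev/null \
      | od -An -tx1 | tr -d ' \n' | cut -c5-
}

# Usage (needs network, so not run here):
#   r=$(doh_query www.google.com https://dns.example.com/dns-query); dns_rcode "$r"
#   r=$(dot_query www.google.com dns.example.com 853); dns_rcode "$r"
```

If `doh_query` fails with an HTTP error while `dot_query` answers, the problem is in the Nginx /dns-query block; if `dot_query` returns nothing, `openssl s_client -connect dns.example.com:853` without `-quiet` shows whether the certificate chain is the cause.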