AdGuard Home:客製化 DNS 解析伺服器 (支援 DoH/DoT)

硬體配置:

1c 256M 4g 即可(開高我也沒意見)
大量清單建議:2c 4G 16G

安裝方式:

到 Github 選擇對應 OS 安裝包 下載 解壓縮執行安裝即可

wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.105.2/AdGuardHome_linux_amd64.tar.gz
tar zxvf AdGuardHome_linux_amd64.tar.gz
cd AdGuardHome/
sudo ./AdGuardHome -s install

或使用一鍵安裝包:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

IP:3000 進入網頁設定(預設值即可)

一般設置

DNS設置

上游的 DNS 伺服器:

1.1.1.2
1.0.0.2
168.95.192.1
8.8.8.8
quic://dns-unfiltered.adguard.com:784
https://dns.google/dns-query
tls://dns.google
https://dns.cloudflare.com/dns-query
https://security.cloudflare-dns.com/dns-query

自我啟動（Bootstrap）DNS 伺服器:

tls://1.1.1.1
tls://8.8.8.8
tls://8.8.4.4

勾選同時查詢 DNS

---

RBL清單:

預設內建可以全勾之後，以下可以參考新增:

#NeoHost
https://cdn.jsdelivr.net/gh/neoFelhz/[email protected]/127.0.0.1/full/hosts

#CoinBlocker
https://zerodot1.gitlab.io/CoinBlockerLists/hosts

#StevenBlack
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

#CHEF-KOCH NASBlocklist
https://raw.githubusercontent.com/CHEF-KOCH/NSABlocklist/master/HOSTS/HOSTS

#ABP
https://bestpika.github.io/abp/yui.txt
https://gist.github.com/bestpika/5e414a4f60b2a996a6fb31ec592a56b4/raw/hide.txt
https://filters.adtidy.org/extension/ublock/filters/3.txt
https://filters.adtidy.org/extension/ublock/filters/15.txt
https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt
https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt
https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt
https://raw.githubusercontent.com/NanoAdblocker/NanoFilters/master/NanoFilters/NanoTimer.txt
https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjxlist.txt
https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
https://280blocker.net/files/280blocker_adblock.txt
https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-easylist.txt
#AAK
https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
https://raw.githubusercontent.com/jspenguin2017/uBlockProtector/master/uBlockProtectorList.txt
#Other
https://filter.futa.gg/filter.txt
https://filter.futa.gg/hosts.txt
https://raw.githubusercontent.com/gwarser/filter-lists/master/lan-block.txt
https://filter.futa.gg/nofarm_hosts.txt
https://filter.futa.gg/removeparam.txt
https://filter.futa.gg/experimental.txt
https://filter.futa.gg/hide_farm_from_search.txt
https://anti-ad.net/easylist.txt
https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt
https://raw.githubusercontent.com/BlueSkyXN/AdGuardHomeRules/master/all.txt
https://raw.githubusercontent.com/BlueSkyXN/AdGuardHomeRules/master/skyrules.txt
#Xuan2host_Filter
https://pvecli.xuan2host.com/Filter/Xuan2host_Filter.txt

---

自訂過濾規則:

---

Let's Encrypt:

先利用其他域名證書讓 nginx -t 檢查通過之後 CF DNS 直通 Let's Encrypt 簽發證書回傳:

server
{
   listen 80;
   server_name agh.yourdomain;

   return 301 https://$server_name$request_uri;
}

server
{
   listen 443 ssl http2;
   server_name agh.yourdomain;

   root /dev/null;
    ssl_certificate /etc/letsencrypt/live/agh.yourdomain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/agh.yourdomain/privkey.pem; # managed by Certbot
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_session_timeout  10m;
   ssl_session_cache shared:SSL:10m;
   ssl_session_tickets off;

   location / {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://10.0.1.191;
    }

    location ~ .*.(gif|jpg|jpeg|png|bmp|swf|css|js)$ {
        proxy_pass https://10.0.1.191;
        proxy_set_header Host  $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location /dns-query {
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://10.0.1.191:443/dns-query;
    }

}

然後利用 proxy 取得的 ssl 證書拷貝至 AdGuard Home 加密頁面， 填寫相同域名，不勾選 HTTP to HTTPS 之後，生效收工。

---

如果不小心開啟安全搜尋請先關閉之後進入 Youtube 將嚴格篩選模式關閉:

---

驗證 DoT 以及 DoH >> https://github.com/ameshkov/dnslookup

apt install golang
git clone https://github.com/ameshkov/dnslookup
cd dnslookup
make
./dnslookup www.google.com https://adg.yourdomain/dns-query

---

or 使用此測試:

time nslookup www.google.com agh.yourdomain

其他封鎖清單:

https://github.com/tasi788/abp

https://github.com/privacy-protection-tools/anti-AD

---

Configuration:

bind_host: 0.0.0.0
bind_port: 80
beta_bind_port: 0
users:
- name: Username
  password: 
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: zh-tw
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
  - 10.0.1.191
  port: 53
  statistics_interval: 90
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 90
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 1.1.1.2
  - 1.0.0.2
  - 168.95.192.1
  - 8.8.8.8
  - 168.95.1.25
  - quic://dns-unfiltered.adguard.com:784
  - https://dns.google/dns-query
  - tls://dns.google
  - https://dns.cloudflare.com/dns-query
  - https://security.cloudflare-dns.com/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
  - tls://1.1.1.1
  - tls://8.8.8.8
  - tls://8.8.4.4
  all_servers: true
  fastest_addr: false
  allowed_clients: []
  disallowed_clients:
  - 195.37.190.77
  - 88.152.11.31
  - 27.115.124.74
  - 47.245.54.133
  blocked_hosts:
  - version.bind
  - id.server
  - hostname.bind
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: true
  enable_dnssec: true
  edns_client_subnet: false
  max_goroutines: 50
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  local_domain_name: lan
  resolve_clients: true
  local_ptr_upstreams: []
tls:
  enabled: true
  server_name: agh.
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: |-
  private_key: |-
  certificate_path: ""
  private_key_path: ""
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway
  id: 2
- enabled: true
  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
  name: MalwareDomainList.com Hosts List
  id: 4
- enabled: true
  url: https://cdn.jsdelivr.net/gh/neoFelhz/[email protected]/127.0.0.1/full/hosts
  name: neoHosts
  id: 1587358099
- enabled: true
  url: https://zerodot1.gitlab.io/CoinBlockerLists/hosts
  name: CoinBlocker
  id: 1587358920
- enabled: true
  url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  name: StevenBlack
  id: 1587358921
- enabled: true
  url: https://raw.githubusercontent.com/CHEF-KOCH/NSABlocklist/master/HOSTS/HOSTS
  name: CHEF-KOCH NASBlocklist
  id: 1587358922
- enabled: true
  url: https://bestpika.github.io/abp/yui.txt
  name: 廣告退散
  id: 1587659743
- enabled: true
  url: https://gist.github.com/bestpika/5e414a4f60b2a996a6fb31ec592a56b4/raw/hide.txt
  name: 廣告退散 禁則事項
  id: 1587659744
- enabled: true
  url: https://filters.adtidy.org/extension/ublock/filters/3.txt
  name: AdGuard Tracking Protection filter
  id: 1587659745
- enabled: true
  url: https://filters.adtidy.org/extension/ublock/filters/15.txt
  name: AdGuard DNS filter
  id: 1587659747
- enabled: true
  url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt
  name: uBlock filters – Badware risks
  id: 1587659748
- enabled: true
  url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt
  name: uBlock filters – Resource abuse
  id: 1587659749
- enabled: true
  url: https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt
  name: Anti popads.net
  id: 1587659750
- enabled: true
  url: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjxlist.txt
  name: CJX's EasyList Lite
  id: 1587659752
- enabled: true
  url: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
  name: CJX's Annoyance List
  id: 1587659753
- enabled: true
  url: https://280blocker.net/files/280blocker_adblock.txt
  name: 280blocker for japanese mobile site
  id: 1587659754
- enabled: true
  url: https://raw.githubusercontent.com/jspenguin2017/uBlockProtector/master/uBlockProtectorList.txt
  name: uBlockProtectorList
  id: 1587659756
- enabled: true
  url: https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-easylist.txt
  name: anti-ad-easylist
  id: 1587659757
- enabled: true
  url: https://futaguard.github.io/FutaFilter/hosts.txt
  name: FutaFilter_Hosts
  id: 1589653537
- enabled: true
  url: https://futaguard.github.io/FutaFilter/filter.txt
  name: Make futa great again!
  id: 1589653538
- enabled: true
  url: https://raw.githubusercontent.com/gwarser/filter-lists/master/lan-block.txt
  name: Block access to LAN
  id: 1590951368
- enabled: true
  url: https://filter.futa.gg/nofarm_hosts.txt
  name: nofarm_hosts
  id: 1590951369
- enabled: true
  url: https://filter.futa.gg/removeparam.txt
  name: removeparam
  id: 1615659718
- enabled: true
  url: https://filter.futa.gg/experimental.txt
  name: experimental
  id: 1615659719
- enabled: true
  url: https://raw.githubusercontent.com/BlueSkyXN/AdGuardHomeRules/master/skyrules.txt
  name: skyrules
  id: 1618162488
- enabled: true
  url: https://raw.githubusercontent.com/BlueSkyXN/AdGuardHomeRules/master/all.txt
  name: BlueSkyXN
  id: 1618162489
- enabled: true
  url: https://filter.futa.gg/hide_farm_from_search.txt
  name: hide_farm_from_search
  id: 1618162490
- enabled: true
  url: https://anti-ad.net/easylist.txt
  name: 'CHN: anti-AD'
  id: 1618162491
- enabled: true
  url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt
  name: filter_17_TrackParam
  id: 1618162492
- enabled: true
  url: https://pvecli.xuan2host.com/Filter/Xuan2host_Filter.txt
  name: Xuan2host_Filter
  id: 1623523461
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
schema_version: 10