I recently started using AdGuard Home to filter trackers and ads, and it works very well. Below are some notes on the installation and configuration steps and the issues I ran into.
GitHub project: AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)
The project wiki is very thorough; for any kind of advanced configuration, see: Home · AdguardTeam/AdGuardHome Wiki (github.com)
What is Adguard Home
AdGuard Home is a free and open-source DNS server that can be used to block ads, trackers, and malware on your network. It is easy to install and comes with a user-friendly web interface that allows you to configure it to your specific needs.
Installation steps in brief
Most mainstream platforms can run AdGuard Home. For Docker or source installs, see the official installation guide directly; the following uses the AdGuard Home binary deployed on Linux x86_64 as the example.
Automated install
# The first command installs via curl
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
# The second command installs via wget
wget --no-verbose -O - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
# The third command installs via fetch
fetch -o - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
The install script accepts the following options:
-c <channel>  switch to the given (test) channel, see below
-r  reinstall AdGuard Home
-u  uninstall AdGuard Home
-v  verbose output
Note that -r and -u are mutually exclusive. To switch to a test channel, use one of the following commands:
# The first command installs from the beta channel
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c beta
# The second command installs from the edge channel
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge
Installing from source
AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)
Installing with Docker
adguard/adguardhome - Docker Image | Docker Hub
Configuration steps in brief
Settings
General settings
Check "Use filters and hosts files to block specified domains"; the default update interval is fine. It is recommended to also check "Use AdGuard browsing security web service" and "Use safe search"; for a household you can additionally check "Use AdGuard parental control service".
In the statistics configuration, if the machine running AdGuard Home has little disk space, you can reduce the retention interval.
DNS settings
The DNS settings are the key part: resolution speed and quality depend on whether they are set correctly.
Choose upstream servers according to the network environment of the deployment machine, preferring those with low latency. To use encrypted upstreams (HTTPS/DoH, DoQ, DoT and so on), the encryption settings must be configured first.
#Adguard
https://dns.adguard-dns.com/dns-query
tls://dns.adguard-dns.com
quic://dns.adguard-dns.com
#Quad9
https://dns11.quad9.net/dns-query
tls://dns11.quad9.net
The default mode is "Load balancing"; to speed up resolution you can choose "Parallel requests". The "Fastest IP address" option is not recommended.
Bootstrap DNS servers (the downstream servers) are used to resolve the IP addresses of the DoH/DoT resolvers you specified as upstreams; choose them according to your local network environment. In mainland China, for example, the DNS IPs of Alibaba and Tencent can be used.
Rate limit is the maximum number of queries per second per client. 0 means no limit; the default is 20 per second. Removing the limit gives faster resolution but also exposes the server to DDoS. If you want to exempt your own clients from the rate limit, see the section "Other configuration and related issues" below.
Encryption settings
If needed, check "Enable encryption (HTTPS, DNS-over-HTTPS, DNS-over-TLS)". If another service already occupies port 443, change it to another port; picking an unused port in the range 100-1000 works well. DoT and DoQ default to port 853, which can be left unchanged; DoT and DoQ can share the same port.
Client settings
This is mainly for assigning identifiers to the devices that use AdGuard Home DNS, so that usage can be tracked in statistics or specific rules applied to them. It is also useful when a client's IP changes frequently. Setting a client identifier for DoH, DoT and DoQ requires that AdGuard Home is reachable by domain name and has a wildcard certificate.
If the server name is dns.example.dev and the client identifier you added is my-client, configure the client device as follows:
DNS-over-HTTPS (DoH): https://dns.example.dev/dns-query/my-client (the form https://my-client.dns.example.dev was deprecated after AdGuard Home v0.108.0-b.18)
DNS-over-QUIC (DoQ): quic://my-client.dns.example.dev
DNS-over-TLS (DoT): tls://my-client.dns.example.dev
HTTP/3 (DoH with HTTP/3 forced; experimental, must be enabled in the config file): h3://dns.example.dev/dns-query/my-client or h3://my-client.dns.example.dev/dns-query
Client identifiers are mainly used together with the client allowlist, which you can add under DNS settings -> Access settings.
https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid
https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.14...v0.107.15
DHCP settings
This applies when AdGuard Home is deployed on a router; when deployed on a server it is usually left unset.
Filters
DNS blocklists
You can add blocklists of your own, or directly use the lists recommended by AdGuard or other custom lists. They must follow adblock or hosts syntax; regular expressions are supported.
https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists
DNS allowlists
The opposite of blocklists: domains on the allowlist are allowed.
DNS rewrites
Similar to a host's hosts file: rewrite a domain so that it points to the IP you want.
https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite
Blocked services
Blocks access to the services of specific popular sites, such as BiliBili, QQ, TikTok and so on. Settings here are global and apply to all clients. To block specific services for a particular client only, configure it in the client settings.
Custom filtering rules
Enter one rule per line, following the rule syntax.
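To make the rule syntax above concrete, here is an added example of mine (not AdGuard Home's own filtering engine) that parses a constructed list written in the forms just described, hosts lines, ||domain^ rules, @@ exceptions and /regex/ rules, and decides whether a query name is blocked. Hosts lines are treated as exact-name matches here, which is a simplification of this model, and every domain in the sample list is made up for the example.

```python
import re

# Constructed sample list; none of these domains or rules come from the page.
RULES = r"""
! adblock-style comment
# hosts-style comment
||ads.example^
||tracker.example.net^$important
0.0.0.0 telemetry.example.org
/^banner\d+\./
@@||safe.ads.example^
"""


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


class RuleSet:
    """Simplified model of the rule forms AdGuard Home accepts: hosts lines,
    ||domain^ rules, @@ exceptions and /regex/ rules. Exceptions always win.
    Hosts lines are treated as exact-name matches here (a simplification)."""

    def __init__(self, text: str):
        self.block, self.allow = [], []
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "!#":
                continue                       # blank or comment line
            target, is_exception = line, False
            if line.startswith("@@"):
                target, is_exception = line[2:], True
            matcher = self._compile(target)
            if matcher is None:
                continue                       # syntax this model does not cover
            (self.allow if is_exception else self.block).append((line, matcher))

    @staticmethod
    def _compile(rule: str):
        if len(rule) > 2 and rule.startswith("/") and rule.endswith("/"):
            pat = re.compile(rule[1:-1])       # /regex/ rule
            return lambda q: bool(pat.search(q))
        if rule.startswith("||"):
            dom = _norm(rule[2:].split("^", 1)[0])   # drop the ^ separator and any $modifiers
            return lambda q: q == dom or q.endswith("." + dom)
        parts = rule.split("#", 1)[0].split()  # hosts line: "<ip> <name> [<name>...]"
        if len(parts) >= 2 and re.fullmatch(r"[0-9a-fA-F.:]+", parts[0]):
            names = {_norm(p) for p in parts[1:]}
            return lambda q: q in names
        return None

    def is_blocked(self, qname: str):
        """Return (blocked, rule) for a query name; rule is None when nothing matched."""
        q = _norm(qname)
        for rule, match in self.allow:
            if match(q):
                return False, rule
        for rule, match in self.block:
            if match(q):
                return True, rule
        return False, None


if __name__ == "__main__":
    rs = RuleSet(RULES)
    for name in ("ads.example", "cdn.ads.example", "safe.ads.example",
                 "banner12.example.com", "example.com"):
        print(name, rs.is_blocked(name))
```

Running it shows the two points that matter when writing custom rules: a ||domain^ rule covers the domain and every subdomain, and an @@ exception for a subdomain wins over the blocking rule of its parent.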
Other configuration and related issues
Advanced configuration can be done by editing the YAML file directly. This file is generated at initial setup: AdGuardHome.yaml in the AdGuard Home working directory. You need to be familiar with the YAML format.
bind_host: 0.0.0.0
bind_port: 9000
users:
  - name: Microcharon
    password: $2a$10$.aJppmrRwhxX8ajTBqqlYekWeScXl.DIGjfmvOjVRta.Llmt23OdC
  - name: Team
    password: $2a$10$Z1z6TgA.V9KIy134G6rfCug4v4NWI6vNugOuxN0.pXH8dV6S6hnYy
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: zh-cn
theme: auto
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '#Adguard'
    - https://dns.adguard-dns.com/dns-query
    - tls://dns.adguard-dns.com
    - quic://dns.adguard-dns.com
    - '#Quad9'
    - https://dns11.quad9.net/dns-query
    - tls://dns11.quad9.net
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 20971520
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: true
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: true
  server_name: 38.59.243.18
  force_https: true
  port_https: 455
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /usr/local/nginx/conf/cert/fullchain.crt
  private_key_path: /usr/local/nginx/conf/cert/private.key
  strict_sni_check: false
querylog:
  enabled: true
  file_enabled: true
  interval: 168h
  size_memory: 1000
  ignored: []
statistics:
  enabled: true
  interval: 1
  ignored: []
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt
    name: 'CHN: anti-AD'
    id: 1676202984
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1676536918
whitelist_filters: []
user_rules:
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 17
Command-line arguments
Run the following in the AdGuard Home directory:
$ ./AdGuardHome --help
Usage:
./AdGuardHome [options]
Options:
-c, --config VALUE Path to the config file.
-w, --work-dir VALUE Path to the working directory.
-h, --host VALUE Host address to bind HTTP server on.
-p, --port VALUE Port to serve HTTP pages on.
-s, --service VALUE Service control action: status, install, uninstall, start, stop, restart, reload (configuration).
-l, --logfile VALUE Path to log file. If empty: write to stdout; if 'syslog': write to system log.
--pidfile VALUE Path to a file where PID is stored.
--check-config Check configuration and exit.
--no-check-update Don't check for updates.
--update Update the current binary and restart the service in case it's installed.
--no-mem-optimization Deprecated. Disable memory optimization.
--no-etc-hosts Deprecated. Do not use the OS-provided hosts.
--local-frontend Use local frontend directories.
-v, --verbose Enable verbose output.
--glinet Run in GL-Inet compatibility mode.
--version Show the version and exit. Show more detailed version description with -v.
--help Print this help.
How to add more users or change a password
The AdGuard Home web UI currently does not support adding multiple admin users, but you can add them by editing the YAML file.
AdGuard Home stores user passwords as bcrypt hashes; when resetting a password or adding a new user, hash the password with bcrypt first and then continue with the configuration.
users:
  - name: Microcharon
    password: $2a$10$.aJppmrRwhxX8ajTBqqlYekWeScXl.DIGjfmvOjVRta.Llmt23OdC
  - name: Team
    password: $2a$10$Z1z6TgA.V9KIy134G6rfCug4v4NWI6vNugOuxN0.pXH8dV6S6hnYy
Bcrypt Password Generator | Create Valid Bcrypt Password Hashes! (purecalculators.com)
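A web-based generator like the one linked above sees the password you type, so for an admin account it is preferable to hash locally. The block below is an added example of mine, not AdGuard Home's code: it hashes on the local machine with the third-party bcrypt package (assumed installed with pip install bcrypt), checks that a value is a well-formed bcrypt string in the form AdGuard Home stores ($2a$10$, a 22-character salt and a 31-character digest) with a sane cost, and renders the users: block so it can be pasted into AdGuardHome.yaml. The two hashes used in the usage section are the ones shown on the page.

```python
import re
from typing import Optional

# Modular-crypt form AdGuard Home stores: $2<minor>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(hash_str: str) -> Optional[dict]:
    """Split a bcrypt string into its parts, or return None if it is malformed."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    minor, cost, salt, digest = m.groups()
    return {"minor": minor, "cost": int(cost), "salt": salt, "digest": digest}


def check_hash(hash_str: str, min_cost: int = 10) -> list:
    """Problems that would bite when this value is pasted as a `password:` entry."""
    parts = parse_bcrypt(hash_str)
    if parts is None:
        return ["not a bcrypt string in modular-crypt form ($2a$10$...)"]
    problems = []
    if parts["cost"] < min_cost:
        problems.append(f"cost {parts['cost']} is below {min_cost}; offline guessing gets cheaper")
    return problems


def hash_password_locally(password: str, cost: int = 10) -> str:
    """Hash on the local machine with the third-party `bcrypt` package
    (assumed installed via `pip install bcrypt`), so the password never
    leaves the host. Raises ImportError when the package is absent."""
    import bcrypt
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=cost)).decode()


def render_users_block(users: list) -> str:
    """Render the `users:` block of AdGuardHome.yaml, refusing malformed hashes."""
    lines = ["users:"]
    for name, hash_str in users:
        problems = check_hash(hash_str)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        lines.append(f"  - name: {name}")
        lines.append(f"    password: {hash_str}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The two hashes below are the ones shown on the page.
    print(render_users_block([
        ("Microcharon", "$2a$10$.aJppmrRwhxX8ajTBqqlYekWeScXl.DIGjfmvOjVRta.Llmt23OdC"),
        ("Team", "$2a$10$Z1z6TgA.V9KIy134G6rfCug4v4NWI6vNugOuxN0.pXH8dV6S6hnYy"),
    ]))
```

Without the Python package, htpasswd -B -C 10 -n -b NAME PASSWORD from the Apache utilities also produces a bcrypt string locally; run check_hash on whatever you get before editing the YAML, since a truncated or plaintext value in password: silently locks the account out.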
Setting a shortcut path
Use the existing Linux alias mechanism to define an alias as follows, which saves typing the full path each time; you can of course pick another name for the alias, such as adg, adguard and so on.
# set the alias AdGuardHome
alias AdGuardHome=/opt/AdGuardHome/AdGuardHome
# remove the alias
unalias AdGuardHome
Removing the rate limit
In AdGuardHome.yaml, configure the ratelimit_whitelist parameter and put the IPs that should be exempt from the rate limit there.
DNSCrypt
Mostly there is no need for it, and the official wiki covers it in detail, so here is just a brief walkthrough.
Download and extract dnscrypt; look up the matching version on the release page.
wget https://github.com/ameshkov/dnscrypt/releases/download/v2.2.7/dnscrypt-linux-amd64-v2.2.7.tar.gz
tar -xzvf ./dnscrypt-linux-amd64-v2.2.7.tar.gz
Generate the keys and write them out as YAML; the argument to --provider-name is your AdGuard Home domain name, in the 2.dnscrypt-cert.<domain> form shown below.
./dnscrypt generate --provider-name '2.dnscrypt-cert.your-domain.com' \
  --out ./dnscrypt.yaml
Move or copy dnscrypt.yaml into the AdGuard Home directory, edit the tls block of the AdGuard Home configuration file as follows, then restart AdGuard Home with systemctl restart AdGuardHome
'tls':
  # N.B. The encryption must be enabled.
  'enabled': true
  # …
  'port_dnscrypt': 5443
  'dnscrypt_config_file': './dnscrypt.yaml'
tls:
  enabled: true
  server_name: your-domain.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 5443
  dnscrypt_config_file: "./dnscrypt.yaml"
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /usr/local/nginx/conf/cert/fullchain.crt
  private_key_path: /usr/local/nginx/conf/cert/private.key
  strict_sni_check: false
Inspecting the generated dnscrypt.yaml gives you the public_key:
provider_name: 2.dnscrypt-cert.your-domain.com
public_key: 493F8471B4C0F15BD4TF98538D7707BDE7CC2E3A4E702BCAE323C1AE2F24A1A2
private_key: DE724BF244168CE1B2CEE5C5185ECA98143E6D314R5DB56B64F80F9873E70302493F8471B4C0F15BD8EF98538D7707BDE7CC2E3A4E702BCAE323C1AE2F24A1A2
resolver_secret: 60FA427FC12CA284C02DCF23AA3937DFBE5FV6FFCC2EE054D366FC6F4EFE5336
resolver_public: 9AE697314B01CC0DA2482FE3E2C6CCEBE762E7E435699B3A672B3FA6B7DB1954
es_version: 1
certificate_ttl: 0s
Obtain a stamp from the DNSCrypt stamp calculator.
Check that dnscrypt is working:
./dnscrypt lookup-stamp \
  --domain 'your-domain.com' \
  --stamp 'sdns://AQcAAAAAAAAAETM4LjU5LjI1Ni4yNDo1NDQzIL_6TboCdS9c9eFzuAB3Y2HKmQCQGIThHAznqb8N_RGhHDIuZG5zY3J5cHQtY2VydC4zOC41OS4yNTYuMjQ' \
  --type 'a'
The output looks like this:
{
  "certificate": {
    "serial": 1679480711,
    "encryption": "XSalsa20Poly1300",
    "not_after": "2024-03-21T10:27:02Z",
    "not_before": "2023-03-22T10:27:02Z"
  },
  "reply": {
    "Id": 17960,
    "Response": true,
    "Opcode": 0,
    "Authoritative": false,
    "Truncated": false,
    "RecursionDesired": true,
    "RecursionAvailable": true,
    "Zero": false,
    "AuthenticatedData": false,
    "CheckingDisabled": false,
    "Rcode": 3,
    "Question": [
      {
        "Name": "your-domain.com.",
        "Qtype": 1,
        "Qclass": 1
      }
    ],
    "Answer": null,
    "Ns": [
      {
        "Hdr": {
          "Name": ".",
          "Rrtype": 6,
          "Class": 1,
          "Ttl": 3600,
          "Rdlength": 64
        },
        "Ns": "a.root-servers.net.",
        "Mbox": "nstld.verisign-grs.com.",
        "Serial": 2023032102,
        "Refresh": 1800,
        "Retry": 900,
        "Expire": 604800,
        "Minttl": 86400
      }
    ],
    "Extra": [
      {
        "Hdr": {
          "Name": ".",
          "Rrtype": 41,
          "Class": 4096,
          "Ttl": 0,
          "Rdlength": 0
        },
        "Option": null
      }
    ]
  }
}
The dnscrypt port can of course be customized; the default 5443 is used here.
tls:
  enabled: true
  server_name: your-domain.com
  port_dnscrypt: 5443
  dnscrypt_config_file: "./dnscrypt.yaml"
Then add the sdns:// link as an upstream DNS server, test it, and save once the test succeeds.
DNSCrypt - DNS Stamps online calculator
DNSCrypt · AdguardTeam/AdGuardHome Wiki (github.com)
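The stamp above comes from the online calculator and is only checked end to end with lookup-stamp. As an added example of mine (not code from the dnscrypt tool or AdGuard Home), the block below decodes sdns:// stamps according to the DNS Stamps format and builds the DNSCrypt stamp for your own listener from three values you already have: the address the listener is reachable on, the public_key from dnscrypt.yaml and the provider_name. It goes beyond the page by also decoding DoH, DoT and DoQ stamps. Inputs are the stamp quoted on the page and, for the DoH path, a published Cloudflare stamp that is not from the page.

```python
import base64
import struct
from dataclasses import dataclass, field

# Protocol identifiers from the DNS Stamps specification (https://dnscrypt.info/stamps).
PROTO_PLAIN, PROTO_DNSCRYPT, PROTO_DOH, PROTO_DOT, PROTO_DOQ = 0x00, 0x01, 0x02, 0x03, 0x04
PROTO_NAMES = {PROTO_PLAIN: "Plain DNS", PROTO_DNSCRYPT: "DNSCrypt",
               PROTO_DOH: "DNS-over-HTTPS", PROTO_DOT: "DNS-over-TLS", PROTO_DOQ: "DNS-over-QUIC"}


@dataclass
class Stamp:
    protocol: int
    dnssec: bool
    no_logs: bool
    no_filter: bool
    addr: str                     # "ip:port" the resolver listens on
    public_key: bytes = b""       # DNSCrypt: provider Ed25519 public key (32 raw bytes)
    provider_name: str = ""       # DNSCrypt: e.g. 2.dnscrypt-cert.example.com
    hashes: list = field(default_factory=list)  # DoH/DoT/DoQ: certificate hashes
    hostname: str = ""            # DoH/DoT/DoQ
    path: str = ""                # DoH only


class _Reader:
    """Cursor over the decoded stamp bytes with the spec's two field encodings."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stamp")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        # LP(): one length byte, then that many bytes
        return self.take(self.take(1)[0])

    def vlp(self) -> list:
        # VLP(): sequence of LP fields; the high bit of a length byte means another
        # field follows, and an empty set is a single 0x00 byte
        out = []
        while True:
            n = self.take(1)[0]
            out.append(self.take(n & 0x7F))
            if not n & 0x80:
                return [x for x in out if x]


def parse_stamp(stamp: str) -> Stamp:
    """Decode an sdns:// stamp for plain DNS, DNSCrypt, DoH, DoT or DoQ."""
    if not stamp.startswith("sdns://"):
        raise ValueError("stamp must start with sdns://")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # stamps omit padding
    r = _Reader(raw)
    proto = r.take(1)[0]
    if proto not in PROTO_NAMES:
        raise ValueError(f"unsupported protocol id {proto:#04x}")
    props, = struct.unpack("<Q", r.take(8))                       # 64-bit little-endian flags
    s = Stamp(proto, bool(props & 1), bool(props & 2), bool(props & 4), r.lp().decode())
    if proto == PROTO_DNSCRYPT:
        s.public_key = r.lp()
        s.provider_name = r.lp().decode()
    elif proto in (PROTO_DOH, PROTO_DOT, PROTO_DOQ):
        s.hashes = r.vlp()
        s.hostname = r.lp().decode()
        if proto == PROTO_DOH:
            s.path = r.lp().decode()
    return s


def _lp(b: bytes) -> bytes:
    if len(b) > 255:
        raise ValueError("field longer than 255 bytes")
    return bytes([len(b)]) + b


def build_dnscrypt_stamp(addr: str, public_key_hex: str, provider_name: str,
                         dnssec: bool = True, no_logs: bool = True, no_filter: bool = True) -> str:
    """Build the sdns:// stamp for your own DNSCrypt listener from the values in dnscrypt.yaml."""
    pk = bytes.fromhex(public_key_hex)
    if len(pk) != 32:
        raise ValueError("provider public key must be 32 bytes (64 hex chars)")
    props = (1 if dnssec else 0) | (2 if no_logs else 0) | (4 if no_filter else 0)
    raw = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
           + _lp(addr.encode()) + _lp(pk) + _lp(provider_name.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


# The stamp quoted on the page, used here as the sample input.
PAGE_STAMP = "sdns://AQcAAAAAAAAAETM4LjU5LjI1Ni4yNDo1NDQzIL_6TboCdS9c9eFzuAB3Y2HKmQCQGIThHAznqb8N_RGhHDIuZG5zY3J5cHQtY2VydC4zOC41OS4yNTYuMjQ"

if __name__ == "__main__":
    s = parse_stamp(PAGE_STAMP)
    print(PROTO_NAMES[s.protocol], s.addr, s.provider_name, s.public_key.hex())
    print(build_dnscrypt_stamp(s.addr, s.public_key.hex(), s.provider_name) == PAGE_STAMP)
```

Decoding the page's stamp yields the address 38.59.256.24:5443, the provider name 2.dnscrypt-cert.38.59.256.24 and the embedded public key; when lookup-stamp fails, comparing these three fields against dnscrypt.yaml and the tls block is the first thing to check, and build_dnscrypt_stamp lets you produce the stamp offline instead of pasting the key into a web form.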
References
AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server (github.com)