Viaica

(How to) Using custom DNS blocklists with Adguard Home and AirVPN DNS


I was first about to post this in the Hagezi request thread but it seemed too off-topic; it can be moved somewhere else. This kind of evolved into a guide 😅.
Anyway, if you want to use Hagezi or other custom DNS blocklists on your computer (or make your own rules) and still use AirVPN's DNS but don't have your own server/Pi, it is still possible to achieve with Adguard Home (free and open source), which acts as a DNS filter-server service between the user and the actual DNS server. Even though it's mostly meant to be installed on server-type/always-online machines, AGH can also be run on your regular Windows/Linux/etc. desktop, as I've recently learned.

Basic installation for Adguard Home
https://adguard-dns.io/kb/adguard-home/getting-started/
For manually installing AGH, follow the guide in the link, or use the automated scripts (for non-Windows OSes) from their GitHub.
On Windows I'd recommend extracting the release .zip in C:\Program Files\, especially with the latest releases as they have new permission restrictions. Then, with an admin terminal, cd into C:\Program Files\AdGuardHome\ and run .\Adguard.exe
I would first run it from the terminal for the initial setup and for the first test runs after that, so you'd get any possible error messages straight in the terminal. Then install it as a service when everything is good.

Airvpn's DNS
The trick to using Adguard Home with AirVPN's DNS is to run Eddie and AGH on the same machine and set AGH to run on the 10.* interface/IP of the VPN, where the IP is actually the IP of the AirVPN "Device" you log into, so it always stays the same even if you disconnect or switch between servers. The IP can be chosen from the list on the AGH setup page (you must be connected to AirVPN) and can always be checked with ipconfig.exe, for example.
I have also set the Admin Web Interface for AGH to be on localhost, 127.0.0.1.

Then set Adguard Home to use AirVPN's internal DNS "10.128.0.1" as its Upstream and Bootstrap servers. (I don't think the Bootstrap server is actually used in this scenario, as it is for DoH/DoT, but if there are no IPs set for it AGH will fill it with its own default servers, which has potential for leaks.)
I've also set my 10.* IP as the only Allowed Client in AGH's DNS settings, which likely doesn't affect anything in this case, but it's always good to have different restrictions 😁.

Finally, set Eddie to use the previously mentioned 10.* IP as its DNS server to complete the loop. So Eddie will use AGH for its DNS, which in turn uses AirVPN's DNS server. The "Check AirVPN DNS" option in Eddie probably does not work in this setup but can still be left checked.

Pictures for the setup:

[Screenshot: Setup page for AGH]

[Screenshot: DNS settings for AGH]

[Screenshot: Eddie's DNS settings]

If you exit Eddie and use your "normal" non-VPN internet, it should not be affected by this, as it would not use AGH at all. But AGH would still run in the background uselessly if not stopped manually. You could maybe have two different config .yaml files for AGH: one for running with Eddie and another one for running on localhost with "normal" DNS servers, and then switch between them with scripts if you want to use the blocklists on both networks. I only use VPN so I'm just guessing.

Some possible lists
I have mainly been using "HaGeZi's Ultimate Blocklist", "HaGeZi's Threat Intelligence Feeds" & "Threat Intelligence Feeds - IPs", which are about a million block rules altogether. There are a bunch of other lists and different recommendations on the Hagezi GitHub for their own and outside lists as well, like the smaller "Dandelion Sprout's Anti-Malware List", "HaGeZi's Badware Hoster Blocklist" and "HaGeZi's The World's Most Abused TLDs" (this one has had the most unnecessary blocks due to the nature of the list. For a related example, ".website" is blocked but "eddie.website" is on a denyallow rule. But unblocking sites from the Query Log is easy every time you need to do it, just don't make too permissive rules at once ;)).
Using these lists on Windows hasn't had any ill effect on performance for me, but using HUGE lists like (not Hagezi's but linked on their GitHub) the "Newly Registered Domains (NRDs)-blocklist", which has 7 million domains, makes Adguard Home use up to 1GB of RAM. (But unused RAM is wasted RAM, right?)

It is not just hosts blocking, as AGH uses Adblock-style syntax, so you can even block the whole internet with one rule! (Well, at least the DNS part of the internet.) One of my hobbies recently has been blocking all the possible Microsoft domains there are, and only punching holes for updates/store/time synchronization/certificates/NCSI and some web content, to name a few. And this specifically is something I'd rather do on a system level than on VPN level, so it's easier to unfark things when all goes south.
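Since the screenshots are gone, here is an added example (mine, not the poster's and not part of AdGuard Home) that checks a parsed AdGuardHome.yaml against the loop described in the post: admin UI on loopback, DNS listener only on the 10.* device IP, upstream and bootstrap both set to 10.128.0.1, and only the device IP as an allowed client. The key names (`http.address`, `dns.bind_hosts`, `dns.upstream_dns`, `dns.bootstrap_dns`, `dns.allowed_clients`) are from the AGH config schema as I know it; older schema versions used top-level `bind_host`/`bind_port`, so adjust if your file differs. The device IP 10.4.5.6 is a constructed placeholder, and the two sample configs are constructed inline rather than read from disk.

```python
# Added example: audit a parsed AdGuardHome.yaml for the AirVPN + AGH loop.
# Not part of the post or of AdGuard Home. Key names assume the current
# AGH schema (http.address, dns.bind_hosts, ...); older files differ.
import ipaddress

AIRVPN_DNS = "10.128.0.1"   # AirVPN's internal resolver, as given in the post
VPN_NET = ipaddress.ip_network("10.0.0.0/8")


def is_vpn_ip(addr):
    """True if addr is a valid address inside the 10.* VPN range."""
    try:
        return ipaddress.ip_address(addr) in VPN_NET
    except ValueError:
        return False


def audit(cfg):
    """Return a list of findings; an empty list means the config matches the setup."""
    findings = []
    dns = cfg.get("dns", {})

    # Admin web UI should only be reachable on loopback.
    http_addr = cfg.get("http", {}).get("address", "")
    host = http_addr.rsplit(":", 1)[0]
    if host not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append(f"admin UI listens on {http_addr!r}; bind it to 127.0.0.1")

    # The DNS listener should sit only on the AirVPN device IP.
    binds = dns.get("bind_hosts", [])
    if not binds or not all(is_vpn_ip(b) for b in binds):
        findings.append(f"bind_hosts {binds} should be only the 10.* device IP")

    # Upstream must be the VPN-internal resolver and nothing else.
    upstream = dns.get("upstream_dns", [])
    if upstream != [AIRVPN_DNS]:
        findings.append(f"upstream_dns {upstream} should be exactly [{AIRVPN_DNS!r}]")

    # An empty bootstrap list is filled with AGH's public defaults (possible leak).
    bootstrap = dns.get("bootstrap_dns", [])
    if not bootstrap:
        findings.append("bootstrap_dns is empty; AGH will substitute its default public resolvers")
    elif bootstrap != [AIRVPN_DNS]:
        findings.append(f"bootstrap_dns {bootstrap} should be exactly [{AIRVPN_DNS!r}]")

    # Only the VPN device IP should be allowed to query the listener.
    allowed = dns.get("allowed_clients", [])
    if not allowed or not all(is_vpn_ip(a) for a in allowed):
        findings.append(f"allowed_clients {allowed} should be only the 10.* device IP")

    return findings


# Constructed sample configs (dict form of the YAML). 10.4.5.6 is a placeholder
# for whatever device IP ipconfig shows you; it is not a real AirVPN address.
DEVICE_IP = "10.4.5.6"

LEAKY_CONFIG = {
    "http": {"address": "0.0.0.0:3000"},
    "dns": {
        "bind_hosts": ["0.0.0.0"],
        "port": 53,
        "upstream_dns": [AIRVPN_DNS],
        "bootstrap_dns": [],           # left empty: AGH fills in public defaults
        "allowed_clients": [],
    },
}

LOOP_CONFIG = {
    "http": {"address": "127.0.0.1:3000"},
    "dns": {
        "bind_hosts": [DEVICE_IP],
        "port": 53,
        "upstream_dns": [AIRVPN_DNS],
        "bootstrap_dns": [AIRVPN_DNS],
        "allowed_clients": [DEVICE_IP],
    },
}

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_CONFIG), ("loop", LOOP_CONFIG)):
        problems = audit(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To run it against your real file, load it with PyYAML (`yaml.safe_load(open("AdGuardHome.yaml"))`) and pass the resulting dict to `audit()`; the bootstrap check is the one that matters most, since an empty list is exactly the case the post warns about.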
