I recently noticed that Home Assistant offers an AdGuard Home add-on. While I already block ads and tracking on the web with uBlock Origin on my laptops and Android phone, I'm still annoyed and concerned by all the tracking that happens, for example, by apps.
Installing the Add-on
Installing is as easy as going to http://homeassistant.local:8123/hassio/store and selecting the AdGuard Home add-on.
According to the AdGuard Home add-on install docs one should configure the network to use a static IP address: http://homeassistant.local:8123/config/network
Configuring AdGuard Home
For some reason the AdGuard Home add-on only listens on the local interface instead of all interfaces so it won't be reachable from outside. As instructed by https://community.home-assistant.io/t/adguard-listening-on-127-0-0-1-instead-of-the-hassio-ip/310137/9 I changed the add-on configuration accordingly:
Configuring Router
There are two main ways to set up your router when wanting to use AdGuard Home:
- Adding it as the DNS server your router uses
- Adding it as the DNS server that's distributed via DHCP
The first option has the advantage that local names will still be resolved by the router, while the second one gives better statistics on which clients use the AdGuard Home DNS server.
Since I didn't want to break stuff in my network I decided to first go with option one. Also I kept one of the original DNS servers just in case for the first test run.
Statistics
After a few days of usage without any problems the statistics looked like this:
As you can see, there are quite a few blocked requests, and all requests originate from one client, my router.
Use AdGuard Directly as the DNS Server
Since the usage went without any problems I decided to configure my router to directly use AdGuard Home as the DNS server for its clients.
To make sure that the important local names still resolve (NAS, HomeAssistant, SnapCast, ...) I added them manually as DNS rewrites.
When using the DNS server directly, we see in the statistics which clients create the most DNS queries and can also get some insight into which domains are queried by the WiFi switches, for example.
IPv6 troubles
I also noticed that around 25% of the requests are still coming from the router. Since all clients should use the AdGuard DNS server directly, this seemed a bit strange. It turns out there are two reasons for that:
- HomeAssistant itself is configured to use the router DNS directly, which is probably smart to avoid trouble if the AdGuard DNS server would misbehave.
- My router advertises IPv6 DNS servers as well, but doesn't allow changing them in the configuration, thus it still promotes itself as the DNS server there.
I found out about the IPv6 thing when I looked into the systemd-resolve status:
$ systemd-resolve --status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
Link 2 (enp38s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Link 4 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: $ROUTER_IPv6_ADDRESS
DNS Servers: $AD_GUARD_IPv4_ADDRESS $ROUTER_IPv6_ADDRESS
So IPv6 has now been available for more than 20 years, but support for it in network hardware is still very bad. My options for fixing this include:
- Disabling IPv6 on my router
- Deactivating DHCP on my router and using HomeAssistant as my DHCP server
- Overriding DNS servers on my clients
But for now I'll just live with the slightly worse statistics on AdGuard.
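A small check for the situation described above, as an added example that is not part of the original post: it parses `systemd-resolve --status` output and lists, per link, every DNS server that is not AdGuard Home, which is how a router-advertised IPv6 resolver shows up on a client. The function names and the documentation-range addresses in the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample shaped like the status output above. Assumed stand-ins for
# the post's placeholders: 192.0.2.53 = AdGuard Home, 2001:db8::1 = the router.
SAMPLE_STATUS = """\
Global
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
Link 2 (enp38s0)
Link 4 (wlan0)
Current DNS Server: 2001:db8::1
DNS Servers: 192.0.2.53 2001:db8::1
"""


def _addr(token):
    """Parse 'addr', 'addr#tls-name' or 'addr%zone'; return None if not an IP."""
    try:
        return ipaddress.ip_address(token.split("#")[0].split("%")[0])
    except ValueError:
        return None


def dns_by_link(status_text):
    """Map every 'Link N (name)' section to the DNS servers listed under it."""
    links, servers, in_list = {}, None, False
    for line in map(str.strip, status_text.splitlines()):
        m = re.match(r"Link \d+ \(([^)]+)\)", line)
        key, _, rest = line.partition(":")
        if m or line == "Global":
            servers = links.setdefault(m[1], []) if m else None
            in_list = False
        elif servers is not None:
            if key in ("Current DNS Server", "DNS Servers"):
                tokens, in_list = rest.split(), key == "DNS Servers"
            elif in_list and all(_addr(t) for t in line.split()):
                tokens = line.split()  # server list wrapped onto the next line
            else:
                tokens, in_list = [], False
            servers += [a for a in map(_addr, tokens) if a and a not in servers]
    return links


def bypass_resolvers(status_text, adguard_addrs):
    """Return {link: [addresses]} of resolvers that are not AdGuard Home."""
    allowed = {ipaddress.ip_address(a) for a in adguard_addrs}
    found = {name: [str(s) for s in servers if s not in allowed]
             for name, servers in dns_by_link(status_text).items()}
    return {name: extra for name, extra in found.items() if extra}
```

Pass it the real output of `systemd-resolve --status` and the AdGuard Home address(es) to check a client; an empty result means every per-link resolver is AdGuard Home.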