Adding AdGuard Home to my Home Assistant

I recently noticed that Home Assistant offers an AdGuard Home add-on. While I already block ads and tracking on the web with uBlock Origin on my laptops and Android phone, I'm still annoyed and concerned by all the tracking that happens, for example, by apps.

Installing the Add-on

Installing is as easy as going to http://homeassistant.local:8123/hassio/store and selecting the AdGuard Home add-on.

According to the AdGuard Home add-on install docs one should configure the network to use a static IP address: http://homeassistant.local:8123/config/network

The Home Assistant network configuration

Configuring AdGuard Home

For some reason the AdGuard Home add-on only listens on the local interface instead of all interfaces so it won't be reachable from outside. As instructed by https://community.home-assistant.io/t/adguard-listening-on-127-0-0-1-instead-of-the-hassio-ip/310137/9 I changed the add-on configuration accordingly:

The Home Assistant AdGuard add-on configuration

Configuring Router

There are two main ways to set up your router when wanting to use AdGuard Home:

  1. Adding it as the DNS server your router uses
  2. Adding it as the DNS server that's distributed via DHCP

The first option has the advantage that local names will still be resolved by the router, while the second one gives better statistics on which clients use the AdGuard Home DNS server.

Since I didn't want to break stuff in my network I decided to first go with option one. Also I kept one of the original DNS servers just in case for the first test run.

Router DNS configuration

Statistics

After a few days of usage without any problems the statistics looked like this:

AdGuard statistics

As you can see, there are quite a few blocked requests, and all requests originate from one client, my router.

Use AdGuard Directly as the DNS Server

Since the usage went without any problems I decided to configure my router to directly use AdGuard Home as the DNS server for its clients.

Router DHCP configuration

To make sure that the important local names still resolve (NAS, HomeAssistant, SnapCast, ...) I added them manually as DNS rewrites.

Router DHCP configuration

When using the DNS server directly, we see in the statistics which clients create the most DNS queries and can also get some insight into which domains are queried by the WiFi switches, for example.

AdGuard statistics for individual clients

IPv6 troubles

I also noticed that around 25% of the requests are still coming from the router. Since all clients should use the AdGuard DNS server directly, this seemed a bit strange. It turns out there are two reasons for that:

  1. Home Assistant itself is configured to use the router DNS directly, which is probably smart to avoid trouble if the AdGuard DNS server misbehaves.
  2. My router advertises IPv6 DNS servers as well, but doesn't allow changing them in the configuration, so it still promotes itself as the DNS server there.

I found out about the IPv6 thing when I looked into the systemd-resolve status:

$ systemd-resolve --status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp38s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported

Link 4 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: $ROUTER_IPv6_ADDRESS
       DNS Servers: $AD_GUARD_IPv4_ADDRESS $ROUTER_IPv6_ADDRESS

So IPv6 has now been available for more than 20 years, but there is still very bad support for it in network hardware. My options for fixing this include:

  • Disabling IPv6 on my router
  • Deactivating DHCP on my router and using Home Assistant as my DHCP server
  • Overriding DNS servers on my clients

But for now I'll just live with the slightly worse statistics on AdGuard.
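
As an added example (not part of the original post), this Python script parses status output in the layout shown above and lists, per link, every configured DNS server other than the filtering one, which is how a router-advertised IPv6 resolver shows up. The function names, the sample text and its documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample in the layout of the status output above; placeholder addresses.
SAMPLE = """\
Global
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      2620:fe::9#dns.quad9.net

Link 2 (enp38s0)
    Current Scopes: none

Link 4 (wlan0)
Current DNS Server: 2001:db8::1
       DNS Servers: 192.0.2.53 2001:db8::1
"""
HEADER = re.compile(r"^(Global|Link \d+ \(.+\))\s*$")
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*):\s+(.*)$")

def _addr(token):
    """Parse 'ip', 'ip#tls-name' or 'ip%zone'; return None if not an address."""
    try:
        return ipaddress.ip_address(token.split("#")[0].split("%")[0])
    except ValueError:
        return None

def bypass_resolvers(status_text, filter_ips):
    """Return {section: [configured DNS servers that are not the filter]}."""
    allowed = {ipaddress.ip_address(ip) for ip in filter_ips}
    findings, section, key = {}, None, None
    for line in status_text.splitlines():
        if HEADER.match(line):
            section, key = line.strip(), None
            continue
        m = KEYVAL.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
        elif key and line.strip():
            value = line  # wrapped continuation of the previous key's value
        else:
            key = None  # blank line ends the current key
            continue
        if section and key == "DNS Servers":
            extra = [str(a) for a in map(_addr, value.split()) if a and a not in allowed]
            if extra:
                findings.setdefault(section, []).extend(extra)
    return findings

if __name__ == "__main__":
    print(bypass_resolvers(SAMPLE, ["192.0.2.53"]))
```

An empty result means every link only knows the filtering resolver; the "Fallback DNS Servers" entry is deliberately ignored because it is a different key from "DNS Servers".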
