Secure Your DNS with DNSSEC: AdGuard Home and Pi-Hole Integration with Stubby

Secure Your DNS with DNSSEC: AdGuard Home and Pi-Hole Integration with Stubby

In Uncategorized by dbtech

Stubby for Pi-Hole and AdGuard

We’ve spent a fair amount of time talking about Pi-Hole, AdGuard Home, and other ways to protect yourself online.

In this video I want to show how to add DNSSEC to your Pi-Hole or AdGuard setup by installing and configuring a “stubby” container.

‘Stubby’ is an application that acts as a local DNS privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

A stub resolver converts name resolution requests from applications like web browsers into DNS request messages.

For our DNS privacy resolver, we’re going to use a 3rd party DNSSEC provider called NextDNS, but there are other options out there that will accomplish the same goal.

If you’re not interested in using a 3rd party provider, then this video may not be for you and, but hopefully you’ll check out some of my other content instead of this video.

Now, with that said, in order to follow this tutorial, you’ll need an account at nextdns.io. You can use the “free tier” for testing or if you’re getting fewer than 300k DNS requests per month.

If you’d like to get their pro plan for $1.99/month of $19.99/year, there’s an affiliate link in the video description. (https://nextdns.io/?from=xkj8cs9p)

DNS issue resolution

If you run into any issues with port 53 being used by something else already, do the following:

cd /etc/systemd
nano resolved.conf

Under the “[Resolve]” section change:

#DNSStubListener=yes

to:
DNSStubListener=no

Then save and exit the file. Then run this command to restart systemd:

sudo systemctl restart systemd-resolved

Creating a stubby.yml file

The first thing we need to do is create a file called “stubby.yml”. I’m just going to put this in the home directory just to keep things easy.

Then we’ll paste the following into it:

dns_transport_list: 
 - GETDNS_TRANSPORT_TLS
dnssec: GETDNS_EXTENSION_TRUE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_min_version: GETDNS_TLS1_3
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
 - 0.0.0.0
 - 0:0:0:0:0:0:0:0
# The following information can be found at my.nextdns.io/xxxxxxx/setup and then scroll down to "Stubby" and copy/paste from there to here.
round_robin_upstreams: 1
upstream_recursive_servers:
 - address_data: 45.90.28.0
   tls_auth_name: "xxxxxx.dns.nextdns.io"
 - address_data: 2a07:a8c0::0
   tls_auth_name: "xxxxxx.dns.nextdns.io"
 - address_data: 45.90.30.0
   tls_auth_name: "xxxxxx.dns.nextdns.io"
 - address_data: 2a07:a8c1::0
   tls_auth_name: "xxxxxx.dns.nextdns.io"

This Stubby can be found here:
https://code.dbt3ch.com/YpCQgZ1i

Place this file on your server. Make note of the path. You’ll need it in the docker-compose.yml file.

Make the appropriate changes to the upstream_recursive_servers. You can find this information in the nextdns.io setup setup tab in your account. Just scroll down to the setup guide and click “Linux”. Then you should see the Stubby information below that.

Creating Docker Networks

But first, we need to create a docker network to attach our containers to.

We’re going to run the following commands:

First we’ll create a docker network.

Here’s what I would use for the Pi-Hole network:
docker network create pihole_local_network –subnet=172.25.0.0/24

Here’s what I would use for the AdGuard Home network:
docker network create adguard_local_network –subnet=172.25.0.0/24

And then we’ll list the docker networks available on our machine.
docker network ls

Find the network we just created and save that information for later.

We’ll end up putting the created network name in the ‘networks’ in both services and the network declaration at the bottom of the docker-compose.

Creating a docker-compose.yml file

Because we’ve already done videos on both Pi-Hole and AdGuard Home, we’re not going to spend a lot of time digging into the intricacies of either service. But we’ll talk about the docker-compose files and what’s going on in each one. Then you can choose the ad blocker you want to use in your own setup.

Now that we have our network created, we’ll go ahead and create our docker-compose file.

Go back to your home directory and run the command:
nano docker-compose.yml

If you want to use Pi-Hole, here is the docker compose for it:

version: "3"
services:
 pihole:
   container_name: pihole
   image: pihole/pihole:latest
   ports:
     - "53:53/tcp"
     - "53:53/udp"
     - "67:67/udp"
     - "8082:80/tcp"
   environment:
     - TZ=${TZ} # change this to your timezone
     - WEBPASSWORD=${WEBPASSWORD} # put in the password you want to use to login to pi-hole
   # Volumes store your data between container upgrades
   volumes:
     - '/opt/pihole/etc/pihole:/etc/pihole'
     - '/opt/pihole/etc/dnsmasq.d:/etc/dnsmasq.d'
     - '/opt/pihole/etc/resolv.conf:/etc/resolv.conf'
   restart: unless-stopped
   networks:
     pihole_local_network:
       ipv4_address: 172.25.0.10    
       
 stubby:
   image: carterfields/stubby
   restart: unless-stopped
   volumes:
     - '/home/stubby.yml:/usr/local/etc/stubby/stubby.yml'
   networks:
     pihole_local_network:
       ipv4_address: 172.25.0.11

networks:
 pihole_local_network:
   external: true

This Pi-Hole / Stubby file can be found here:
https://code.dbt3ch.com/hZnc9L8r

If you want to use AdGuard Home, here is the docker compose for it:

version: '3.3'
services:
   adguard:
       container_name: adguardhome
       restart: unless-stopped
       volumes:
           - '/opt/adguard/work:/opt/adguardhome/work'
           - '/opt/adguard/confdir:/opt/adguardhome/conf'
       ports:
           - '53:53/tcp'
           - '53:53/udp'
           - '67:67/udp'
           - '80:80/tcp'
           - '443:443/tcp'
           - '443:443/udp'
           - '3000:3000/tcp'
           - '853:853/tcp'
           - '784:784/udp'
           - '853:853/udp'
           - '8853:8853/udp'
           - '5443:5443/tcp'
           - '5443:5443/udp'
       image: adguard/adguardhome:latest
       networks:
         adguard_local_network:
           ipv4_address: 172.25.0.10    
   stubby:
       #image: tschaffter/getdns-stubby
       image: carterfields/stubby
       restart: unless-stopped
       volumes:
         - '/home/stubby.yml:/usr/local/etc/stubby/stubby.yml'
       networks:
         adguard_local_network:
           ipv4_address: 172.25.0.11 # this will be your AdGuard Upstream DNS Server. Settings > DNS > Upstream DNS Settings

networks:
 adguard_local_network:
   external: true

This AdGuard / Stubby file can be found here:
https://code.dbt3ch.com/k0oSo2VS

Setting Upstream DNS

Now login to your ad-blocker and set the upstream server to the IP address of the stubby container’s local_network that was defined in the docker-compose files from earlier.

Pi-Hole: /admin/settings.php?tab=dns
AdGuard: /#dns

Special Thanks

Thanks to Mattchis for his help on this!

His socials are the following:
Twitter: mattchis
Mastodon: @[email protected]
Github: mattchis

Timestamps

Intro

0:00 Intro

2:01 Pre-emptive DNS Fix

Stubby Setup

3:53 Configuring stubby.yml

5:52 Side Note

Pi-Hole Setup and Config

6:20 Creating Pi-Hole Network

7:22 Creating Pi-Hole Docker-Compose

10:43 Deploying Pi-Hole and stubby

11:43 Troubleshooting

13:52 Logging Into Pi-Hole

14:20 Configuring Upstream DNS

15:05 Changing Local DNS to Point to Pi-Hole

16:51 Testing Ad Blocking

AdGuard Setup and Config

18:59 Getting into AdGuard

19:33 Creating AdGuard Network

20:16 Creating AdGuard Docker-Compose

24:09 Deploying AdGuard and Stubby

25:05 First Configuring of AdGuard

25:38 Logging into AdGuard

25:41 Configuring Upstream DNS

26:46 Changing Local DNS to Point to AdGuard

27:06 Testing Ad Blocking

28:03 Troubleshooting

28:31 Validating Fix