Describe AdGuard Home encryption #401

Open
EugeneOne1 wants to merge 5 commits into master from AGDNS-3568-home-encryption

@EugeneOne1
Member

Moving pages from wiki.

Contributor

@windsurf-bot bot left a comment

💡 To request another review, post a new comment with "/windsurf-review".

@EugeneOne1
Member Author

In faq.md (and getting-started.md) links to the GitHub wiki page should be changed to the KB.

Contributor

@ainar-g left a comment

docs/adguard-home/encryption.md:127:235 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/adguard-home/encryption.md:147:442 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/adguard-home/encryption.md:200:36 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/adguard-home/encryption.md:200:63 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]


:::

This guide explains how to setup a "Secure DNS" server with AdGuard Home.

Contributor

I'd replace "Secure DNS" with encrypted DNS without the quotation marks.


### Android

- Android 9 supports `DNS-over-TLS` natively. To configure it, go to *Settings* → *Network & internet* → *Advanced* → *Private DNS* and enter your domain name there.

Contributor

9 and above

?


### iOS

- iOS 14 and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to *Setup Guide* → *DNS Privacy* and scroll to iOS.

Contributor

Same?


## Configuring DNSCrypt {#configure-dnscrypt}

Since v0.105.0, AdGuard Home is able to work as a DNSCrypt server. However, this feature is only available via configuration file, and can't be set up using the Web UI. This guide explains how to do this.

Contributor

I don't think that mention of the version is necessary anymore.


Here is how to generate a DNSCrypt configuration file and point AdGuard Home to it:

1. :::info Important

Contributor

Weird list. Perhaps, leave the Info outside of the list?

@github-actions

Preview was deployed to: https://pull-request-401.kb-dns.pages.dev/

@EugeneOne1 requested a review from ainar-g on February 25, 2026 12:20

:::note

AdGuard Home also supports [DNSCrypt][dnscrypt-info] (both client-side and server-side). See [this section](#configure-dnscrypt) to learn about configuring AdGuard Home as a DNSCrypt server.

Contributor

Suggested change
AdGuard Home also supports [DNSCrypt][dnscrypt-info] (both client-side and server-side). See [this section](#configure-dnscrypt) to learn about configuring AdGuard Home as a DNSCrypt server.
AdGuard Home supports both client-side and server-side [DNSCrypt][dnscrypt-info]. [Learn how to configure AdGuard Home as a DNSCrypt server](#configure-dnscrypt).


## Server installation {#server-installation}

The purpose of securing the DNS traffic is to secure it from third-parties that might be analyzing or modifying it, e.g. from ISP.

Contributor

Suggested change
The purpose of securing the DNS traffic is to secure it from third-parties that might be analyzing or modifying it, e.g. from ISP.
The purpose of securing the DNS traffic is to secure it from third parties that might be analyzing or modifying it, e.g., from ISP.


## Get an SSL certificate {#certificate}

Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption][tls-wikipedia] so in order to use them, you will need to acquire an SSL certificate.

Contributor

Suggested change
Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption][tls-wikipedia] so in order to use them, you will need to acquire an SSL certificate.
Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption][tls-wikipedia], so you will need an SSL certificate to use them.


Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption][tls-wikipedia] so in order to use them, you will need to acquire an SSL certificate.

An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.

Contributor

Suggested change
An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.
An SSL certificate can be bought from a Certificate Authority (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.


An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.

Alternatively, you can get the certificate for free from ["Let's Encrypt" CA][letsencrypt], a free certificate authority developed by the Internet Security Research Group (ISRG).

Contributor

Suggested change
Alternatively, you can get the certificate for free from ["Let's Encrypt" CA][letsencrypt], a free certificate authority developed by the Internet Security Research Group (ISRG).
Alternatively, you can get the certificate for free from the [Lets Encrypt CA][letsencrypt], a free certificate authority developed by the Internet Security Research Group (ISRG).

There's also a really nice and easy-to-use alternative to CertBot called [LEGO][lego-source].

1. Install it using [an appropriate method][lego-install].
1. Choose your DNS provider from [the list][lego-provider] and follow the instruction to obtain a certificate.

Contributor

Suggested change
1. Choose your DNS provider from [the list][lego-provider] and follow the instruction to obtain a certificate.
1. Choose your DNS provider from [the list][lego-provider] and follow the instructions to obtain a certificate.

1. Install it using [an appropriate method][lego-install].
1. Choose your DNS provider from [the list][lego-provider] and follow the instruction to obtain a certificate.

Also, here's [a simple script][legoagh] that you can use to automate certificates generation and renewal.

Contributor

Suggested change
Also, here's [a simple script][legoagh] that you can use to automate certificates generation and renewal.
Also, heres [a simple script][legoagh] that you can use to automate certificates generation and renewal.


:::note

If a certificate and/or a private key is specified by file path, AdGuard Home will automatically reload them when they change. The reload may also be triggered by a SIGHUP signal.
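
Review bot: "The reload may also be triggered by a SIGHUP signal" does not say what receives the signal; write it as sending SIGHUP to the AdGuard Home process. The first sentence also covers only a certificate or key "specified by file path", so the note should say whether material supplied any other way is picked up after a renewal or needs a restart, since a reader automating renewal will rely on this paragraph.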

Contributor

Suggested change
If a certificate and/or a private key is specified by file path, AdGuard Home will automatically reload them when they change. The reload may also be triggered by a SIGHUP signal.
AdGuard Home will automatically reload certificates and/or private keys specified by file path when they change. A reload may also be triggered by a SIGHUP signal.


We already have a [guide][reverse-proxy-faq] on configuring a reverse proxy server for accessing AdGuard Home web UI.

AdGuard Home is able to restrict DNS-over-HTTPS requests which came from the proxy server not included into "trusted" list. By default, it's configured to accept requests from IPv4 and IPv6 loopback addresses.
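
Review bot: In the sentence starting "AdGuard Home is able to restrict DNS-over-HTTPS requests", the phrase "which came from the proxy server not included into "trusted" list" never states what happens to such a request. This paragraph describes the control that decides whose forwarded requests are accepted, so spell out the outcome for a proxy outside the list and name the configuration setting that holds the list, next to the loopback default the second sentence already gives.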

Contributor

please use quote marks and apostrophes according to our editorial policy

Contributor

(here and below)


:::note

Enter the host with your custom port!

Contributor

Suggested change
Enter the host with your custom port!
Enter the host with your custom port.

@ainar-g self-assigned this on Feb 27, 2026

@github-actions

Preview was deployed to: https://pull-request-401.kb-dns.pages.dev/
