#
Adding DoT support
#
Adding DNS entry
The Cloudflare proxies only support traffic on a limited set of ports. The DoT port is not one of these, which means we cannot route our DoT requests through the proxy. To solve this, you need to create a new, separate DNS entry in Cloudflare for the subdomain you want to serve DNS requests on. As before, we will be using dns.your.domain
as our example.
To do this, open dash.cloudflare.com, navigate to your website and the DNS settings page. There, click Add record
and create four entries:
The wildcard entries are required for user authentication down the line. Should your server not have an IPv4 or IPv6 address, you may skip the related entries.
It is integral to disable the Cloudflare Proxy for all of the entries you create here.
#
Adjusting the Firewall
The following steps only apply to you if you've followed the instructions under Firewall Setup, or have done your own changes to the Firewall.
Your firewall should currently only allow traffic on port 443 coming from Cloudflare IPs, and on your SSH port coming from any IP. Since DoT traffic runs on its own port 853, you need to add another firewall exception for this port and from any IP. Only then can devices anywhere freely access the DNS server.
As the firewall restricts access on port 443 to the Cloudflare servers, and the dns.your.domain
DNS entry bypasses that proxy, the AdGuard dashboard is also no longer reachable under this address. The dns.
subdomain is now exclusive for DNS DoT traffic, nothing else. To get back into the AdGuard page, you need to create a new, separate host for it, e.g. adguard.your.domain
. It uses the same adguard
hostname and 443
port as before, and the regular Cloudflare SSL certificate.
To summarize:
dns.your.domain
allows access to the DoT port 853. Use this address in clients that are supposed to use DoT.adguard.your.domain
runs through Cloudflare and allows access to the AdGuard dashboard, as well as DoH.
If you want to remove this split, you have to remove the firewall rule limiting access to port 443, and allow any IP to access that port. You can then use both DoT and DoH on the dns.your.domain
address. As a side-effect, DoH-requests bypass the Cloudflare proxy, reducing the response time.
Since both DoH and DoT require an encrypted connection, and therefore access via the web address, removing the restriction on port 443 should not pose any security risk. Nonetheless, if you find an alternative approach that enables only the DNS traffic to be allowed from any IP, please open a GitHub issue.
#
Exposing port 853
The compose file from the main guide already had the lines for exposing port 853 included, but commented out. To use port 853, you need to expose it on the container first. To do this, open the compose.yml
in your text editor, and remove the #-signs from the two lines related to the port 853:
services:
adguard:
image: adguard/adguardhome
container_name: adguard
restart: unless-stopped
ports:
- 853:853/tcp
volumes:
- work:/opt/adguardhome/work
- conf:/opt/adguardhome/conf
- nginx_nginx:/opt/adguardhome/cert:ro
networks:
- nginx_default
volumes:
work:
conf:
nginx_nginx:
external: true
networks:
nginx_default:
external: true
To apply these changes, save and quit out of the editor and run docker compose up -d
again. No need to shut down the container first, it will simply be recreated. If you want, you can run docker port adguard
and/or lsof -Pni | grep docker
to confirm that the port 853 has successfully been opened.
#
Configuring AdGuard
All you need to adjust in AdGuard to allow for DoT use is adding the port in the settings page. To do this, open the dashboard, go to Settings
> Encryption
and enter "853" into the DNS-over-TLS port
field. Confirm your changes with the "Save" button at the bottom.
#
Using AdGuards DoT
With this, you've finished setting up AdGuard to resolve DoT requests. To use it, switch to the Setup Guide
tab at the top, followed by the DNS Privacy
tab below, and read about how to set it up on the different devices.
Note also that you're encouraged to use Client IDs, which are additional identifiers to keep apart devices, enhance logging and statistics, and enable fine-grained access controls. To use Client IDs with DoT, add an additional subdomain in front of the DNS subdomain when supplying the DNS address.
For example, instead of entering dns.your.domain
, enter phone.dns.your.domain
. This way, the requests coming from this phone will show up as a separate entry. This will be especially important when you want to secure your server against unauthorized use.