adguard-home-settings

My recommendations for the ultimate AdGuard Home Configuration :)

For AdGuard DNS, see here.

NOTE: This project can be found on both Codeberg, which will act as the main & preferred way to contribute, and GitHub.

General settings

Block domains using filters and hosts files -> ✅

Filter update interval -> 1 hour (You can set this to 12 hours if it causes you any issues)

Use AdGuard browsing security web service -> ❌ (See DNS settings below)

Enable log -> ✅ (Having logs on is important for troubleshooting breakage)

Anonymize client IP -> ✅

Query logs rotation -> Custom -> 1 hour

Make sure to select Save.

Enable statistics -> ✅

Statistics retention -> Custom -> 1 hour

Make sure to select Save.

DNS settings

Upstream DNS servers ->

I would strongly recommend setting this to be Quad9 for the following reasons:

  • ⭐️ Based in Switzerland
  • ⭐️ Non-profit
  • ⭐️ Extremely effective at blocking malicious domains and threats right as they arise, more so than AdGuard's protection above and most other DNS providers; see here for a comparison.

Therefore, I would recommend setting this box to:

https://dns.quad9.net/dns-query

tls://dns.quad9.net

Make sure no other entries are present, so that Quad9's blocking is not bypassed.


Parallel requests -> ✅

Fallback DNS servers -> Leave empty

Bootstrap DNS servers -> Remove any entries that are already present, and set this box to the following for Quad9:

9.9.9.9

149.112.112.112

2620:fe::fe

2620:fe::9

You can now select Test upstreams to ensure that you configured this correctly, and then don't forget to select Apply.


Rate limit -> 0

Enable EDNS client subnet -> ❌

Enable DNSSEC -> ✅

Disable resolving of IPv6 addresses -> ❌ (Should be default, IPv6 is important)

Blocking mode -> Default (Other options can cause issues)

Select Save.

Encryption settings

This is out of scope for this guide; I'll probably make a separate guide dedicated just to setting this up. In the meantime, here's AdGuard's documentation on this. I would recommend configuring it if possible.


The following settings are under Filters

DNS blocklists

Here's where it gets fun.

Despite popular opinion, due to the reasons WaLLy3K has listed here, I think it's a good idea to use multiple lists and sources, rather than just limiting yourself to one or two giant lists. I myself constantly notice domains being blocked that were caught by only one or two lists and missed by others. I'm not saying you should go overboard, but I do think it's a good idea to use a variety of high quality lists for the best coverage possible.

I would generally recommend using the following built-in lists:

  • ⭐️ AdAway Default Blocklist (Appears to be included, but not checked/enabled by default or even listed on the selection screen here)

General

  • ⭐️ AdGuard DNS filter (Enabled by default)

  • ⭐️ AdGuard DNS Popup Hosts filter

  • ⭐️ AWAvenue Ads Rule

  • ⭐️ Dan Pollock's List

  • ⭐️ HaGeZi's Pro++ Blocklist

  • ⭐️ OISD Blocklist Big

  • ⭐️ Peter Lowe's Blocklist

  • ⭐️ Steven Black's List

If you're fine with a little breakage, I would highly recommend using HaGeZi's Ultimate Blocklist instead of HaGeZi's Pro++ Blocklist.

Other

  • ⭐️ Dandelion Sprout's Anti Push Notifications

  • ⭐️ Dandelion Sprout's Game Console Adblock List

  • ⭐️ HaGeZi's Allowlist Referral (See Custom filtering rules section below)

  • ⭐️ Perflyst and Dandelion Sprout's Smart-TV Blocklist

  • ⭐️ WindowsSpyBlocker - Hosts spy rules

Security

  • ⭐️ Phishing URL Blocklist (PhishTank and OpenPhish)

  • ⭐️ Dandelion Sprout's Anti-Malware List

  • ⭐️ HaGeZi's Badware Hoster Blocklist

  • ⭐️ HaGeZi's DynDNS Blocklist

  • ⭐️ HaGeZi's The World's Most Abused TLDs (Causes rare breakage but heavily improves security, I've seen this work in real-time, blocking scam/spam domains before they were picked up by any lists)

  • ⭐️ HaGeZi's Threat Intelligence Feeds

  • ⭐️ NoCoin Filter List

  • ⭐️ Phishing Army

  • ⭐️ Scam Blocklist by DurableNapkin

  • ⭐️ ShadowWhisperer's Malware List

  • ⭐️ Stalkerware Indicators List

  • ⭐️ The Big List of Hacked Malware Web Sites

  • ⭐️ uBlock filters - Badware risks

  • ⭐️ Malicious URL Blocklist (URLHaus)

Custom lists

I would additionally recommend adding the following lists:

  • ⭐️ Admiral: https://v.firebog.net/hosts/Admiral.txt

  • ⭐️ Ad Wars: https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts

  • ⭐️ anudeepND's Blacklist: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt

  • ⭐️ My BadBlock: https://badblock.celenity.dev/abp/badblock.txt

  • ⭐️ CAMELEON: https://sysctl.org/cameleon/hosts

  • ⭐️ CoinBlocker: https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser

  • ⭐️ DeveloperDan Ads & Tracking: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

  • ⭐️ Digital Side Threat Intel: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

  • ⭐️ Divested Combined Blocklist: https://divested.dev/hosts-domains-wildcards

  • ⭐️ EasyList: https://v.firebog.net/hosts/Easylist.txt

  • ⭐️ EasyPrivacy: https://v.firebog.net/hosts/Easyprivacy.txt

  • ⭐️ Feodo Tracker Abuse: https://feodotracker.abuse.ch/downloads/ipblocklist.txt

  • ⭐️ FMHY Unsafe sites filterlist - Plus: https://raw.githubusercontent.com/fmhy/FMHYFilterlist/main/filterlist.txt

  • ⭐️ FrogEye First Party Trackers: https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt

  • ⭐️ HaGeZi's Encrypted DNS Servers: https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/doh.txt

  • ⭐️ HaGeZi/xRuffKez's Newly Registered Domains (14 days): https://raw.githubusercontent.com/xRuffKez/NRD/main/lists/14-day/adblock/nrd-14day_adblock.txt

  • ⭐️ HaGeZi's Threat Intelligence Feeds - IPs: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif-ips.txt

  • ⭐️ hBlock: https://hblock.molinero.dev/hosts_adblock.txt

  • ⭐️ hostsVN: https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts

  • ⭐️ KADhosts: https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt

  • ⭐️ Maltrail Malware Domains: https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt

  • ⭐️ Prigent-Ads: https://v.firebog.net/hosts/Prigent-Ads.txt

  • ⭐️ Prigent-Crypto: https://v.firebog.net/hosts/Prigent-Crypto.txt

  • ⭐️ Prigent-Malware: https://v.firebog.net/hosts/Prigent-Malware.txt

  • ⭐️ Quidsup NoTrack Malware Blocklist: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt

  • ⭐️ Quidsup NoTrack Tracker Blocklist: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt

  • ⭐️ RPiList-Malware: https://v.firebog.net/hosts/RPiList-Malware.txt

  • ⭐️ RPiList-Phishing: https://v.firebog.net/hosts/RPiList-Phishing.txt

  • ⭐️ Spam404: https://raw.githubusercontent.com/Spam404/lists/master/adblock-list.txt

  • ⭐️ Ut1 Cryptojacking Domains: https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/cryptojacking/domains

  • ⭐️ Ut1 Malware Domains: https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/malware/domains

  • ⭐️ Ut1 Phishing Domains: https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/phishing/domains

  • ⭐️ WaLLy3K's Personal Blocklist: https://v.firebog.net/hosts/static/w3kbl.txt

Additionally, if you're fine with a little breakage, I would highly recommend:

  • 1Hosts (Pro): https://o0.pages.dev/Pro/adblock.txt

  • My BadBlock + instead of BadBlock: https://badblock.celenity.dev/abp/badblock_plus.txt

  • HaGeZi's Encrypted DNS Servers - IPs: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-ips.txt

It might seem like a lot, but these are carefully picked high quality lists with strong coverage, and it doesn't really hurt to use multiple like this.

You could also consider, depending on your preference:

  • DeveloperDan's AMP Blocklist: https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt - Blocks AMP websites

  • BadBlock - DRM: https://badblock.celenity.dev/abp/drm.txt - Blocks websites associated with DRM technology/its provisioning

DNS allowlists

I would recommend adding the following here:

  • ⭐️ BadBlock Whitelist: https://badblock.celenity.dev/abp/whitelist.txt

  • ⭐️ HaGeZi's URL Shorteners: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt

Blocked services

You should use this feature to your advantage and block any services that you don't use or care about. This can dramatically improve your privacy by preventing connections to them from even being made. If you use a service, don't block it; just block what you're comfortable with and what works best for you.

I usually block the following:

  • Facebook

  • Instagram (Facebook)

  • LinkedIn

  • QQ

  • Rakuten Viki

  • Snapchat

  • Spotify

  • TikTok

  • Viber (Rakuten)

  • VK.com

  • WeChat

  • WhatsApp (Facebook)

Then select Apply.

Custom filtering rules

While being nice from a usability perspective, HaGeZi's Referral Allowlist and the AdGuard DNS filter list do allow some questionable ad/tracking domains we don't want unblocked. I would recommend adding the following to your filtering rules:

||adservice.google.*^$important

||adsterra.com^$important

||amplitude.com^$important

||analytics.edgekey.net^$important

||analytics.twitter.com^$important

||app.adjust.*^$important

||app.*.adjust.com^$important

||app.appsflyer.com^$important

||doubleclick.net^$important

||googleadservices.com^$important

||guce.advertising.com^$important

||metric.gstatic.com^$important

||mmstat.com^$important

||statcounter.com^$important

Now select Apply.
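Why the `$important` modifier on the rules above matters, as an added example that is not part of the original README: a simplified Python matcher (only `||`, `*`, `^`, `@@` and `$important` are handled) showing that an `$important` block rule wins over a plain allowlist exception. The allowlist and plain block lines in `RULES` are constructed for illustration, and `compile_rule` and `decide` are hypothetical names.

```python
import re

def compile_rule(line):
    """Parse a rule of the simplified form [@@]||pattern^[$modifiers]."""
    text = line.strip()
    allow = text.startswith("@@")
    pattern, _, mods = (text[2:] if allow else text).partition("$")
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError(f"unsupported rule: {text}")
    # '||' anchors at a label boundary, '*' is a wildcard, '^' ends the name.
    glob = re.escape(pattern[2:-1]).replace(r"\*", ".*")
    regex = re.compile(rf"(?:.*\.)?{glob}")
    return regex, allow, "important" in mods.split(","), text

def decide(host, rules):
    """Return (verdict, winning rule) for a queried hostname.

    Priority, highest first: allow+important, block+important, allow, block.
    """
    name = host.lower().rstrip(".")
    best = None
    for regex, allow, important, text in rules:
        if regex.fullmatch(name):
            rank = 2 * important + allow
            if best is None or rank > best[0]:
                best = (rank, allow, text)
    if best is None:
        return "no-match", None
    return ("allowed" if best[1] else "blocked"), best[2]

RULES = [compile_rule(r) for r in (
    # Constructed lines standing in for an allowlist and a blocklist entry.
    "@@||ad.doubleclick.net^",
    "@@||app.eu.adjust.com^",
    "@@||example.org^",
    "||example.org^",
    # Rules taken from the custom filtering rules above.
    "||adservice.google.*^$important",
    "||app.*.adjust.com^$important",
    "||doubleclick.net^$important",
)]

if __name__ == "__main__":
    for host in ("ad.doubleclick.net", "app.eu.adjust.com",
                 "adservice.google.co.uk", "example.org", "notdoubleclick.net"):
        print(host, "->", decide(host, RULES))
```

Without `$important`, the first two hostnames would be allowed by the exception lines; an exception that itself carries `$important` would still take precedence.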

Additional recommendations