Pure tinkering: Linux + AdGuardHome + smartdns for instant page loads, DNS caching and ad blocking
Reposted from
https://www.right.com.cn/FORUM/thread-4043333-1-2.html
I posted an AdGuardHome setup tutorial in the 新三 (Newifi 3) section before. After long-term use my conclusion is that the 新三, because of its memory and other limits, still cannot get the full benefit of AdGuardHome even with a USB stick mounted.
After continuous testing, I have tried the following setups one after another:
- AdGuardHome on the 新三, AdGuardHome + SmartDNS resolution, and kpr ad blocking alone. Final verdict: the 新三 is simply too weak; the hardware holds good software back.
- AdGuardHome alone on a soft router. In principle this gives DNS resolution and ad blocking, but after a while the network goes haywire: some sites resolve to overseas addresses and ping climbs past 1000 ms. Lovely.
- AdGuardHome + smartdns on a soft router with Passwall domestic/overseas split, resolving through different ports. This is fairly stable and smooth, but there is one problem: whenever a major OpenWrt update arrives that cannot keep the configuration, everything has to be configured again. The question is how to pull this part out so that, whatever happens to the system, it is set up again in a few simple steps.
In the end, after testing Linux + Pi-hole + smartdns, Linux + AdGuardHome, Linux + SmartDNS and Linux + Smartdns + AdGuardHome, I settled on Linux + Smartdns + AdGuardHome as the best option. Everything below follows this approach, and it is the only one I currently recommend.
Most beginners can simply use smartdns or AdGuardHome alone on OpenWrt, or even the ISP's DNS directly, and barely notice a difference in daily use. Pages opening instantly may count as one; public DNS is not as fast as the ISP's own, and fewer ads is real, but it is really not worth all this fuss for a small speed gain. This is for people who enjoy tinkering.
As you can see, although many filters are loaded, the average processing time per query is 28 ms. Running AdGuardHome alone on OpenWrt with many filters enabled, it was usually over a hundred ms or more and grew over time; with this setup the first lookups right after installation take 100-odd ms and it gets faster with use, because the Linux box works as a DNS cache server.
1. Required tools and software:
- A soft router with ESXi or PVE already installed (the principle is the same)
- A Linux system image; after some comparison I recommend Debian 10
- An OpenWrt system
- A pair of nimble hands and a thinking brain
Debian installation and configuration
- Download the official minimal Debian 10 image debian-10.4.0-amd64-netinst.iso and install it.
- Install the usual tools
apt-get install wget curl vim
- Edit the sshd configuration with vim so that root may log in and Debian can be reached from an external SSH client
vi /etc/ssh/sshd_config
change #PermitRootLogin prohibit-password to PermitRootLogin yes
then restart the ssh service: /etc/init.d/ssh restart
- Check Debian's current IP address; here it turned out to be 10.10.10.196
2. Installing smartdns and AdGuardHome
- Download smartdns
wget https://github.com/pymumu/smartdns/releases/download/Release31/smartdns.1.2020.05.04-0005.x86_64-linux-all.tar.gz
- Unpack the archive
tar xvf smartdns.1.2020.05.04-0005.x86_64-linux-all.tar.gz
- Make the installer executable
chmod +x ./smartdns/install
- Install smartdns
./smartdns/install -i
- Configure smartdns by editing /etc/smartdns/smartdns.conf
# dns server name, default is host name
# server-name,
# example:
# server-name smartdns
#
# Include another configuration options
# conf-file [file]
# conf-file blacklist-ip.conf
# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
# bind udp server
# bind [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tcp server
# bind-tcp [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# option:
# -group: set domain request to use the appropriate server group.
# -no-rule-addr: skip address rule.
# -no-rule-nameserver: skip nameserver rule.
# -no-rule-ipset: skip ipset rule.
# -no-speed-check: do not check speed.
# -no-cache: skip cache.
# -no-rule-soa: Skip address SOA(#) rules.
# -no-dualstack-selection: Disable dualstack ip selection.
# -force-aaaa-soa: force AAAA query return SOA.
# example:
# IPV4:
# bind :53
# bind :6053 -group office -no-speed-check
# IPV6:
# bind [::]:53
# bind-tcp [::]:53
# port 8053 answers from the china group, port 7053 from the out group
# (a bind keeps only the last -group given, so name one group per line)
bind [::]:8053 -group china -no-speed-check -no-dualstack-selection
bind-tcp [::]:8053 -group china -no-speed-check -no-dualstack-selection
bind [::]:7053 -group out -no-speed-check -no-dualstack-selection
bind-tcp [::]:7053 -group out -no-speed-check -no-dualstack-selection
# tcp connection idle timeout
# tcp-idle-time [second]
# dns cache size
# cache-size [number]
# 0: for no cache
cache-size 0
# prefetch domain
# prefetch-domain [yes|no]
# prefetch-domain yes
# cache serve expired
# serve-expired [yes|no]
# serve-expired yes
# cache serve expired TTL
# serve-expired-ttl [num]
# serve-expired-ttl 0
# List of hosts that supply bogus NX domain results
# bogus-nxdomain [ip/subnet]
# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
# blacklist-ip [ip/subnet]
# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
# whitelist-ip [ip/subnet]
# List of IPs that will be ignored
# ignore-ip [ip/subnet]
# speed check mode
# modes are comma separated: ping first, then tcp connect to 443 and 80
speed-check-mode ping,tcp:443,tcp:80
# example:
# speed-check-mode ping,tcp:80
# speed-check-mode tcp:443,ping
# speed-check-mode none
# force AAAA query return SOA
force-AAAA-SOA yes
# Enable IPV4, IPV6 dual stack IP optimization selection strategy
# dualstack-ip-selection-threshold [num] (0~1000)
# dualstack-ip-selection [yes|no]
# dualstack-ip-selection yes
# edns client subnet
# edns-client-subnet [ip/subnet]
# edns-client-subnet 192.168.1.1/24
# edns-client-subnet [8::8]/56
# ttl for all resource record
# rr-ttl: ttl for all record
# rr-ttl-min: minimum ttl for resource record
# rr-ttl-max: maximum ttl for resource record
# example:
# rr-ttl 300
# rr-ttl-min 60
# rr-ttl-max 86400
# set log level
# log-level: [level], level=fatal, error, warn, notice, info, debug
# log-file: file path of log file.
# log-size: size of each log file, support k,m,g
# log-num: number of logs
log-level info
# log-file /var/log/smartdns.log
# log-size 128k
# log-num 2
# dns audit
# audit-enable [yes|no]: enable or disable audit.
# audit-enable yes
# audit-SOA [yes|no]: enable or disable log soa result.
# audit-size size of each audit file, support k,m,g
# audit-file /var/log/smartdns-audit.log
# audit-size 128k
# audit-num 2
# certificate file
# ca-file [file]
# ca-file /etc/ssl/certs/ca-certificates.crt
# certificate path
# ca-path [path]
# ca-path /etc/ss/certs
# remote udp dns server list
# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
# default port is 53
# -blacklist-ip: filter result with blacklist ip
# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted.
# -check-edns: result must exist edns RR, or discard result.
# -group [group]: set server to group, use with nameserver /domain/group.
# -exclude-default-group: exclude this server from default group.
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
server 8.8.8.8:53 -group out
server 208.67.222.222:53 -group out
server 166.111.8.28:53 -group out
#server xxx.xxx.xxx.xxx:53
#server xxx.xxx.xxx.xxx:53  (these two are the ISP's DNS servers; replace them with your own, they differ per ISP and region)
server 114.114.114.114:53 -group china
server 119.29.29.29:53 -group china
server 180.76.76.76:53 -group china
server 1.2.4.8:53 -group china
server 223.5.5.5:53 -group china
# remote tcp dns server list
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
# default port is 53
# server-tcp 8.8.8.8
# remote tls dns server list
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
# -spki-pin: TLS spki pin to verify.
# -tls-host-verify: cert hostname to verify.
# -host-name: TLS sni hostname.
# -no-check-certificate: no check certificate.
# Get SPKI with this command:
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# default port is 853
# server-tls 8.8.8.8
# server-tls 1.0.0.1
server-tls 8.8.8.8:853 -group out
server-tls 149.112.112.112:853 -group out
server-tls 208.67.222.222:853 -group out
# DoH URLs belong to server-https; server-tls only takes IP:port
server-https https://i.233py.com/dns-query -group out
server-https https://dns.233py.com/dns-query -group out
# remote https dns server list
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
# -spki-pin: TLS spki pin to verify.
# -tls-host-verify: cert hostname to verify.
# -host-name: TLS sni hostname.
# -http-host: http host.
# -no-check-certificate: no check certificate.
# default port is 443
# server-https https://cloudflare-dns.com/dns-query
server-https https://dns.quad9.net/dns-query -group out
server-https https://cloudflare-dns.com/dns-query -group out
server-https https://dns.google/dns-query -group out
server-https https://doh.opendns.com/dns-query -group out
# specific nameserver to domain
# nameserver /domain/[group|-]
# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
# nameserver /www.example.com/-, ignore this domain
# specific address to domain
# address /domain/[ip|-|-4|-6|#|#4|#6]
# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all
# enable ipset timeout by ttl feature
# ipset-timeout [yes]
# specific ipset to domain
# ipset /domain/[ipset|-]
# ipset /www.example.com/block, set ipset with ipset name of block
# ipset /www.example.com/-, ignore this domain
# set domain rules
# domain-rules /domain/ [-speed-check-mode [...]]
# rules:
# -speed-check-mode [mode]: speed check mode
# speed-check-mode [ping|tcp:port|none|,]
# -address [address|-]: same as address option
# -nameserver [group|-]: same as nameserver option
# -ipset [ipset|-]: same as ipset option
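As an added check (not part of the original post and not smartdns's own tooling), this Python script lints the split-port layout above: it flags a bind line carrying more than one -group (smartdns keeps only the last), a bound group with no upstream server, a server-tls entry given a DoH URL, and upstreams listed twice. The sample config is constructed and deliberately contains those mistakes.

```python
import shlex

# Constructed sample: the page's port layout plus the mistakes its first draft contained
SAMPLE_CONF = """\
bind [::]:8053 -group china -no-speed-check -group out -no-dualstack-selection
bind-tcp [::]:7053 -no-speed-check -group out
bind [::]:6053 -group office
server 114.114.114.114:53 -group china
server 1.2.4.8:53 -group china
server 1.2.4.8:53 -group china
server-tls 8.8.8.8:853 -group out
server-tls https://i.233py.com/dns-query:853 -group out
"""


def parse(conf):
    """Return (binds, servers): binds = [(port, [groups])], servers = [(keyword, target, group)]."""
    binds, servers = [], []
    for raw in conf.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])  # comment stripped; blank lines give []
        if len(parts) < 2:
            continue
        key, args = parts[0], parts[1:]
        # every "-group NAME" pair on the line, in order (smartdns keeps only the last for a bind)
        groups = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-group"]
        if key in ("bind", "bind-tcp"):
            binds.append((args[0].rsplit(":", 1)[-1], groups))
        elif key in ("server", "server-tcp", "server-tls", "server-https"):
            servers.append((key, args[0], groups[-1] if groups else "default"))
    return binds, servers


def lint(conf):
    """Return human-readable findings; an empty list means the layout is consistent."""
    binds, servers = parse(conf)
    served = {group for _, _, group in servers}
    findings = []
    for port, groups in binds:
        if len(groups) > 1:
            findings.append(f"port {port}: several -group options, only '{groups[-1]}' would apply")
        for group in groups:
            if group not in served:
                findings.append(f"port {port}: group '{group}' has no upstream server")
    seen = set()
    for key, target, group in servers:
        if key == "server-tls" and target.startswith("https://"):
            findings.append(f"{target}: server-tls takes IP:port, a DoH URL belongs to server-https")
        if (key, target, group) in seen:
            findings.append(f"{target}: listed twice in group '{group}'")
        seen.add((key, target, group))
    return findings
```

Run lint() on the contents of /etc/smartdns/smartdns.conf before restarting the service; each finding names the port or upstream to fix.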
- Download the official AdGuardHome
wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.102.0/AdGuardHome_linux_amd64.tar.gz
- Unpack AdGuardHome
tar xvf AdGuardHome_linux_amd64.tar.gz
- Point Debian's own DNS at the local service: in FinalShell edit /etc/resolv.conf and change the default nameserver to 127.0.0.1. Pay attention to this step, otherwise the box keeps using the router's DNS.
- Enter the AdGuardHome directory
cd AdGuardHome
- Install AdGuardHome
./AdGuardHome -s install
- Configure AdGuardHome
Log in to the AdGuardHome web interface at ip:3000
If you are a beginner and don't know how to configure it once inside, download my configuration instead; DNS resolution and ad blocking are already set up, just swap the file in
After replacing the configuration file:
account: root
password: password
Where to replace it: AdGuardHome.yaml in /root/AdGuardHome
The configuration file is as follows:
bind_host: 0.0.0.0
bind_port: 80
users:
- name: root
  password: $2a$10$v6cp8/Bkx/opoIDhPBqHMuiWhBgxJAVNeKrQNSi0dnBS2NhmkYB1q
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_host: 0.0.0.0
  port: 53
  statistics_interval: 90
  querylog_enabled: true
  querylog_interval: 90
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 127.0.0.1:8053
  bootstrap_dns:
  - 0.0.0.0
  all_servers: false
  fastest_addr: true
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts: []
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  filtering_enabled: true
  filters_update_interval: 1
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway
  id: 2
- enabled: true
  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
  name: MalwareDomainList.com Hosts List
  id: 4
- enabled: true
  url: https://hosts.nfz.moe/127.0.0.1/full/hosts
  name: "127"
  id: 1594706759
- enabled: true
  url: https://easylist.to/easylist/easylist.txt
  name: EasyList
  id: 1594706760
- enabled: true
  url: https://easylist-downloads.adblockplus.org/easylistchina.txt
  name: EasyList China
  id: 1594706761
- enabled: true
  url: https://easylist-downloads.adblockplus.org/easyprivacy.txt
  name: EasyPrivacy
  id: 1594706764
- enabled: true
  url: https://gitee.com/halflife/list/raw/master/ad.txt
  name: My AdFilters
  id: 1594706770
- enabled: true
  url: https://gitee.com/xinggsf/Adblock-Rule/raw/master/rule.txt
  name: chengfeng
  id: 1594706771
- enabled: true
  url: https://gitee.com/xinggsf/Adblock-Rule/raw/master/mv.txt
  name: chegfengmv
  id: 1594706772
- enabled: true
  url: https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
  name: Adblock Warning Removal List
  id: 1594706774
- enabled: true
  url: http://git.oschina.net/halflife/list/raw/master/ad.txt
  name: My AdFilters
  id: 1594706775
- enabled: true
  url: https://gitee.com/privacy-protection-tools/anti-ad/raw/master/easylist.txt
  name: an
  id: 1594706776
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  gateway_ip: ""
  subnet_mask: ""
  range_start: ""
  range_end: ""
  lease_duration: 86400
  icmp_timeout_msec: 1000
clients: []
log_file: ""
verbose: false
schema_version: 6
3. Router settings
- Open OpenWrt -> Network -> Firewall -> Custom Rules and comment out the firmware's built-in port 53 DNS rule
- OpenWrt -> Turbo ACC network acceleration settings -> turn DNS acceleration off
- OpenWrt -> Network -> DHCP and DNS -> clear the DNS forwardings field; leave nothing in it
- OpenWrt -> Network -> Interfaces -> LAN settings -> use custom DNS servers
- OpenWrt -> Network -> Interfaces -> LAN settings -> Advanced Settings -> remove the DHCP options; some of you may previously have used smartdns's DNS advertisement on a different port, so it has to be cleared here
- OpenWrt -> VPN/proxy settings -> hand everything DNS-related to the address of the Debian box installed above
4. Notes from configuration and use
Adding DNS servers to SmartDNS is time-consuming and fiddly: the DNS addresses must be specified by hand with both TCP and UDP entries, and one wrong entry can freeze the router system or even force a reflash.
AdGuard Home uses a web login, so it can be configured on its own without depending on the router system. The key point is that its DNS settings accept list sources that update automatically, and a local list can be entered by pasting it in as commands. It also has a prefetch mechanism, for which the local ISP's DNS should be chosen as the resolver, configured with the :53 port after the address. If you look closely, enabling a setting takes effect instantly and "upstream DNS updated" appears at once, which feels many times faster than SmartDNS, where you have to save, apply and reload.
AdGuard Home adds an ad-filter-list feature. Filter rules can be found online or written yourself, but once enabled they make demands on the router's CPU and cache, so it is best to add a USB stick to hold the list cache.
The fastest DNS resolution is not the same for everyone; choose according to your local ISP. Use a DNS benchmark tool such as DNSBench to find the resolvers that are fast for you and add them to the list.
AdGuard Home's performance can be tuned further:
Two parameters noticeably raise QPS:
- ratelimit: DDoS protection, the number of packets per second accepted from a client. Disabling it (setting the value to 0) is recommended; the default is 20. This is only sensible while the resolver is reachable from your own LAN alone, since the limit is what protects a resolver exposed to the internet from abuse.
- blocked_response_ttl: TTL cache time for blocked responses; 60 is recommended
Some advanced "black-tech" features worth digging into
Reposted from: https://www.right.com.cn/forum/thread-2559810-1-2.html
AdGuard Home specialises in ad blocking and SmartDNS in DNS grouping; the two can now be used together on one router.
- SmartDNS is configured with two groups on different ports for different policy needs, e.g. one domestic group and one overseas group, and Passwall's trick is used to resolve one set through the domestic port and the other through the overseas port.
Passwall must be a version with DNS hijacking and grouping; the newest version I can share is luci-app-passwall_3.6-19_all
bind: 8053 -group cn   (the port number 8053 can be chosen freely; cn is the name of the DNS group)
bind: 5335 -group usa  (likewise, this is the other group)
This gives the ideal result: traffic is filtered of ads by AdGuard Home, and SmartDNS distinguishes the first and second group of DNS addresses handed to Passwall, so each scenario finds its fastest DNS route and the poor experience of using a single DNS group is avoided.
- Here is the key point: in SmartDNS's basic settings the redirect mode must be set to None!!
A forum member earlier posted about redirecting port 53 to SmartDNS. I found this was wrong: ad blocking was lost and videos started to stutter. Querying with commands confirmed many "NO answer" cases, and my analysis is that port 53 takes priority over the port AdGuard Home uses as dnsmasq's upstream server.
After changing the redirect mode back, addresses resolved quickly.
AdGuard Home on its own port will of course also occupy a redirect mode, and it should be the one chosen as dnsmasq's upstream server; use a different port number to avoid conflicts. PS: since SmartDNS grouping already does the DNS optimisation, there is no need to enable "query all upstream servers in parallel to speed up resolution" in AdGuard Home's DNS settings.
Parallel queries are expensive on a hardware router: CPU and memory use get very high, even sitting at 100% for long periods. On a soft router it doesn't matter, since you can assign CPU and memory as generously as you like, so the problem is small.
The principle is this: the fastest DNS that AdGuard Home's parallel query picks does not necessarily satisfy your low-profile browsing needs; the fastest one is usually a domestic DNS address.
For exactly this reason, using a single class of DNS group on its own often meant refreshing pages to find the fastest DNS address, causing drops or slowdowns and a poor experience.
- Even with SmartDNS alone, AdGuard Home's anti-ad rules can be linked in.
In SmartDNS's custom settings enter conf-file /etc/smartdns/anti-ad-for-smartdns.conf, download the SmartDNS configuration file that links the AdGuard Home rules from the web and upload it with PuTTY, a shell or MobaXterm to /etc/smartdns/ on the router; this gives you DNS anti-pollution, jumping from a security score of 30 straight to a passing grade. A test site that helps is the Russian https://checkadblock.ru/
The configuration file URL is https://gitee.com/privacy-protection-tools/anti-ad/raw/master/anti-ad-for-smartdns.conf
Using SmartDNS alone and testing on https://checkadblock.ru/: the full ad-blocking score is 100.
SmartDNS alone, linked to the ADH rules through that one command line, is enough to pass.
Using SmartDNS's grouped anti-pollution DNS together with AdGuard Home's ad-filter rules, test in the browser's private or incognito mode as well.
Upstream DNS servers: fill this field with your chosen upstreams. AdGuard Home accepts plain IP, tcp://, tls://, https:// (DoH) and sdns:// stamp entries, and the original post fills it with a long mixed list of all of these.
Ad filter rules to add:
- EasyList China: the main rule set for ads on domestic (Chinese) sites.
  Link: https://easylist-downloads.adblockplus.org/easylistchina.txt
- EasyPrivacy: privacy protection, stops tracking.
  Link: https://easylist-downloads.adblockplus.org/easyprivacy.txt
- CJX's Annoyance List: filters annoying self-promotion and supplements the EasyPrivacy rules.
  Link: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
- 广告净化器规则 (Ad Purifier rules): ad filtering for most domestic video sites.
  Link: http://tools.yiclear.com/ChinaList2.0.txt
- I don't care about cookies: hides the cookie-consent warnings on websites.
  Link: https://www.i-dont-care-about-cookies.eu/abp/
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.