DNS Privacy Stack — Resources

Resources¶

Official Documentation¶

Resource	URL	Notes
Unbound docs	unbound.docs.nlnetlabs.nl	Official NLnet Labs documentation
Unbound man page	nlnetlabs.nl/documentation/unbound/unbound.conf	Every config option explained
AdGuard Home wiki	github.com/AdguardTeam/AdGuardHome/wiki	Setup, encryption, configuration
AdGuard encryption guide	AdGuardHome Encryption	DoH/DoT setup for AdGuard
DNS Flag Day	dnsflagday.net	EDNS buffer size recommendations

Guides and Tutorials¶

Resource	URL	Notes
Pi-hole + Unbound guide	docs.pi-hole.net/guides/dns/unbound	Best reference Unbound config (applies to AdGuard too)
Calomel Unbound tutorial	calomel.org/unbound_dns.html	Deep performance tuning guide
AdGuard + Unbound + WireGuard	github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt	Comprehensive self-hosted security guide
Unbound gaming tuning	SNBForums thread	Latency optimization for gaming

Privacy DNS Providers¶

Recommended (No-Log, Non-Five-Eyes)¶

Provider	DoT Address	Logging	Jurisdiction	Extras
Mullvad DNS	`194.242.2.2@853#dns.mullvad.net`	None (Cure53 audited)	Sweden	Also offers ad-blocking variant
Mullvad adblock	`194.242.2.3@853#adblock.dns.mullvad.net`	None	Sweden	Blocks ads + trackers
Quad9	`9.9.9.9@853#dns.quad9.net`	None	Switzerland	Non-profit, malware blocking
Quad9 secondary	`149.112.112.112@853#dns.quad9.net`	None	Switzerland	Anycast redundancy
Quad9 unfiltered	`9.9.9.10@853#dns.quad9.net`	None	Switzerland	No malware filtering
dns0.eu zero	`193.110.81.254@853#zero.dns0.eu`	No personal data	France/EU-only	GDPR-hardened, EU infrastructure only

Other Providers (Use With Caution)¶

Provider	DoT Address	Logging	Jurisdiction	Notes
Cloudflare	`1.1.1.1@853#cloudflare-dns.com`	Partial (24h)	USA	Fast but Five Eyes jurisdiction
Google	`8.8.8.8@853#dns.google`	Yes	USA	Not recommended for privacy

AdGuard Home Fallback DNS¶

These are the encrypted fallback resolvers used by AdGuard Home when Unbound is unavailable:

Priority	Provider	URL	Why
1st	Mullvad DNS	`tls://doh.mullvad.net`	Best anonymity posture, audited
2nd	Quad9	`tls://dns.quad9.net`	Swiss non-profit, reliable
3rd	dns0.eu zero	`tls://zero.dns0.eu`	EU-native, no filtering overlap

ISP DNS Hijacking Detection¶

Resource	URL	Notes
RIPE Labs detection guide	labs.ripe.net	Definitive detection methodology
XDA DNS bypass guide	xda-developers.com	Fixing DNS filter bypass

Blocklists (AdGuard Home)¶

These are the 18 blocklists configured in our setup, organized by category:

Core (Ads & Trackers)¶

List	URL	Notes
AdGuard DNS filter	`https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt`	AdGuard's baseline list
AdAway Default	`https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt`	Mobile ads
OISD Full	`https://big.oisd.nl/`	All-in-one, community-curated, low false positives
HaGeZi Ultimate	`https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/ultimate.txt`	Most aggressive multi-source list
ppfeufer	`https://github.com/ppfeufer/adguard-filter-list/raw/master/blocklist`	Additional coverage

Security (Malware, Phishing, Threats)¶

List	URL	Notes
HaGeZi Threat Intelligence	`https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt`	Aggregated threat intel (malware, phishing, C2)
Phishing Army Extended	`https://phishing.army/download/phishing_army_blocklist_extended.txt`	Comprehensive phishing domains
URLhaus Malware	`https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh.txt`	Abuse.ch malware feed
DandelionSprout Anti-Malware	`https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareAdGuardHome.txt`	Well-maintained anti-malware

Privacy & Tracking¶

List	URL	Notes
EasyPrivacy	`https://easylist.to/easylist/easyprivacy.txt`	Classic tracking protection
AdGuard Tracking Protection	`https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_3_Spyware/filter.txt`	AdGuard's own tracker list
HaGeZi DoH/VPN/Proxy Bypass	`https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-vpn-proxy-bypass.txt`	Prevents apps from bypassing your DNS

Device Telemetry¶

List	URL	Notes
Perflyst Smart-TV	`https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt`	Samsung, LG, Vizio telemetry
Perflyst Android Tracking	`https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt`	Android-specific trackers
HaGeZi Native Amazon	`https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/native.amazon.txt`	Amazon/Alexa telemetry

Annoyances & Cryptomining¶

List	URL	Notes
AdGuard Annoyances	`https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt`	Cookie banners, popups
Fanboy Annoyance	`https://secure.fanboy.co.nz/fanboy-annoyance.txt`	Social widgets, popups
ZeroDot1 CoinBlocker	`https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser`	Cryptomining/cryptojacking

Aggressive blocklists may break sites

HaGeZi Ultimate and some security lists are aggressive. They may block Facebook, payment processors, or telemetry required for app functionality. A comprehensive allowlist is configured to keep major apps working (YouTube, Instagram, Facebook, WhatsApp, Spotify, Discord, etc.). Always check AdGuard's query log when a site breaks and whitelist the blocked domain with @@||domain.com^$important.

core-stack — AdGuard Home is part of the core infrastructure stack
monitoring-stack — Grafana dashboards for DNS metrics

Previous: 05-troubleshooting