Block ads using DNS over TLS with AdGuard Home, Let's Encrypt, and Cloudflare for Android Devices
Emanuele Papa
October 22, 2024

DNS over TLS (DoT) is a security protocol that encrypts DNS queries, providing enhanced privacy and security. This guide will walk you through setting up AdGuard Home to serve DNS over TLS using your custom domain, secured with a Let’s Encrypt certificate. We’ll use Cloudflare for DNS management and integrate Home Assistant for automation. By the end, your Android devices will be able to use secure DNS queries to your AdGuard Home server. We will be focusing on Android devices but iOS devices can use it as well!

Prerequisites

Before starting, ensure you have:

  • A registered domain name.
  • An active Cloudflare account managing your domain.
  • A running instance of Home Assistant.
  • AdGuard Home installed and running.

Step 1: Create DNS Records in Cloudflare

To enable DNS over TLS, you’ll need to set up the necessary DNS records in Cloudflare.

Create an A Record:

  • Log in to your Cloudflare dashboard.
  • Navigate to the DNS settings of your domain.
  • Create a new A record with the following details:
    • Name: dns
    • IPv4 Address: your server's public IP address (the Home Assistant Cloudflare integration will keep this updated automatically, don't worry!)
    • TTL: Auto
    • Proxy status: DNS only (unproxied).

Create a CNAME Record:

  • Still in DNS settings, create a CNAME record:
    • Name: *.dns
    • Target: dns.yourdomain.com
    • TTL: Auto
    • Proxy status: DNS only (unproxied).

These records ensure that both dns.yourdomain.com and any of its subdomains direct traffic to your AdGuard Home instance. This lets you create names such as clientname.dns.yourdomain.com so that AdGuard Home can identify different clients by the hostname they connect with.

Step 2: Configure Cloudflare Integration in Home Assistant

Home Assistant can automate updating your Cloudflare DNS records if your server’s IP address changes.

Create API Tokens in Cloudflare:

To interact with the Cloudflare API we need two different tokens:

  1. Token 1 is used by the Cloudflare Home Assistant integration to update the DNS record with our IP.
  2. Token 2 is used by the Let's Encrypt Home Assistant add-on to automate the DNS challenges for domain validation.

To generate those:

  • Go to My Profile > API Tokens in your Cloudflare account.
  • Click Create Token.
  • Use the Create Custom Token button and add the following permissions for your domain Zone:
    • Zone:Zone:Read and Zone:DNS:Edit for Token 1
    • Zone:DNS:Edit for Token 2
  • Copy each generated token; you will need both in the following steps.

Install and configure the Cloudflare Integration:

  • In Home Assistant, go to Settings > Integrations.
  • Search for Cloudflare and install the integration.
  • Set it to update the dns.yourdomain.com A record whenever your IP changes.

Note: the integration does not seem to run automatically as soon as it is set up, so either enter your current IP address in the A record in the previous step, or trigger an update yourself by calling the cloudflare.update_records service. After that, it runs automatically every hour to update your IP.

Step 3: Obtain and Configure Let’s Encrypt Certificates

Next, secure your domain with a Let’s Encrypt SSL certificate to enable DNS over TLS.

Install the Let’s Encrypt Add-on in Home Assistant:

  • In Home Assistant, navigate to Supervisor > Add-on Store.
  • Find and install the Let’s Encrypt add-on.

Configure the Let’s Encrypt Add-on:

  • Set the domains to dns.yourdomain.com and *.dns.yourdomain.com.
  • Set the challenge to dns.
  • Enter your Cloudflare API token (Token 2 from Step 2) to automate the DNS challenges.
  • Start the add-on to generate your certificates.

Set Up Automatic Certificate Renewal:

  • In Home Assistant, navigate to Settings > Automations and Scenes > Automations.
  • Click on Create Automation.
  • Use the following YAML and save the automation:

alias: Start Let's Encrypt Add-on at Midnight
description: Start the Let's Encrypt add-on every day at midnight
mode: single
triggers:
  - at: "00:00:00"
    trigger: time
actions:
  - data:
      addon: core_letsencrypt
    action: hassio.addon_start

Step 4: Configure AdGuard Home for DNS over TLS

With the SSL certificate ready, you can now configure AdGuard Home to support DNS over TLS.

  • Go to AdGuard Home’s web interface.
  • Navigate to Settings > Encryption.
  • Set the Server Name to dns.yourdomain.com.
  • Keep the default certificate path, since we did not change it in the Let's Encrypt add-on configuration.
  • Ensure the certificate chain is validated (green lights).
  • Save and apply the settings.

Your AdGuard Home server is now configured to serve DNS over TLS.

Step 5: Configure Android Devices for DNS over TLS

Different Android devices might have slightly different steps to set up DNS over TLS, but generally, to use your new DNS over TLS setup on an Android device, follow these steps:

  • Open Settings > Network & Internet.
  • Tap Private DNS.
  • Choose Private DNS provider hostname.
  • Enter dns.yourdomain.com or clientname.dns.yourdomain.com (if you want to use client names, go to Settings > Client Settings in AdGuard Home and add the needed clients).

Your Android device will now use DNS over TLS with your AdGuard Home server, ensuring encrypted DNS queries. If your device says that your DNS over TLS server doesn't exist, check that everything above is configured correctly, or wait a little while to allow the DNS system to propagate your records.
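To verify the finished setup from any machine, here is an added Python script (not part of the original post) that performs the same DNS-over-TLS exchange an Android Private DNS client does: it connects to port 853 with SNI set to the hostname, lets Python's default TLS context verify the Let's Encrypt chain and hostname (the "green lights" from Step 4), then sends a length-prefixed DNS query (RFC 7858 framing) and parses the answer. The hostname dns.yourdomain.com is a placeholder for your own; the query builder and response parser work offline on constructed bytes.

```python
import socket
import ssl
import struct

def build_query(name, txid=0x1234):  # A query with the 2-byte length prefix DoT requires
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split(".")]
    question = b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, class IN
    return struct.pack("!H", len(header) + len(question)) + header + question

def _skip_name(msg, pos):  # step past a label sequence or a 2-byte compression pointer
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_answers(msg, txid=0x1234):  # IPv4 answers from a response (length prefix removed)
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response to our query (ID, QR or RCODE mismatch)")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # QNAME, then QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen  # skip the fixed RR fields and the RDATA of any record type
    return addrs

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def query_dot(name, host="dns.yourdomain.com", port=853):  # host is a placeholder: use yours
    # The default context verifies the chain and the SNI name, as Android's Private DNS does.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_query(name))
            length = struct.unpack("!H", _read_exact(tls, 2))[0]
            return parse_answers(_read_exact(tls, length))
```

A TLS error from query_dot (untrusted chain, expired certificate, name mismatch) points at Step 3 or 4; a clean ValueError or timeout points at the DNS records or AdGuard Home's listener instead.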

Conclusion

By following these steps, you’ve successfully configured AdGuard Home to provide DNS over TLS, secured with a Let’s Encrypt certificate and managed through Cloudflare. Your Android devices are now equipped to handle encrypted DNS queries, enhancing your privacy and security. This setup not only secures your DNS traffic but also allows for easy management and automation using Home Assistant.

Feel free to adjust the steps to fit your environment, and enjoy a more secure internet experience on your Android devices.
