Adguard, Adguard Home, and Little Snitch

I’m still very much new to this, but I know that when it comes to blocking ads, malware, and tracking, I’ll need a multilayer approach. I already have the DNS layer taken care of with Control D. I’m reading that Adguard blocks at the “application level” while Little Snitch blocks at the “system level”. What does that mean? So these two apps complement each other?

Where does Adguard Home in my router fit in the picture if I have Control D and utilize its blocklist?

The main benefit to Adguard Home is far more control, especially if you’re using Control-D’s free config. Other than that, either of them becomes the default for all devices on your network once you set them up with the router.

Adguard Home is a self-hosted DNS server.
DNS queries on your network are unencrypted (unless you registered a domain and obtained a certificate) and sent to the self-hosted server and then either answered from cache or forwarded to the secure DNS service you set up (Adguard by default, but as I recall it can be changed).
The server needs to be set up and running and the router (or alternatively all devices) needs to be set up to use it. You also become responsible for maintaining it and its security configurations and updates of the server.
If you’re happy with Control-D there isn’t much point in going through the effort of setting it up other than the learning experience. I ran it on a Raspberry Pi with Ubuntu Server installed, but I regularly had DNS queries fail due to taking too long and eventually abandoned it.

It should be possible to set up Control-D or any other DNS service on the router itself with most of the same benefits. This makes Control-D the default DNS on your home network, so any new or reformatted device will already be protected by Control-D during the setup. You do still need to set it up if you plan on using it on other networks though.
How exactly this is done depends on the router model and brand.
I think this can cause issues with some ISPs, but generally speaking it shouldn’t.

Both Control-D and Adguard Home will block network traffic at the domain level. Taking YouTube as an example, this will block the Google Analytics domain, but not ads, since they are hosted from the YouTube domain directly.
Little Snitch is a firewall which can do the same on a per-app basis, blocking or allowing specific domains or IP addresses for specific apps, and it can be set up to manage the DNS.
Adguard and uBlock Origin Lite (newly released on Mac) are content blockers and mostly apply to Safari. These can do slightly more complex stuff to block ads on sites even when they aren’t from an ad-specific domain. But extensions are more restricted in what they can access these days and they don’t block everything. I would choose one or the other.

3 Likes
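
Added example, not part of the original posts: a small Python sketch of the difference described above between a domain-level (DNS) filter, which sees only the hostname, and a content-blocker-style filter, which sees the full URL. All hostnames, paths and rules are constructed placeholders, and the subdomain matching is an assumption about how the blocklist is applied.

```python
from urllib.parse import urlsplit

# Constructed sample data; these hostnames and paths are illustrative only.
DNS_BLOCKLIST = {"analytics.example", "ads.tracker.example"}
URL_RULES = ["video.example/ads/", "analytics.example/"]  # host + path prefixes

REQUESTS = [
    "https://video.example/watch?v=1",
    "https://video.example/ads/preroll.mp4",   # first-party ad path
    "https://analytics.example/collect",
    "https://cdn.ads.tracker.example/pixel.gif",
]


def dns_blocked(host: str) -> bool:
    """Domain-level filter: sees only the hostname being resolved.

    Assumption: a blocklist entry also covers its subdomains, so each
    parent domain of the queried name is checked against the list.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels)))


def content_blocked(url: str) -> bool:
    """Content-blocker-style filter: sees the full URL, including the path."""
    parts = urlsplit(url)
    target = (parts.hostname or "") + parts.path
    return any(target.startswith(rule) for rule in URL_RULES)


def classify(url: str) -> str:
    """Return which layer stops the request: 'dns', 'content' or 'allowed'."""
    host = urlsplit(url).hostname or ""
    if dns_blocked(host):
        return "dns"
    if content_blocked(url):
        return "content"
    return "allowed"


def report() -> dict:
    return {url: classify(url) for url in REQUESTS}


if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:8} {url}")
```

The first-party ad path resolves through the same hostname as the video page, so the DNS layer cannot block it without blocking the whole site; only the URL-aware filter can tell the two requests apart.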

Very good explanation and thank you for your time.

So basically, it makes no sense to use both Control D and Adguard Home since they’re both working at the DNS level?

To avoid redundancy, I should have something like Control D, Little Snitch, and Adguard on the Mac Mini and it’ll be about as good as it gets?

Yes.
Setting up Adguard Home would be redundant if the Mac already has secure DNS set up.

There are benefits to setting up secure DNS on the router, but only for devices that don’t already have it set up. Any device that uses secure DNS like Control-D will ignore the router setting.
The router should also be perfectly capable of using Control-D which avoids a lot of set-up and configurations where mistakes could reduce security.

1 Like

It doesn’t really mean anything; I think whoever told you that doesn’t know what they’re talking about.

1 Like

If all devices can utilize even a DNS:53 address, wouldn’t that still negate the need to use Adguard Home?

You don’t need Adguard Home.
By default the router will use your ISP’s DNS service. Adguard Home is a server implementation you can set up instead. But you can set up most routers to use any DNS service you like.

Adguard Home has the significant drawback of managing a server and it still needs to query a DNS service on your behalf.

My ASUS router has both Adguard and Control-D’s free DNS configurations available as default options under WAN network settings.
If the goal is using a secure DNS with content blocking and a privacy policy you like, then it’s far simpler to select one of those rather than using the ISP’s DNS or setting up an Adguard Home server.

You’re correct that setting up DNS for the router is redundant if you already have Secure DNS set up on all your devices. But new devices or reformatted devices won’t have secure DNS set up. You might also have devices where changing the DNS isn’t possible or simply more effort than having it set up on the device.

2 Likes