xel-serv logo
Xeltor's Ad-blocking DNS

Jump to

Prerequisites

  • Ensure the router firmware supports DNS-over-TLS (DoT) or can run a local stub (Unbound, dnsmasq, AdGuard Home, etc.).
  • Open outbound TCP port 853 in any upstream firewall rules.
  • Upstream resolver IPs: 63.250.54.8 and 86.90.92.105. TLS hostname: dot.xel-serv.com.

Unbound (OPNSense, pfSense, bare metal)

  1. Edit Services → Unbound DNS → General and enable DNS over TLS.
  2. Add the following custom options: 
    forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 63.250.54.8@853#dot.xel-serv.com
  forward-addr: 86.90.92.105@853#dot.xel-serv.com
  3. Clear the resolver cache and restart Unbound.

dnsmasq (OpenWrt, DD-WRT)

  1. Install stubby or https-dns-proxy. Stubby example: 
    opkg update
opkg install stubby
  2. Edit /etc/stubby/stubby.yml and replace the upstreams with:
    upstream_recursive_servers:
  - address_data: 63.250.54.8
    tls_auth_name: dot.xel-serv.com
    tls_port: 853
  - address_data: 86.90.92.105
    tls_auth_name: dot.xel-serv.com
    tls_port: 853
  3. Point dnsmasq to the stubby listener by adding to /etc/dnsmasq.conf: 
    no-resolv
server=127.0.0.1#5453
  4. Restart both services: /etc/init.d/stubby restart, /etc/init.d/dnsmasq restart.

OPNSense / pfSense GUI walkthrough

  1. Navigate to System → Trust → Authorities and ensure the default trust store is up to date.
  2. Go to Services → Unbound DNS → Advanced and add the following custom options:
    forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 63.250.54.8@853#dot.xel-serv.com
  forward-addr: 86.90.92.105@853#dot.xel-serv.com
  3. Under System → General Setup, remove any ISP DNS servers so DHCP clients inherit only your router IP.
  4. Save and apply changes; Unbound restarts automatically.

AdGuard Home

  1. Open the AdGuard Home dashboard → Settings → DNS settings.
  2. Under Upstream DNS servers, add:
    tls://dot.xel-serv.com
  3. Enable “Bootstrap DNS servers” and supply 63.250.54.8 and 86.90.92.105.
  4. Apply the changes and flush the query log.

Verification

  1. From a LAN client: nslookup ads.facebook.com should return NXDOMAIN.
  2. Check the router logs; TLS handshakes to dot.xel-serv.com:853 should succeed without fallback.

Spring naar

Voorwaarden

  • Zorg dat de firmware DNS-over-TLS ondersteunt of een lokale stub kan draaien (Unbound, dnsmasq, AdGuard Home).
  • Sta uitgaand TCP-poort 853 toe in upstream-firewalls.
  • Upstream IP's: 63.250.54.8 en 86.90.92.105. TLS-hostnaam: dot.xel-serv.com.

Unbound (OPNSense, pfSense, bare metal)

  1. Ga naar Services → Unbound DNS → General en schakel DNS over TLS in.
  2. Voeg onderstaande custom options toe: 
    forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 63.250.54.8@853#dot.xel-serv.com
  forward-addr: 86.90.92.105@853#dot.xel-serv.com
  3. Leeg de resolvercache en herstart Unbound.

dnsmasq (OpenWrt, DD-WRT)

  1. Installeer stubby of https-dns-proxy. Voorbeeld Stubby: 
    opkg update
opkg install stubby
  2. Pas /etc/stubby/stubby.yml aan en vervang de upstreams door:
    upstream_recursive_servers:
  - address_data: 63.250.54.8
    tls_auth_name: dot.xel-serv.com
    tls_port: 853
  - address_data: 86.90.92.105
    tls_auth_name: dot.xel-serv.com
    tls_port: 853
  3. Laat dnsmasq naar de Stubby-listener verwijzen via /etc/dnsmasq.conf: 
    no-resolv
server=127.0.0.1#5453
  4. Herstart beide services: /etc/init.d/stubby restart, /etc/init.d/dnsmasq restart.

OPNSense / pfSense (GUI)

  1. Controleer onder System → Trust → Authorities of de standaard trust store actueel is.
  2. Ga naar Services → Unbound DNS → Advanced en voeg onderstaande custom options toe:
    forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 63.250.54.8@853#dot.xel-serv.com
  forward-addr: 86.90.92.105@853#dot.xel-serv.com
  3. Verwijder onder System → General Setup eventuele ISP-DNS servers zodat DHCP-clients alleen het router-IP krijgen.
  4. Sla op en pas toe; Unbound wordt automatisch herstart.

AdGuard Home

  1. Open het AdGuard Home-dashboard → Settings → DNS settings.
  2. Voeg onder Upstream DNS servers toe:
    tls://dot.xel-serv.com
  3. Zet “Bootstrap DNS servers” op 63.250.54.8 en 86.90.92.105.
  4. Pas de wijzigingen toe en wis het querylog.

Controleren

  1. Voer vanaf een LAN-client nslookup ads.facebook.com uit; het resultaat moet NXDOMAIN zijn.
  2. Controleer de routerlogs: TLS-handshakes naar dot.xel-serv.com:853 moeten slagen zonder fallback.