Merge branch 'master' into dns-providers

crowdin.yml

@@ -15,8 +15,10 @@ files:
   - source: /i18n/en/**/*
     translation: /i18n/%two_letters_code%/**/%original_file_name%
     languages_mapping: *languages_mapping
+    update_option: 'update_as_unapproved'
   - source: /docs/**/*
     translation: /i18n/%two_letters_code%/docusaurus-plugin-content-docs/current/**/%original_file_name%
     languages_mapping: *languages_mapping
+    update_option: 'update_as_unapproved'
     ignore:
       - "/**/_category_.json"

docs/general/dns-providers.md

@@ -1147,7 +1147,7 @@ Marbled Fennec Networks is hosting DNS resolvers that are capable of resolving b
 
 ### momou! DNS
 
-[momou! DNS](https://dns.momou.ch/) provides DoH & DoT resolvers with three levels of filtering
+[momou! DNS](https://dns.momou.ch/) provides DoH & DoT resolvers with three levels of filtering
 
 #### Standard
 
@@ -1251,6 +1251,7 @@ These servers provide no ad blocking, keep no logs, and have DNSSEC enabled.
 
 | Protocol | Address | |
 |----------------|----------------------------------------------------|----------------|
-| DNS, IPv4 | `103.252.122.187` | [Add to AdGuard](adguard:add_dns_server?address=103.252.122.187&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=103.252.122.187&name=BlackMagiccDNS) |
-| DNS, IPv6 | `2401:4ae0::38` | [Add to AdGuard](adguard:add_dns_server?address=2401:4ae0::38&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=2401:4ae0::38&name=BlackMagiccDNS) |
+| DNS, IPv4 | `103.70.12.129` | [Add to AdGuard](adguard:add_dns_server?address=103.70.12.129&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=103.70.12.129&name=BlackMagiccDNS) |
+| DNS, IPv6 | `2001:df4:4c0:1::399:1` | [Add to AdGuard](adguard:add_dns_server?address=2001:df4:4c0:1::399:1&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=2001:df4:4c0:1::399:1&name=BlackMagiccDNS) |
+| DNS-over-QUIC | `quic://rx.techomespace.com` | [Add to AdGuard](adguard:add_dns_server?address=quic://rx.techomespace.com&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=quic://rx.techomespace.com&name=BlackMagiccDNS)  |
 | DNS-over-HTTPS | `https://rx.techomespace.com/dns-query` | [Add to AdGuard](adguard:add_dns_server?address=https://rx.techomespace.com/dns-query&name=BlackMagiccDNS), [Add to AdGuard VPN](adguardvpn:add_dns_server?address=https://rx.techomespace.com/dns-query&name=BlackMagiccDNS) |

docs/miscellaneous/acknowledgements.md

@@ -1,6 +1,6 @@
 ---
 title: Credits and Acknowledgements
-sidebar_position: 5
+sidebar_position: 3
 ---
 
 Our dev team would like to thank the developers of the third-party software we use in AdGuard DNS, our great beta testers and other engaged users, whose help in finding and eliminating all the bugs, translating AdGuard DNS, and moderating our communities is priceless.

docs/miscellaneous/create-dns-stamp.md

@@ -1,4 +1,7 @@
-# How to create your own DNS stamp for Secure DNS
+---
+title: How to create your own DNS stamp for Secure DNS
+sidebar_position: 4
+---
 
 This guide will show you how to create your own DNS stamp for Secure DNS. Secure DNS is a service that enhances your internet security and privacy by encrypting your DNS queries. This prevents your queries from being intercepted or manipulated by malicious actors.
 

docs/miscellaneous/structured-dns-errors.md

@@ -0,0 +1,57 @@
+---
+title: Structured DNS Errors (SDE)
+sidebar_position: 5
+---
+
+With the release of AdGuard DNS v2.10, AdGuard has become the first public DNS resolver to implement support for [*Structured DNS Errors* (SDE)](https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/09/), an update to [RFC 8914](https://datatracker.ietf.org/doc/rfc8914/). This feature allows DNS servers to provide detailed information about blocked websites directly in the DNS response, rather than relying on generic browser messages. In this article, we'll explain what *Structured DNS Errors* are and how they work.
+
+## What Structured DNS Errors are
+
+When a request to an advertising or tracking domain is blocked, the user may see blank spaces on a website or may not even notice that DNS filtering has occurred. However, if an entire website is blocked at the DNS level, the user will be completely unable to access the page. When trying to access a blocked website, the user may see a generic "This site can't be reached" error displayed by the browser.
+
+!["This site can't be reached" error](https://cdn.adtidy.org/content/blog/dns/dns_error.png)
+
+Such errors don't explain what happened and why. This leaves users confused about why a website is inaccessible, often leading them to assume that their Internet connection or DNS resolver is broken.
+
+To clarify this, DNS servers could redirect users to their own page with an explanation. However, HTTPS websites (which are the majority of websites) would require a separate certificate.
+
+![Certificate error](https://cdn.adtidy.org/content/blog/dns/certificate_error.png?1)
+
+There’s a simpler solution: [Structured DNS Errors (SDE)](https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/09/). The concept of SDE builds on the foundation of [*Extended DNS Errors* (RFC 8914)](https://datatracker.ietf.org/doc/rfc8914/), which introduced the ability to include additional error information in DNS responses. The SDE draft takes this a step further by using [I-JSON](https://www.rfc-editor.org/rfc/rfc7493) (a restricted profile of JSON) to format the information in a way that browsers and client applications can easily parse.
+
+The SDE data is included in the `EXTRA-TEXT` field of the DNS response. It contains:
+
+- `j` (justification): Reason for blocking
+- `c` (contact): Contact information for inquiries if the page was blocked by mistake
+- `o` (organization): Organization responsible for DNS filtering in this case (optional)
+- `s` (suberror): The suberror code for this particular DNS filtering (optional)
+
+Such a system enhances transparency between DNS services and users.
+
+### What is required to implement Structured DNS Errors
+
+Although AdGuard DNS has implemented support for Structured DNS Errors, browsers currently do not natively support parsing and displaying SDE data. For users to see detailed explanations in their browsers when a website is blocked, browser developers need to adopt and support the SDE draft specification.
+
+### AdGuard DNS demo extension for SDE
+
+To showcase how Structured DNS Errors work, AdGuard DNS has developed a demo browser extension that shows how *Structured DNS Errors* could work if browsers supported them. If you try to visit a website blocked by AdGuard DNS with this extension enabled, you will see a detailed explanation page with the information provided via SDE, such as the reason for blocking, contact details, and the organization responsible.
+
+![Explanation page](https://cdn.adtidy.org/blog/new/jlkdbaccess_blocked.png)
+
+You can install the extension from the [Chrome Web Store](https://chromewebstore.google.com/detail/oeinmjfnchfhaabhchfjkbdpmgeageen) or from [GitHub](https://github.com/AdguardTeam/dns-sde-extension/).
+
+If you want to see what it looks like at the DNS level, you can use the `dig` command and look for `EDE` in the output.
+
+```text
+% dig @94.140.14.14 'ad.doubleclick.net' A IN +ednsopt=15:0000
+
+...
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; EDE: 17 (Filtered): ({"j":"Filtered by AdGuard DNS","o":"AdGuard DNS","c":["mailto:[email protected]"]})
+;; QUESTION SECTION:
+;ad.doubleclick.net.  IN A
+
+...
+```

docs/miscellaneous/take-screenshot.md

@@ -1,6 +1,6 @@
 ---
 title: 'How to take a screenshot'
-sidebar_position: 4
+sidebar_position: 2
 ---
 
 Screenshot is a capture of your computer’s or mobile device’s screen, which can be obtained by using standard tools or a special program/app.

docs/miscellaneous/update-kb.md

@@ -1,6 +1,6 @@
 ---
 title: 'Updating the Knowledge Base'
-sidebar_position: 3
+sidebar_position: 1
 ---
 
 The goal of this Knowledge Base is to provide everyone with the most up-to-date information on all kinds of AdGuard DNS-related topics. But things constantly change, and sometimes an article doesn't reflect the current state of things anymore — there are simply not so many of us to keep an eye on every single bit of information and update it accordingly when new versions are released.

docs/private-dns/connect-devices/mobile-and-desktop/linux.md

@@ -21,7 +21,7 @@ You can learn more about this in the [related article](/dns-client/overview/).
 You can set up Private AdGuard DNS using the AdGuard VPN CLI (command-line interface). To get started with AdGuard VPN CLI, you’ll need to use Terminal.
 
 1. Install AdGuard VPN CLI by following [these instructions](https://adguard-vpn.com/kb/adguard-vpn-for-linux/installation/).
-1. Access [settings](https://adguard-vpn.com/kb/adguard-vpn-for-linux/settings/).
+1. Go to [Settings](https://adguard-vpn.com/kb/adguard-vpn-for-linux/settings/).
 1. To set a specific DNS server, use the command: `adguardvpn-cli config set-dns <server_address>`, where `<server_address>` is your private server’s address.
 1. Activate the DNS settings by entering `adguardvpn-cli config set-system-dns on`.
 
@@ -102,6 +102,28 @@ If you see a notification that you are not connected to AdGuard DNS, most likely
 
 :::
 
+## Use EDNS (Extended DNS)
+
+EDNS extends the DNS protocol, enabling larger UDP packets to carry additional data. In AdGuard DNS, it allows passing DeviceID in plain DNS using an extra parameter.
+
+DeviceID, an eight-digit hexadecimal identifier (e.g., `1a2b3c4d`), helps link DNS requests to specific devices. For encrypted DNS, this ID is part of the domain (e.g., `1a2b3c4d.d.adguard-dns.com`). For unencrypted DNS, EDNS is required to transfer this identifier.
+
+AdGuard DNS uses EDNS to retrieve DeviceID by looking for option number `65074`. If such an option exists, it will read DeviceID from there. For this, you can use the `dig` command on the terminal:
+
+```sh
+dig @94.140.14.49 'www.example.com' A IN +ednsopt=65074:3031323334353637
+```
+
+Here, `65074` is the option ID, and `3031323334353637` is its value in hex format (DeviceID: `01234567`).
+
+All done! DeviceID should be displayed.
+
+:::note
+
+The `dig` command is merely an example, you can use any DNS software with an ability to add EDNS options to perform this action.
+
+:::
+
 ## Use plain DNS
 
 If you prefer not to use extra software for DNS configuration, you can opt for unencrypted DNS. You have two choices: using linked IPs or dedicated IPs:

docs/private-dns/connect-devices/other-options/dedicated-ip.md

@@ -11,7 +11,7 @@ If you have a Team or Enterprise subscription, you'll receive several personal d
 
 ## Why do you need a dedicated IP?
 
-Unfortunately, the technical specifications of the connected device may not always allow you to set up an encrypted private AdGuard DNS server. In this case, you will have to use standard unencrypted DNS. There are two ways to set up AdGuard DNS: [using linked IPs](/private-dns/connect-devices/other-options/linked-ip.md) and using dedicated IPs.
+Unfortunately, the technical specifications of the connected device may not always allow you to set up an encrypted Private AdGuard DNS server. In this case, you will have to use standard unencrypted DNS. There are two ways to set up AdGuard DNS: [using linked IPs](/private-dns/connect-devices/other-options/linked-ip.md) and using dedicated IPs.
 
 Dedicated IPs are generally a more stable option. Linked IP has some limitations, such as only residential addresses are allowed, your provider can change the IP, and you'll need to relink the IP address. With dedicated IPs, you get an IP address that is exclusively yours, and all requests will be counted for your device.
 

docs/private-dns/connect-devices/other-options/linked-ip.md

@@ -5,9 +5,7 @@ sidebar_position: 3
 
 ## What linked IPs are and why they are useful
 
-Not all devices can support encrypted DNS protocols. In this case, users should consider setting up unencrypted DNS.
-
-You can use a **linked IP address**: in this setup, the service will consider all standard DNS queries coming from that IP address and for that specific device. The only requirement for a linked IP address is that it must be a residential IP.
+Not all devices support encrypted DNS protocols. In this case, you should consider setting up unencrypted DNS. For example, you can use a **linked IP address**. The only requirement for a linked IP address is that it must be a residential IP.
 
 :::note
 
@@ -16,7 +14,9 @@ A **residential IP address** is assigned to a device connected to a residential
 :::
 
 Sometimes, a residential IP address may already be in use, and if you try to connect to it, AdGuard DNS will prevent the connection.
+
 ![Linked IPv4 address *border](https://cdn.adtidy.org/content/kb/dns/private/new_dns/connect/linked.png)
+
 If that happens, please reach out to support at [[email protected]](mailto:[email protected]), and they’ll assist you with the right configuration settings.
 
 ## How to set up linked IP
@@ -27,11 +27,12 @@ The following instructions explain how to connect to the device via **linking IP
 1. Add a new device or open the settings of a previously connected device.
 1. Go to *Use DNS server addresses*.
 1. Open *Plain DNS server addresses* and connect the linked IP.
+
     ![Linked IP *border](https://cdn.adtidy.org/content/kb/dns/private/new_dns/connect/linked_step4.png)
 
 ## Dynamic DNS: Why it is useful
 
-Every time a device connects to the network, it gets a new dynamic IP address. When a device disconnects, the DHCP server reassigns IP addresses to the remaining devices. This means dynamic IP addresses can change frequently and unpredictably. Consequently, you'll need to update settings whenever the device is rebooted or the network changes.
+Every time a device connects to the network, it gets a new dynamic IP address. When a device disconnects, the DHCP server can assign the released IP address to another device on the network. This means dynamic IP addresses change frequently and unpredictably. Consequently, you'll need to update settings whenever the device is rebooted or the network changes.
 
 To automatically keep the linked IP address updated, you can use DNS. AdGuard DNS will regularly check the IP address of your DDNS domain and link it to your server.
 
@@ -49,11 +50,14 @@ This way, you won’t have to manually update the associated IP address each tim
     - Go to *Router settings* → *Network*
     - Locate the DDNS or the *Dynamic DNS* section
     - Navigate to it and verify that the settings are indeed supported. *This is just an example of what it may look like. It may vary depending on your router*
+
     ![DDNS supported *mobile_border](https://cdn.adtidy.org/content/kb/dns/private/new_dns/connect/dynamic_dns.png)
+
 1. Register your domain with a popular service like [DynDNS](https://dyn.com/remote-access/), [NO-IP](https://www.noip.com/), or any other DDNS provider you prefer.
 1. Enter the domain in your router settings and sync the configurations.
 1. Go to the Linked IP settings to connect the address, then navigate to *Advanced Settings* and click *Configure DDNS*.
 1. Input the domain you registered earlier and click *Configure DDNS*.
+
     ![Configure DDNS *border](https://cdn.adtidy.org/content/kb/dns/private/new_dns/connect/dns_supported.png)
 
 All done, you've successfully set up DDNS!

docs/private-dns/connect-devices/routers/asus.md

@@ -15,7 +15,7 @@ If necessary: Configure DNS-over-TLS on ASUS, install the [ASUS Merlin firmware]
 1. Enter the administrator username (usually, it’s admin) and router password.
 1. In the *Advanced Settings* sidebar, navigate to the WAN section.
 1. In the *WAN DNS Settings* section, set *Connect to DNS Server automatically* to *No*.
-1. Set *Forward local queries*, *Enable DNS Rebind*, and *Enable DNSSEC* to *No*.
+1. Set *Forward local queries*, *Enable DNS Rebind protection*, and *Enable DNSSEC suppport* to *No*.
 1. Change DNS Privacy Protocol to DNS-over-TLS (DoT).
 1. Make sure the *DNS-over-TLS Profile* is set to *Strict*.
 1. Scroll down to the *DNS-over-TLS Servers List* section. In the *Address* field, enter one of the addresses below:
@@ -37,6 +37,5 @@ If necessary: Configure DNS-over-TLS on ASUS, install the [ASUS Merlin firmware]
     - IPv6: `2a10:50c0:0:0:0:0:ded:ff` and `2a10:50c0:0:0:0:0:dad:ff`
 1. Save the settings.
 1. Link your IP (or your dedicated IP if you have a Team subscription).
-
-- [Dedicated IPs](/private-dns/connect-devices/other-options/dedicated-ip.md)
-- [Linked IPs](/private-dns/connect-devices/other-options/linked-ip.md)
+    - [Dedicated IPs](/private-dns/connect-devices/other-options/dedicated-ip.md)
+    - [Linked IPs](/private-dns/connect-devices/other-options/linked-ip.md)

docs/private-dns/connect-devices/routers/keenetic.md

@@ -14,7 +14,7 @@ Keenetic routers are known for their stability and flexible configurations, and
 1. In *Utilities and services*, select DNS-over-HTTPS proxy and install it.
 1. Head to *Menu* → *Network rules* → *Internet safety*.
 1. Navigate to DNS-over-HTTPS servers and click *Add DNS-over-HTTPS server*.
-1. Enter the URL of the private AdGuard DNS server in the `https://d.adguard-dns.com/dns-query/{Your_Device_ID}` field.
+1. Enter the URL of the Private AdGuard DNS server in the `https://d.adguard-dns.com/dns-query/{Your_Device_ID}` field.
 1. Click *Save*.
 
 ## Configure DNS-over-TLS
@@ -23,9 +23,9 @@ Keenetic routers are known for their stability and flexible configurations, and
 1. Press the menu button at the bottom of the screen and select *Management*.
 1. Open *System settings*.
 1. Press *Component options* → *System component options*.
-1. In *Utilities and services*, select DNS-over-HTTPS proxy and install it.
+1. In *Utilities and services*, select DNS-over-TLS proxy and install it.
 1. Head to *Menu* → *Network rules* → *Internet safety*.
-1. Navigate to DNS-over-HTTPS servers and click *Add DNS-over-HTTPS server*.
+1. Navigate to DNS-over-TLS servers and click *Add DNS-over-TLS server*.
 1. Enter the URL of the private AdGuard DNS server in the `tls://*********.d.adguard-dns.com` field.
 1. Click *Save*.