# WIP: MikroTik AdGuard Home with DoT/DoH

**Status:** In Progress
**Started:** 2026-01-25

---

## Objective

Single DNS endpoint with failover:

- External: dns.xtrm-lab.org (DoT 853, DoH 443)
- Internal: 192.168.31.1 (all LAN clients)
- Failover: Unraid AdGuard (192.168.31.4) as upstream backup

## Architecture

```
External ──► dns.xtrm-lab.org ──► NAT ──┐
             (DoT 853, DoH 443)         │
                                        ▼
Internal ──► 192.168.31.1:53 ────► MikroTik AdGuard
(LAN clients)                      (container)
                                        │
                                        ▼
                                   Upstreams:
                                   - 192.168.31.4 (Unraid AdGuard)
                                   - 8.8.8.8 (Google)
                                   - 1.1.1.1 (Cloudflare)
```

## Implementation Steps

- [ ] 1. Install AdGuard container on MikroTik
- [ ] 2. Configure veth interface with IP
- [ ] 3. Configure AdGuard upstreams
- [ ] 4. Enable DoT/DoH in AdGuard
- [ ] 5. Generate/configure TLS certificates
- [ ] 6. Update NAT rules (DoT/DoH → container)
- [ ] 7. Update DNS redirect rules (LAN → container)
- [ ] 8. Test internal DNS
- [ ] 9. Test external DoT/DoH
- [ ] 10. Update documentation

## Container Configuration

- **Image:** adguard/adguardhome:latest
- **Root dir:** /usb1/adguard
- **Interface:** veth-adguard
- **Mounts:** Config persistence

## Network Configuration

| Service | Port | Target    |
|---------|------|-----------|
| DNS     | 53   | Container |
| DoT     | 853  | Container |
| DoH     | 443  | Container |
| Web UI  | 3000 | Container |

## Notes

- Using script from: https://github.com/maximpri/mikrotik-adguardhome
- Previous MikroTik containers removed (storage issues)
- Unraid AdGuard (192.168.31.4) remains as backup upstream