Set Up Trusted Upstream Providers

When a paid service is created, it defaults to domestic upstream servers that are relatively fast, including Alibaba’s IPv4 and IPv6 as well as DoT services.

Some providers may have resolution errors, resolving certain overseas domains to incorrect IP addresses and causing access failures. A common symptom is the browser reporting a certificate error.

To avoid such resolution errors, you can switch upstream providers and use Cloudflare’s services. When using these services, make sure to adopt DoH or DoT protocols to prevent hijacking.

At the same time, you should disable the domestic upstream servers: because they are geographically closer and faster, AdGuard will otherwise prefer them.

Simply prepend a # to the IP of the corresponding upstream server to disable it.

After configuration, click Test upstreams to ensure the upstream servers are available, then click Apply once confirmed.

However, using only overseas servers will degrade the experience of domestic apps: they usually answer queries that arrive through overseas resolvers with servers designated for overseas users, which are slower to reach from within China.

If you only need to avoid resolution errors for commonly used services, you can manually specify a particular resolution address for domains that are incorrectly resolved; unspecified domains will continue to use the default domestic upstream servers.

In the AdGuard dashboard, go to Settings → DNS settings → Upstream DNS servers, add incorrectly resolved domains in the format [/example1.com/example2.com/]tls://1.0.0.1 under Custom DNS servers, then click Save configuration.

public2.adguardprivate.svc.cluster.local is our internally provided resolver without resolution errors, whose upstream is Cloudflare. Compared to users specifying an overseas upstream themselves, it offers faster resolution speeds at the cost of a small delay when domain records are updated. If you have no specialized requirements, you can use this resolver we provide.

If you prefer to use external resolvers such as Cloudflare or Google, you need to specify IP addresses using DoT/DoH. You can refer to the following:

#tls://1.1.1.1
tls://1.0.0.1
tls://[2606:4700:4700::1111]
tls://[2606:4700:4700::1001]
tls://[2606:4700:4700::64]
tls://[2606:4700:4700::6400]
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://[2606:4700:4700::1111]/dns-query
https://[2606:4700:4700::1001]/dns-query
#tls://8.8.8.8
#tls://8.8.4.4
tls://[2001:4860:4860::8888]
tls://[2001:4860:4860::8844]
tls://[2001:4860:4860::64]
tls://[2001:4860:4860::6464]
#https://8.8.8.8/dns-query
#https://8.8.4.4/dns-query
#https://[2001:4860:4860::8888]/dns-query
https://[2001:4860:4860::8844]/dns-query

Addresses commented with # are currently blocked by the firewall and unavailable.

This site fully supports IPv6, which is one of our advantages. You can use IPv6 upstream addresses for more stable resolution speeds.
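
Before clicking Apply, the upstream list can be checked offline for entries that would bypass the DoT/DoH and IP-address advice above. The following is an added example, not part of the original page or of AdGuard's own code; the function name lint_upstreams and the sample entries 192.0.2.53, dns.example and example3.com are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED = {"tls", "https"}  # DoT and DoH, the protocols recommended above
DOMAIN_PREFIX = re.compile(r"^\[/[^\]]*/\](.*)$")  # [/a.com/b.com/]upstream

# Constructed sample list; 192.0.2.53 and dns.example are placeholders.
SAMPLE = """\
#tls://1.1.1.1
tls://1.0.0.1
https://[2606:4700:4700::1111]/dns-query
192.0.2.53
tls://dns.example
[/example1.com/example2.com/]tls://1.0.0.1
[/example3.com/]192.0.2.53
"""

def lint_upstreams(text):
    """Return (line_no, upstream, problem) for every active risky entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank, or disabled with '#'
            continue
        m = DOMAIN_PREFIX.match(line)
        for up in (m.group(1) if m else line).split():
            if up == "#":  # "[/domain/]#" falls back to the default upstreams
                continue
            # A bare address has no scheme: AdGuard Home sends it plain DNS.
            parts = urlsplit(up if "://" in up else "udp://" + up)
            if parts.scheme not in ALLOWED:
                findings.append((no, up, "not DoT/DoH"))
                continue
            try:
                ipaddress.ip_address(parts.hostname or "")
            except ValueError:
                # A hostname must first be resolved via the bootstrap DNS.
                findings.append((no, up, "hostname, not IP"))
    return findings

if __name__ == "__main__":
    for no, up, problem in lint_upstreams(SAMPLE):
        print(f"line {no}: {up}: {problem}")
```

An empty result means every active entry, including domain-specific ones, is a DoT or DoH upstream addressed by IP.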