How to set up AdGuard Home and Unbound?

Hello,

I have set up AdGuard Home following this guide: https://openwrt.org/docs/guide-user/services/dns/adguard-home

I would like to set up Unbound alongside it for better privacy; however, the Unbound-with-DoT guide does not cover Unbound + AGH.

I used Claude to help with the setup, verifying what it was saying as I went along, and at first all was fine, but after a few hours everything went wrong, so I reset the router and started fresh.

My OpenWrt router is connected to my ISP router, which connects to a modem.

Any guidance around this?

OpenWrt router: Flint 2 MT6000
ISP Router: SR213

Thank you!

1 Like

AFAIK AGH supports DoT/DoH; what does Unbound provide on top of that?

1 Like

Full recursion, so no upstream provider sees my queries at all, and QNAME minimisation, which reduces what each DNS server in the chain sees.

1 Like

Even if old, it's probably still pretty accurate: OpenWrt AdGuard Home 101 (UNBOUND).

Just use the adblock package with LuCI and native Unbound support ... and give AdGuard a miss (it's just bloated Go code).

4 Likes

My assumption was that AGH is the go-to solution everyone uses.

I can see LuCI has adblock + luci-app-adblock and adblock-fast + luci-app-adblock-fast.

Which one of these is recommended?

Not at all; AGH is a resource and memory hog.

Sure, you want adblock and secure DNS, but with an adblock package like adblock and luci-app-adblock, and https-dns-proxy or another secure DNS resolver like Unbound, you are good to go.

2 Likes

AGH is the bloated solution for routers with too much flash space and free RAM.

3 Likes

I've gone with adblock.

Are these the only settings I need to change to get it working with Unbound and dnsmasq?

firewall.@redirect[0].name='Intercept-DNS'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='53'
firewall.@rule[15].name='Block-Public-DNS'
firewall.@rule[15].src='lan'
firewall.@rule[15].dest='wan'
firewall.@rule[15].dest_port='53 853 5353'
firewall.@rule[15].target='REJECT'
firewall.@rule[15].proto='tcp udp'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'

Thank you.
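As an added example (not code from the thread or from the adblock project), here is a POSIX shell checker that reads a "uci show firewall" dump such as the lines posted above and reports whether both halves of the intercept are present: the DNAT redirect that pulls LAN port-53 traffic to the router, and the REJECT rule that stops LAN clients reaching outside resolvers on 53 and 853. The function names and the two sample dumps (one mirroring the posted config, one with the 853 port left out) are constructed here, and the script assumes OpenWrt's default of "tcp udp" when a rule or redirect omits proto.

```shell
#!/bin/sh
# Added example (not from the thread): validate a "uci show firewall" dump
# for the two parts of the DNS-intercept setup. Function names and the
# sample dumps below are assumptions constructed for this example.

# Reads "uci show firewall" lines on stdin, prints a verdict, and returns 0
# only if both the DNAT redirect (lan:53 -> router:53) and the REJECT rule
# (lan -> wan, tcp+udp, ports 53 and 853) are present.
check_dns_intercept() {
    awk -F"'" '
    # Each line is key=value with the value in single quotes; with the quote
    # as field separator, $1 is the key (plus "=") and $2 is the value.
    {
        key = $1; sub(/=$/, "", key)
        val = $2
        sub(/^firewall\./, "", key)
        n = index(key, ".")
        if (n == 0) next               # section line (e.g. @rule[15]=rule), no option
        sec = substr(key, 1, n - 1)    # e.g. @redirect[0]
        opt = substr(key, n + 1)       # e.g. src_dport
        cfg[sec, opt] = val
        secs[sec] = 1
    }
    # Does a space-separated port list contain port p?
    function has_port(list, p,    i, n2, a) {
        n2 = split(list, a, " ")
        for (i = 1; i <= n2; i++) if (a[i] == p) return 1
        return 0
    }
    # proto option with the OpenWrt default of tcp udp applied (assumption noted above)
    function proto_of(s) { return (cfg[s, "proto"] == "" ? "tcp udp" : cfg[s, "proto"]) }
    END {
        redirect_ok = 0; block_ok = 0
        for (s in secs) {
            # dest_port may be omitted on a redirect: the port is then left as-is (53)
            if (cfg[s, "target"] == "DNAT" && cfg[s, "src"] == "lan" &&
                cfg[s, "src_dport"] == "53" && cfg[s, "dest_ip"] != "" &&
                (cfg[s, "dest_port"] == "53" || cfg[s, "dest_port"] == "") &&
                proto_of(s) ~ /tcp/ && proto_of(s) ~ /udp/)
                redirect_ok = 1
            if (cfg[s, "target"] == "REJECT" && cfg[s, "src"] == "lan" &&
                cfg[s, "dest"] == "wan" &&
                has_port(cfg[s, "dest_port"], "53") && has_port(cfg[s, "dest_port"], "853") &&
                proto_of(s) ~ /tcp/ && proto_of(s) ~ /udp/)
                block_ok = 1
        }
        msg = ""
        if (!redirect_ok) msg = "DNAT redirect lan:53 -> router:53"
        if (!block_ok) msg = msg (msg == "" ? "" : "; ") "REJECT rule lan->wan tcp/udp 53,853"
        if (msg == "") { print "ok: redirect and block rule present"; exit 0 }
        print "missing: " msg
        exit 1
    }'
}

# Constructed sample mirroring the configuration posted in the thread.
sample_from_thread() {
cat <<'EOF'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='Intercept-DNS'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='53'
firewall.@redirect[0].target='DNAT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Block-Public-DNS'
firewall.@rule[15].src='lan'
firewall.@rule[15].dest='wan'
firewall.@rule[15].dest_port='53 853 5353'
firewall.@rule[15].proto='tcp udp'
firewall.@rule[15].target='REJECT'
EOF
}

# Constructed sample with a common gap: the block rule covers plain DNS only,
# so LAN clients could still reach outside DoT resolvers on 853.
sample_no_dot_block() {
cat <<'EOF'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].target='DNAT'
firewall.@rule[15]=rule
firewall.@rule[15].src='lan'
firewall.@rule[15].dest='wan'
firewall.@rule[15].dest_port='53'
firewall.@rule[15].target='REJECT'
EOF
}

# On the router: uci show firewall | sh dns-intercept-check.sh --live
# Offline demo of both samples: sh dns-intercept-check.sh --demo
case "${1:-}" in
    --live) check_dns_intercept ;;
    --demo) sample_from_thread | check_dns_intercept
            sample_no_dot_block | check_dns_intercept ;;
esac
```

The checker only looks at plain DNS (53) and DoT (853); DoH rides on 443 and cannot be told apart from ordinary HTTPS by port alone, which is why the adblock "Firewall Settings" approach mentioned later in the thread is the simpler place to manage this.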

The thing is, AdGuard Home uses about 30 MB of space. In my case I found a Linksys MX4300 for $20; that model has 2 GB of space and with OpenWrt 25 it is running like a dream machine. My ideal device would be a fast CPU with 3 GB of memory and the form factor of an MR7350.
Glad to hear you got things working for you.

Add another $10 and you get 5GB (512MB + 4.5GB) when you buy the SAX1V1K.

Just note: you can handle the firewall stuff much more effectively in adblock as well. Check the readme and the "Firewall Settings" tab, e.g. for a VLAN-segregated setup:

2 Likes

That should clean things up nicely!

I was also setting rules to intercept DoH :sweat_smile:

THAT is very true.

Question for BrokenRouter. I am wondering whether, with those options, the DNS processing for the queries is parallel? Because after reading how you did it, I am considering following your steps there, I mean if it is working fine for you.

Sorry, I do not mean to hijack this thread.

Frolic, I see the Spectrum SAX1V1K supports OpenWrt; have you played with this device?
https://openwrt.org/toh/spectrum/sax1v1k

Looks interesting, and coming from Spectrum it should get pretty popular; actually, I looked it up and found a couple of units being sold on eBay at around 35 dollars.

But doing a deep search I found this model, Spectrum WiFi 7 Tri Band SBE1V1K, for about 55 dollars. Frollic, you are a godsend, man!!! I had no idea about these devices. Thank you.

Just a heads-up: SBE isn't supported (WIP); SAX is.

Both are a PITA to flash :slight_smile:

Everything was working fine until today; the router rebooted and now I am offline. I need to investigate the cause.

The ISP router is fine and connects to the internet; the Flint 2 seems to be the issue.

If pinging IPs from the clients works, but not FQDNs, DNS is down, one way or the other.

Looks to be, although Unbound is online; not sure why requests are not routing.