OpenWrt AdGuard Home 101 ( DNSMASQ )

RE :

Also you should warn users that your changes
 will make AGH the primary webserver on their 
router and move luci's interface to port 8080 
(and also its https interface if you use AGH secure interface)

Luci is still available on Port 1443 in the example that I gave in the tutorial. I then can log into AGH on Port 8080 without Encryption and if Encryption enabled AGH Login = Port 443
There is an option to enable automatic HTTPS REDIRECT in the AGH WEB GUI under Settings > Encryption. Just trying to set the record straight.


1 Like

thats fine. Just explaining what you are doing and why is important when you integrate products like this which change how users have been using their device. Its why when i did my posts i tried to always explain why and what was changed so they understood what was happening.

1 Like

Good Idea - I will go back and clean up the finer points in the very near future. Thanks for your advice and guidance.

1 Like

Any idea how/when blocked sites are classified as threats? So far none of the blocks logged show up as "phishing sites" or whatever, even when the site was blocked because of being in a phishing list.

After a few days the status page still shows "0 malware/phishing sites blocked", even after adding, which I tested by deliberately visiting a few sites in the list. They were blocked as they should be, but not logged as phishing sites and that number remains 0.

Is this classification scheme only for Adguard's own lists?

Its for using their DNS which gives those definitions.

You will only see Blocked lists showing for your results from your filter lists.

If you enable the browsing security and parental control options from under the settings then you will get those counters updating as it uses AGH DNS to do it.

(edit) its explained here in their blog :


Limited space routers.

AGH binary takes up 35mb and during its update it will download the new binary compressed, backup your old binary and then extract and replace the old binary with the new one. This means you require 35mb x2 and the compressed file space and extraction space.

To manually do this, do an upgrade from the control panel and look for what version it wants to upgrade to in your syslog.

AdGuardHome[5830]: 2021/11/10 16:03:30.149784 [info] Updating from v0.107.0-a.199+2fc10848 to v0.107.0-a.203+6fd9e72f. URL:

SSH into your router and stop AGH.

/etc/init.d/AdGuardHome stop

download the new version to your routers /tmp area or to your laptop/pc. Then either unpack AGH binary from the compressed download over the existing binary or unpack the binary on your laptop/pc and copy it over the existing binary using something like WinSCP or equivalent.

Now restart AGH.

/etc/init.d/AdGuardHome start

(Edit) commands to do this below.

#Stop AGH
/etc/init.d/AdGuardHome stop 

#Grab updated AGH from server and save to /tmp
wget -P /tmp

#unzip updated file over top of AGH in /opt
tar x -vzf /tmp/AdGuardHome_linux_mips_softfloat.tar.gz -C /opt

#cleanup /tmp
rm /tmp/AdGuardHome_linux_mips_softfloat.tar.gz

#Restart AGH
/etc/init.d/AdGuardHome start

With the new "Optimisitc Caching" feature, can we make it work with OpenWRT's DNSMasq?

I have tried disabling the cache feature on DNSMasq (set to 0) and enabling Optimisitic Caching. However, I am getting issues and losing connectivity to the internet.

With Optimisitic Caching disabled. And DNSMasq set to 8192 cache (as recommended in the guide), everything is working smoothly albeit 80ms average processing time.

I am looking to make it 30ms or below by enabling the feature of Optimisitc Caching.


Does it really work like this?

that looks like you are feeding all dns requests via your routers dnsmasq instead of directly to AGH.

I just followed the guide using a freshly formatted OpenWRT. Do I need to disable dnsmasq?


Is your AGH your primary DNS? or the Router primary DNS?

if you have AGH installed on router just move dnsmasq to port 5353 and make AGH primary DNS on port 53.

If AGH is on a separate machine just make it a DHCP option.

uci add_list dhcp.lan.dhcp_option='6,' 
uci add_list dhcp.lan.dhcp_option='3,' 

uci commit dhcp

/etc/init.d/dnsmasq restart

I don't understand what you are doing with your list servers. pretty sure that 8080 one is wrong for starters.

1 Like

Then in AGH do this. That will tell AGH to look at DNSMasq 5353 to look up internal lan names.
(Edit change from localhost to whatever ip you have your AGH on if it is NOT on the local router)

1 Like
  1. Is your AGH your primary DNS? or the Router primary DNS?

I want AGH to be my primary DNS while using NextDNS as my upstream server (paid for a subscription and I'm using this when I'm on cellular data)

  1. if you have AGH installed on router just move dnsmasq to port 5353 and make AGH primary DNS on port 53.

  2. I have AGH on my router, I just moved DNSMasq to port 5353 using

root@OpenWrt:~# uci set dhcp.@dnsmasq[0].cachesize='1000'
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv='1'
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].server=''
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].port='5353'
root@OpenWrt:~# uci commit dhcp
  1. I don't understand what you are doing with your list servers. pretty sure that 8080 one is wrong for starters.

I followed the guide here:

Thank you!

Just double check your AGH yaml file to ensure its looking at the correct ports. (This is usually done on install and is as of yet not able to be redone via webinterface once it is installed. It is marked as a ToDo on AGH issues page however)

Also do the fix i mentioned above so AGH can lookup your internal clients DNS.

  - ::1
  port: 53

(Edit : I do have one question however. Why are you using AGH when NextDNS does similar to AGH?)

It is. Thank you! Everything is working and I'm now getting 10ms average processing time, but I think it is skewed cos most of the requests are done locally. lol


Is this normal? Can I hide these requests counts on the DNS queries to get the real average processing time.

EDIT: I'll give you guys an update soon. Hopefully my issue can help others since I did a fresh image of the latest OpenWRT 21.0.2 with factory defaults and installed AdGuardHome first doing sqm, etc.

Look a here - go to here BowserLeaks to test your DNS :

Here is what I get to prove that AdGuardHome is using the specified Upstream DNS Servers in my


configuration file - I only am using one due to file limits

This DNS Leak Test -

BowserLeaks is the best - I do not know why mercygroundabyss tries to complicate this - you are asking about caching - which is different than setting up AdGuardHome itself on OpenWRT using DNSMASQ . There is more than one way to fry chicken. Moving DNSMASQ to port 53 is ill advised.
The original guide uses Port 5353 for AdGuardHome and this is the best practice. It works

Go reboot everything. If you have properly setup everything then DNS should be served by AGH and the only localhost/router queries you should see is the router itself. Everything else should be talking to AGH.

Because you are double looking up.

By making AGH the primary DNS it looks upstream for whatever provider you set it up with (and uses encrypted DNS and DNSSec), looks downstream to DNSMasq for internal DHCP addresses.

By having DNSMasq on 53 and AGH on 5353 you introduce another hop to dns and repeat effort. Also it doubles the load on the router and increases memory use as DNSMasq forks for every request.

As i have said previously, if AGH can sort their DHCP services out properly it would be far better to disable DHCP on OpenWRT and hand DNS and DHCP over fully to AGH.

Right now the recommended use is OpenWRTs DHCP and drop DNSMasq to background and let AGH be DNS.

Thank you! I also think with the guide setup, you can only see OpenWRT lookups and no IP specific lookups.

Would you mind sharing your dnsmasq settings?

Does the caching of dnsmasq matter now that its on the background?

I am now 10 minutes in Optimistic Caching feature and I still have an internet compared to the guide setup where when I enable Optimistic Caching, I lose internet connection after a minute or so.