OpenWrt AdGuard Home 101 ( DNSMASQ )

Go reboot everything. If you have properly setup everything then DNS should be served by AGH and the only localhost/router queries you should see is the router itself. Everything else should be talking to AGH.

Because you are double looking up.

By making AGH the primary DNS it looks upstream for whatever provider you set it up with (and uses encrypted DNS and DNSSec), looks downstream to DNSMasq for internal DHCP addresses.

By having DNSMasq on 53 and AGH on 5353 you introduce another hop to dns and repeat effort. Also it doubles the load on the router and increases memory use as DNSMasq forks for every request.

As i have said previously, if AGH can sort their DHCP services out properly it would be far better to disable DHCP on OpenWRT and hand DNS and DHCP over fully to AGH.

Right now the recommended use is OpenWRTs DHCP and drop DNSMasq to background and let AGH be DNS.

Thank you! I also think with the guide setup, you can only see OpenWRT lookups and no IP specific lookups.

Would you mind sharing your dnsmasq settings?

Does the caching of dnsmasq matter now that its on the background?

I am now 10 minutes in Optimistic Caching feature and I still have an internet compared to the guide setup where when I enable Optimistic Caching, I lose internet connection after a minute or so.

OK - I will try the setup you are recommending and edit this tutorial accordingly - however your comment

I don't understand what you are doing with your list servers. pretty sure that 8080 one is wrong for starters.

I answered this in the guide

uci add_list dhcp.@dnsmasq[-1].server='' # Port used for Web Interface

Port used for Web Interface has been in every guide I have seen

Anyway - I will go back in The Lab - thanks

You are aware that NextDNS gives that functionality?

The *Privacy -> Blocklist* tab looks like this:

So it looks like you just need a NextDNS client on your router?

I mean you can use AGH and use NextDNS upstream but it seems more efficient to manage NextDNS from the control panel and have ONE dns controller instead of 2?

The NextDNS client on OpenWRT is problematic. Before discovering AdGuardHome, I have made a ticket on the NextDNS Support and I was recommended to use AdGuardHome and just using NextDNS as my upstream server.

Network Latency Issues - Philippines - Bug Reports - NextDNS Help Center


So my current setup:

  1. All devices that supports NextDNS (Apple devices mainly, will use the NextDNS Profile)
  2. All devices that do not natively support NextDNS or requires running an app to function goes to AGH.

Both NextDNS and AGH use the same list. OISD + 1Hosts (Lite).

In the end, I would be using NextDNS over AdGuard's browsing security service

And NextDNS just overtook Google in the DNS Performance Charts.

DNSMasq doesn't need to know about the web port. It only needs to talk to the dns server.

Luci runs on 80 by default. The reasoning for putting AGH on 8080 is so they don't conflict.

One thing i haven't bothered sorting out for my setup is that if you want SSL enabling you have to configure and setup both Luci and AGH and ensure they are on separate ports to avoid clashes.
As you rightly point out in your tutorial you must do a certificate and enable SSL if u want that option in AGH. I have avoided doing this as i am only serving internally. For those also using AGH externally SSL is a must.

Thanks for the information - I appreciate it


Ok. That makes more sense and I agree. My only point would be "if i'm using AGH and can use encrypted DNS from anywhere... why am i paying you?" :stuck_out_tongue:

Because at that point i'd honestly just point my upstream at Cloudflare and then configure my filters as i saw fit.

Ah true. But our household goes out most of the time and I can't setup my own VPN/Wireguard since our ISP only provide CGNAT IPs.

So having NextDNS as a reliable DNS was the best option, plus its performing very well.

DNS Performance - Compare the speed and uptime of enterprise and commercial DNS services | DNSPerf

Again, as I said above. I am also using NextDNS' AI for threat intelligence, etc.

1 Like

Thank you mercygroundabyss and directnupe!

1 Like

No problem.

I do suggest being careful with your filters however. Ideally i'd suggest you do filters via NextDNS only so you don't run into filter clashes between NextDNS and AGH.

If you require exceptions you can do that from AGH panel but you will also have to do that via NextDNS panel too.

1 Like

The other reason for bumping OpenWRTs DNSMasq out to background is because you run into the error that Nikojaro ran into in that all his DNS queries came from the router and he was unable to see the clients.

What we are doing is essentially replacing OpenWRTs DNS with AGH but still using OpenWRTs DNS to lookup DHCP clients.

Ideally in future we could disable OpenWRTs DNS and DHCP and move all that to AGH. They have done a number of fixes to the 107 branch. I may have a go at experimenting with the newer builds to see if we can simplify the setup further by just disabling DNS/DHCP and doing a full rip/replace that way.

With firewall rules you can see the clients.

I am going to follow your guidance and attempt the setup you have advised. I ran into a bit of a problem when trying to setup AGH. Do you advise moving DNSMASQ to port 5353 before AGH installation -

something like :

uci set 'dhcp.@dnsmasq[0].port=5353'
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci commit dhcp

because I originally followed brokenpipe from [HowTo] Running Adguard Home on OpenWrt

steps 2 OP - see below :

2. Configuration

After AdguardHome is started on the router, open the browser and start the AdGuard Home web interface

2.1 DNS Port
I have the Adguard Home DNS server running at

2.1 HTTP Port
web interface at

I just wonder will I be able to setup AGH after moving DNSMASQ to port 5353 - I guess I am asking when in the process should I change DNSMASQ port ?

Let me grab my script. I did similar to you in that i disabled ISP DNS upstream then moved DNSMasq.

However the gotcha is the exact steps. You have to pull and install AGH, then move DNSMasq, then configure AGH (and thus take over DNS). And then u have to tweak the listen addresses via the yaml file.

# Switch to Adguard setup
# Grab packages for AGH and updates.
opkg update
opkg install sudo ca-certificates ca-bundle curl wget tar unzip libustream-mbedtls libustream-openssl libwolfssl libustream-wolfssl

#grab and install AGH
curl -s -S -L | sh -s -- -c edge

#now move DNSMasq
uci set dhcp.@dnsmasq[0].cachesize='1000'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].server=''
uci set dhcp.@dnsmasq[0].port='5353'
uci add_list dhcp.lan.dhcp_option='6,' # DHCP option 6: which DNS (Domain Name Server) to include in the IP configuration for name resolution
uci add_list dhcp.lan.dhcp_option='3,' #DHCP option 3: default router or last resort gateway for this interface
uci set dhcp.lan.leasetime='24h' #24hr DHCP Leases
uci set network.wan.peerdns='0' #Do Not use ISP DNS
uci set network.wan.dns='' '' #set WAN dns to Cloudflare

uci commit dhcp
uci commit network
# Save changes

# Restart network + dnsmasq service to reflect changes
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

echo 'Goto and configure AdGuardHome.'

Missing from my script is ipv6 as my ISP still doesn't support it so you need to potentially edit those entries if your ISP properly supports it.

Thanks Friend


Factory reset my OpenWRT this morning to try this out. Works fine except when you use a DoH server you cannot update your opkg.

I fixed it by running

uci set network.wan.peerdns='0'
uci set network.wan.dns=''
uci set network.wan6.peerdns='0'
uci set network.wan6.dns='0::1'
uci commit && reload_config

I have my router dns pointed at cloudflare for this reason.
That way it can load the WAN connection and do updates and NTP while AGH loads.

While you can point it at your AGH you run into the issue of AGH being unavailable while the router brings up the wan connection and thus updates and ntp fails till AGH loads.

1 Like

Thanks again, I will test this out without updating any settings for the next 3 days.

Will report back and maybe we can update the guide to just use your script.

A lot simpler and no configurations needed to be made on DNSMasq aside from changing its ports.