OpenWrt AdGuard Home 101 ( DNSMASQ )

I have my router dns pointed at cloudflare for this reason.
That way it can load the WAN connection and do updates and NTP while AGH loads.

While you can point it at your AGH you run into the issue of AGH being unavailable while the router brings up the wan connection and thus updates and ntp fails till AGH loads.

1 Like

Thanks again, I will test this out without updating any settings for the next 3 days.

Will report back and maybe we can update the guide to just use your script.

A lot simpler and no configurations needed to be made on DNSMasq aside from changing its ports.

Would you mind elaborating on this?

1 Like


Which entries in the yaml file do you suggest to tweak after AGH configuration in its GUI?

I can also see that your settings for dnmasq use different index (dhcp.@dnsmasq[0]) from the ones suggested by directnupe (dhcp.@dnsmasq[-1]). What are the reasons for this?


By default AGH in its setup asks you what interfaces to bind to. It either lets you select a single interface or ALL interfaces. (That means if your WAN interface is up you will have DNS listening there. There is an issue in for that to be selectable so you can deselect WAN interfaces. Its currently filed as an improvement for the 108 version i believe)

bind_port: 8080
beta_bind_port: 3001


  - ::1
  port: 53

That config binds AGH to and serves DNS on localhost, and ipv6 ::1

As for the dnsmasq it is just down to the individual router configs. As long as your dnsmasq config id's match its fine.

uci show dhcp

from a ssh shell will list your config.

Other entries you can add are filters. I believe my filter list is around somewhere. I've posted it multiple times. Filters are a personal preference and limited by how much memory your router has. You can also add filters via the AGH interface but i'm lazy and just mass update mine via the yaml file.

That details the yaml file contents if you want to find out more.

Thanks! This works indeed well. Why would you leave as DNS bind host?

As a backup so the router can use AGH. Should pickup any stray requests.

However if you have setup OpenWrt to use Cloudflare or your ISPs DNS services then it shouldnt require it. Its a catch all really. (And the reason you setup OpenWrt to use a different upstream is so when it brings up your connection it can do NTP and updates as AGH will still be loading.)

1 Like


These are words of wisdom indeed.

If one follows the YouTube video

one would get into the situation where OpenWrt cannot update NTP on boot.

On a different note: if clients on LAN use their own DNS and not the system DNS (i.e. not the DNS provided by OpenWrt router and AGH), is it possible to direct these requests to AGH, too?

For example, a browser is set to use its own DNS, most likely not the plain text DNS, but secured DNS. Is it possible to resolve such requests through AGH?

[OpenWrt Wiki] DNS hijacking

Thanks! Seems like this is possible, but will need to go down the rabbit hole to figure out how :slight_smile: Perhaps, you might have come across a ready solution elsewhere?

1 Like

Major Revision To This Guide / Tutorial
Rationale For Major Revision To This Guide / Tutorial
Read Post # 24 in this thread from mercygroundabyss below :

By using AGH on Port 5353 this routing behavior is put into effect :

Because you are double looking up (  DNS queries - with  AGH on Port 5353 ). 
By making AGH the primary DNS ( meaning AGH on Port 53 ) AGH looks upstream 
for whatever provider you set AGH up with (and uses encrypted DNS and DNSSEC), 
and ( AGH ) looks downstream to DNSMASQ for internal DHCP addresses.

By having DNSMASQ on port 53 and AGH on port 5353 you introduce another 
hop to DNS and repeat effort. Also it doubles the load on your router 
and increases memory use as DNSMASQ forks for every request.

I corrected instructions on the tutorial as per your rationale and instructions concerning moving DNSMASQ port ( to port 5353 ) and keeping AGH on Default DNS Port 53 - thanks once again for all you do to advance this project for all of us

Peace and Stay Safe - God Bless


I finally redid all my work and posted up a new thread if you wanted to read exactly how I did things.

1 Like

The closest thing that has ever worked to DNS hijacking is blocking all external DNS servers.

Hi Directnupe: great write up. But I have a question regarding the Unbound setup with Adguardhome in openwrt. I read your guide and I am struck at issuing the last 3 commands after editing Unbound configs to save and apply those settings.
Can you please tell me where should I issue those commands??? Because in ssh it says command unknown.
And also can you please tell me what kind of config adjustments I should do in Unbound for my Rpi4 as Router ( because you have told that to adjust the parameters according to your router)

I once again thank you for your hard work and dedication in helping the people in this forum.

Thanks in advance

Thanks for the tip around making AdGuardHome the main DNS and not having dnsmasq use AGH as an upstream. DNS latency went from around 33ms to 19ms, I didn't know this would have such a performance hit with dnsmasq forking each request until recently and the stats clearly show it. I originally kept dnsmasq as the primary due to using ipset policies, however it appears AdGuardHome supports ipset as well like dnsmasq, so I can basically reduce dnsmasq to local/internal or rDNS requests only.

I must say after using Pi-Hole, Adblock, Stubby etc. AGH seems to be the best package so far that does it all i.e. Adblocking, DNSSEC validation, DoH/DoT in one single package. Hopefully once the 107 release is merged into 21.02, the opkg package will make installation much easier. Currently, it's got a broken binary with 106.3, so you can install the opkg package but have to overwrite the binary from GitHub but you can take advantage of the startup script, config etc.

or just follow this? [How-To-Updated 2021] Installing AdGuardHome on OpenWrt

Because last time i looked, openwrt installs okpg AGH to tmp folder
so every time you reboot. you have to redo AGH.

The opkg package writes the configuration to /etc/ so that won't be lost on a reboot.

But logs and stats will be stored in /tmp yes, so you'll lose those.

The configuration of AGH is persistent though, so you don't have to set it up each time no. You will however want to add /etc/adguardhome.yaml to your backup file list though for sysupgrades.

1 Like