I have both services running on OpenWrt, but the problem I have is that some sites do not load. For example, in TikTok I get "no internet connection" even though I do have internet access, and when I try to read the comments on videos they do not load on the first attempt but do load on the second. I do not know whether the problem is in unbound or in AdGuard; I tried to whitelist TikTok in AdGuard, but I still have the same problem.
You need to share the relevant configs first. Remember to remove any sensitive info like passwords or private keys:
ubus call system board
cat /etc/adguardhome.yaml
cat /etc/config/adguardhome
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/network
Also, why are you using Adguard (Home I presume) and unbound?
Take AdGuard's blocking out of the equation (disable it temporarily), and you'll know which component to blame.
But as @Dante said, why are you using them both?
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "Intel(R) N100",
"model": "Generic Device",
"board_name": "generic-board",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-xxxxxxxxxx",
"target": "x86/64",
"description": "OpenWrt 23.05.5 r24106-xxxxxxxxxx"
}
}
root@OpenWrt:~# cat /etc/adguardhome.yaml
http:
pprof:
port: 6060
enabled: false
address: 192.168.1.1:8080
session_ttl: 720h
users:
- name: redacted
password: REDACTED
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
bind_hosts:
- 192.168.1.1
- 127.0.0.1
port: 53
anonymize_client_ip: false
ratelimit: 0
ratelimit_subnet_len_ipv4: 24
ratelimit_subnet_len_ipv6: 56
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- 127.0.0.1:5335
upstream_dns_file: ""
bootstrap_dns:
- 9.9.9.10
- 149.112.112.10
- 2620:fe::10
- 2620:fe::fe:10
fallback_dns:
- 9.9.9.9:53
upstream_mode: load_balance
fastest_timeout: 1s
allowed_clients: []
disallowed_clients: []
blocked_hosts:
- version.bind
- id.server
- hostname.bind
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 0
cache_ttl_min: 0
cache_ttl_max: 0
cache_optimistic: false
bogus_nxdomain: []
aaaa_disabled: true
enable_dnssec: false
edns_client_subnet:
custom_ip: ""
enabled: false
use_custom: false
max_goroutines: 300
handle_ddr: true
ipset: []
ipset_file: ""
bootstrap_prefer_ipv6: false
upstream_timeout: 10s
private_networks: []
use_private_ptr_resolvers: true
local_ptr_upstreams:
- 127.0.0.1:1053
use_dns64: false
dns64_prefixes: []
serve_http3: false
use_http3_upstreams: false
serve_plain_dns: true
hostsfile_enabled: true
tls:
enabled: false
server_name: ""
force_https: false
port_https: 400
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
certificate_chain: ""
private_key: ""
certificate_path: ""
private_key_path: ""
strict_sni_check: false
querylog:
dir_path: ""
ignored: []
interval: 2160h
size_memory: 1000
enabled: true
file_enabled: true
statistics:
dir_path: ""
ignored: []
interval: 24h
enabled: true
filters:
- enabled: false
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
name: AdAway Default Blocklist
id: 2
- enabled: false
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt
name: HaGeZi's Ultimate Blocklist
id: 1739756669
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
name: OISD Blocklist Small
id: 1739756670
- enabled: false
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
name: 1Hosts (Lite)
id: 1739756671
whitelist_filters: []
user_rules:
- ""
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
filtering:
blocking_mode: refused
protection_enabled: true
log:
file: ""
max_backups: 0
max_size: 100
max_age: 3
compress: false
local_time: false
verbose: false
os:
group: ""
user: ""
rlimit_nofile: 0
schema_version: 28
root@OpenWrt:~# cat /etc/config/adguardhome
config adguardhome config
option workdir /var/adguardhome
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option port '1053'
option noresolv '1'
option server '127.0.0.1#5335'
option resolvfile '/tmp/resolv.conf.auto'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '3,192.168.1.1'
list dhcp_option '6,192.168.1.1'
list dhcp_option '15,lan'
option dns '192.168.1.1'
config odhcpd 'odhcpd'
option maindhcp '1'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/lib/unbound/odhcpd.sh'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Block-Public-DNS'
option src 'lan'
option dest 'wan'
option dest_port '53 853 5353'
option proto 'tcp udp'
option target 'REJECT'
option family 'any'
option enabled '1'
root@OpenWrt:~# cat /etc/config/network
At first, with AdGuard alone, it was fine, but after digging a bit deeper I found unbound. What caught my attention was that every query was answered from the cache and no longer from a third-party DNS; then I realized that AdGuard also caches. I also got carried away because others said it was better, among other things.
The network config is missing. You should add all configs separately.
I'm kind of confused what you were trying to do with this setup. Even before unbound.
So I see dnsmasq running on 5335, AdGuard on 53 with dnsmasq as upstream and no other upstreams, and `lan` using AdGuard DNS (`option dns '192.168.1.1'`) and advertising it to others (`list dhcp_option '6,192.168.1.1'`), which in turn uses dnsmasq as upstream.
Where's the unbound config and how does it fit into this?
I feel like it's easier to redo everything from scratch without unbound (AdGuard Home has an optimistic cache), as there might be more things wrong:
- Make Adguard Home the default DNS on 53, DoT on 853, etc.
- Put dnsmasq on something else like 54
- Don't set any DNS for `lan` (that `option dns '192.168.1.1'` line)
- Set secure upstreams in Adguard Home, e.g. tls://1.1.1.1
- Configure proper reverse DNS in Adguard Home (e.g. dnsmasq from the previous point on 127.0.0.1:54)
- Advertise Adguard Home through DHCP, e.g. `6,192.168.1.1`
- Optional: configure DNS hijacking to prevent DNS leaks
- Optional: once everything is working, put nginx in front of both LuCI and Adguard for TLS if you want them on the same port
In theory I should be using unbound, because I have followed these steps: https://youtu.be/d1HhcLCJ6gI?si=5qWGCP6cXFgCCg0o
What am I doing wrong? Is there a guide?
In theory, why are you even asking us, if you're going to ignore the replies you're getting?
Maybe it's the translation, since I don't speak English and Google Translate is a bit confusing.
There's a guide in the Wiki.
You shouldn't blindly follow guides (including the one in the Wiki) without understanding what you're doing. It seems the video you've mentioned is about unbound, and has nothing to do with Adguard Home. Try to have the basic setup working first (Adguard + dnsmasq), and once you understand all the moving parts (which server provides which data and why) and are unhappy with them, go from there.
I would even go one step back and first consider what you want to achieve.
I want ad blocking and secure DNS, so I am perfectly happy with an Adblock package and https-dns-proxy, which is a simpler solution than using Adguard (which of course also has its merits).