Unbound / AdGuard / NextDNS

AdGuard/NextDNS require your primary DNS to be just a forwarder, so forget about recursion.
By the way, the Dnsmasq cache size can be easily adjusted to your needs.

1 Like

Are you saying that you can not use Unbound and set up the upstream resolver to be NextDNS? I thought that would give you speed from the Unbound recursive caching and ad blocking without any local resource impact by using NextDNS.

If the AdGuard package can both give me speed from caching, control over what filtering is in place for different clients, decent reporting/stats of e.g. what addresses are being blocked and won't exhaust CPU/RAM on my router, then that sounds like the answer.

If members of the household complain about specific blocks, how easy is it with AdGuard to diagnose and whitelist?

He is not saying that; you can use Unbound and set up NextDNS as the upstream resolver. But what is the point of replacing Dnsmasq, which will do the exact same thing?

1 Like

Hm. My approach is to put AdGuard on port 53, dnsmasq on 5353 and then add

[/my-local-domain.ext/]127.0.0.1:5353

(where my-local-domain.ext is the domain entered into OpenWRT's general settings for the local domain)

to AdGuard's list of upstreams, so AdGuard will forward requests for local hosts to dnsmasq but handle everything else natively. It's working well so far, cuts out the middleman and avoids the overhead of dnsmasq forking on every request.

2 Likes

OpenWRT will cache via dnsmasq as long as you have the caching set.

file: /etc/config/dhcp

config dnsmasq
	option nonegcache '0'
	option nonwildcard '1'
	option cachesize '1000'

AGH caches as well.

All configuration is listed there.

You can whitelist directly off the queries page (look for what's blocked, click unblock and boom, you're done).

Add as many or as few filters as you want (watch out for disk space and memory usage; I have about 140k filters).

file: /opt/AdGuardHome/AdGuardHome.yaml - filters section

filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: false
  url: https://adaway.org/hosts.txt
  name: AdAway Default Blocklist
  id: 2
- enabled: true
  url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
  name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
  id: 1625359387
- enabled: true
  url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
  name: Scam Blocklist by DurableNapkin
  id: 1625359388
- enabled: true
  url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
  name: The Big List of Hacked Malware Web Sites
  id: 1625359389
- enabled: true
  url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  name: https://github.com/StevenBlack/hosts
  id: 1625359390
- enabled: true
  url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
  name: https://firebog.net/  - OSINT.digitalside.it
  id: 1625359391
- enabled: true
  url: https://v.firebog.net/hosts/Easyprivacy.txt
  name: https://firebog.net/  - EasyPrivacy
  id: 1625359393
- enabled: false
  url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
  name: https://www.github.developerdan.com/hosts/
  id: 1633201708
- enabled: true
  url: https://phishing.army/download/phishing_army_blocklist.txt
  name: Phishing Army List
  id: 1635888815
whitelist_filters:
- enabled: true
  url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
  name: https://github.com/anudeepND/whitelist
  id: 1625359392

1 Like

Thanks for all of the info on AdGuardHome. I think I may have discovered a gotcha – in this guide, it says

I have about 75 MB RAM free, so that looks like a non-prospect.

It's recommended, but not required. Like I said, I have a 128 MB (50 MB free on a clean OpenWRT install) router and I manage fine. However, you do need at least about 40 MB of disk space free, not the 20 MB they say (the AGH binary is 35 MB currently).

OK. @mercygroundabyss posted a good link above to a tutorial for installing AdGuard. That tutorial is marked "(DNSMASQ)", and the same author has written another tutorial that describes how to install AdGuard with Unbound. He refers to Unbound as a "Ferrari"...so would seem to suggest that Unbound is better than dnsmasq.

Great, I'll give it a go when I get some spare time to fiddle. Thanks!

check my followup post (the 2nd one in the dnsmasq thread)

You don't need Unbound because you can do encrypted DNS from INSIDE AGH.

He grew up with doing DoQ via unbound and old habits die hard :stuck_out_tongue:

Oh, and just use his opkg list of apps and then jump to using the autoscript to install AGH edge 107.

It's really all you need to do, other than bouncing OpenWRT's dnsmasq to port 5353.
Then put AGH on 8080 (so it avoids LuCI) and let AGH take over port 53 for DNS.

The only other gotcha is to manually edit the interfaces (because they will bind to the WAN side for DNS as well; I really should PR that), so manually editing the yaml file once it is up is needed.

dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1
  - ::1
  port: 53

1 Like
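The two config points raised in this thread (the `[/my-local-domain.ext/]127.0.0.1:5353` upstream rule that hands local names back to dnsmasq, and the `bind_hosts` fix that stops AGH from listening on the WAN side) are easy to get wrong silently. The script below is an added example, not code from the thread or from AdGuard Home: it reads the relevant part of an `AdGuardHome.yaml` with a deliberately simplified line-based extractor (not a full YAML parser), flags bind hosts that are wildcards or outside the LAN prefix you pass in, and reports which upstream handles the local domain. The sample YAML, the `192.168.1.0/24` LAN prefix and the `lan` local domain are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the relevant part of an AdGuardHome.yaml, as it might
# look right after install (wildcard binds, which include the WAN interface).
SAMPLE_YAML = """\
dns:
  bind_hosts:
  - 0.0.0.0
  - ::
  port: 53
  upstream_dns:
  - '[/lan/]127.0.0.1:5353'
  - https://dns.nextdns.io/EXAMPLE-PROFILE-ID
"""

# Constructed sample after applying the fix discussed in the thread.
FIXED_YAML = """\
dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1
  - ::1
  port: 53
  upstream_dns:
  - '[/lan/]127.0.0.1:5353'
  - https://dns.nextdns.io/EXAMPLE-PROFILE-ID
"""

# AGH domain-specific upstream syntax: [/domain1/domain2/]upstream
UPSTREAM_RE = re.compile(r"^\[/(?P<domains>[^\]]+)/\](?P<target>.+)$")


def extract_list(text: str, key: str) -> list[str]:
    """Return the '- item' entries directly under 'key:'.

    Simplified, line-based extraction that is enough for the bind_hosts and
    upstream_dns blocks shown above; it is not a general YAML parser.
    """
    items, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == f"{key}:":
            in_block = True
            continue
        if in_block:
            if stripped.startswith("- "):
                items.append(stripped[2:].strip().strip("'\""))
            else:
                break
    return items


def exposed_bind_hosts(hosts: list[str], lan_networks: list[str]) -> list[str]:
    """Return bind hosts that are neither loopback nor inside a LAN prefix.

    Unspecified addresses (0.0.0.0, ::) count as exposed because they bind
    every interface, including WAN, turning the router into an open resolver.
    """
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    exposed = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr.is_unspecified:
            exposed.append(h)
        elif addr.is_loopback:
            continue
        elif not any(addr in n for n in nets):
            exposed.append(h)
    return exposed


def local_domain_upstream(upstreams: list[str], local_domain: str):
    """Return the upstream target that serves local_domain via a [/domain/] rule."""
    for u in upstreams:
        m = UPSTREAM_RE.match(u)
        if m and local_domain in [d for d in m.group("domains").split("/") if d]:
            return m.group("target")
    return None


def audit(text: str, lan_networks: list[str], local_domain: str) -> dict:
    """Summarise the two checks for one config text."""
    return {
        "exposed_bind_hosts": exposed_bind_hosts(extract_list(text, "bind_hosts"), lan_networks),
        "local_domain_upstream": local_domain_upstream(extract_list(text, "upstream_dns"), local_domain),
    }


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_YAML), ("after", FIXED_YAML)):
        print(label, audit(cfg, ["192.168.1.0/24"], "lan"))
```

Run it against your own file by reading `/opt/AdGuardHome/AdGuardHome.yaml` into `audit()` with your LAN prefix and the local domain from OpenWRT's general settings; an empty `exposed_bind_hosts` list and a `127.0.0.1:5353` local-domain upstream is the state the thread is aiming for.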

I amended my tutorial on DNSMASQ to reflect what you said here:

The only other gotcha is to manually edit the interfaces (because they will bind to the WAN side for DNS as well; I really should PR that), so manually editing the yaml file once it is up is needed.

I added this to the guide:

web_session_ttl: 720
dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1  # enter your LAN IP ADDRESS HERE
  - ::1
  port: 5353

and I gave you the credit.

Thanks as Always

1 Like

I for the first time "actually" set up AdGuardHome using DNSMASQ. I really tweaked the instructions so that everything is running and humming right along just great. I had a devil of a time trying to install / configure AdGuardHome on port 53. So, I went back to the first post in the OG thread by brokenpipe. I followed his / her instructions and put AdGuardHome on port 5353 and left dnsmasq on port 53. Anyway, you can look the guide over and see that I have made many improvements since it was first posted. So, please refer folks to the guide as the "definitive" go-to documentation from here forward in order to save the both of us any further undue and unnecessary inquiries from "confused" would-be users of AdGuardHome. After all, this was the main and primary purpose behind my writing these guides / tutorials in the first place.

Peace

Unbound is designed to handle thousands of users and is often used as a proxy or anycast intercept in front of public-facing authoritative servers. It does other fancy things. Once you defer to AdGuard to support a home WiFi network, that is all pointless. Let dnsmasq handle it. You may optionally like Unbound with adblock instead of an active third-party tool. Unbound's memory model can handle a huge static record set a bit better than dnsmasq, if you choose to download the larger block lists.

4 Likes

Exactly. Unbound, Stubby would extend DNSMasq and allow encrypted DNS.

If you are using AGH you can do that internally from AGH and you do not need those external programs.

Interestingly, it appears that NextDNS's client is somewhat lacking, and current guidance is to use AGH as a proxy with NextDNS as the upstream provider. So just install AGH, set up NextDNS as upstream, disable any filtering in AGH and you are done.

I have compiled an up-to-date OpenWrt and AGH install thread here:

Hi Directnupe: can you help me in setting up Unbound along with AdGuardHome on OpenWrt (RPi4), please? I tried to follow your guide, but somehow I end up breaking the internet, and in the end there is no internet and no ad blocking, and the Unbound setup is incomplete.

Please guide me.

Why is it so difficult to install Unbound in OpenWrt compared to Stubby? I could install and configure Stubby in under a minute, but almost never Unbound. Why? And there are not enough posts on the internet regarding this either.

I have tried any number of times to set up Unbound but finally gave up.

I am running Stubby with banIP and AdGuard with NextDNS as its upstream server. I am quite happy with its performance. I would have been even happier if the Unbound setup had finally worked for me. That's the only incomplete project I have right now with my adblock setup in my network.

To be frank, I couldn't get dnscrypt-proxy 2 to work either. Did you get dnscrypt-proxy 2 to work with OpenWrt? Also the anonymized DNS?

  1. First DNS hijacking to intercept DNS traffic.
  2. Replacing dnsmasq with odhcpd and Unbound doing the following in this guide:
    • Remove dnsmasq and use odhcpd for both DHCP and DHCPv6.
    • Use Unbound for DNS.
  3. Follow the Command-line instructions to install and enable Unbound.
  4. Install Unbound web interface and test.
  5. Install luci-app-adblock.

You just have to copy all the commands from the guides and paste them at the same time into your SSH client, and voilà.

2 Likes

Is it really that simple to install Unbound on OpenWrt? I was really lost in editing settings. I will try it today once I come back home.
Can you tell me how to use NextDNS in Unbound here? Do I have to edit any settings in Unbound, for example ext.conf / srv.conf?

Are you sure that I have to edit only what you have pointed out and nothing else? Just those commands over SSH and I am done setting up Unbound properly and working?

Thanks in advance

If you are using AdGuardHome as a NextDNS client, you do not need Unbound or Stubby. AGH replaces them entirely because it uses encrypted DNS calls if you set it up that way.

Hi. I agree with your point, but I literally see a huge difference in speed when opening a website and blocking ads while using Stubby / Unbound compared to AdGuard.
That's what is making me go after this Unbound installation or a dedicated DNS resolver.
Even after using DNS over QUIC in AGH, I am not finding it as fast as Stubby. That's my personal experience...
Maybe you can help with the Unbound setup. Can you?