Unbound / AdGuard / NextDNS

Great, I'll give it a go when I get some spare time to fiddle. Thanks!

check my followup post (the 2nd one in the dnsmasq thread)

You don't need unbound cos you can do encrypted DNS from INSIDE AGH.

He grew up with doing DoQ via unbound and old habits die hard :stuck_out_tongue:

oh and just use his opkg list of apps and then jump to using the autoscript to install AGH edge 107.

It's really all you need to do, other than bouncing OpenWRT's dnsmasq to port 5353.
Then it's put AGH on 8080 (so it avoids luci) and let AGH take over port 53 for DNS.

Only other gotcha is to manually edit the interfaces (cos they will bind to the WAN side for DNS as well - I really should PR that), so manually editing the yaml file once it is up is needed.

dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1
  - ::1
  port: 53
1 Like
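An added check for the bind_hosts edit described in the post above (this is not code from any post in the thread): it reads the dns: block of an AdGuardHome.yaml and flags any address that would also answer on the WAN side (the wildcard 0.0.0.0 or ::, or an address outside the LAN), plus a port that collides with the one dnsmasq was bounced to. The LAN subnet 192.168.1.0/24 and dnsmasq on 5353 are assumed values.

```python
import ipaddress

# Constructed sample: the dns: block from the post above, plus a wildcard variant.
SAFE_YAML = """\
dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1
  - ::1
  port: 53
"""
WIDE_OPEN_YAML = SAFE_YAML.replace("192.168.1.1", "0.0.0.0")


def parse_dns_block(text):
    """Minimal reader for the dns: section (bind_hosts list and port only)."""
    hosts, port, in_dns, in_hosts = [], None, False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):  # a new top-level key
            in_dns, in_hosts = line.strip() == "dns:", False
        elif in_dns:
            item = line.strip()
            if item == "bind_hosts:":
                in_hosts = True
            elif item.startswith("- ") and in_hosts:
                hosts.append(item[2:].strip())
            else:  # any other key ends the bind_hosts list
                in_hosts = False
                if item.startswith("port:"):
                    port = int(item.split(":", 1)[1])
    return hosts, port


def audit_bind_hosts(text, lan_nets=("192.168.1.0/24",), dnsmasq_port=5353):
    """List problems with the binding; an empty list means it looks right.
    lan_nets and dnsmasq_port are assumed values (stock LAN, dnsmasq on 5353)."""
    hosts, port = parse_dns_block(text)
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    problems = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr.is_unspecified:
            problems.append(f"{h} binds every interface, WAN included")
        elif not (addr.is_loopback or any(addr in n for n in nets)):
            problems.append(f"{h} is neither loopback nor a LAN address")
    if port == dnsmasq_port:
        problems.append(f"port {port} collides with dnsmasq")
    return problems
```

Run it against your own AdGuardHome.yaml after the first web setup; a wildcard entry is the case the post warns about.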

I amended my tutorial on DNSMASQ to reflect what you said here :

Only other gotcha is to manually edit the interfaces (cos they will bind to the WAN side for DNS as well - I really should PR that), so manually editing the yaml file once it is up is needed.

I added this to guide :

web_session_ttl: 720
dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.1.1  # enter your LAN IP ADDRESS HERE
  - ::1
  port: 5353

and I gave you the credit

Thanks as Always

1 Like

I for the first time "actually" set up AdGuardHome using DNSMASQ. I really tweaked the instructions so that everything is running and humming right along just great. I had a devil of a time trying to install / configure AdGuardHome on Port 53. So, I went back to the first post in the OG thread by brokenpipe. I followed his / her instructions and put AdGuardHome on port 5353 - left dnsmasq on port 53. Anyway, you can look the guide over and see that I have made many improvements since it was first posted. So, please refer folks to the guide as the "definitive" go-to documentation from here forward in order to save both of us any further undue and unnecessary inquiries from "confused" would-be users of AdGuardHome. After all, this was the main and primary purpose behind my writing these guides / tutorials in the first place.

Peace

Unbound is designed to handle 1000s of users and is often used as a proxy or anycast-intercept to public facing authoritative servers. It does other fancy things. Once you defer to AdGuard to support a home WIFI network, that is all pointless. Let dnsmasq handle it. You may optionally like unbound with adblock instead of an active third party tool. Unbound's memory model can handle a huge static record set a bit better than dnsmasq, if you choose to download the larger block lists.

4 Likes

Exactly. Unbound, Stubby would extend DNSMasq and allow encrypted DNS.

If you are using AGH you can do that internally from AGH and you do not need those external programs.

Interestingly it appears that NextDNS's client is somewhat lacking and current guidance is to use AGH as a proxy, with NextDNS as an upstream provider. So just install AGH, set up NextDNS as upstream, disable any filtering in AGH and you are done.

I have compiled an up to date OpenWrt and AGH install thread here :

Hi Directnupe: can you help me in setting up Unbound along with AdGuardHome on OpenWrt (RPi4) pls. I tried to follow your guide, but somehow I end up breaking the internet, and in the end there is no Internet and no Adblocking, and the Unbound setup is not complete.

Pls guide me

Why is it so difficult to install Unbound in OpenWrt compared to Stubby? I could install and configure Stubby in under 1 minute, but almost never Unbound. Why? And there are not enough posts on the Internet regarding this either.

I have tried n number of times to setup Unbound but finally gave up.

I am running Stubby with Banip and Adguard with Nextdns as its upstream server. I am quite happy with its performance. I would have been even happier if the Unbound setup had finally worked out for me. That's the only incomplete project I have right now with my Adblock setup in my network.

To be frank I couldn't get Dnscrypt-Proxy 2 to work either. Did you get Dnscrypt-Proxy 2 to work with OpenWrt? Also the anonymous DNS?

  1. First DNS hijacking to intercept DNS traffic.
  2. Replacing dnsmasq with odhcpd and Unbound doing the following in this guide:
    • Remove dnsmasq and use odhcpd for both DHCP and DHCPv6.
    • Use Unbound for DNS.
  3. Follow the Command-line instructions to install and enable Unbound.
  4. Install Unbound web interface and test.
  5. Install luci-app-adblock.

You just have to copy all the commands from the guides and paste at the same time into your SSH Client and voila.

2 Likes

Is it really that simple to install Unbound on OpenWrt? I was really lost in editing settings. I will try it today once I come back home.
Can you tell me how to use Nextdns in Unbound here? Do I have to edit any settings in Unbound, for example ext.conf / srv.conf?

Are you sure that I have to edit only what you have pointed out and nothing else? Just those commands using ssh and I am done setting up Unbound and it is working?

Thanks in advance

If you are using AdGuardHome as a NextDNS client, you do not need unbound or stubby. AGH replaces them entirely because it uses encrypted DNS calls if you set it up that way.

Hi. I agree with your point, but I literally see a huge difference in processing / opening a website, in terms of speed in opening a website and blocking ads, while using Stubby / Unbound compared to adguard.
That's what is making me go after this Unbound installation or dedicated DNS resolver.
Even after using DNS over QUIC in AGH, I am not finding it as fast as Stubby. That's my personal experience...
Maybe you can help with the Unbound setup. Can you?

how can you notice/quantify this (without cmds)... I did perceive faster operation when switching from dnsmasq to agh... so yeah...

but how much more faster than that can it get?

Simplicity really.

unbound and stubby were THE way to do encrypted DNS when the standards were set and the push to encrypt DNS began. However they can be tricky to configure and are not easy if you have no knowledge of SSH or editing files under linux.

AGH rolls the DNS encryption into an adblocking client. Once installed it is far easier to configure due to having a webgui. It's one service to set up and maintain instead of multiple interconnecting ones.

Also if you are using NextDNS then AGH is the client they recommend to use as NextDNS's client is problematic.

Why not Adblock + Stubby (it also does DoT and encrypts the DNS requests AFAIK, right)?
Why are you suggesting Adblock + Dnscrypt-Proxy / Adblock + DoH? Does it have a faster processing speed and less latency compared to my method (Adblock + Stubby)? Pls elaborate, I want to know, that's why you may find my question silly....

You mean you have only OpenWrt + AGH installed for Adblocking and no other DNS resolver (DoH / DoT) installed. With your setup, you mean to say AGH is faster than dnsmasq. Is this what you are trying to say?

just making the observation/asking the question about how anything can be "noticeably" (much) faster than using AGH on its own...

i.e. how did you notice / test?
(unless I misunderstood the statement)

re-reading the above... what you are observing could be the difference of the former not blocking (much?) at all, or the latter having overloaded lists... etc... and not a reflection of dns much at all...

don't disagree with your claim... just trying to breakdown what exactly was behind the difference... and how you tested that...

And you are free to do it that way.

However AGH does more than just filtering.

You can use it to filter individual clients and apply different filtering depending on requirements (eg filter adult content)

1 Like

Yes that is the way you are supposed to set AGH up. OpenWrt's Dnsmasq becomes the local client resolver for PTR lookups and AGH becomes the primary DNS client with whatever upstream you set.

1 Like

Standards were only ratified recently. There are a few providers running DoQ servers but not many. It will most likely spread as services are added.

1 Like