I am about to embark on changing my DNS settings and would appreciate some feedback on what people have found to work best. I am using a TL-WDR3600 and not taxing it much - it's got about 60% memory free and the CPU tends to hover around 10-20%.
I am replacing a Pi-Hole as sinkhole and am looking for a local caching DNS solution to speed things up and also offer ad blocking. If it also adds some privacy (TLS) that would be icing on the cake.
I think I will combine Unbound with NextDNS as the upstream resolver. Some people on this forum have combined Unbound and AdGuard, or just gone with AdGuard on its own. I suppose you could combine Unbound, AdGuard and NextDNS so that fewer queries went to NextDNS per month, helping you stay on their free tier.
What are the pros/cons of different combinations of Unbound, AdGuard and NextDNS? What has worked for people?
If I do choose to combine Unbound with NextDNS, then I assume I should not install any NextDNS package but instead configure NextDNS in Unbound?
Just add AdGuardHome to your router, configure it to point at whatever upstreams you want (it does all the encrypted DNS, DoH, DoT, DoQ), add in your filters for adblocking and go on to doing something more important... like opening a new beer.
Use Cloudflare or Google or even any of the number of privacy-focused DNS providers that are free.
That's the most recent writeup to use AGH. All you have to do is move OpenWrt's dnsmasq to a different port and then use the installer script. I HIGHLY suggest you use the new 107 edge build and keep an eye on your disk space. Do NOT use the OpenWRT opkg package. It is version 104 and every time you reboot your router you will have to re-setup AGH as it stores its config in /tmp.
(edit) AGH team are working on improving their DHCP setup so long term you'd just disable DHCP on OpenWRT and handle it all from AGH. Right now that's not advisable unless you have a simple setup as their DHCP is kinda limited and no match for the OpenWRT setup.
I thought that the small cache in dnsmasq could not compare to the full recursive server capability of Unbound – in other words, I thought that dnsmasq only caches a small amount of addresses and many need to be passed on, while Unbound would be able to answer a lot more itself without using upstream servers. Have I misunderstood?
Are you saying that you can not use Unbound and set up the upstream resolver to be NextDNS? I thought that would give you speed from the Unbound recursive caching and ad blocking without any local resource impact by using NextDNS.
If the AdGuard package can both give me speed from caching, control over what filtering is in place for different clients, decent reporting/stats of e.g. what addresses are being blocked and won't exhaust CPU/RAM on my router, then that sounds like the answer.
If members of the household complain about specific blocks, how easy is it with AdGuard to diagnose and whitelist?
Hm. My approach is to put AdGuard on port 53, dnsmasq on 5353 and then add
(where my-local-domain.ext is the domain entered into OpenWRT's general settings for the local domain)
to AdGuard's list of upstreams, so AdGuard will forward requests for local hosts to dnsmasq but handle everything else natively. It's working well so far, cuts out the middleman and avoids the overhead of dnsmasq forking on every request.
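A constructed AdGuardHome.yaml excerpt (added here; not the poster's or the AdGuard project's own config) showing the split described above: AdGuard on port 53, dnsmasq moved to 5353 and only consulted for the local domain, and an encrypted upstream for everything else. `my-local-domain.ext`, the `192.168.0.0/16` reverse zone and `PROFILE-ID` are placeholders, and the `uci` commands in the comment assume OpenWrt's default dnsmasq instance.

```yaml
# AdGuardHome.yaml excerpt (constructed example). Only the keys shown here
# are relied on: dns.bind_hosts, dns.port, dns.upstream_dns,
# dns.bootstrap_dns and dns.cache_size.
dns:
  bind_hosts:
    - 0.0.0.0          # listen on every router interface
  port: 53             # AdGuard Home takes over the standard DNS port

  upstream_dns:
    # Local zone: names under the OpenWrt local domain, plus reverse lookups
    # for the LAN, are answered by dnsmasq (DHCP leases, /etc/hosts).
    # dnsmasq was moved off port 53 first with:
    #   uci set dhcp.@dnsmasq[0].port='5353'
    #   uci commit dhcp && /etc/init.d/dnsmasq restart
    - '[/my-local-domain.ext/]127.0.0.1:5353'
    - '[/168.192.in-addr.arpa/]127.0.0.1:5353'   # reverse zone for 192.168.0.0/16

    # Everything else goes to an encrypted (DoT) upstream. PROFILE-ID is a
    # placeholder for a NextDNS profile; any DoT/DoH provider works here.
    - 'tls://PROFILE-ID.dns.nextdns.io'

  # Plain-DNS resolver used only once, to resolve the DoT hostname above.
  bootstrap_dns:
    - 1.1.1.1

  # Local cache (bytes) so repeat lookups are answered on the router and
  # never counted against the upstream provider's query quota.
  cache_size: 4194304
```

Clients keep receiving the router's address from DHCP as their DNS server, so nothing changes on the LAN side; only the router's own listener moves from dnsmasq to AdGuard Home.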
It's recommended, but not required. Like I said, I have a 128 MB (50 MB mem free on clean OpenWRT install) router and I manage fine. However you do need at least about 40 MB disk space free, not the 20 MB they say (the AGH binary is 35 MB currently).
OK. @mercygroundabyss posted a good link above to a tutorial for installing AdGuard. That tutorial is marked "(DNSMASQ)", and the same author has written another tutorial that describes how to install AdGuard with Unbound. He refers to Unbound as a "Ferrari"... so it would seem to suggest that Unbound is better than dnsmasq.
I for the first time "actually" set up AdGuardHome using DNSMASQ. I really tweaked the instructions so that everything is running and humming right along just great. I had a devil of a time trying to install / configure AdGuardHome on port 53. So, I went back to the first post in the OG thread by brokenpipe. I followed his / her instructions and put AdGuardHome on port 5353 and left dnsmasq on port 53. Anyway, you can look the guide over and see that I have made many improvements since it was first posted. So, please refer folks to the guide as the "definitive" go-to documentation from here forward in order to save the both of us any further undue and unnecessary inquiries from "confused" would-be users of AdGuardHome. After all, this was the main and primary purpose behind my writing these guides / tutorials in the first place.
Unbound is designed to handle thousands of users and is often used as a proxy or anycast intercept in front of public-facing authoritative servers. It does other fancy things. Once you defer to AdGuard to support a home Wi-Fi network, that is all pointless. Let dnsmasq handle it. You may optionally like Unbound with adblock instead of an active third-party tool. Unbound's memory model can handle a huge static record set a bit better than dnsmasq, if you choose to download the larger block lists.