Unbound / AdGuard / NextDNS

I am about to embark on changing my DNS settings and would appreciate some feedback on what people have found to work best. I am using a TL-WDR3600 and not taxing it much - it's got about 60% memory free and the CPU tends to hover around 10-20%.

I am replacing a Pi-Hole as sinkhole and am looking for a local caching DNS solution to speed things up and also offer ad blocking. If it also adds some privacy (TLS) that would be icing on the cake.

I think I will combine Unbound with NextDNS as the upstream resolver. Some people on this forum have combined Unbound and AdGuard, or just gone with AdGuard on its own. I suppose you could combine Unbound, AdGuard and NextDNS so that fewer queries went to NextDNS per month, helping you stay on their free tier.

What are the pros/cons of different combinations of Unbound, AdGuard and NextDNS? What has worked for people?

If I do choose to combine Unbound with NextDNS, then I assume I should not install any NextDNS package but instead configure NextDNS in Unbound?

You are planning to forward DNS to AdGuard or NextDNS anyway.
So, what is the purpose of replacing Dnsmasq with Unbound?


Why make it complicated?

Just add AdGuardHome to your router, configure it to point at whatever upstreams you want (it does all the encrypted DNS, DoH, DoT, DoQ), add in your filters for adblocking and go on to doing something more important... like opening a new beer.

Use Cloudflare or Google or even any of the number of privacy-focused DNS providers that are free.

That's the most recent writeup to use AGH. All you have to do is move OpenWRT's dnsmasq to a different port and then use the installer script. I HIGHLY suggest you use the new 107 edge build and keep an eye on your disk space. Do NOT use the OpenWRT opkg package. It is version 104 and every time you reboot your router you will have to set up AGH again, as it stores its config on /tmp.

(edit) AGH team are working on improving their DHCP setup, so long term you'd just disable DHCP on OpenWRT and handle it all from AGH. Right now that's not advisable unless you have a simple setup, as their DHCP is kinda limited and no match for the OpenWRT setup.

1 Like

I was looking to NextDNS to give me some analysis and control, which is why I was not going for Google.

I thought that it would speed up (some) requests by caching.

The DNS caching feature is enabled in Dnsmasq by default.
Perhaps you have other reasons?


What sort of control are you wanting? Statistics? Or adblocking and filtering?

Look at the Stats pic they have. Is that what you are after?


I thought that the small cache in dnsmasq could not compare to the full recursive server capability of Unbound – in other words, I thought that dnsmasq only caches a small amount of addresses and many need to be passed on, while Unbound would be able to answer a lot more itself without using upstream servers. Have I misunderstood?

AdGuard/NextDNS require your primary DNS to be just a forwarder, so forget about recursion.
By the way, the Dnsmasq cache size can be easily adjusted to your needs.

1 Like

Are you saying that you cannot use Unbound and set up the upstream resolver to be NextDNS? I thought that would give you speed from the Unbound recursive caching and ad blocking without any local resource impact by using NextDNS.

If the AdGuard package can both give me speed from caching, control over what filtering is in place for different clients, decent reporting/stats of e.g. what addresses are being blocked and won't exhaust CPU/RAM on my router, then that sounds like the answer.

If members of the household complain about specific blocks, how easy is it with AdGuard to diagnose and whitelist?

He is not saying that; you can use Unbound to set up NextDNS to be the upstream resolver. But what is the point of replacing Dnsmasq, which will do the exact same thing?

1 Like

Hm. My approach is to put AdGuard on port 53, dnsmasq on 5353 and then add


(where my-local-domain.ext is the domain entered into OpenWRT's general settings for the local domain)

to AdGuard's list of upstreams, so AdGuard will forward requests for local hosts to dnsmasq but handle everything else natively. It's working well so far, cuts out the middleman and avoids the overhead of dnsmasq forking on every request.


OpenWRT will cache via dnsmasq as long as you have the caching set.

file: /etc/config/dhcp

config dnsmasq
	option nonegcache '0'
	option nonwildcard '1'
	option cachesize '1000'

AGH caches as well.

All configuration is listed there.

You can whitelist directly off the queries page (look for what's blocked, click the unblock and boom, you're done).

Add as many or as few filters as you want (watch out for disk space and memory usage. I have about 140k filters)

file: /opt/AdGuardHome/AdGuardHome.yaml - filters section

- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: false
  url: https://adaway.org/hosts.txt
  name: AdAway Default Blocklist
  id: 2
- enabled: true
  url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
  name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
  id: 1625359387
- enabled: true
  url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
  name: Scam Blocklist by DurableNapkin
  id: 1625359388
- enabled: true
  url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
  name: The Big List of Hacked Malware Web Sites
  id: 1625359389
- enabled: true
  url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  name: https://github.com/StevenBlack/hosts
  id: 1625359390
- enabled: true
  url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
  name: https://firebog.net/  - OSINT.digitalside.it
  id: 1625359391
- enabled: true
  url: https://v.firebog.net/hosts/Easyprivacy.txt
  name: https://firebog.net/  - EasyPrivacy
  id: 1625359393
- enabled: false
  url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
  name: https://www.github.developerdan.com/hosts/
  id: 1633201708
- enabled: true
  url: https://phishing.army/download/phishing_army_blocklist.txt
  name: Phishing Army List
  id: 1635888815
- enabled: true
  url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
  name: https://github.com/anudeepND/whitelist
  id: 1625359392

1 Like

Thanks for all of the info on AdGuardHome. I think I may have discovered a gotcha – in this guide, it says

I have about 75 MB RAM free, so that looks like a non-prospect.

It's recommended, but not required. Like I said, I have a 128mb (50mb mem free on clean OpenWRT install) router and I manage fine. However, you do need at least about 40mb disk space free, not the 20mb they say (the AGH binary is 35mb currently).

OK. @mercygroundabyss posted a good link above to a tutorial for installing AdGuard. That tutorial is marked "(DNSMASQ)", and the same author has written another tutorial that describes how to install AdGuard with Unbound. He refers to Unbound as a "Ferrari"...so would seem to suggest that Unbound is better than dnsmasq.

Great, I'll give it a go when I get some spare time to fiddle. Thanks!

Check my followup post (the 2nd one in the dnsmasq thread).

You don't need Unbound cos you can do encrypted DNS from INSIDE AGH.

He grew up with doing DoQ via Unbound and old habits die hard :stuck_out_tongue:

Oh, and just use his opkg list of apps and then jump to using the autoscript to install AGH edge 107.

It's really all you need to do, other than bouncing OpenWRT's dnsmasq to port 5353.
Then it's put AGH on 8080 (so it avoids LuCI) and let AGH take over port 53 for DNS.

Only other gotcha is to manually edit the interfaces (cos they will bind to the WAN side for DNS as well - I really should PR that) so manually editing the yaml file once it is up is needed.

  - ::1
  port: 53
1 Like
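A quick check for the bind gotcha described in the post above, as an added example that is not from the thread or the AdGuardHome project. It assumes the listener addresses sit in a `bind_hosts` list under `dns:` in AdGuardHome.yaml; the sample file and the 192.168.1.1 LAN address are constructed.

```shell
#!/bin/sh
# Added example: flag AdGuardHome DNS listeners bound to every interface.
# Assumption: addresses are listed under dns: -> bind_hosts: in the YAML file.

# Print one DNS bind address per line.
agh_dns_binds() {
    awk '
        /^[^ #-]/ { in_dns = ($0 ~ /^dns:/); in_list = 0; next }  # new top-level key
        in_dns && /^  bind_hosts:/ { in_list = 1; next }
        in_dns && in_list && /^  *- / {
            sub(/^ *- */, ""); sub(/ *#.*$/, "")   # drop list marker and comment
            gsub(/[^0-9A-Za-z:.%]/, "")            # drop quotes and stray spaces
            if ($0 != "") print
            next
        }
        in_list { in_list = 0 }                    # any other line ends the list
    ' "$1"
}

# Return 0 if no wildcard bind, 1 if a wildcard is present, 2 if no list found.
agh_check_binds() {
    _hosts=$(agh_dns_binds "$1")
    [ -n "$_hosts" ] || { echo "FAIL: no dns.bind_hosts found in $1"; return 2; }
    _rc=0
    for _h in $_hosts; do
        case "$_h" in
            0.0.0.0|::) echo "FAIL: $_h binds every interface, WAN side included"; _rc=1 ;;
            127.*|::1)  echo "ok:   $_h (loopback)" ;;
            *)          echo "ok:   $_h (confirm this is the LAN address)" ;;
        esac
    done
    return $_rc
}

# Constructed sample: the state a fresh install can be left in.
sample=$(mktemp)
printf 'dns:\n  bind_hosts:\n  - 0.0.0.0\n  port: 53\n' > "$sample"
agh_check_binds "$sample" || echo "-> edit bind_hosts to the LAN IP plus loopback"
rm -f "$sample"
```

On the router, point it at the real file: `agh_check_binds /opt/AdGuardHome/AdGuardHome.yaml`.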

I amended my tutorial on DNSMASQ to reflect what you said here :

Only other gotcha is to manually edit the interfaces (cos they will bind to the WAN side for DNS as well - I really should PR that) so manually editing the yaml file once it is up is needed.

I added this to guide :

web_session_ttl: 720
  -  # enter your LAN IP ADDRESS HERE
  - ::1
  port: 5353

and I gave you the credit

Thanks as Always

1 Like

I for the first time "actually" set up AdGuardHome using DNSMASQ. I really tweaked the instructions so that everything is running and humming right along just great. I had a devil of a time trying to install / configure AdGuardHome on Port 53. So, I went back to the first post in the OG thread by brokenpipe. I followed his / her instructions and put AdGuardHome on port 5353 - left dnsmasq on port 53. Anyway, you can look the guide over and see that I have made many improvements since it was first posted. So, please refer folks to the guide as the "definitive" go-to documentation from here forward in order to save the both of us any further undue and unnecessary inquiries from "confused" would-be users of AdGuardHome. After all, this was the main and primary purpose behind my writing these guides / tutorials in the first place.


Unbound is designed to handle 1000's of users and is often used as a proxy or anycast-intercept to public facing authoritative servers. It does other fancy things. Once you defer to AdGuard to support a home WIFI network, that is all pointless. Let dnsmasq handle it. You may optionally like Unbound with adblock instead of an active third party tool. Unbound's memory model can handle a huge static record set a bit better than dnsmasq, if you choose to download the larger block lists.