Unbound / AdGuard / NextDNS

Exactly. Unbound, Stubby would extend DNSMasq and allow encrypted DNS.

If you are using AGH you can do that internally from AGH and you do not need those external programs.

Interestingly, it appears that NextDNS's client is somewhat lacking, and current guidance is to use AGH as a proxy with NextDNS as an upstream provider. So just install AGH, set up NextDNS as upstream, disable any filtering in AGH and you are done.

I have compiled an up-to-date OpenWrt and AGH install thread here:

Hi Directnupe, can you help me set up Unbound along with AdGuard Home on OpenWrt (RPi4), please? I tried to follow your guide, but somehow I ended up breaking the internet, and in the end there is no internet and the adblocking + Unbound setup is not complete.

Please guide me.

This one:

Why is it so difficult to install Unbound in OpenWrt compared to Stubby? I could install and configure Stubby in under 1 minute, but almost never Unbound. Why? And there are also not enough posts on the Internet regarding this.

I have tried n number of times to set up Unbound but finally gave up.

I am running Stubby with banIP, and AdGuard with NextDNS as its upstream server. I am quite happy with its performance. I would have been even happier if the Unbound setup had finally worked for me. That's the only incomplete project I have right now with my adblock setup in my network.

To be frank, I couldn't get Dnscrypt-Proxy 2 to work either. Did you get Dnscrypt-Proxy 2 to work with OpenWrt? Also the anonymous DNS?

  1. First DNS hijacking to intercept DNS traffic.
  2. Replacing dnsmasq with odhcpd and Unbound doing the following in this guide:
    • Remove dnsmasq and use odhcpd for both DHCP and DHCPv6.
    • Use Unbound for DNS.
  3. Follow the Command-line instructions to install and enable Unbound.
  4. Install Unbound web interface and test.
  5. Install luci-app-adblock.

You just have to copy all the commands from the guides and paste at the same time into your SSH Client and voila.


Is installing Unbound on OpenWrt really that simple? I was really lost in editing settings. I will try it today once I come back home.
Can you tell me how to use NextDNS in Unbound here? Do I have to edit any settings in Unbound, for example ext.conf / srv.conf?

Are you sure that I have to edit only what you have pointed out and nothing else? Just those commands using SSH and I am done, with Unbound set up properly and working?

Thanks in advance

If you are using AdGuardHome as a NextDNS client, you do not need Unbound or Stubby. AGH replaces them entirely because it uses encrypted DNS calls if you set it up that way.

I do not understand why there is so much hype for AdGuardHome; for me, luci-app-adblock + any solution for encrypted DNS is much better than AdGuardHome.

Another guide on how to install AdGuardHome:


Hi. I agree with your point, but I literally see a huge difference in the speed of processing / opening a website and blocking ads while using Stubby / Unbound compared to AdGuard.
That's what is making me go after this Unbound installation or a dedicated DNS resolver.
Even after using DNS over QUIC in AGH, I am not finding it as fast as Stubby. That's my personal experience...
Maybe you can help with the Unbound setup. Can you?

how can you notice/quantify this (without cmds)... I did perceive faster operation when switching from dnsmasq to agh... so yeah...

but how much faster than that can it get?

Simplicity really.

Unbound and Stubby were THE way to do encrypted DNS when the standards were set and the move to encrypt DNS began. However, they can be tricky to configure and are not easy if you have no knowledge of SSH or of editing files under Linux.

AGH rolls the DNS encryption into an adblocking client. Once installed, it is far easier to configure because it has a web GUI. It's one service to set up and maintain instead of multiple interconnecting ones.

Also if you are using NextDNS then AGH is the client they recommend to use as NextDNS's client is problematic.

Why not Adblock + Stubby (it also does DoT and encrypts the DNS requests, AFAIK, right)?
Why are you suggesting Adblock + Dnscrypt-Proxy / Adblock + DoH? Does it have a faster processing speed and less latency compared to my method (Adblock + Stubby)? Please elaborate, I want to know; that's why you may find my question silly...

You mean you have only OpenWrt + AGH installed for adblocking and no other DNS resolver (DoH / DoT) installed? With your setup, you mean to say AGH is faster than dnsmasq. Is this what you are trying to say?

just making the observation/asking the question about how anything can be "noticeably" (much) faster than using AGH on its own...

i.e. how did you notice / test?
(unless I misunderstood the statement)

re-reading the above... what you are observing could be the difference of the former not blocking (much?) at all, or the latter having overloaded lists... etc... and not much of a reflection of DNS at all...

don't disagree with your claim... just trying to break down what exactly was behind the difference... and how you tested that...
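
One way to put numbers on the "how did you notice / test?" question, as an added example that is not part of the thread: a small Python timer that sends plain UDP queries to each resolver and reports first-round (likely cache miss) and repeat (cached) medians separately, so cache hits and error answers are not mistaken for a faster resolver. The resolver addresses, ports and domain list are assumptions to replace with your own.

```python
import random, socket, statistics, struct, time

def build_query(name, qtype=1):
    """Encode a minimal DNS query (RD flag set, type A by default)."""
    txid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def time_query(server, name, port=53, timeout=2.0):
    """One UDP lookup: returns (milliseconds, rcode) or (None, None) on timeout."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, (server, port))
        try:
            while True:  # ignore stray datagrams whose ID does not match
                data, _ = sock.recvfrom(4096)
                if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid:
                    break
        except socket.timeout:
            return None, None
        elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms, data[3] & 0x0F

def benchmark(server, names, port=53, rounds=3):
    """Median latency; round 1 (likely cache misses) is kept apart from repeats."""
    cold, warm, timeouts, not_ok = [], [], 0, 0
    for rnd in range(rounds):
        for name in names:
            ms, rcode = time_query(server, name, port)
            if ms is None:
                timeouts += 1
                continue
            not_ok += rcode != 0  # count NXDOMAIN/REFUSED etc. separately
            (cold if rnd == 0 else warm).append(ms)
    med = lambda xs: round(statistics.median(xs), 2) if xs else None
    return {"cold_ms": med(cold), "warm_ms": med(warm),
            "timeouts": timeouts, "non_noerror": not_ok}

if __name__ == "__main__":
    # Assumed addresses/ports: point these at the resolvers you want to compare.
    targets = {"resolver A": ("192.168.1.1", 53), "resolver B": ("192.168.1.1", 5053)}
    domains = ["openwrt.org", "example.com", "wikipedia.org"]  # constructed list
    for label, (ip, port) in targets.items():
        print(label, benchmark(ip, domains, port))
```

Run it from a LAN client rather than on the router itself, and use the same domain list against each resolver so the comparison is like for like.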

And you are free to do it that way.

However AGH does more than just filtering.

You can use it to filter individual clients and apply different filtering depending on requirements (e.g. filter adult content).


Yes, that is the way you are supposed to set AGH up. OpenWrt's Dnsmasq becomes the local client resolver for PTR lookups and AGH becomes the primary DNS client with whatever upstream you set.


Standards were only ratified recently. There are a few providers running DoQ servers but not many. It will most likely spread as services are added.


Useless to you. Not useless to families who want further restrictions on children.

Your blocking is LAN-wide, with no way of modifying it.


That's Safesearch only.

You cannot do filtering on a per device level.

So if you want to block porn sites then it is blocked across your networks for everyone rather than that one device.


You missed the point.

AGH does family filtering and different levels of it based on individual clients. Thus it is far more flexible.

If you are only applying one set of lists globally for an internal network then adblock is fine.
