I experienced the issue of AdGuard being unable to start up, as unbound was already bound to port 53 (LAN).
The motivation is that AdGuard serves all local DNS requests, including those for .localdomain, but those are forwarded to unbound.
So this is my config for AdGuard Settings > DNS Settings > Upstream DNS servers:
https://dns.quad9.net/dns-query
https://dns.google/dns-query
https://dns.cloudflare.com/dns-query
[/localdomain/]127.0.0.1:53
The necessary interface:port binding that works for me is this:
root@OPNsense:~ # sockstat -4 -l | grep :53
root AdGuardHom 69756 76 udp4 192.168.0.1:53 *:*
unbound unbound 3107 10 tcp4 127.0.0.1:53 *:*
[...]
root@OPNsense:~ # sockstat -4 -l | grep :853
unbound unbound 3107 5 tcp4 127.0.0.1:853 *:*
unbound unbound 3107 7 tcp4 192.168.0.1:853 *:*
[...]
However, in order to achieve this, there is no way in the GUI to specify these port-binding requirements.
I had to override it like this:
root@OPNsense:/usr/local/etc/unbound.opnsense.d # cat 10-localbind.conf
server:
    interface-automatic: no
    interface: 127.0.0.1@53
    interface: 127.0.0.1@853
The only side effect is a GUI banner for unbound:
The configuration contains manual overwrites, these may interfere with the settings configured here.
Furthermore, it was necessary to start unbound like this:
root@OPNsense:/usr/local/etc/rc.syshook.d/start # cat 50-unbound
#!/bin/sh
# Delay + Start Unbound DNS service if not already running
sleep 3
if ! service unbound onestatus >/dev/null 2>&1; then
    logger -t unbound "Starting Unbound (delayed boot fix)..."
    service unbound start
fi
I wonder ... did I miss something, or is this AdGuard integration so unusual that it's not readily supported in OPNsense's GUI?
Is there a 'clean' way to achieve the above?
I'm new to OPNsense, so bear that in mind, but I recently got this setup with the AdGuard extension.
It looks like you are trying to bind both unbound and adguard to port 53, which is why it isn't starting? IIRC you can't have two services with the same port. The adguard plugin doesn't appear to have a way to change the port from the GUI but unbound and dnsmasq do (General - Listen port).
I have Adguard on port 53, unbound set to 65353, and dnsmasq set to 65354. The only entries in my adguard for DNS are 127.0.0.1:65353
So the requests hit adguard on 53, get filtered, get sent to unbound, at which point they either sent on for DNS over TLS, or if they are internal - sent via query forwarding to dnsmasq.
Specific instructions for the query forward and DNS over TLS are here: https://docs.opnsense.org/manual/dnsmasq.html
Yes, initially the problem that prevented AdGuard from starting was that it and unbound would both like to bind to 192.168.0.1:53, which is, as you've rightly put it, impossible.
However, when AdGuard binds to 192.168.0.1:53 and unbound binds to 127.0.0.1:53, these are two distinct interfaces, so the same port is usable for 2 services.
And localhost/127.0.0.1 is sufficient for a cascaded unbound that is only invoked from the local AdGuard, whereas the LAN/192.168.0.1:53 is visible to all LAN clients.
Your solution with non-standard yet distinct port numbers certainly works, but it's actually not necessary, as unbound @ 127.0.0.1:53 (instead of 65353) wouldn't collide with AdGuard's LAN:53.
Feature request: I wish all these services (unbound in particular) had an option to specify interface AND port bindings.
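The point made in the original post and again in the reply above is that a port collision is per address, not per port: two listeners on 127.0.0.1:53 and 192.168.0.1:53 coexist, while two on 192.168.0.1:53 (or one on a wildcard *:53) do not. The check below is an added example, not code from the thread or from the OPNsense, unbound or AdGuard projects: a POSIX sh function that reads `sockstat -4 -l` output and reports pairs of different processes holding the same protocol and port on the same address or where one side is a wildcard bind. The sample lines are constructed to mirror the working layout from the first post and the broken one described here; the function name and the treatment of `*` as conflicting with any specific address are my assumptions.

```shell
#!/bin/sh
# Constructed sample: the working layout (AdGuard on the LAN address,
# unbound on loopback, both on port 53, plus unbound's DoT listener).
SAMPLE_OK='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root AdGuardHom 69756 76 udp4 192.168.0.1:53 *:*
root AdGuardHom 69756 77 tcp4 192.168.0.1:53 *:*
unbound unbound 3107 10 tcp4 127.0.0.1:53 *:*
unbound unbound 3107 11 udp4 127.0.0.1:53 *:*
unbound unbound 3107 5 tcp4 127.0.0.1:853 *:*'

# Constructed sample: the broken layout (both daemons want the LAN
# address, and unbound additionally holds a wildcard bind).
SAMPLE_BAD='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root AdGuardHom 69756 76 udp4 192.168.0.1:53 *:*
unbound unbound 3107 10 udp4 192.168.0.1:53 *:*
unbound unbound 3107 11 udp4 *:53 *:*'

# find_dns_conflicts PORT   (reads sockstat -4 -l output on stdin)
# Prints one line per conflicting pair: "proto addr:port cmd(pid) cmd(pid)".
# Two listeners conflict when they share protocol and port and either bind
# the same address or one of them is the wildcard '*' (assumption: a wildcard
# bind is treated as colliding with every specific address on that port).
# Exit status 0 = no conflicts, 1 = at least one conflict.
find_dns_conflicts() {
    awk -v port="$1" '
        # Only listener rows; the header line has no tcp4/udp4 in field 5.
        $5 ~ /^(tcp|udp)[46]$/ {
            split($6, a, ":"); addr = a[1]; p = a[2]
            if (p != port) next
            n++
            proto[n] = $5; ad[n] = addr; who[n] = $2 "(" $3 ")"
        }
        END {
            found = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++) {
                    if (proto[i] != proto[j]) continue
                    if (who[i] == who[j]) continue   # same process, several fds
                    if (ad[i] == ad[j] || ad[i] == "*" || ad[j] == "*") {
                        printf "%s %s:%s %s %s\n", proto[i], ad[i], port, who[i], who[j]
                        found = 1
                    }
                }
            exit found
        }'
}

# Stand-alone demonstration on the constructed samples.
# On a FreeBSD/OPNsense box the live check is:  sockstat -4 -l | find_dns_conflicts 53
if printf '%s\n' "$SAMPLE_OK" | find_dns_conflicts 53; then
    echo "OK layout: no conflicts on port 53"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | find_dns_conflicts 53; then
    echo "BAD layout: conflicts found on port 53 (listed above)"
fi
```

Run the function against the live `sockstat -4 -l` output before restarting either service; with the layout from the first post it prints nothing and exits 0, and with two daemons on the LAN address it names both processes so the culprit is visible without reading the full listener table.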
Unbound can have a port changed in the UI.
If you want to have AdGuardHome listening on port 53 you just need to tick the "Primary DNS" box.
The "normal" setup is AdGuard on 53 so all clients go to it first and AdGuard is set to go to Unbound on the different port as its upstream resolver.
I'm probably not understanding the requirement. If it is to change the port that AdGuard listens on, then it goes in its config file, as there is no option in the plugin UI.