OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: JMini on November 25, 2025, 12:34:34 AM

Title: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 25, 2025, 12:34:34 AM
I have Adguard Home set up to receive DNS on 53 from all internal networks and DNSMasq listening on 53053.
For forwarders in Adguard Home I have
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

So internal queries are forwarded to DNSMasq since it assigns DHCP and registers those hosts in its DNS.
And for Private reverse DNS in Adguard I have
127.0.0.1:53053

So config guides I see have Unbound DNS in the mix between Adguard Home and DNSMasq.
Is there any real need for Unbound since Adguard Home does DNS/DOH and can forward internal requests to DNSMasq?

Am I missing something?
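A small Python model of how the forwarder list above gets applied per query name, added here as an example (not AdGuard Home code); it follows the AdGuard Home upstream syntax as I read the documentation, with `[//]` taken to mean single-label names, and the config text is constructed from the post:

```python
"""Model of how AdGuard Home routes a query name to an upstream (added example,
not AdGuard Home code). Syntax from the post: '[/domain/]upstream' covers that
domain and its subdomains, '[//]upstream' covers single-label names (no dot),
and bare entries are the default upstreams. Most specific rule wins.
"""
import re

# Constructed from the forwarder list quoted in the post.
UPSTREAM_CONFIG = """
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query
"""

# Matches "[/a/b/]upstream" (domains a and b) and "[//]upstream" (empty list).
_DOMAIN_RULE = re.compile(r"^\[/(.*?)/\](.+)$")


def parse_upstreams(text):
    """Return (default_upstreams, {domain: [upstreams]}, single_label_upstreams)."""
    defaults, by_domain, single = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _DOMAIN_RULE.match(line)
        if not m:
            defaults.append(line)
            continue
        domains, upstream = m.groups()
        if not domains:
            single.append(upstream)
        for d in filter(None, domains.split("/")):
            by_domain.setdefault(d.lower().strip("."), []).append(upstream)
    return defaults, by_domain, single


def choose_upstreams(name, config):
    """Pick the upstream list for one query name; the most specific rule wins."""
    defaults, by_domain, single = config
    host = name.lower().rstrip(".")
    if "." not in host:
        return single or defaults
    labels = host.split(".")
    # Longest suffix first: nas.lab.internal -> lab.internal -> internal
    for i in range(len(labels)):
        if ".".join(labels[i:]) in by_domain:
            return by_domain[".".join(labels[i:])]
    return defaults
```

Running `choose_upstreams("nas.internal", parse_upstreams(UPSTREAM_CONFIG))` returns the dnsmasq socket, while any public name falls through to the two DoH upstreams.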
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: scatman75 on November 25, 2025, 09:03:00 AM
I'm using this configuration (AdGuard Home on port 53) and dnsmasq also on port 53053, after previously abandoning a combination of ISC DHCP, Unbound, and AdGuard.

DNS resolution works perfectly. However, I'm experiencing significant problems with DHCP. After a complete system reboot (without any old leases), everything works as expected. After some time, presumably after the lease expires, the DHCP devices lose their connection and cannot reconnect. Unfortunately, I haven't been able to determine the cause of this behavior.

I've tried all available options in dnsmasq, but haven't found a stable solution yet. If you find a stable configuration, it would be great if you could share it here, especially the setting under "Services: Dnsmasq DNS & DHCP: General". My current settings are attached.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 25, 2025, 05:26:16 PM
I don't know what could be causing that DHCP non-renew issue. There are a lot of folks here way more experienced with this than I am.
Maybe start a new thread.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: julsssark on November 25, 2025, 11:28:06 PM
As I understand it, Unbound provides more privacy than using AdGuard for your DNS service. Unbound is a resolver that directly queries authoritative nameservers, while AdGuard forwards requests to your ISP's (or Google's, etc.) DNS service. DOH will secure your request in transport, but the DNS service you are using will still know your DNS requests.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 26, 2025, 01:36:59 AM
You can configure AdGuard and Unbound to forward to any upstream resolvers you want.
Right now I have AdGuard to use DNS over HTTPS to Cloudflare and Google. I'd like to try using a non-google DOH resolver as a second service though.

h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

My ISP isn't seeing ANY DNS requests and can't inspect the ones being sent to CloudFlare
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: julsssark on November 26, 2025, 03:31:16 AM
See here and note the links that explain the privacy/reliability advantages: https://nlnetlabs.nl/projects/unbound/about/

While your ISP can't see your DNS requests because they are encrypted, my understanding is that Google/Cloudflare could. Similar to how you can log into your AdGuard console and can see all of the DNS requests coming into AdGuard from your local devices.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 26, 2025, 06:45:46 PM
Oh. Right. Once it hits the DNS provider it's decrypted. But, Cloudflare IS an authoritative DNS provider.
AdGuard forwards requests to whatever DNS server I set.
I've since set google DNS DOH as a fallback server. I like Google less than CloudFlare. Google is a data mining company.
I'm comfortable with Adguard sending my DNS requests to Cloudflare and falling back to Google as necessary.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: Patrick M. Hausen on November 26, 2025, 06:52:53 PM
If AGH forwards to your local Unbound and that is run in plain recursive mode without any upstream, then to look up e.g. forum.opnsense.org:

- a random root server will see a request for the NS records of .org
- a random server from that list will see a request for the NS records of opnsense.org
- a random server from that list will see a request for the A and AAAA records of forum.opnsense.org

No single entity will see all your DNS requests.

That's why I never use public recursive servers.

BTW: Cloudflare is not authoritative for e.g. opnsense.org. Authoritative means "the server with full control of the particular zone".
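A Python model of the lookup walk described above, added here as an example and not code from OPNsense or Unbound: ZONES is constructed data standing in for the root, .org and opnsense.org servers, and the resolver records which server sees which question, both with QNAME minimisation (Unbound's default, which is why the root only sees the NS question for .org) and without it.

```python
"""Simulated iterative DNS resolution over a constructed delegation tree.

Added example, not OPNsense or Unbound code. ZONES is constructed data
modelling the chain for forum.opnsense.org described in the post.
"""

# Constructed: zone apex -> its server, what it delegates, and its A records.
ZONES = {
    ".": {"server": "root-server", "delegations": {"org."}, "a": {}},
    "org.": {"server": "tld-org-server", "delegations": {"opnsense.org."}, "a": {}},
    "opnsense.org.": {"server": "opnsense-ns", "delegations": set(),
                      "a": {"forum.opnsense.org.": "203.0.113.10"}},
}


def resolve(name, qname_minimisation=True):
    """Walk the delegation chain from the root and return (questions, answer),
    where questions is a list of (server, qtype, qname) recording exactly what
    each server was asked."""
    fqdn = name if name.endswith(".") else name + "."
    zone, questions = ".", []
    while True:
        z = ZONES[zone]
        # Does this zone delegate a suffix (on a label boundary) of the name?
        referral = next((d for d in z["delegations"]
                         if fqdn == d or fqdn.endswith("." + d)), None)
        if qname_minimisation:
            # Ask only for the next label (as an NS query) until we reach the
            # zone that can answer: only that server ever sees the full name.
            qtype, qname = ("NS", referral) if referral else ("A", fqdn)
        else:
            # Classic behaviour: every server on the path sees the full name.
            qtype, qname = "A", fqdn
        questions.append((z["server"], qtype, qname))
        if referral is None:
            return questions, z["a"].get(fqdn)
        zone = referral  # follow the referral one level down


def servers_seeing(questions, fqdn):
    """Servers that learned the full name: the privacy point made in the post."""
    return {server for server, _, qname in questions if qname == fqdn}


if __name__ == "__main__":
    for minimise in (True, False):
        qs, answer = resolve("forum.opnsense.org", minimise)
        print(f"qname_minimisation={minimise}: answer {answer}")
        for s, t, q in qs:
            print(f"  {s} saw {t} {q}")
```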
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 26, 2025, 11:41:46 PM
Huh. OK. So if I don't define any forwarders in Unbound, it'll perform a lookup as you describe?

CloudFlare might not be authoritative. But they certainly think they are.

What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 27, 2025, 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: OPNenthu on November 27, 2025, 03:28:55 AM
Quote from: JMini on November 27, 2025, 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.

You can configure Unbound as a DoT forwarder.

If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode. However it's not as simple as that. You have to trust that your DoT provider isn't colluding with other entities to share or sell your data. Furthermore, the encryption between you and the provider is not infallible: certificates can be spoofed. If you're not using a VPN then the ISP can anyway infer your DNS queries by just timing your connections to web servers. If you are using a VPN, then you are again giving all the data to a single entity who may sell/share it on (and as we see playing out now, governments are increasingly pushing to weaken VPNs).

There's no privacy. It's just a matter of who you wish to share with and what features you need. For instance, Quad9 offers malware filtering based on threat intelligence which you may decide is a valuable tradeoff for giving them your DNS queries.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: Patrick M. Hausen on November 27, 2025, 11:16:51 AM
Quote from: JMini on November 26, 2025, 11:41:46 PM
Huh. OK. So if I don't define any forwarders in Unbound, it'll perform a lookup as you describe?

Yes. That's the point of running a recursive name server for your clients.

Quote from: JMini on November 26, 2025, 11:41:46 PM
What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers.

Simply do not configure any upstream servers (aka "forwarders"). DNS was from the start designed as a distributed database that does not need any central service.

Quote from: JMini on November 27, 2025, 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers?

Terminology is important: Unbound in that configuration is a resolver or recursive name server. The servers it queries are the authoritative servers for the particular zone in question.

If you followed my argument and the example I gave for looking up forum.opnsense.org you might wonder how any recursive server gets the list of servers for the root zone. Simple: they "never" change and are compiled in. A major change in the root name servers requires a new release of Unbound.

Actually the first thing Unbound does on start up is fetch an updated list of root name servers, but should the compiled in one diverge too much from reality, that will of course fail. But that way a change of a single one out of the dozen or so can be tolerated. Should that one be picked for the first query, the request will fail and Unbound will try another one.

Quote from: OPNenthu on November 27, 2025, 03:28:55 AM
If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode. However it's not as simple as that. You have to trust that your DoT provider isn't colluding with other entities to share or sell your data.

Exactly. My ISP is Deutsche Telekom. They are bound by GDPR and a whole lot of EU customer protection laws. Should anybody ever discover they spy on customers' traffic, all hell will break loose.

So I trust them quite a bit more than any DNS provider, possibly located in the US.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: OPNenthu on November 27, 2025, 11:36:54 AM
What do you recommend for those of us outside the GDPR protections?

The only thing I've come up with to date (as a thought exercise) is to potentially proxy through a foreign hosted VPS, but it would need to be both under the user's strict control and paid for anonymously. I don't think it exists.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: Patrick M. Hausen on November 27, 2025, 11:44:07 AM
Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: OPNenthu on November 27, 2025, 11:53:00 AM
I just assume that intelligence sharing takes place with them, but at least I may not be monetized and profiled by domestic companies that I might have relationships or business with.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: JMini on November 27, 2025, 04:51:07 PM
A lot of good info here. Thanks, all.
I'm located in the US and Verizon is my ISP. I'm pretty sure they mine DNS and sell the data. No GDPR here. CloudFlare has a good reputation for privacy. But any unencrypted DNS will be snooped by Verizon.
I don't care about "intelligence". I'm a nobody home user. They're gonna get what they get. I'd rather just not be snooped on by my ISP and have it sold to advertisers.
So, if I let Unbound use the authoritative servers it has compiled in, it's sending those requests in the clear over port 53 that can be seen by anyone along the way. Using DOH/DOT, it's at least hidden until it gets to CloudFlare/OpenDNS. Then I'm relying on their privacy promises. I get that part.

Thanks for the whole explanation of how the stepped approach to DNS resolution works. I thought there were these centralized DNS repositories that just served up the whole thing. Not org, then opnsense.org, then forums.opnsense.org.
Maybe I'll do some reading on the details of DNS. No idea it was that segmented.
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: meyergru on November 27, 2025, 05:00:45 PM
Quote from: Patrick M. Hausen on November 27, 2025, 11:44:07 AM
Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/

1.1.1.1 also seems O.K. to me (https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) (and it is by far the fastest DNS resolver I know of).
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: dunxd on November 28, 2025, 09:15:55 AM
It's interesting to note the privacy feature of Unbound.

Are there any technical downsides to just using DNSmasq for DHCP and Adguard for DNS on the OPNsense host and leaving Unbound turned off? 
Title: Re: Using Adguard Home and DNSMasq, Any point to Unbound DNS?
Post by: Patrick M. Hausen on November 28, 2025, 12:00:02 PM
Without Unbound you must have an upstream recursive nameserver that is not under your control and will see all your requests. Whether that is a privacy problem or not is yours to decide.