AdGuard Home setup guide

[Imnot A Robot]

Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

Adguard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^ 
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

 - Google searches: OK

 - Gmail: OK

 - Youtube: OK

 - Instagram: OK

 - Android: OK

 - Playstore: OK

I had to omit some of these from my custom filter rules because they messed up my daughter's Google Classroom:

||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||apis.google.com^

Please update this list or indicate this.

[yeraycito]

Opnsense 24.7.4 Installation:


1 - Activate mimugmail's community repository:


SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf


2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins


3 - Opnsense: System - Settings - General:


 - DNS Servers: all empty

 - Allow DNS server list to be overridden by DHCP/PPP on WAN: uncheked

 - Do not use the local DNS service as a nameserver for this system: uncheked


4 - Disable Unbound


5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS cheked )


6 - Navigate to http://your.opnsense:3000/ to complete the setup


7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8  etc ):

  tls://1.1.1.1

  tls://1.0.0.1

  https://odoh.cloudflare-dns.com/dns-query

  quic://dns0.eu


8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:

  1.1.1.1

  1.0.0.1

  193.110.81.0

  185.253.5.0

[hushcoden]

@yeraycito - do you know why the update button (which it should be on the left bottom corner) is missing?

[yeraycito]

@yeraycito - do you know why the update button (which it should be on the left bottom corner) is missing?

If I get it, try accessing it with another browser or check your cookies.

[logi]

Opnsense 24.7.4 Installation:


1 - Activate mimugmail's community repository:


SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf


2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins


3 - Opnsense: System - Settings - General:


 - DNS Servers: all empty

 - Allow DNS server list to be overridden by DHCP/PPP on WAN: uncheked

 - Do not use the local DNS service as a nameserver for this system: uncheked


4 - Disable Unbound


5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS cheked )


6 - Navigate to http://your.opnsense:3000/ to complete the setup


7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8  etc ):

  tls://1.1.1.1

  tls://1.0.0.1

  https://odoh.cloudflare-dns.com/dns-query

  quic://dns0.eu


8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:

  1.1.1.1

  1.0.0.1

  193.110.81.0

  185.253.5.0

I like this configuration approach of having AdGuard Home handling all things DNS on default port 53, and disabling UnBound DNS, it's cleaner and has no redirects.

1.- Is there an advantage of keeping UnBound DNS enabled and being the man-in-the-middle?
2.- Is there a disadvantage of disabling UnBound DNS and use ONLY AdGuard Home?

Thanks

[Patrick M. Hausen]

I prefer maintaining my local overrides in Unbound. Also I do not want to use public recursive upstream servers. So port forwarding where applicable --> AGH --> Unbound. Server networks go directly to Unbound. Block DNS and DoT to anything but local firewall, add DoH blocklist to AGH.

[Tabascl]

Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.

I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).

What's weird is that if I just enter a public DNS (like 8.8.8.8 ) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.

Could anyone possibly help me with this?

[logi]

Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.

I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).

What's weird is that if I just enter a public DNS (like 8.8.8.8 ) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.

Could anyone possibly help me with this?

You have to add localhost (127.0.0.1) to the /usr/local/AdGuardHome/AdGuardHome.yaml in the following section:

dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1 (whatever the OPNsense address is)
  portL 53

After that, restart the AdGuardHome service from the OPNsense console.

[August8828]

Do you guys use the unbound dns as well besides the Adguard homes one? If so: Why?

[9axqe]

I made the experience that AdGuard stopped working when internet was down (not even resolving local DNS) and that having unbound as upstream DNS worked around this issue.

I still run it like this, but that was a while back.

There's also a whole debate about using a recursive DNS resolver vs. using a DNS client.

1/ AdGuard is a simple DNS client to whatever is upstream (you can configure Cloudflare DNS, Google DNS, et,).

Con: whatever is configured upstream sees every single DNS query you make
Pro: DNS lookups are all encrypted (if you configure it) – but this is of limited use until all your connections are made with QUIC, as the full domain is still transmitted in clear text (I believe it's the SNI) for every TLS handshake.

2/ Unbound is a recursive DNS resolver, meaning, it will talk to multiple different DNS servers, depending on what you are trying to resolve. For example, if attempting to resolve "example.com", it will talk to the authoritative server for ".com" and ask "who is authoritative for example.com". And so on.
Con: not all DNS servers out there support DNS over HTTPS/TLS/QUIC, resulting in plain text DNS lookups.
Pro: there is no single entity seeing all your DNS lookups.

My view is that 2/ is what will be the best method in the long term, as DNS over QUIC and QUIC in general gain popularity. But as of today, YMMV.

[OzziGoblin]

I use unbound for reverse DNS and if ADGuard fails it's a quick change to get it working as the primary until I can fix ADGuard.  Tbh though that's only happened once.