Unbound DNS - Forward clients' IP to AdGuard Home

Started by vamp, July 18, 2023, 09:15:29 AM

Hello there,

I installed AdGuard Home on a different server and now I forward all DNS requests to it. The problem is that now AdGuard only shows the OPNsense IP address, so it is hard to filter the clients.

I read that Unbound is able to send client IP addresses to the upstream DNS server (EDNS settings), but I have not found any documentation on how to handle it in OPNsense.

(Side note: I do not want to install AdGuard Home directly on OPNsense, and I also don't want to reverse the direction :) )

How are you forwarding DNS requests?  Firewall rules?

Why don't you just set your Adguard DNS server in the DNS option of DHCP?

Not firewall rules, I forward it with Unbound.

Yes, it is easier, but I am trying to do it this way.

I'm confused.  Is there a specific purpose that you're trying to accomplish by query forwarding with Unbound instead of just providing the Adguard DNS directly to your clients?

It is a "lab test": I am trying to get the same result with AdGuard+Unbound as with Pi-hole and dnsmasq.

If I follow this article, it works like a charm...

https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/#page-content

But if I try to "translate" it to AdGuard+Unbound, no success....

I assume because dnsmasq defaults to on while Unbound is off.

According to the docs, you can set custom options with a config file.  https://docs.opnsense.org/manual/unbound.html

Personally, I'd just pass AdGuard via DHCP.  Good luck!

I also disabled dnsmasq and enabled Unbound.

I already added a custom config to Unbound. This one:

server:
  client-subnet-always-forward: yes
  send-client-subnet: 0.0.0.0/0
  send-client-subnet: ::0/0


But it does not help at all.

If I am reading your original post correctly, I had the same issue and created a topic; it was resolved towards the bottom. Hope it helps.

https://forum.opnsense.org/index.php?topic=34129.msg165379#msg165379

Yeah, your solution is to revert the direction, which is what the others say.

But my idea is to configure OPNsense as a DNS server (Unbound or dnsmasq) and forward the DNS query to AdGuard Home along with the client IP information. (It is the EDNS setting; you are able to do this with Unbound and dnsmasq.)

If I use Pi-hole (and dnsmasq on the OPNsense side) it works as expected: OPNsense accepts the DNS query and forwards it to Pi-hole (Pi-hole is the DNS server that I set in the OPNsense general settings).

This needs to be added to the OPNsense dnsmasq settings:

add-mac
add-subnet=32,128
If I do the same with Unbound (this is the code that needs to be added):

server:
  client-subnet-always-forward: yes
  send-client-subnet: 0.0.0.0/0
  send-client-subnet: ::0/0


it is not working... with Pi-hole as well as AdGuard Home. (AdGuard also does not work with dnsmasq.)

It is also really important that if you use Pi-hole you need to add these settings to the Pi-hole DNS server (it uses dnsmasq):

strip-subnet
strip-mac


because if we do not do this, Pi-hole forwards this data to the upstream DNS server that is set up... (Google or any other that you set...)

See this pull request:

https://github.com/pi-hole/FTL/pull/1240
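To make concrete what the `send-client-subnet` / `add-subnet` options put into a forwarded query, and what `strip-subnet` removes before the query leaves the network, here is an added example (not code from the thread, OPNsense, Unbound, dnsmasq or Pi-hole). It builds a plain DNS query carrying an EDNS Client Subnet (ECS, RFC 7871) option, reads the client subnet back out of it, and strips the option again. All query contents are constructed locally; no network access and no third-party library is used. The names `build_query`, `client_subnet_of` and `strip_client_subnet` are this example's own.

```python
import struct
import ipaddress

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option (RFC 7871)
UDP_PAYLOAD = 1232     # advertised UDP buffer size, carried in the OPT CLASS field


def _encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name that starts at msg[off] (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length


def build_ecs_option(subnet):
    """Encode an ECS option: family, source prefix length, scope 0, truncated address bytes.
    A /24 behaves like dnsmasq's add-subnet=24: only the network part is sent."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, client_subnet=None, txid=0x1234):
    """Constructed A query for qname; with client_subnet set, an OPT RR carrying ECS is appended."""
    arcount = 1 if client_subnet else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set, 1 question
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    msg = header + question
    if client_subnet:
        rdata = build_ecs_option(client_subnet)
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLENGTH
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(rdata)) + rdata
    return msg


def _locate_opt(msg):
    """Return (rdata_start, rdlen) of the OPT RR, or None if the message carries no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return off, rdlen
        off += rdlen
    return None


def _iter_options(rdata):
    """Yield (option-code, option-data) pairs from OPT RDATA."""
    o = 0
    while o + 4 <= len(rdata):
        code, olen = struct.unpack("!HH", rdata[o:o + 4])
        yield code, rdata[o + 4:o + 4 + olen]
        o += 4 + olen


def client_subnet_of(msg):
    """Return the ECS subnet as 'address/prefix' (what an upstream like AdGuard or Google would see), or None."""
    loc = _locate_opt(msg)
    if loc is None:
        return None
    start, rdlen = loc
    for code, odata in _iter_options(msg[start:start + rdlen]):
        if code == ECS_OPTION_CODE:
            family, src_prefix, _scope = struct.unpack("!HBB", odata[:4])
            width = 4 if family == 1 else 16
            addr = ipaddress.ip_address(odata[4:] + b"\x00" * (width - len(odata[4:])))
            return f"{addr}/{src_prefix}"
    return None


def strip_client_subnet(msg):
    """Remove the ECS option (the effect of dnsmasq's strip-subnet) while keeping any other EDNS options."""
    loc = _locate_opt(msg)
    if loc is None:
        return msg
    start, rdlen = loc
    kept = b"".join(struct.pack("!HH", c, len(d)) + d
                    for c, d in _iter_options(msg[start:start + rdlen]) if c != ECS_OPTION_CODE)
    # RDLENGTH is the last 2 bytes of the 10-byte fixed RR header that precedes the rdata
    return msg[:start - 2] + struct.pack("!H", len(kept)) + kept + msg[start + rdlen:]


if __name__ == "__main__":
    q = build_query("example.com", "192.168.1.42/32")
    print("forwarded with ECS :", client_subnet_of(q))                       # 192.168.1.42/32
    print("after strip-subnet :", client_subnet_of(strip_client_subnet(q)))  # None
```

The privacy point in the thread falls out of the two last calls: the resolver that adds the option (OPNsense) sees the client address in the query, and unless the next hop (Pi-hole/AdGuard) strips it, the same bytes travel on to whatever public upstream is configured. A quick packet capture on the upstream-facing interface, fed through `client_subnet_of`, is an easy way to confirm which of the two cases a given setup is in.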

You should remove Unbound from this chain; AdGuard can do it all without having to use Unbound.
Anyway, have you tried this:

Unbound:
DHCP Static Mappings - Register DHCP static mappings: ticked
DHCP Registration - Register DHCP leases: ticked

AdGuard Home:
Under Upstream DNS Server (make sure it is the first entry):
[/168.192.in-addr.arpa/]192.168.1.1

Change the address according to your own network.

Not trying to hijack the conversation, but to add to it and gain knowledge.
When running OpenVPN clients, would there need to be a special upstream for that as well, such as the DNS servers preferred by the VPN provider?

July 18, 2023, 10:06:24 PM #11 Last Edit: July 18, 2023, 10:33:37 PM by vamp
Hmm, it seems not possible to do this with Unbound...

It needs to be compiled manually:

https://discourse.pi-hole.net/t/unbound-with-ecs-and-dnssec/56682

I compiled unbound manually, with the --enable-subnet flag, to enable ECS support. Here is the relevant part of the config (the other 2 files are for DNSSEC, and the one from the pihole docs/guides)

It seems the OPNsense version does not contain ECS support.

edit:

Ahhhh... it never works with AdGuard Home... this feature is not implemented yet...

https://github.com/AdguardTeam/AdGuardHome/issues/1727

sad news...