AdGuard Home setup guide

[jlab]

Question :  How do you edit the interfaces on Adguard to listen to ?

Issue, if you have say 2+ more network's IE vlans or phicical network cards then install adguard, it will  listen to those interfaces, perfect.

Say you want to add another interface and have adguard protect it, there is no where to add the new interface.

I just did a trial on this, installed adguard, then added say a Vlan / inetwork interfact, passed traffic ok but Adguard is not listening and protecting those new interfaces.

Installed New Updated OPNsense added default lan network and 3 new Vlan's set them all up, then installed Adguard fresh & updated POOF all interfaces are being  monitored.

Is there a new version coming out where we can add or remove interfaces ?

AM i wrong or am i drunk 

[RamSense]

So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.

[jlab]

So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.

Yup, i actually Found Matt's website on how to do this : https://0x2142.com/how-to-set-up-adguard-on-opnsense/

Very Bottom.

Example how to add more networks is, Example Default with no additional networks :

In there, you'll see a section like this:
dns:
   bind_hosts:
       - 192.168.1.1

And one with more :

dns:
   bind_hosts:
       - 192.168.1.1
       - 192.168.10.1
       - 192.168.100.1

[hushcoden]

Sorry if it's a dumb question, but for

  1) AdGuard Home – DNS Configuration – Upstream servers
 
  2) AdGuard Home – DNS Configuration – Bootstrap DNS servers

  3) AdGuard Home – DNS Configuration – Private reverse DNS servers

I see someoen saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353

Are those options exactly the same / should we use both ?

Tia.

[hushcoden]

Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

As I'm not interesting in using DoT, if I skip step (6), Unbound will act as my recursive resolver and will contact the root servers directly, is that right?

tia.

[dumbo]

Sorry if it's a dumb question, but for
...

Tia.

Do have nearly the same questions as you.

I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).

Couldn't find the right settings.

[RamSense]

Sorry if it's a dumb question, but for

  1) AdGuard Home – DNS Configuration – Upstream servers
 
  2) AdGuard Home – DNS Configuration – Bootstrap DNS servers

  3) AdGuard Home – DNS Configuration – Private reverse DNS servers

I see someoen saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353

Are those options exactly the same / should we use both ?

Tia.

127.0.0.1 is called the loopback address, and is the IP a computer uses to refer to itself.
Since you are running adguard home plugin on opnsense, it is running on the same device and points it to opnsense service listening on port 5353, e.g. your unbound listening to port 5353, or e.g. bind.

If you use the ip of your opnsense device, this will work also

no upstream servers in unbound / bind, Root servers are being used indeed

[RamSense]

Sorry if it's a dumb question, but for
...

Tia.

Do have nearly the same questions as you.

I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).

Couldn't find the right settings.

DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber

[dumbo]

DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber

Thx for your help.

So it must be like:

• Upstream DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number
• Bootstrap DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number
• Private reverse DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number

I would also like to read the host names of my devices - so that's why Private reverse servers DNS - or is it wrong?

[RamSense]

correct, but since you are not using external DNS as upstream, but your unbound on opnsense, it already knows your local devices from unbound, but you can add your ip there in the field in adguard just in case.

[pmhausen]

If the forward DNS server is identical with the one keeping your local forward and reverse zones, than you do not need the "private reverse" setting. This is for the occasions when the two are different.

I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.

[dumbo]

If the forward DNS server is identical with the one keeping your local forward and reverse zones, than you do not need the "private reverse" setting.

Thx. It's working. I didn't restart Unbound and AGH. That was the problem.

Now I only have to fix my issues with the NAT Port Forward Rule that no hardcoded DNS within my network can bypass my unbound.
The old rule does not work anymore because of my new setup

[pmhausen]

Try to forward to 127.0.0.1 instead of your interface IP address.

[dumbo]

Try to forward to 127.0.0.1 instead of your interface IP address.

You mean this way?

[pmhausen]

Yes.