AdGuard Home setup guide

[hushcoden]

I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.

I recall I read on the AdGuard forum that bootstrap addresses are basically only used to resolve the hosts in the upstream servers (and that's also the comment you see in that section).

[Patrick M. Hausen]

Makes sense. But then I put IP addresses in forwarder configurations, not host names.

[dumbo]

Yes.

Then I'm doing some else wrong. If I go into Firewall > Rules > "Notebook" my test Network called "Notebook" (do also have a NAT Port Forward rule for it), then the upper rule is the one automatically set from the NAT rule.

After that rule I have to create another rule (I think this one is not working correct) that I can get any DNS resolution and the last rule is my rule, that I can access the internet but no RFC1918 Networks.
Maybe this rule is also not correct?

What rules do I need within this "Notebook" network, that the devices can access the internet but not other local networks?

 

[dumbo]

If the forward DNS server is identical with the one keeping your local forward and reverse zones, than you do not need the "private reverse" setting. This is for the occasions when the two are different.

They are identical, but it does not work. No hostnames showing up - only IPs.

[dumbo]

Maybe I found something. Could it be, that I need to set the Admin Web Interface "Listening Interface" to All instead of my LAN Network?

At the moment it's only listening on the IP of my OPNsense itself (example igc1 - 192.168.1.1).

I could choose:
- All
- WAN
- LAN
- Loopback

Or should I choose the loopback interface 127.0.0.1?

[RamSense]

it states that ALL is recommended :-), but you can change it see also the opnsense manual: https://docs.opnsense.org/manual/settingsmenu.html

p.s. also change the order of the firewall rules. You start with all -> source  * and port * ..... port 53
Than the ones below that one for port 53 will not be reached.
End with the first one en put the other above the allow all/auto rule

[dumbo]

it states that ALL is recommended :-), but you can change it see also the opnsense manual: https://docs.opnsense.org/manual/settingsmenu.html

Within the OPNsense manual there is no manual for the AdGuard Home plugin. Already checked.

[RamSense]

Ah, I was mistaken and thought you were referring to the opnsense gui listening ports.
Adguard listening to all works without thinking, but you can also manually configure it to listen only to your preferred interfaces.

[dumbo]

Thx for your feedback.

The issue I still have is, that it doesn't resolve the host names within AGH. Only showing IPs.
Everything is working.

When I look at my OPNsense within DHCPv4 Leases I can see the hostnames of my devices.

Within unbound I activated:
- Register DHCP static mappings
- Register DHCP leases
- Flush DNS cache during reload
- Enable DNSSEC

Unbound Local Zone Type is: transparent

[dumbo]

As soon as I enter 192.168.1.1:53530 within private reverse DNS servers AGH starts resolving hostnames.

But what confuses me is, that all of you are saying, that it also should work without any entry within this section.

If I leave it blank it stops resolving host names.

[Patrick M. Hausen]

Do you have the same 192.168.1.1:53530 as the regular upstream DNS?

[dumbo]

Do you have the same 192.168.1.1:53530 as the regular upstream DNS?

Yes.

Config is:
ADGUARD:

Code: [Select]

bind_host: 192.168.1.1
bind_port: 3000
beta_bind_port: 0
...
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

AdGuard Webinterface:

Code: [Select]

Upstream DNS servers: 192.168.1.1:53530

UNBOUND:

Code: [Select]

Listen Port: 53530
Interfaces: All
DNSSEC = on
DHCP leases = on
Static mappings = on
Ipv6 link-local = on
Local Zone Type = transparent

OPNsense IP = 192.168.1.1

When the "Private reverse DNS servers" field is empty, then I do noch get any host resolution.
When I enter 192.168.1.1:53530 within Private reverse DNS servers I do get those host names.

[Patrick M. Hausen]

Must be a feature then. I honestly don't know. AGH is a project entirely unrelated to OPNsense. May I suggest checking their documentation?

[dumbo]

Will do.

I also find the documentation/video from the original source:

https://www.max-it.de/adguard-dns-blocker-neues-opnsense-plugin/

He is showing it in an other way.
Going with an other port for AGH and leaving port from Unbound at 53.
Then making a NAT Port Forward to (in this video) 5310.

Why not choosing this way? Is there any downside?

The advantage would be, that the Firewall itself does not need to go through AGH and other networks, which I don't want to can also be Unbound only.

[yeraycito]

Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353