AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

Yeah, and I find it works much quicker especially vs PiHole or external DNS

April 04, 2021, 08:16:42 PM #16 Last Edit: April 04, 2021, 08:50:56 PM by yeraycito
OPNsense 21.1.4 installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In AdGuard Home - DNS Configuration - Upstream Servers: set the desired servers (1.1.1.1, 8.8.8.8, etc.)

6 - In OPNsense disable Unbound. In case you want to keep using it, leave it activated but change its port to 5353, and in AdGuard Home - DNS Configuration - Upstream Servers add router_ip:5353

- It is not necessary to activate the internal OPNsense DNS (127.0.0.1) in OPNsense under System - Settings - General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

- No need to set DNS servers in DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

- In OPNsense - Unbound - Miscellaneous set the desired DNS servers: 1.1.1.1@853 8.8.8.8@853

- Activate Unbound on port 5353

- In AdGuard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 (Unbound disabled): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption

April 04, 2021, 10:34:51 PM #17 Last Edit: April 04, 2021, 10:36:59 PM by yeraycito
Recommended DNS blocklists: 1Hosts (Pro) - Goodbye Ads - Energized Ultimate - Lightswitch05 - Steven Black - oisd

Installation in AdGuard: Filters - DNS blocklists - Add blocking list - Add a custom list

- https://hosts.netlify.app/Pro/adblock.txt

- https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt

- https://block.energized.pro/ultimate/formats/hosts.txt

- https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

- https://hosts.oisd.nl/

Extra, in AdGuard: Filters - DNS blocklists - Add blocking list - Choose from the list:

- Perflyst's Smart-TV Blocklist

@yeraycito thanks for those lists. Which criteria did you apply when picking them?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Unlike the ones Adguard comes with, these are much more complete. Each of them includes many other lists. They are the most complete I have found. If you put these in, you don't need any more.

April 05, 2021, 01:11:31 AM #20 Last Edit: April 05, 2021, 02:15:14 AM by yeraycito
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

AdGuard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

- Google searches: OK

- Gmail: OK

- Youtube: OK

- Instagram: OK

- Android: OK

- Playstore: OK
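As an added example (not code from the post), a small Python matcher for the `||domain^` rule syntax used above, run over a subset of the posted rules and some constructed query names. It shows that a rule blocks the named host and all of its subdomains but not the parent domain or look-alike names, which is why `||www.gstatic.com^` does not touch `gstatic.com` itself.

```python
import re

# A subset of the custom rules posted above, in AdGuard Home DNS filtering syntax.
CUSTOM_RULES = """
! lines starting with ! or # are comments in AdGuard rule lists
||dnsotls-ds.metric.gstatic.com^
||metric.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||mtalk.google.com^
||apis.google.com^
||clients2.google.com^
"""

# Constructed sample of query names, as they might appear in the AdGuard query log.
SAMPLE_QUERIES = [
    "fonts.gstatic.com", "cdn.fonts.gstatic.com", "gstatic.com",
    "notfonts.gstatic.com", "mail.google.com", "apis.google.com",
    "play.google.com", "www.gstatic.com.",
]

RULE_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^$", re.IGNORECASE)


def parse_rules(text):
    """Extract the domain from each ||domain^ rule; comments and blank lines are skipped."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        m = RULE_RE.match(line)
        if m:
            domains.append(m.group(1).lower().rstrip("."))
    return domains


def matching_rule(qname, domains):
    """Return the rule domain that blocks qname, or None.
    ||example.com^ matches example.com and any label.example.com, but not
    notexample.com or the parent domain com. The longest match is reported."""
    name = qname.lower().rstrip(".")
    hits = [d for d in domains if name == d or name.endswith("." + d)]
    return max(hits, key=len) if hits else None


def audit(qnames, domains):
    """Map each query name to the rule that blocks it (None means allowed)."""
    return {q: matching_rule(q, domains) for q in qnames}
```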


@yeraycito

Just a shout out to say thanks for your contributions to this thread. I found them very useful, and have Unbound / AdGuard working well together. Ads are gone, DNS lookups are resolving quickly. Your suggested blocklists are awesome!

That said, I'm still a little (embarrassingly) confused about something. That is, getting the LAN reverse lookups to function. Below I'll show one setup where the reverse lookups actually do resolve, but the upstream DNS resolver ends up being one of my two ISPs, and a second where the upstream resolver is Cloudflare, but then the reverse lookups stop working.

I have the following OPNSense Configuration:
Dual WAN, two gateway setup (might not be relevant to the discussion)

System/Settings/General:
- DNS Servers: all empty

Services/Unbound DNS/General:
- port: 5353
- DNSSEC: enabled
- DHCP Registration: enabled
- DHCP Static Mappings: enabled
- Local Zone Type: transparent


AdGuard Settings:

1) With this setup, reverse lookups function. That is, inside AdGuard's Top Clients, I can see host names are resolving. However, the upstream DNS server is my ISP's DNS server.

Adguard/DNS Settings:
127.0.0.1:5353

Bootstrap DNS servers:
127.0.0.1:5353
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10


2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but the upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1



Do you have any suggestions what I might be doing wrong?
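To make the upstream lines above concrete, here is an added Python model (not AdGuard Home's own code) of how AdGuard picks an upstream for a query: a `[/domain/]server` line captures that domain and its subdomains, the longest matching domain wins, and anything unmatched goes to the plain (default) upstreams. With `ipaddress.reverse_pointer` it also builds the PTR name that a 192.168.x.y reverse lookup actually asks for, so you can see which upstream a LAN reverse query would reach in the two configurations above; the configurations themselves are constructed from the post.

```python
import ipaddress


def reverse_name(ip):
    """PTR owner name for an address: 192.168.0.25 -> 25.0.168.192.in-addr.arpa,
    which is a subdomain of 168.192.in-addr.arpa (all of 192.168.0.0/16)."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_upstreams(lines):
    """Parse AdGuard Home upstream lines into (domains, server) pairs.
    domains is None for a default upstream, else the list from [/a/b/]server."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[/") and "/]" in line:
            end = line.index("/]")
            domains = [d.strip().strip(".").lower() for d in line[2:end].split("/")]
            parsed.append(([d for d in domains if d], line[end + 2:].strip()))
        else:
            parsed.append((None, line))
    return parsed


def select_upstreams(qname, upstreams):
    """Candidate servers for qname: the most specific domain-specific rule wins;
    without one, every default upstream is a candidate, so a private-range PTR
    may be sent to a public resolver that cannot answer it."""
    name = qname.lower().rstrip(".")
    best_len, best = -1, []
    for domains, server in upstreams:
        for d in domains or []:
            if name == d or name.endswith("." + d):
                if len(d) > best_len:
                    best_len, best = len(d), [server]
                elif len(d) == best_len:
                    best.append(server)
    return best or [s for domains, s in upstreams if domains is None]


# Constructed configurations mirroring the two setups described in the post,
# plus the same setup with the domain-specific reverse-zone rule added.
SETUP_1 = ["127.0.0.1:5353"]
SETUP_2 = ["127.0.0.1:5353", "1.1.1.1", "1.0.0.1"]
SETUP_2_WITH_REVERSE_RULE = SETUP_2 + ["[/168.192.in-addr.arpa/]127.0.0.1:5353"]
```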

Hello, for the DNS servers not to be those of your ISP you have to set one in Unbound. To resolve the hostnames it is better to add them in the AdGuard configuration.

My settings:

System/Settings/General:
- DNS Servers: all empty
- Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
- port: 5353
- DNSSEC: enabled
- DHCP Registration: disabled
- DHCP Static Mappings: disabled
- Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers: 1.1.1.1@853 1.0.0.1@853

In AdGuard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In AdGuard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In AdGuard Home - Configuration - Clients configuration - Add client: add IP and hostname


A good complement is also to use NextDNS DNS servers.

They are just as fast as Cloudflare's but add more protection and the ability to add blocklists.

Installation:

Go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and DNS servers.

OPNsense installation:

- Follow the tutorial explained above for AdGuard.

- Unbound - General - Custom Options: add the following (XXXXXX is your custom NextDNS ID)

# Unbound custom options: forward everything to NextDNS over TLS (port 853).
# The name after '#' is the TLS server name the certificate is checked against.
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
    forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
    forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
    forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io

I installed the AdGuard plugin... everything seems to be working OK... only under Plugins the AdGuard plugin is marked as misconfigured? Why is that?


Hello,

where can I find the logfile? In /var/log I found no AdGuard file.

Thanks

April 20, 2021, 03:54:49 PM #29 Last Edit: April 20, 2021, 08:15:13 PM by Spritzup
Transfer from PiHole (running on a Pi) to AdGuard on OPNsense went flawlessly. By using a virtual IP for AdGuard, I didn't even need to change any of my preconfigured rules, which was nice. I had allocated myself a few hours to get this done, and it ended up taking less than 15 minutes :)

Question though. One of the "optimizations" that is sometimes recommended when using PiHole in conjunction with Unbound is to disable DNS caching on the Pi-hole, so that all DNS lookups are handled by Unbound. Would this provide any benefit with AdGuard?

Thanks!

EDIT - So an oddity. Using a virtual IP, it showed no port conflicts using port 80 or port 53, and everything worked great for a day. Today I decided to tweak some Unbound settings and had to restart the service... and it wouldn't start due to a port conflict. Any ideas?

~Spritz