AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

September 16, 2024, 11:59:14 PM #330 Last Edit: September 17, 2024, 12:01:42 AM by Imnot A Robot
Quote from: yeraycito on April 05, 2021, 01:11:31 AM
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

Adguard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^ 
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

- Google searches: OK

- Gmail: OK

- Youtube: OK

- Instagram: OK

- Android: OK

- Playstore: OK

I had to omit some of these from my custom filter rules because they messed up my daughter's Google Classroom:

||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||apis.google.com^

Please update this list or indicate this.
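As an added example (not code from either post), here is a small matcher for the `||host^` rule form used in the custom filtering rules above. It shows what each rule actually covers (the host and everything beneath it, never its parent domain) and which queries still get blocked once the seven Google Classroom rules are dropped. Only the plain `||host^` form is handled; that restriction and the rule subsets below are assumptions of this example.

```python
import re
# Constructed subset of the custom rules from the post above, and the
# seven rules the later reply dropped because they broke Google Classroom.
GOOGLE_RULES = """
||mtalk.google.com^
||metric.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||apis.google.com^
||clients2.google.com^
"""
CLASSROOM_BREAKERS = """
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||apis.google.com^
"""

# Assumption: only the plain "||host^" form is handled here; AdGuard
# wildcards, $modifiers and @@ exception rules are out of scope.
RULE_RE = re.compile(r"^\|\|([a-z0-9-]+(?:\.[a-z0-9-]+)*)\^$")

def parse_rules(text):
    """Return the set of hosts named by ||host^ lines; skip blanks and ! comments."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line.lower())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        hosts.add(m.group(1))
    return hosts

def is_blocked(qname, hosts):
    """||host^ matches host itself and every name below it, never its parent."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))

FULL = parse_rules(GOOGLE_RULES)
TRIMMED = FULL - parse_rules(CLASSROOM_BREAKERS)
```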

Opnsense 24.7.4 Installation:


1 - Activate mimugmail's community repository:


SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf


2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins


3 - Opnsense: System - Settings - General:


- DNS Servers: all empty

- Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked

- Do not use the local DNS service as a nameserver for this system: unchecked


4 - Disable Unbound


5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS checked )


6 - Navigate to http://your.opnsense:3000/ to complete the setup


7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8  etc ):

  tls://1.1.1.1

  tls://1.0.0.1

  https://odoh.cloudflare-dns.com/dns-query

  quic://dns0.eu


8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:

  1.1.1.1

  1.0.0.1

  193.110.81.0

  185.253.5.0

@yeraycito - do you know why the update button (which it should be on the left bottom corner) is missing?

Quote from: hushcoden on September 18, 2024, 05:18:38 PM
@yeraycito - do you know why the update button (which it should be on the left bottom corner) is missing?



If I get it, try accessing it with another browser or check your cookies.

Quote from: yeraycito on September 18, 2024, 03:51:22 PM
Opnsense 24.7.4 Installation:


1 - Activate mimugmail's community repository:


SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf


2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins


3 - Opnsense: System - Settings - General:


- DNS Servers: all empty

- Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked

- Do not use the local DNS service as a nameserver for this system: unchecked


4 - Disable Unbound


5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS checked )


6 - Navigate to http://your.opnsense:3000/ to complete the setup


7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8  etc ):

  tls://1.1.1.1

  tls://1.0.0.1

  https://odoh.cloudflare-dns.com/dns-query

  quic://dns0.eu


8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:

  1.1.1.1

  1.0.0.1

  193.110.81.0

  185.253.5.0

I like this configuration approach of having AdGuard Home handling all things DNS on default port 53, and disabling UnBound DNS, it's cleaner and has no redirects.

1.- Is there an advantage of keeping UnBound DNS enabled and being the man-in-the-middle?
2.- Is there a disadvantage of disabling UnBound DNS and use ONLY AdGuard Home?

Thanks

I prefer maintaining my local overrides in Unbound. Also I do not want to use public recursive upstream servers. So port forwarding where applicable --> AGH --> Unbound. Server networks go directly to Unbound. Block DNS and DoT to anything but local firewall, add DoH blocklist to AGH.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.

I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).

What's weird is that if I just enter a public DNS (like 8.8.8.8) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.

Could anyone possibly help me with this?

September 27, 2024, 02:36:36 AM #337 Last Edit: September 27, 2024, 02:42:56 AM by logi
Quote from: Tabascl on September 27, 2024, 01:26:52 AM
Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.

I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).

What's weird is that if I just enter a public DNS (like 8.8.8.8) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.

Could anyone possibly help me with this?

You have to add localhost (127.0.0.1) to the /usr/local/AdGuardHome/AdGuardHome.yaml in the following section:

dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1   # whatever the OPNsense address is
  port: 53

After that, restart the AdGuardHome service from the OPNsense console.
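An added example (not code from the post or from AdGuard Home) that checks an AdGuardHome.yaml text for the loopback entry described above and inserts it when missing. It parses only the indented block style shown in the reply, using the standard library alone, which is an assumption of this example; the sample file is constructed.

```python
# Constructed snippet in the block style shown in the reply above: the
# dns.bind_hosts list is missing 127.0.0.1, so OPNsense itself cannot
# resolve through AdGuard Home.
BROKEN = """dns:
  bind_hosts:
    - 192.168.1.1
  port: 53
"""

def bind_hosts(yaml_text):
    """Items under top-level 'dns:' -> 'bind_hosts:' (block style only)."""
    in_dns = in_list = False
    hosts = []
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                            # new top-level key
            in_dns, in_list = line.startswith("dns:"), False
            continue
        if not in_dns:
            continue
        if line.strip() == "bind_hosts:":
            in_list = True
        elif in_list and line.strip().startswith("- "):
            hosts.append(line.strip()[2:].strip("'\" "))
        else:
            in_list = False                        # next key under dns:
    return hosts

def missing_bind_hosts(yaml_text, required=("127.0.0.1",)):
    """Addresses from `required` that dns.bind_hosts does not list."""
    present = set(bind_hosts(yaml_text))
    return [h for h in required if h not in present]

def add_localhost(yaml_text):
    """Insert '- 127.0.0.1' as the first dns.bind_hosts item (no-op if present)."""
    if not missing_bind_hosts(yaml_text):
        return yaml_text
    out, in_dns = [], False
    for line in yaml_text.splitlines():
        out.append(line)
        if line and not line[0].isspace():
            in_dns = line.startswith("dns:")
        elif in_dns and line.strip() == "bind_hosts:":
            pad = " " * (len(line) - len(line.lstrip()) + 2)
            out.append(pad + "- 127.0.0.1")
    return "\n".join(out) + "\n"
```

Run the check before editing the live file, and restart the service afterwards as the reply says.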

Do you guys use the unbound dns as well besides the Adguard homes one? If so: Why?

I made the experience that AdGuard stopped working when internet was down (not even resolving local DNS) and that having unbound as upstream DNS worked around this issue.

I still run it like this, but that was a while back.

There's also a whole debate about using a recursive DNS resolver vs. using a DNS client.

1/ AdGuard is a simple DNS client to whatever is upstream (you can configure Cloudflare DNS, Google DNS, etc.).

Con: whatever is configured upstream sees every single DNS query you make
Pro: DNS lookups are all encrypted (if you configure it) – but this is of limited use until all your connections are made with QUIC, as the full domain is still transmitted in clear text (I believe it's the SNI) for every TLS handshake.

2/ Unbound is a recursive DNS resolver, meaning, it will talk to multiple different DNS servers, depending on what you are trying to resolve. For example, if attempting to resolve "example.com", it will talk to the authoritative server for ".com" and ask "who is authoritative for example.com". And so on.
Con: not all DNS servers out there support DNS over HTTPS/TLS/QUIC, resulting in plain text DNS lookups.
Pro: there is no single entity seeing all your DNS lookups.

My view is that 2/ is what will be the best method in the long term, as DNS over QUIC and QUIC in general gain popularity. But as of today, YMMV.

I use unbound for reverse DNS and if ADGuard fails it's a quick change to get it working as the primary until I can fix ADGuard.  Tbh though that's only happened once.

November 25, 2024, 02:42:49 AM #341 Last Edit: November 27, 2024, 04:52:49 PM by steky9
Been using this happily for years, have just now upgraded to 24.7 and the adguard service doesn't start even after an additional reboot. Have tried via command line and all but nada


root@OPNsense:/usr/local/etc/rc.d # ./adguardhome start
Starting adguardhome.
root@OPNsense:/usr/local/etc/rc.d # ./adguardhome status
adguardhome is not running.


I don't see a log file so as to help troubleshoot what's going on, so is there a recommended way to tackle this other than uninstall and then reinstall the package and hope for the best?

Edit: Backed up the yaml file, uninstalled the package, reinstalled it, restored the yaml file, but still the service doesn't start. Without some sort of log file I've no idea. I can see the version installed is 1.12, and the Opnsense version is 24.7.9_1

Edit2: In case anyone else runs into this, some additional googling led me to https://forum.opnsense.org/index.php?topic=41610.0 and that starting the application directly rather than via the startup script gives information as to why it fails on startup. In my case it was dropbox rather than yy it had an issue with. Deleting that line from the yaml file, and restarting the service works and I can access the WebUI again. Only slight downside is the lack of stats as they were deleted during the uninstall/reinstall of the package, but I can live with that. 

Hi guys,

I'm running into a problem with one of my WAN interfaces related-DNS issue & wanted to check if that is how ADGuard is supposed to be listening on port 53:

root@OPNsense:/usr/local/AdGuardHome # sockstat -4 -l
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
dhcpd    dhcpd      42496 13  udp4   *:67                  *:*
unbound  unbound    30726 7   udp4   *:5353                *:*
unbound  unbound    30726 8   tcp4   *:5353                *:*
unbound  unbound    30726 11  udp4   *:5353                *:*
unbound  unbound    30726 12  tcp4   *:5353                *:*
unbound  unbound    30726 15  udp4   *:5353                *:*
unbound  unbound    30726 16  tcp4   *:5353                *:*
unbound  unbound    30726 17  tcp4   127.0.0.1:953         *:*
root     eastpect   56118 15  udp4   *:*                   *:*
root     eastpect   56118 17  udp4   *:*                   *:*
root     AdGuardHom 13351 110 udp46  *:53                  *:*
root     AdGuardHom 13351 111 tcp46  *:53                  *:*
root     AdGuardHom 13351 112 tcp46  *:3000                *:*


These are the only 2 instances of Adguard listening on port 53, but as you can see, isn't udp/tcp46 IPv6?

December 02, 2024, 10:01:17 AM #343 Last Edit: December 10, 2024, 01:00:43 PM by 9axqe
I use AdGuard only on the LAN bridge intf, not on the WAN, but I do use IPv6 as well and I do not see udp46 and tcp46, only udp4, tcp4, udp6 and tcp6. According to my search-fu, udp46 is a socket that can handle both IPv4 and IPv6. Didn't even know that existed...

Long time lurker.  First time Poster.

Quote from: yeraycito on September 18, 2024, 03:51:22 PM
Opnsense 24.7.4 Installation:

1 - Activate mimugmail's community repository:

  185.253.5.0

Thanks for this awesome instruction.  Adguard Home working on my first-time opnsense install, previously rocked an Edgerouter4 for almost a decade before I made the jump to +1Gig home internet.

Question:  What do I have to do to set up masquerade / NAT rules to supplement this adguard install for "rogue" devices on my network that have hardcoded DNS lookups?  Is there a link?    All the reddit posts seem to be contradictory to this working instruction here.  For edgerouter, I had to create a NAT rule that anything trying to look up ANY IP address port:53 would get forced to the router lookup.  It was shocking to me just how many devices were doing this.  I also don't care about "tricking" these devices into thinking it made it through.  Is this thread still the right way?  https://forum.opnsense.org/index.php?topic=9245.75     Roku can go forth and multiply if it can't DOH as far as I am concerned.

Sorry if this is a dumb question, but with Unbound DNS disabled, I am unsure if NAT / dnsmasq rules are required for this software. 

Hope this makes sense.