Changing the DNS provider

[cookiemonster]

I second that view. I moved from pihole on a vm to AdguardHome on OPN. Both point to Unbound on OPN.
The filtering is done and the stats page are useful on ADG, as it is its main purpose.
The load on OPN has been acceptable and I was able to take a VM out of commission.

[lilsense]

I prefer PiHole which goes deeper than just IP of unbound and allows you to add Regular expressions from the URL to block these from showing adds. I use this at home so that all the no so "Smart TVs" show no advertisements.

[hushcoden]

1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
       

I believe it now works as if I do a DNS leak test I get as result my IP address and non the ISP DNS serves IP addresses, is that right?

tia.

[cookiemonster]

I prefer PiHole which goes deeper than just IP of unbound and allows you to add Regular expressions from the URL to block these from showing adds. I use this at home so that all the no so "Smart TVs" show no advertisements.

Unless I misunderstand what you do, AGH does the same or similar. I use that too.

[lilsense]

Last I tried it the Regex scripts were not supported by AGH.

[Inxsible]

AdGuard Home needs an additional recursive resolver. It does filtering only.

Ok thanks. Then it would need some other DNS service (local or otherwise) to be able to serve the domain names.

The filter implementation in Unbound is a bit naive^H^H^H^H^Hstraightforward. Filter lists are pulled from their respective sources, translated into configuration statements, and loaded as unbound configuration.

This leads to two undesirable effects:

- the startup/restart time of Unbound can get really long
- if there is just a single syntax error in just one of the lists, Unbound will fail to start

AdGuard Home on the other hand is designed from the start as an ad filter and can easily cope with both issues.

And then: have you ever TRIED AdGuard Home? I mean Just look at the UI - isn't that huge feature by itself?

Ok that helps a lot. I might have to look into installing AGH and tinker around a bit

As for the second question - I don't know. Not needing a separate VM, possibly? Some people might have only one firewall device? What's the disadvantage of running AGH on your OPNsense? I don't see any.

I know that usually people don't have a lot of machines to separate devices, but as I said, I already have a Proxmox server, so firing up a new container is not difficult. Plus I am more comfortable in a linux environment compared to the FreeBSD cli. Also, I wouldn't have to add a 3rd party repo in my firewall.
But on the other hand, I do see the advantage of putting the DNS server on the firewall itself for the least amount of latency possible

[cookiemonster]

Last I tried it the Regex scripts were not supported by AGH.

I was referring to these capabilities https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists but you might have more complex requirements of regex or additional scripting.

[Inxsible]

I installed Adguard Home as a plugin on Opnsense and everything seems to be working.

I also disabled the Blocklists under Unbound DNS and found that my memory consumption dropped from around 60% to 20% without any affect to the CPU usage, so that's a plus.

I do notice a few differences -- like the Ad links Google searches produces used to give me a ERR_REFUSED, but now they work -- but I guess that's fine as my wife kept complaining that she can't get to any links from her searches etc.

I am also trying to set up HAProxy configuration, so that I can access AdGuard Home using a host.domain instead of the IP, but I can't seem to get this to work. My real server is pointing to the OpnSense IP with port = 81 (the one I chose when setting up AdGuard Home). Any pointers on this would be really helpful.

Finally, I have some questions on the whole DOH/DOT. Unbound allows DOT setup and it works when I set it up... but I wanted to understand it a bit better.
When not using DOH/DOT, your ISP can (if they wanted to) see and log the websites that you request DNS for. When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?

[Patrick M. Hausen]

When not using DOH/DOT, your ISP can (if they wanted to) see and log the websites that you request DNS for.

This depends on how you define "see and log".

If you use your own recursive DNS, e.g. Unbound, and do not use your ISP's recursive DNS as a forwarder, then your ISP does not see your requests. Period.

Unless ... they actively sniff all of your network traffic and look for DNS requests. Which at least here in Europe would violate several laws.

So in a civilized country with e.g. GDPR in place, I argue that running your own recursive DNS is the best protection of your privacy you can get.

When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?

Exactly. You are freely giving all your DNS requests to a single centralized third party - which in case of 1.1.1.1 or 8.8.8.8 is a US American company probably not bound by GDPR in any way.

So as a EU citizen I do not trust my ISP not to log DNS requests should I use their recursive DNS. But I do trust that the deterrent of local legislation is high enough for them not to actively sniff traffic.

That's why I recommend using a local recursive DNS server.

The Internet's infrastructure is supposed to be decentralized, remember?

As always your mileage may vary. Specifically if you are a US citizen or if you are in a really repressive country. In the latter case using 1.1.1.1 or 8.8.8.8 might be the lesser evil.

Kind regards,
Patrick

[Inxsible]

This depends on how you define "see and log".

If you use your own recursive DNS, e.g. Unbound, and do not use your ISP's recursive DNS as a forwarder, then your ISP does not see your requests. Period.

Ok, that makes sense. I am not using Query forwarding anywhere in Unbound configuration.

Unless ... they actively sniff all of your network traffic and look for DNS requests. Which at least here in Europe would violate several laws.

At this point either the government or Comcast has something on me, and no amount of hiding is gonna save me. So I am not really bothered if they are sniffing all my traffic.

So in a civilized country with e.g. GDPR in place, I argue that running your own recursive DNS is the best protection of your privacy you can get.

When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?

Exactly. You are freely giving all your DNS requests to a single centralized third party - which in case of 1.1.1.1 or 8.8.8.8 is a US American company probably not bound by GDPR in any way.

So as a EU citizen I do not trust my ISP not to log DNS requests should I use their recursive DNS. But I do trust that the deterrent of local legislation is high enough for them not to actively sniff traffic.

That's why I recommend using a local recursive DNS server.

The Internet's infrastructure is supposed to be decentralized, remember?

As always your mileage may vary. Specifically if you are a US citizen or if you are in a really repressive country. In the latter case using 1.1.1.1 or 8.8.8.8 might be the lesser evil.

Kind regards,
Patrick

Ok thanks for confirming my understanding. I am in the US and so no GDPR type law that I know of, but as I mentioned, I am not trying to hide from the government.

For me -- no point of adding additional latency for DOT under Unbound then, I have it disabled already as I was only testing.

Now the only thing remaining is HAProxy configuration for AdGuard Home !!

[cookiemonster]

For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
For reaching your AGH from outside, is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the lan that was doing the required translations i.e. upd and dot (for android) but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and setup a wireguard vpn.  Now when I'm out, I enable wg on the phone and all flows through my home network including dns queries through ADG. Just a thought.

[Inxsible]

For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Ok thanks, I will try that. I did have that in my Unbound Blocklist. I was going to enable 1 at a time and see if it was worthwhile to add it to AdGuard Home.

For reaching your AGH from outside, is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the lan that was doing the required translations i.e. upd and dot (for android) but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and setup a wireguard vpn.  Now when I'm out, I enable wg on the phone and all flows through my home network including dns queries through ADG. Just a thought.

I do NOT want to access AGH from outside the network. I actually have a OpenVPN Road warrior setup and that works great for me to connect to the home network. I might think about setting a WireGuard VPN if there are speed benefits as everyone claims.

What I am currently trying to do is just use https://adguard.mydomain.com to access AGH instead of 192.168.1.1:81 from within my local network. I use such a setup for all my services and I own a domain and issue a wildcard Let's Encrypt certificate for all of them.

[cookiemonster]

Right, clear now. Internally.
You'd want to see where are your clients looking for their internal dns resolution and put an override there. Presumably it's Unbound. So try a host override.

[hushcoden]

1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
       

I believe it now works as if I do a DNS leak test I get as result my IP address and non the ISP DNS serves IP addresses, is that right?

tia.

Could someone confirm if my assumption is correct?

Ta.

[Inxsible]

If you are getting just your IP then your unbound is working as a resolver, yes.