
Author Topic: Unbound DNS - Forward clients IP to ADGuard home  (Read 4999 times)

vamp

Unbound DNS - Forward clients IP to ADGuard home
« on: July 18, 2023, 09:15:29 am »
Hello there,

I installed AdGuard Home on a different server and now I forward all DNS requests to it. The problem is that AdGuard now only shows the OPNsense IP address, and it is hard to filter the clients.

I read that Unbound is able to send client IP addresses to the upstream DNS server (EDNS settings), but I have not found any documentation on how to handle it in OPNsense.

(Side note: no, I do not want to install AdGuard Home directly on OPNsense, and I also don't want to reverse the direction :) )

CJ

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #1 on: July 18, 2023, 01:52:13 pm »
How are you forwarding DNS requests?  Firewall rules?

Why don't you just set your Adguard DNS server in the DNS option of DHCP?
Have Answer, Will Blog

vamp

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #2 on: July 18, 2023, 01:57:10 pm »
Not firewall rules, I forward it with Unbound.

Yes, it is easier, but I am trying to do it this way.

CJ

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #3 on: July 18, 2023, 02:05:43 pm »
I'm confused.  Is there a specific purpose that you're trying to accomplish by query forwarding with Unbound instead of just providing the Adguard DNS directly to your clients?

vamp

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #4 on: July 18, 2023, 02:08:00 pm »
It is a "lab test": I am trying to get the same result with AdGuard + Unbound as with Pi-hole and dnsmasq.

If I follow this article, it works like a charm...

https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/#page-content

But if I try to "translate" it to AdGuard + Unbound, no success....

CJ

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #5 on: July 18, 2023, 02:20:23 pm »
I assume because dnsmasq defaults to on while Unbound is off.

According to the docs, you can set custom options with a config file.  https://docs.opnsense.org/manual/unbound.html

Personally, I'd just pass AdGuard via DHCP.  Good luck!

vamp

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #6 on: July 18, 2023, 02:25:54 pm »
I also disabled dnsmasq and enabled Unbound.

I already added a custom config to Unbound. This one:

Code:
server:
  client-subnet-always-forward: yes
  send-client-subnet: 0.0.0.0/0
  send-client-subnet: ::0/0

But it did not help at all.

fbeye

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #7 on: July 18, 2023, 04:42:15 pm »
If I am reading your original post correctly, I had the same issue and created a topic, and it was resolved towards the bottom. Hope it helps.

https://forum.opnsense.org/index.php?topic=34129.msg165379#msg165379

vamp

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #8 on: July 18, 2023, 05:26:57 pm »
Yeah, your solution is to reverse the direction. That is what others say.

But my idea is to configure OPNsense as a DNS server (Unbound or dnsmasq) and forward the DNS queries to AdGuard Home, together with the client IP information. (That is the EDNS setting; you are able to do this with Unbound and dnsmasq.)

If I use Pi-hole (and dnsmasq on the OPNsense side), it works as expected. OPNsense accepts the DNS query and forwards it to Pi-hole (Pi-hole is the DNS server that I set in the OPNsense general settings).

This needs to be added to the OPNsense dnsmasq settings:

Code:
add-mac
add-subnet=32,128


If I do the same with Unbound (this is the code that needs to be added):

Code:
server:
  client-subnet-always-forward: yes
  send-client-subnet: 0.0.0.0/0
  send-client-subnet: ::0/0

it does not work... with either Pi-hole or AdGuard Home. (AdGuard also does not work with dnsmasq.)

It is also really important that, if you use Pi-hole, you add these settings to the Pi-hole DNS server (it uses dnsmasq):

Code:
strip-subnet
strip-mac

because if we do not do this, Pi-hole forwards this data to the configured upstream DNS server... (Google or whichever one you set...)

See this pull request:

https://github.com/pi-hole/FTL/pull/1240
Logged
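
The EDNS Client Subnet (ECS, RFC 7871) option that dnsmasq's add-subnet=32,128 attaches and strip-subnet removes, shown on the wire as an added example that is not part of the original posts or of any project's code. The function names and the sample bytes are constructed for illustration; option code 65001 is the one dnsmasq uses for add-mac.

```python
import ipaddress
import struct

ECS = 8              # EDNS Client Subnet option code (RFC 7871)
DNSMASQ_MAC = 65001  # option code dnsmasq uses for add-mac

def build_ecs(client_ip, v4_prefix=32, v6_prefix=128):
    """Encode the ECS option a forwarder attaches (defaults mirror add-subnet=32,128)."""
    ip = ipaddress.ip_address(client_ip)
    family, prefix = (1, v4_prefix) if ip.version == 4 else (2, v6_prefix)
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    addr = net.network_address.packed[:(prefix + 7) // 8]  # host bits zeroed, then truncated
    body = struct.pack("!HBB", family, prefix, 0) + addr   # scope prefix is 0 in queries
    return struct.pack("!HH", ECS, len(body)) + body

def parse_options(rdata):
    """Split OPT record RDATA into (code, body) pairs, rejecting truncated input."""
    opts, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, i)
        if i + 4 + length > len(rdata):
            raise ValueError("truncated option body")
        opts.append((code, rdata[i + 4:i + 4 + length]))
        i += 4 + length
    return opts

def decode_ecs(body):
    """Return the client network that an ECS option body reveals to the upstream."""
    family, src, _scope = struct.unpack_from("!HBB", body)
    cls, size = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}[family]
    if len(body) - 4 != (src + 7) // 8:
        raise ValueError("address length does not match source prefix")
    return cls((body[4:].ljust(size, b"\0"), src))

def strip_client_info(rdata):
    """Drop ECS and MAC options, as strip-subnet / strip-mac do before going upstream."""
    keep = [(c, b) for c, b in parse_options(rdata) if c not in (ECS, DNSMASQ_MAC)]
    return b"".join(struct.pack("!HH", c, len(b)) + b for c, b in keep)

# Constructed sample: a cookie option (code 10), ECS for one LAN client, and a MAC option.
COOKIE = struct.pack("!HH", 10, 8) + bytes(range(8))
SAMPLE = (COOKIE + build_ecs("192.168.1.50")
          + struct.pack("!HH", DNSMASQ_MAC, 6) + bytes.fromhex("020000aabbcc"))

if __name__ == "__main__":
    for code, body in parse_options(SAMPLE):
        print(code, decode_ecs(body) if code == ECS else body.hex())
```

With a source prefix of 32 the option carries the exact client address, which is what lets the filtering resolver tell clients apart and why it is stripped before queries go on to a public resolver.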

NeoDragon

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #9 on: July 18, 2023, 06:56:04 pm »
You should remove unbound from this chain, adguard can do it all without having to use unbound.
Anyway, have you tried this:

Unbound:
 DHCP Static Mappings    Register DHCP static mappings Ticked
 DHCP Registration    Register DHCP leases  Ticked

AdguardHome:
Under Upstream DNS Server (make sure it is the first entry)
[/168.192.in-addr.arpa/]192.168.1.1

Change the address according to your own network.

fbeye

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #10 on: July 18, 2023, 09:05:34 pm »
Not trying to hijack the conversation, but add to it and gain knowledge.
When running OpenVPN clients, would there need to be special Upstream for that as well? Such as the preferred DNS servers by the VPN provider?

vamp

Re: Unbound DNS - Forward clients IP to ADGuard home
« Reply #11 on: July 18, 2023, 10:06:24 pm »
Hmm, it seems it is not possible to do this with Unbound...

It needs to be compiled manually:

https://discourse.pi-hole.net/t/unbound-with-ecs-and-dnssec/56682

I compiled unbound manually, with the --enable-subnet flag, to enable ECS support. Here is the relevant part of the config (the other 2 files are for DNSSEC, and the one from the pihole docs/guides)

It seems the OPNsense version does not contain ECS support.

Edit:

Ahhhh... it never works with AdGuard Home... this feature is not implemented yet...

https://github.com/AdguardTeam/AdGuardHome/issues/1727

sad news...
« Last Edit: July 18, 2023, 10:33:37 pm by vamp »