DNS redirect best practice

Started by shayg, May 19, 2024, 03:19:04 PM

I have OPNsense and AdGuard Home (AGH) set up as a plugin on the same machine. Currently, I'm redirecting DNS queries from OPNsense Unbound to AGH over TLS. However, this setup doesn't provide full query transparency from the device to the query.

I'm considering some alternatives:

1. Forwarding the query without TLS.
2. Setting up AGH as the main DNS server and Unbound as a downstream server.
3. Leaving it as is.

Which setup is more correct or idiomatic in terms of capabilities and network architecture?


Why do you need Unbound? You could just use AGH and simplify a lot...

The only reason I see to use Unbound is for upstream DNS: Unbound is able to do recursive DNS, while AGH is not and must use an (encrypted) upstream DNS provider such as Quad9, Mullvad, NextDNS, etc.
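To make the two arrangements discussed above concrete (the current Unbound-to-AGH forwarding from the question, and option 2 with AGH in front of clients and Unbound as its recursive upstream, which is also the role the reply describes for Unbound), here are hand-written configuration fragments. They are an added illustration, not configuration from this thread or generated by the OPNsense plugin; the Unbound listen port 5335, the AGH DoT port 853 and the LAN address 192.168.1.1 are assumptions chosen for the example. The Unbound parts use unbound.conf syntax, the AGH part is a slice of AdGuardHome.yaml.

```yaml
# --- BEFORE (the setup in the question): unbound.conf forwards every query
#     to the local AGH over TLS. Every query reaches AGH from 127.0.0.1, so the
#     AGH query log cannot attribute queries to individual LAN devices.
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@853     # AGH DoT listener port is an assumption
  forward-tls-upstream: yes

# --- AFTER (option 2): AdGuardHome.yaml, dns section only. Clients point at
#     AGH directly, so AGH sees and logs the real client IP and applies
#     per-client rules before anything is resolved.
dns:
  bind_hosts:
    - 192.168.1.1                 # constructed sample LAN address of the box
    - 127.0.0.1
  port: 53                        # client-facing port is owned by AGH now
  upstream_dns:
    - 127.0.0.1:5335              # local Unbound does the recursion; no external forwarder

# --- AFTER (option 2): unbound.conf, server section only. Unbound moves off
#     port 53 and resolves recursively from the root hints; there is no
#     forward-zone at all, so no third-party upstream sees the queries.
server:
  interface: 127.0.0.1
  port: 5335                      # assumed port; must match AGH upstream_dns above
  access-control: 127.0.0.0/8 allow
```

With the second arrangement the AGH query log shows each LAN device, while Unbound only ever sees 127.0.0.1, which is acceptable because filtering and logging decisions are taken in AGH. The two fragments on the loopback interface carry no TLS, which is why dropping it (option 1 in the question) changes nothing about who can observe the traffic; the visibility problem comes from the hop order, not from the transport.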