Adguard plugin questions.

Started by manysmallpieces, October 17, 2024, 10:51:26 AM

I've recently added the Adguard plugin to my DNS 'stack' on OPNsense and have a few musings about configuring it.

First things first, I had to go into AdGuardHome.yaml and add 127.0.0.1 to the listen interfaces under DNS: bind_hosts:.
Is that expected behavior? I was experiencing that the firewall itself had no DNS. Under (System: Settings: General> Networking) I have the list of servers blank and everything unchecked. So the only DNS that OPNsense has is its own services. This was working fine with Unbound but after switching Unbound's port and letting Adguard take over port 53, nothing. I did some diagnostics tests and discovered that connections on loopback @ 53 were being refused. Clients still had DNS though, and that made sense enough as connections on the lans interface IPs @ 53 were fine.

Explicitly, this makes sense? Even in the Adguard home GUI it was directly stating "AdGuard Home DNS server is listening on the following addresses:" and without adding 127.0.0.1 it only had lan interface IPs. Thing is, I can't recall anyone mentioning having to do this. I guess I could have just set OPNsense to use a lan interface IP as its DNS server. The DNS Lookup diagnostic went just fine doing it as such. Maybe there is a reason to prefer one way over the other.

--

I did originally want OPNsense to keep using Unbound and just leave Adguard alone, but I didn't see a way to have it use a port other than 53. I guess I'm sneaking in an Unbound question here, but is there a way to have it listen on both a nonstandard port and 53 for just one interface? Or force OPNsense to get its system DNS from a IP listening on a nonstandard port? Maybe I could unselect all the lan interfaces in (Services: Unbound DNS: General> Network Interfaces), only have Adguard listening on the lan interfaces, and have them both listening on port 53. Hmm, I think I would have to change my DNS hijacking firewall rules if I did it that way.

Interface: lans_group
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: lans_group net
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to local
NAT Reflection: Disable


I would have to change the Redirect target IP from loopback, or that would probably make any hijacked DNS requests use Unbound instead of Adguard.

---

My other set of musings are somewhat of a rehash of what I was saying in this post https://forum.opnsense.org/index.php?topic=43401.0 . But in the context of Adguard instead of Unbound. I thought, perhaps, since I run both Unbound and DNSCrypt-Proxy, I could get more performance or at least less overhead by splitting upstream queries from Adguard to both DNSC-P and Unbound for external and local respectively. As opposed to explicitly setting Unbound as Adguard's sole upstream and then forcing DNSC-P as Unbound's sole upstream via a catch all Query Forwarding rule. Probably redundant but here's that:

Domain: (blank)
Server IP: 127.0.0.1
Server Port: 30054


Another set of musings in the middle of those. Is this even worth doing? My thinking is:

  • That using DNSC-P in the way that I do puts my uncached query times in the dumpster, though I know that relative to that, playing hot potato with queries over loopback isn't adding that much.
  • That having three DNS services all caching and logging every query is very redundant, but better to have the logs at each junction than not.
  • My firewall is highly over-spec hardware-wise so maybe I should not care.
  • I should take some time to gain a deeper understanding of the implications of using multiple services and consider turning off caching for one or two of them. Adguard has 'optimistic mode', Unbound has prefetch. Pros and cons.

I read somewhere that I should make sure my TTLs are 'synced' if I am using multiple caches. How does one go about that?
Again, is this a worthwhile endeavor or am I better off using Unbound as Adguard's sole upstream to make use of prefetch?
No matter what I should probably turn off DNSC-P's cache, yeah?

In any case, trying out the idea I laid out, I set DNSC-P as both the Upstream and the Bootstrap [only because it kept auto-filling the Bootstrap section with quad9 and such if you try to leave it blank], and then Unbound as the Private reverse DNS server with "Use private reverse DNS resolvers" and "Enable reverse resolving of clients' IP addresses" both checked. Problem with this is Adguard doesn't fully filter the things I was talking about in that other post out such as 'things like "device-metrics.amazon.com.home.arpa" which otherwise should be an external address, with the local domain appended to it.' While Unbound with local-zone set to static, as was the concluded solution in that thread, did.

Maybe I could do this with some clever regular expression based rules in Adguard's custom filtering. Hmm, wait. I could set it such that any requests ending with ".home.arpa" get sent to Unbound explicitly with a rule and then Unbound will use local-zone static to properly handle those requests.
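The two diagnostics the post describes by hand, checking whether each resolver in the chain actually answers on loopback (the "connection refused on 127.0.0.1:53" symptom) and comparing the TTLs that the stacked caches hand back for the same name, can be scripted with raw DNS packets. The following is an added example written for this thread, not code from AdGuard Home, Unbound, DNSCrypt-Proxy or OPNsense. The listener table is an assumption: AdGuard on 53 as in the post, DNSCrypt-Proxy on 30054 as in the post's forwarding rule, and a placeholder port for the relocated Unbound, which the post does not name.

```python
"""Probe each resolver in a layered OPNsense DNS stack over UDP and compare
the answer TTLs they return. Hypothetical helper written for this thread."""
import socket
import struct

# Assumed listeners. 53 and 30054 come from the post; 53530 for the moved
# Unbound instance is a placeholder, adjust to whatever port you picked.
LISTENERS = {
    "adguard": ("127.0.0.1", 53),
    "unbound": ("127.0.0.1", 53530),
    "dnscrypt": ("127.0.0.1", 30054),
}


def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal recursion-desired query (default QTYPE A) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_ttls(msg):
    """Return (rcode, [ttl, ...]) for every record in the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return rcode, ttls


def probe(addr, name, timeout=2.0):
    """Send one UDP query to a listener.

    Returns ("refused",) when nothing is bound there (ICMP port unreachable,
    the symptom the post saw on loopback), ("timeout",) when the query is
    silently dropped, or ("ok", rcode, ttls) on an answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), addr)
            data, _ = s.recvfrom(4096)
        except ConnectionRefusedError:
            return ("refused",)
        except socket.timeout:
            return ("timeout",)
    rcode, ttls = parse_ttls(data)
    return ("ok", rcode, ttls)


def ttl_spread(results):
    """Difference between the lowest answer TTL each responding cache returned.

    With one shared cache this is close to zero; a large spread means a layer
    is serving its own copy with a TTL the layer in front of it never sees
    counting down, which is what "unsynced TTLs" between stacked caches means."""
    mins = [min(r[2]) for r in results.values() if r[0] == "ok" and r[2]]
    return max(mins) - min(mins) if len(mins) > 1 else 0


if __name__ == "__main__":
    results = {n: probe(a, "example.com") for n, a in LISTENERS.items()}
    for n, r in results.items():
        print(f"{n:9} {r}")
    print("TTL spread across caches:", ttl_spread(results))
```

Run it on the firewall itself (not from a LAN client) so the loopback bindings are what gets tested; a "refused" for the AdGuard entry reproduces the 127.0.0.1 problem from the first paragraph, and running it twice a few seconds apart shows which layers decrement TTLs and which hand back a fixed value.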
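For the regex idea in the last paragraph, here is an added example (written for this thread, not AdGuard Home's own code) that tests a candidate custom-filtering pattern against a handful of constructed query names before it goes anywhere near a live filter list. The assumption baked into the pattern is that real local hosts are a single label under the zone (printer.home.arpa), so two or more labels in front of home.arpa mean a public name had the search suffix appended, which is the device-metrics.amazon.com.home.arpa case from the post; the rule string uses AdGuard's /regex/ rule form, but the pattern itself is mine.

```python
"""Dry-run a regex custom-filtering rule for search-suffix leakage under a
local zone. Hypothetical helper written for this thread."""
import re

LOCAL_ZONE = "home.arpa"   # the suffix used in the post

# Assumption: a legitimate local host has exactly one label before the zone.
# Two or more labels before it means a fully-qualified public name had the
# local suffix appended. Written in AdGuard's /regex/ rule form.
SUFFIX_LEAK_RULE = r"/^(?:[^.]+\.){2,}home\.arpa$/"


def rule_to_pattern(rule):
    """Strip the surrounding slashes of a /regex/ rule and compile the body."""
    if not (rule.startswith("/") and rule.endswith("/") and len(rule) > 2):
        raise ValueError("expected a /regex/ rule")
    return re.compile(rule[1:-1], re.IGNORECASE)


def classify(name, zone=LOCAL_ZONE):
    """Label a query name as external, local-host or suffix-leak."""
    name = name.rstrip(".").lower()
    if name == zone or not name.endswith("." + zone):
        return "external"
    labels = name[:-(len(zone) + 1)].split(".")
    return "local-host" if len(labels) == 1 else "suffix-leak"


def filter_leaks(names, rule=SUFFIX_LEAK_RULE):
    """Return the names the rule would match, from a query-log sample."""
    pattern = rule_to_pattern(rule)
    return [n for n in names if pattern.search(n.rstrip("."))]


# Constructed sample query names, not real log data.
SAMPLE = [
    "printer.home.arpa",
    "device-metrics.amazon.com.home.arpa",   # the case from the post
    "device-metrics.amazon.com",
    "nas.home.arpa.",
    "a.b.home.arpa",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n:40} {classify(n)}")
    print("matched by rule:", filter_leaks(SAMPLE))
```

The point of the dry run is the disagreement check: every name classify() calls a suffix-leak should be in filter_leaks() and no local-host should be, and if your network uses multi-label local names (rack1.nas.home.arpa) that assumption is wrong for you and the pattern needs the host part narrowed before it is used as a blocking rule.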