Using Adguard Home and DNSMasq, Any point to Unbound DNS?

Started by JMini, November 25, 2025, 12:34:34 AM

I have Adguard Home set up to receive DNS on 53 from all internal networks and DNSMasq listening on 53053.
For forwarders in Adguard Home I have
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

So internal queries are forwarded to DNSMasq since it assigns DHCP and registers those hosts in its DNS.
And for Private reverse DNS in Adguard I have
127.0.0.1:53053

So config guides I see have Unbound DNS in the mix between Adguard Home and DNSMasq.
Is there any real need for Unbound since Adguard Home does DNS/DOH and can forward internal requests to DNSMasq?

Am I missing something?

I'm using this configuration (AdGuard Home on port 53) and dnsmasq also on port 53053, after previously abandoning a combination of ISC DHCP, Unbound, and AdGuard.

DNS resolution works perfectly. However, I'm experiencing significant problems with DHCP. After a complete system reboot (without any old leases), everything works as expected. After some time, presumably after the lease expires, the DHCP devices lose their connection and cannot reconnect. Unfortunately, I haven't been able to determine the cause of this behavior.

I've tried all available options in dnsmasq, but haven't found a stable solution yet. If you find a stable configuration, it would be great if you could share it here, especially the setting under "Services: Dnsmasq DNS & DHCP: General". My current settings are attached.

I don't know what could be causing that DHCP non-renew issue. There are a lot of folks here way more experienced with this than I am.
Maybe start a new thread.

As I understand it, Unbound provides more privacy than using AdGuard for your DNS service. Unbound is a resolver that directly queries authoritative nameservers, while AdGuard forwards requests to your ISP's (or Google's, etc.) DNS service. DOH will secure your request in transport, but the DNS service you are using will still know your DNS requests.

You can configure AdGuard and Unbound to forward to any upstream resolvers you want.
Right now I have AdGuard to use DNS over HTTPS to Cloudflare and Google. I'd like to try using a non-google DOH resolver as a second service though.

h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

My ISP isn't seeing ANY DNS requests and can't inspect the ones being sent to CloudFlare.

November 26, 2025, 03:31:16 AM #5 Last Edit: November 26, 2025, 03:34:01 AM by julsssark
See here and note the links that explain the privacy/reliability advantages: https://nlnetlabs.nl/projects/unbound/about/

While your ISP can't see your DNS requests because they are encrypted, my understanding is that Google/Cloudflare could. Similar to how you can log into your AdGuard console and can see all of the DNS requests coming into AdGuard from your local devices.

Oh. Right. Once it hits the DNS provider it's decrypted. But, Cloudflare IS an authoritative DNS provider.
AdGuard forwards requests to whatever DNS server I set.
I've since set google DNS DOH as a fallback server. I like Google less than CloudFlare. Google is a data mining company.
I'm comfortable with Adguard sending my DNS requests to Cloudflare and falling back to Google as necessary.

If AGH forwards to your local Unbound and that is run in plain recursive mode without any upstream, then to lookup e.g. forum.opnsense.org:

- a random root server will see a request for the NS records of .org
- a random server from that list will see a request for the NS records of opnsense.org
- a random server from that list will see a request for the A and AAAA records of forum.opnsense.org

No single entity will see all your DNS requests.

That's why I never use public recursive servers.

BTW: Cloudflare is not authoritative for e.g. opnsense.org. Authoritative means "the server with full control of the particular zone".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
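To make the "who sees what" argument above concrete, here is an added example (not from the thread or from Unbound's code) that simulates the lookup of forum.opnsense.org against a constructed delegation tree: root, .org, opnsense.org. It contrasts a recursive resolver with no forwarders against one that forwards everything to a single upstream, and it also models the caveat a practitioner should know: the per-hop view described in the post ("the root only sees a request for the NS records of .org") relies on QNAME minimisation (RFC 9156), which Unbound enables by default (`qname-minimisation: yes`); without it every server on the path sees the full name. All server names under the root and all addresses are placeholders; only the zone path comes from the post.

```python
"""Simulate which DNS server learns what during one lookup.

Added example: the delegation data below is constructed for illustration,
only the path root -> org -> opnsense.org -> forum.opnsense.org is from the post.
"""
import random
from typing import Dict, List, Optional, Set, Tuple

Observation = Tuple[str, str, str]  # (server that saw the query, qname, qtype)

# Constructed delegation tree: zone apex -> its authoritative servers.
# Root server names are the real ones; the .org and opnsense.org server
# names are placeholders, not the real operators' hosts.
DELEGATIONS: Dict[str, List[str]] = {
    ".": ["a.root-servers.net", "k.root-servers.net"],
    "org.": ["ns1.org-tld.example", "ns2.org-tld.example"],
    "opnsense.org.": ["ns1.opnsense-dns.example", "ns2.opnsense-dns.example"],
}

# Constructed answers, using documentation address ranges.
ANSWERS: Dict[Tuple[str, str], str] = {
    ("forum.opnsense.org.", "A"): "192.0.2.10",
    ("forum.opnsense.org.", "AAAA"): "2001:db8::10",
}


def _labels(name: str) -> List[str]:
    return [label for label in name.rstrip(".").split(".") if label]


def _encloses(zone: str, name: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def _next_delegation(zone: str, qname: str) -> Optional[str]:
    """The delegation point directly below `zone` on the way to `qname`."""
    deeper = [z for z in DELEGATIONS
              if _encloses(z, qname) and len(_labels(z)) > len(_labels(zone))]
    return min(deeper, key=lambda z: len(_labels(z))) if deeper else None


def authoritative_response(zone: str, qname: str, qtype: str) -> Tuple[str, Optional[str]]:
    """Model of a server authoritative for `zone`: refer downwards or answer."""
    child = _next_delegation(zone, qname)
    if child is not None:
        return "referral", child
    if (qname, qtype) in ANSWERS:
        return "answer", ANSWERS[(qname, qtype)]
    return "nxdomain", None


def resolve_recursively(qname: str, qtype: str, qname_minimisation: bool = True,
                        rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[Observation]]:
    """Iterate from the root, like Unbound with no forwarders configured.

    With qname_minimisation the resolver asks each server only for the NS
    records of the next delegation (the behaviour the post describes).
    Without it, every server on the path sees the full name being looked up.
    """
    rng = rng or random.Random()
    log: List[Observation] = []
    zone = "."
    while True:
        server = rng.choice(DELEGATIONS[zone])  # a random server of that zone
        next_zone = _next_delegation(zone, qname)
        if qname_minimisation and next_zone is not None:
            asked_name, asked_type = next_zone, "NS"
        else:
            asked_name, asked_type = qname, qtype
        log.append((server, asked_name, asked_type))
        kind, data = authoritative_response(zone, qname, qtype)
        if kind == "referral" and data is not None:
            zone = data
            continue
        return data, log


def resolve_via_forwarder(qname: str, qtype: str,
                          forwarder: str = "doh.upstream.example") -> Tuple[Optional[str], List[Observation]]:
    """Forwarding mode: a single upstream (DoH or not) sees every query in full."""
    return ANSWERS.get((qname, qtype)), [(forwarder, qname, qtype)]


def servers_that_saw_full_name(log: List[Observation], qname: str) -> List[str]:
    """Which servers learned the complete name the client actually asked for."""
    return sorted({server for server, name, _ in log if name == qname})


def names_seen_by_server(logs: List[List[Observation]]) -> Dict[str, Set[str]]:
    """Aggregate several lookups: what each server has learned overall."""
    seen: Dict[str, Set[str]] = {}
    for log in logs:
        for server, name, _ in log:
            seen.setdefault(server, set()).add(name)
    return seen


if __name__ == "__main__":
    rng = random.Random(1)
    for minimise in (True, False):
        answer, log = resolve_recursively("forum.opnsense.org.", "A", minimise, rng)
        print(f"recursive, qname minimisation={minimise}: {answer}")
        for server, name, qtype in log:
            print(f"  {server:28} saw {qtype:4} {name}")
    answer, log = resolve_via_forwarder("forum.opnsense.org.", "A")
    print(f"forwarding: {answer}; {log[0][0]} saw the full name")
```

Running it shows three different operators each learning one step of the path in the minimised case, all three learning the full name when minimisation is off, and a single upstream learning everything in forwarding mode. The transport between resolver and authoritative servers is still plain UDP/TCP in the recursive case, which is the point raised later in the thread about the ISP's view.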

Huh. OK. So if I don't define any forwarders in Unbound, it'll perform a lookup as you describe?

CloudFlare might not be authoritative. But they certainly think they are.

What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers.

Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.

Quote from: JMini on Today at 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.

You can configure Unbound as a DoT forwarder.

If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode. However it's not as simple as that. You have to trust that your DoT provider isn't colluding with other entities to share or sell your data. Furthermore, the encryption between you and the provider is not infallible: certificates can be spoofed. If you're not using a VPN then the ISP can anyway infer your DNS queries by just timing your connections to web servers. If you are using a VPN, then you are again giving all the data to a single entity who may sell/share it on (and as we see playing out now, governments are increasingly pushing to weaken VPNs).

There's no privacy. It's just a matter of who you wish to share with and what features you need. For instance, Quad9 offers malware filtering based on threat intelligence which you may decide is a valuable tradeoff for giving them your DNS queries.

Quote from: JMini on November 26, 2025, 11:41:46 PM
Huh. OK. So if I don't define any forwarders in Unbound, it'll perform a lookup as you describe?

Yes. That's the point of running a recursive name server for your clients.

Quote from: JMini on November 26, 2025, 11:41:46 PM
What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers.

Simply do not configure any upstream servers (aka "forwarders"). DNS was from the start designed as a distributed database that does not need any central service.

Quote from: JMini on Today at 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers?

Terminology is important: Unbound in that configuration is a resolver or recursive name server. The servers it queries are the authoritative servers for the particular zone in question.

If you followed my argument and the example I gave for looking up forum.opnsense.org you might wonder how any recursive server gets the list of servers for the root zone. Simple: they "never" change and are compiled in. A major change in the root name servers requires a new release of Unbound.

Actually the first thing Unbound does on start up is fetch an updated list of root name servers, but should the compiled in one diverge too much from reality, that will of course fail. But that way a change of a single one out of the dozen or so can be tolerated. Should that one be picked for the first query, the request will fail and Unbound will try another one.

Quote from: OPNenthu on Today at 03:28:55 AM
If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode. However it's not as simple as that. You have to trust that your DoT provider isn't colluding with other entities to share or sell your data.

Exactly. My ISP is Deutsche Telekom. They are bound by GDPR and a whole lot of EU customer protection laws. Should anybody ever discover they spy on customers' traffic, all hell will break loose.

So I trust them quite a bit more than any DNS provider, possibly located in the US.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

What do you recommend for those of us outside the GDPR protections?

The only thing I've come up with to date (as a thought exercise) is to potentially proxy through a foreign hosted VPS, but it would need to be both under the user's strict control and paid for anonymously. I don't think it exists.

Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I just assume that intelligence sharing takes place with them, but at least I may not be monetized and profiled by domestic companies that I might have relationships or business with.