
AdGuardHome with unbound illegal repeated keyword dnsmasq.conf port 553


Khadanja

Senior Member
Trying to run AdGHome with Unbound. I have changed the unbound port to 553; there is an entry in AdguardHome.sh which keeps adding port=553 to dnsmasq.conf. I have also tried setting unbound to a different port, 53553. I get the same issue. What is this entry for?
{ printf "%s\n" "port=553"
Jul 25 14:59:47 RT-AC68U-20E0 dnsmasq[14597]: illegal repeated keyword at line 65 of /etc/dnsmasq.conf
Jul 25 14:59:47 RT-AC68U-20E0 dnsmasq[14597]: FAILED to start up
DoT setup in unbound. Upstream DNS Servers - 127.0.0.1:553 tcp://127.0.0.1:553. Private reverse DNS servers 192.168.1.1
Is this set up ok? Any room for improvement apart from the failed dnsmasq startup issue?
 
By default, dnsmasq is listening on port 53. When we install Unbound, server=127.0.0.1#53535 is added to /etc/dnsmasq.conf. Unbound by default is using port 53535. Now, when we install AdGuardHome, it will take over port 53 and rewrite dnsmasq's port to 553 with port=553. There should be no conflict by default.
The next question is what we put in the AGH upstream DNS server. If we use 127.0.0.1:553, DNS queries will go from AGH -> dnsmasq -> Unbound. We can also bypass dnsmasq by using 127.0.0.1:53535; then DNS queries will go from AGH -> Unbound.
 
So why am I getting this error? Even if I change the unbound port to 53535, dnsmasq still complains about this port=553 entry put there by AdGuard.
 
When did you first see this error? Was it right after you installed AGH from amtm, or after you made some changes to the unbound port?
Perhaps you can try this:
1. temporarily stop AGH with service stop_AdGuardHome
2. restart dnsmasq with service restart_dnsmasq
See if you have the same error by restarting dnsmasq without AGH. Then check the content of /etc/dnsmasq for any port 553 entry. If yes, then you need to find out where the source is, to avoid a duplicate entry when AGH starts. If there is no such entry, you can try restarting AGH again with service restart_AdGuardHome and see if the problem still persists.
 
Will try. But isn't that entry coming from this line in the Adguardhome.sh file?
printf "%s\n" "port=553"
What is the purpose of this line? If I remove this line from Adguardhome.sh, does the error go away?
Saw this error straight after installing AGH from amtm, and DHCP stopped working; some clients couldn't get an IP.
 
Originally dnsmasq is listening on port 53. But then AGH is also listening on port 53. To avoid conflict, AGH adds the port=553 entry into /etc/dnsmasq. With this entry, dnsmasq is listening on port 553 instead. If this is the only such entry, there would be no issue for dnsmasq. The error you see probably means something else is writing the same to dnsmasq, a duplicate entry that dnsmasq is complaining about. Or a duplicate run of dnsmasq.postconf that causes the duplicate entry.

Found this thread reporting a similar issue.
Looking at the dnsmasq.conf https://pastebin.com/7rmKa57q, line 38 and line 50 are duplicate entries that cause dnsmasq to fail to start.
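An added example (not from this thread, and not code from AdGuardHome.sh or unbound_manager): a small POSIX sh/awk check that reports single-value dnsmasq keywords occurring more than once in a dnsmasq.conf, with the line numbers, which is the condition behind the "illegal repeated keyword at line 65" failure above. The keyword list and the sample dnsmasq.conf are constructed for the example; repeatable options such as server= are deliberately not flagged.

```shell
#!/bin/sh
# Added example, not part of the thread and not code from AdGuardHome.sh or
# unbound_manager: find keywords in a dnsmasq.conf that dnsmasq accepts only
# once but that occur more than once. A second "port=" line is exactly what
# produces "illegal repeated keyword at line N" and "FAILED to start up".
#
# Assumption for this example: the set of single-value keywords checked.
# "port" is the one from the thread; "cache-size" is another one dnsmasq
# accepts only once. Extend the list for the options you care about.
SINGLE_VALUE_KEYWORDS="port cache-size"

# find_repeated_keywords FILE
# Prints one line per repeated keyword: "<keyword> <line> <line> ...".
# Prints nothing when the file has no repeats.
find_repeated_keywords() {
    awk -v keys="$SINGLE_VALUE_KEYWORDS" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) single[k[i]] = 1 }
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)                  # trim surrounding whitespace
        if (line == "" || substr(line, 1, 1) == "#") next  # skip blank and comment lines
        eq = index(line, "=")
        kw = (eq > 0) ? substr(line, 1, eq - 1) : line     # keyword is the text before "="
        if (kw in single) { count[kw]++; where[kw] = where[kw] " " NR }
    }
    END { for (kw in count) if (count[kw] > 1) print kw where[kw] }
    ' "$1"
}

# check_sample_conf
# Writes a constructed dnsmasq.conf (not a real router's file) that carries
# the kind of duplicate the thread describes, checks it, and prints the result.
check_sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample dnsmasq.conf for the example
pid-file=/var/run/dnsmasq.pid
user=nobody
port=553
server=127.0.0.1#53535
server=9.9.9.9
cache-size=1500
interface=br0
# a second port= line, as when AdGuardHome.sh appends one that is already present
port=553
EOF
    find_repeated_keywords "$tmp"
    rm -f "$tmp"
}

check_sample_conf   # prints: port 4 10
```

On the router itself, dnsmasq's own `dnsmasq --test -C /etc/dnsmasq.conf` is the authoritative syntax check and will name the offending line the same way the syslog entry does; the script above is only useful for seeing every occurrence at once, for example before and after stopping AGH as suggested earlier in the thread. If more than one keyword is repeated, awk's output order is undefined, so pipe through `sort` when comparing runs.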
 
I would like to find the root cause as it's bothering me.
Stopped AGH, restarted dnsmasq, entry didn't appear. Started AGH entry appeared and so did the error in syslog.
 
Looks like this was causing it. I had dnsmasq disabled in unbound to see the IPs of clients in the log instead of 127.0.0.1. When AGH installed, it enabled dnsmasq, but this entry in unbound.conf was still there. I have now commented it out. In unbound I have set up a forward-zone to quad9 DoT, and in AGH the upstream server is set to 127.0.0.1:53535 tcp://127.0.0.1:53535. What are all these other entries in AGH, and are they required? I have commented them out as I wasn't sure of their purpose.
#[][::]:553
#[/router.asus.com/][::]:553
#[/www.asusnetwork.net/][::]:553
#[/www.asusrouter.com/][::]:553
#[/use-application-dns.net/][::]:553
#[/dns.resolver.arpa/][::]:553
 
Good to hear you found the cause.

Here is some explanation by the developer on the topic:
 
Thank you for your timely response on this. Unfortunately, the only time Adguardhome becomes incompatible with these entries is if a user chooses to completely disable DNSMASQ with unbound-manager. I think I mentioned it in the earlier phases of AdGuardHome's implementation, but it is definitely much deeper into that thread than most will look. The script works great with Unbound-manager in its default configuration (a.k.a. dnsmasq on port 53 forwarding requests to unbound). In this instance AdGuardHome can hook in and become the serving DNS for clients while dnsmasq still acts as DHCP and DNS name resolution for the local network, which is much easier than telling unbound to act as the local name space resolver for clients and the upstream DNS for adguardhome at the same time. This whole back and forth between three highly capable DNS resolvers is one of the reasons why I am reluctant to tell people to install unbound alongside the other two. While Unbound has its unique recursive qualities, all these servers running in series means that they all share the same entries in the router's memory. Kind of a double load between AdGuardHome and Unbound. Then to turn around and ask dnsmasq about the local clients.

In the future, I may consider adding an option to disable dnsmasq DNS if users do not care about seeing the client hostnames inside AdGuardHome instead of just IP addresses, the only thing that has prevented me from adding this option is I don't want to create conflict with Unbound-Manager default.
 
You should uncomment those, and re-enable DNSMASQ inside unbound. Now you will be able to see your queries from AdGuardHome's awesome query log. Ditch unbound logging; strictly use it only for recursion. AdGuardHome will provide better blocking and per-client analysis for better granular control.

So the map should look like this when all said and done.

Query logging, Blocking, and Client Name Resolution:
(1)DNSMASQ (port 553)<---->ADGUARDHOME (port 53)

Strictly basic UNBOUND recursive upstream resolver (i.e. NO unbound adblock scripts, and NO unbound statistics needed):
(2)ADGUARDHOME (port 53) <----> UNBOUND (port 53535)

All of those EXTRA unbound features are really there for if you are doing a
DNSMASQ (port=0) <----> UNBOUND (port=53) exchange.
 
I already see queries with hostnames in Adguard Home, so it looks like the AdGuard installation using amtm enables dnsmasq in unbound if disabled; hence I was having that duplicate entry error when dnsmasq was trying to start, as a line has to be commented out if dnsmasq is enabled, which it wasn't. Below is my current unbound config with dnsmasq enabled. Why does that entry in bold show failure? Why do I still see DNS queries in the unbound log like below?
server:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53535 # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 play.google.com. AAAA IN
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 play.google.com. AAAA IN NOERROR 0.000000 1 33
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN NOERROR 0.000000 1 122
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 itunes.apple.com. A IN NOERROR 0.014462 0 177
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN NOERROR 0.000000 1 43
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] info: validation failure <www.asuswrt-merlin.net. AAAA IN>: no signatures from 9.9.9.9
 
I already see queries with hostnames in Adguard Home, so it looks like the AdGuard installation using amtm enables dnsmasq in unbound if disabled; hence I was having that duplicate entry error when dnsmasq was trying to start, as a line has to be commented out if dnsmasq is enabled, which it wasn't. Below is my current unbound config with dnsmasq enabled, I hope. Why does that entry in bold show failure? Before I had interface: 127.0.0.1@53535; maybe that's why unbound was showing logs. I don't see them anymore.
server:

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 192.168.1.1 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53535 # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed

Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 play.google.com. AAAA IN
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 play.google.com. AAAA IN NOERROR 0.000000 1 33
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN NOERROR 0.000000 1 122
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 itunes.apple.com. A IN NOERROR 0.014462 0 177
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN NOERROR 0.000000 1 43
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] info: validation failure <www.asuswrt-merlin.net. AAAA IN>: no signatures from 9.9.9.9
So adguardhome has several ways it can discover hostnames. One of the ways is through the arp cache; unfortunately asus routers do not store hostname information in the arp cache. Another way is /etc/hosts, which is where you have already defined a name for the client; unfortunately you would have to be able to do that for every client. Another way is through arp requests, which is something I set up in adguardhome. Some variants of adguardhome may already do this built in, but it is hard to say and depends on how you already had things configured.
 
As mentioned in the post here:

Post in thread 'AdGuardHome with unbound illegal repeated keyword dnsmasq.conf port 553' https://www.snbforums.com/threads/a...yword-dnsmasq-conf-port-553.79972/post-779522

You are disabling dnsmasq with unbound manager; in this case unbound manager is acting on port 53, which breaks the possibility for adguardhome to occupy port 53. However, you have somehow modified the unbound listening port so it is no longer on port 53, and you are now having adguardhome on port 53 forwarding requests to unbound. Somehow adguardhome has picked up the hostnames of a couple of clients. Probably the ones listed under /etc/hosts; since dnsmasq is disabled, local name resolution is disabled, and it cannot handle client arpa lookups.
 
Why do you say that? AdgHome has picked up the hostnames of all the clients. I'm only wondering if it's normal for the unbound log to still show DNS queries (see the log I posted above), and what this is:
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] info: validation failure <www.asuswrt-merlin.net. AAAA IN>: no signatures from 9.9.9.9
 
Yes, it is normal, because adguardhome should be sending requests to it. But it sounds like you might want to configure both unbound and adguardhome from scratch just to be sure. Get rid of any custom unbound modifications and just run unbound without the unbound manager advanced settings.
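An added example (not from the thread, and not part of AdGuardHome or unbound): a POSIX sh/awk summary of unbound log lines in the format posted above, grouped by the client address unbound saw, with cached replies counted and DNSSEC validation failures listed. The input lines are the ones posted in this thread. It makes the point of the reply concrete: when AdGuardHome on the same router forwards to unbound, the only client unbound ever logs is 127.0.0.1, so per-client detail has to come from AdGuardHome's query log, and the validation-failure line names the forwarder (9.9.9.9) the answer came from.

```shell
#!/bin/sh
# Added example, not from the thread: summarise unbound "query:" / "reply:"
# log lines in the format the posts above show, grouped by the client
# address unbound saw, and list DNSSEC validation failures.

# sample_log
# Log lines copied from the thread, used as the example's input.
sample_log() {
    cat <<'EOF'
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 play.google.com. AAAA IN
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 play.google.com. AAAA IN NOERROR 0.000000 1 33
Jul 27 09:43:41 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 ssoap.japanwest.cloudapp.azure.com. AAAA IN NOERROR 0.000000 1 122
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 itunes.apple.com. A IN NOERROR 0.014462 0 177
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] query: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] reply: 127.0.0.1 e673.dsce9.akamaiedge.net. AAAA IN NOERROR 0.000000 1 43
Jul 27 09:43:42 RT-AC68U-20E0 unbound: [26554:0] info: validation failure <www.asuswrt-merlin.net. AAAA IN>: no signatures from 9.9.9.9
EOF
}

# summarize_unbound_log   (reads log lines on stdin)
# Output: one totals line, one "source" line per client address unbound
# logged, then one "failure:" line per validation failure.
summarize_unbound_log() {
    awk '
    / query: / {
        # token after "query:" is the client address as unbound saw it
        for (i = 1; i <= NF; i++) if ($i == "query:") { src[$(i + 1)]++; queries++; break }
    }
    / reply: / {
        # reply: <client> <name> <type> <class> <rcode> <time> <from-cache 0/1> <size>
        for (i = 1; i <= NF; i++) if ($i == "reply:") { replies++; if ($(i + 7) == "1") cached++; break }
    }
    / info: validation failure / {
        failures++
        msg = $0; sub(/.*info: /, "", msg); failure[failures] = msg
    }
    END {
        printf "queries=%d replies=%d cached=%d validation_failures=%d\n", queries, replies, cached, failures
        for (s in src) printf "source %s queries=%d\n", s, src[s]
        for (f = 1; f <= failures; f++) printf "failure: %s\n", failure[f]
    }
    '
}

sample_log | summarize_unbound_log
```

Run against a live file with `summarize_unbound_log < /opt/var/log/unbound.log` (path is whatever unbound_manager configured on your install; shown here only as an illustration). A source list that contains nothing but 127.0.0.1 is the expected picture for the AdGuardHome -> unbound chain; it is not a sign that clients are bypassing AdGuardHome.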
 
Why can't Adguard Home itself be the DNS server? Why rely on unbound or any other?
Well, adguardhome is the "local dns/adblocking solution". In that sense it is more like a filter that passes wanted requests to upstream resolvers and filters out unwanted ones. However, it does have local dns server qualities, such as modifying time to live and caching responses, so it doesn't take long to handle frequent requests. When users use it with unbound they are doing so under the guise of Unbound being the "upstream" that requests are sent to for the internet. In this case unbound can act recursively, where it finds the information from the root servers by following the path of the request. Otherwise, using adguardhome with for example Google as upstream, adguardhome gets the information from Google, who has already stored the information on the request, but you are sharing your information with Google's servers.

To really put the AdGuardHome<--->Unbound scenario into perspective, it would be best to take a look at the pihole guide and see how "they" do it.


The method is not exactly identical because the commands and installation on the Entware setup is much different. However, that is not the point. The real point is to see perspective on "how" and "why" such is implemented with Adguardhome because the process is mirror-able.

Some of the reasons why users would consider implementing AdGuardHome with unbound as the upstream resolver are as follows:

  • When you use AdGuardHome, you generally configure an upstream DNS provider. The first thing you need to realize is that all traffic is being sent from your external IP address, so depending on who you’re sending the data to, you’re trusting them with your internet traffic. Ultimately, the answer is somewhat simple, and it’s mostly privacy related.
  • In some places your region's DNS servers might suffer from delays, or periodically go down. In that case, it might appear as if your internet "stopped" working, when the reality is that it simply cannot resolve DNS names. With unbound, you don't have to worry about this aspect if you are using unbound recursively.
In a nutshell, while your queries are not completely private with unbound recursion, they are not being shared with big box DNS servers. So there is some level of privacy in who you share your information with. Since you are acting as your own DNS server, you may not experience some of the area/regional server outages like others in your area.
 
Yes but that doesn't mean that you can't or shouldn't use adguard home as a DNS recursor as an option.

To have that built in, I don't see why not? If they were to build Unbound in under adguard home, what difference would it be to list that as 127.0.0.1 or put some outside service to use?

For me as an end user that is one problem less that I have to deal with. And I can do everything within adguard home.

If I was dev chief over there I would order this to be done asap.