AdGuardHome Few questions about AdGuard Home Install Script

[Tech9]

I use AGH and Unbound on a RPi and I don’t seem to pass all the DNSSEC requests, only the one:

Disable AGH cache and try again. In my tests it passes with Unbound cache only.

looks like it is working for me

I have 3x devices with AGH now, but can play with them after the end of the month.

- x86 board running Ubuntu server + AGH, with or without Unbound
- RT-AX86U running Asuswrt-Merlin + AGH, with or without Unbound
- GL-MT2500A running OpenWrt with built-in AGH

Seems like there are multiple valid configurations, but I want to add IPv6 in the equation.

 

[SomeWhereOverTheRainBow]

Disable AGH cache and try again. In my tests it passes with Unbound cache only.



I have 3x devices with AGH now, but can play with them after the end of the month.

- x86 board running Ubuntu server + AGH, with or without Unbound
- RT-AX86U running Asuswrt-Merlin + AGH, with or without Unbound
- GL-MT2500A running OpenWrt with built-in AGH

Seems like there are multiple valid configurations, but I want to add IPv6 in the equation.

@Tech9 , the one thing I can tell you that did not change across all mytests (cache or no cache) the results of using Unbound on that site. I could run any other dns server with dnssec and get all passing results. So the issue seems to be exclusive to using Unbound. I get the same results with even Pihole(DNSMASQ) + Unbound.

 

[Tech9]

I'm not concerned too much about test sites. I just don't like features with theoretical improvements. Dual cache, dual ad-blockers... dual stack.

 

[Gary_Dexter]

Disable AGH cache and try again. In my tests it passes with Unbound cache only.

Tried that - makes no difference unfortuantely

 

[Gary_Dexter]

@Tech9 , the one thing I can tell you that did not change across all mytests (cache or no cache) the results of using Unbound on that site. I could run any other dns server with dnssec and get all passing results. So the issue seems to be exclusive to using Unbound. I get the same results with even Pihole(DNSMASQ) + Unbound.

Likewise. Changing my DNS in AGH to Quad9 for example and all tests pass.

Back to Unbound yields the same results as above.

 

[Tech9]

I would suggest AGH without Unbound with fast upstream DNS server, filtering or not. This configuration gives the best user experience. No Unbound cache buildup time needed and perhaps safer. Unbound may reveal the public WAN IP. Default AGH cache works well, but blocklist size has to be reasonable when used on a router. Otherwise it fills the RAM and slows down. I still don't recommend serving expired though.

 

[Gary_Dexter]

I would suggest AGH without Unbound with fast upstream DNS server, filtering or not. This configuration gives the best user experience. No Unbound cache buildup time needed and perhaps safer. Unbound may reveal the public WAN IP. Default AGH cache works well, but blocklist size has to be reasonable when used on a router. Otherwise it fills the RAM and slows down. I still don't recommend serving expired though.

That's fine as a suggestion, but not what I am wanting to do here (otherwise I would have done it already).

Your WAN IP would be revleaed anyway even when using a third-party DNS provider.

I'm running on a RPi so no issues with blocklist sizes - I run Hagezi's blocklists anyway so there's no duplication from having other multiple lists.

 

[SomeWhereOverTheRainBow]

I would suggest AGH without Unbound with fast upstream DNS server, filtering or not. This configuration gives the best user experience. No Unbound cache buildup time needed and perhaps safer. Unbound may reveal the public WAN IP. Default AGH cache works well, but blocklist size has to be reasonable when used on a router. Otherwise it fills the RAM and slows down. I still don't recommend serving expired though.

I got past some of the blocklist limitations by using a significantly smaller cache size.

 

[Tech9]

but not what I am wanting to do here

What is it?

Your WAN IP would be revleaed anyway

I mean something else. It's about making direct requests to root servers vs someone else doing it for you.

 

[Gary_Dexter]

What is it?



I mean something else. It's about making direct requests to root servers vs someone else doing it for you.

What is what?

Yes, I know what it's doing. But I'd rather it do that than give my details to a third-party DNS provider - Unbound is meant for privacy, not security.

 

[Tech9]

What is what?

What's the thing you want to do?

 

[Gary_Dexter]

What's the thing you want to do?

Use Unbound and go direct to the Root servers. Which is what I'm doing currently.

 

[ImGettingTooOldForThis]

If I want to start fresh, do hard reset etc. - and give Unbound a try - does it matter whether I install Unbound before or after AGH?

And regarding the post by member @Gary_Dexter here, one question: how do local static leases get resolved? Where does dnsmasq fits in the routing you have explained?

 

[SomeWhereOverTheRainBow]

If I want to start fresh, do hard reset etc. - and give Unbound a try - does it matter whether I install Unbound before or after AGH?

And regarding the post by member @Gary_Dexter here, one question: how do local static leases get resolved? Where does dnsmasq fits in the routing you have explained?

So when you query adguardhome for a local request (e.g. whois 192.168.1.7) adguardhome sends the request to the appropriate server (192.168.1.1-dnsmasq @port553) tasked with answering that question. Adguardhome usually knows to do this because the adguardhome installer places an entry inside the adguardhome dns settings that is associated with the location of dnsmasq on your router ( this is all assuming you are using the adguardhome amtm addon, and have not some how removed those entries after install). This is typically the best approach since dnsmasq is providing dhcp service for the network and can readily answer the question of whois 192.168.1.7.Dnsmasq also covers static leases (you still will use asus webui to create static entries).

When you add Unbound in the mix, Unbound behaves as the "upstream dns" (e.g. replaces Google,cloudflair, or squad9 entries). When you want to know who www.google.com is, adguardhome sends the request upstream to Unbound. Unbound travels the domains authoritative and asks the root servers information about www.google.com. Unbound saves that response in its cache and the passes the answer downstream back to adguardhome.

 

[ImGettingTooOldForThis]

Thanks for clarifying, @SomeWhereOverTheRainBow

But the order of installing doesn’t matter? If I install Unbound after I installed AGH, it still knows to answer back to AGH, or does that require manual editing of config files to point to the correct listening ports, to prevent they’re all trying to claim port 53? Or is it best to install them the other way around?

 

[SomeWhereOverTheRainBow]

Thanks for clarifying, @SomeWhereOverTheRainBow

But the order of installing doesn’t matter? If I install Unbound after I installed AGH, it still knows to answer back to AGH, or does that require manual editing of config files to point to the correct listening ports, to prevent they’re all trying to claim port 53? Or is it best to install them the other way around?

This should answer all your questions.

AdGuardHome - [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

Asuswrt-Merlin-AdGuardHome-Installer The Official Installer of AdGuardHome for Asuswrt-Merlin Requirements: ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware JFFS support and enabled REQUIRES ENTWARE(!) for package management, and a separate USB drive for...

www.snbforums.com

 

[ImGettingTooOldForThis]

Thanks, I guess. Still unclear whether the order of installation matters, but I'll figure that out my self.

 

[SomeWhereOverTheRainBow]

Thanks, I guess. Still unclear whether the order of installation matters, but I'll figure that out my self.

It doesn't, that is why there is a tutorial for those who decide to install it later, but I do hope you figure it out on the quest of 20 million questions.

 

[SomeWhereOverTheRainBow]

I'm not concerned too much about test sites. I just don't like features with theoretical improvements. Dual cache, dual ad-blockers... dual stack.

Everything comes in pairs.

 

[Gary_Dexter]

Yep this is an specifically and Unbound and AdBlocker issue. I use Unbound along side Pihole, and my results are identical to this.
View attachment 49486

So there is no Official "issue" with adguardhomes optimistic caching, this is strictly related to the interaction between forwarding request from between an adblocker resolver (e.g. pihole and adguardhome) and unbound. (maybe even a specific behavior exclusive to unbound)

I am beginning to think this specifically relates to how unbound is compiled:

View attachment 49487

Old thread - but I recently changed to DietPI on my RPI4 and installed Unbound along with AGH, and now DNSSEC works and passes all tests:

Not sure if this is related to the version of Unbound being updated due to now running Debian Bookworm - I know the previous version available in Debian Bullseye was a couple of versions behind.

I don’t think it was anything in my Unbound conf file as I copied that over as well…