AdGuardHome ISP DNS being used with AGH + Unbound on AX88U

[jorgsmash]

I recently set up AGH with Unbound on my AX88u. Previously, I had Diversion + Unbound + DNScrypt.

My issue is that I don't know for certain if I have set up AGH + Unbound correctly. My main two goals are:

1. Use DoT, DoH, or DoQ exclusively, for privacy reasons
2. Block ads

Goal 1 is priority.

The reason I am not sure I set it up correctly is because dnsleaktest.com will sometimes show my ISP as being used, along with the DoT, and DoH servers I have selected.

I have attached some screenshots from my Galaxy S22 Ultra and my wife's iphone. My galaxy at first, only showed Frontier being used, even after I had set up AGH + Unbound. Eventually I started seeing the new DoH and DoT servers, but my Frontier ISP was still showing as well. Wife's iPhone also just showing Frontier as being used for DNS.

Even today, on my Galaxy, I still see Frontier as being used for DNS. This leads me to believe I have set something up incorrectly.

I can provide any additional screenshots or settings, but here's a few I think would help:

WAN DNS - Set to Quad9 (I'm not sure if this does anything since I have AGH with upstream servers defined):

LAN DNS - Router IP is only DNS address assigned via DHCP:


DNSfilter is set to ON, with global filter mode set to ROUTER. No custom rules.


AGH Upstream DNS servers set to the following:

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DoT
tls://unfiltered.adguard-dns.com
tls://dns.adguard-dns.com
tls://security-filter-dns.cleanbrowsing.org
tls://1dot1dot1dot1.cloudflare-dns.com
tls://dns.quad9.net
#DoH
https://unfiltered.adguard-dns.com/dns-query
https://dns.adguard-dns.com/dns-query
https://doh.cleanbrowsing.org/doh/security-filter/
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query
#DoQ
quic://unfiltered.adguard-dns.com
quic://dns.adguard-dns.com
#Unbound
127.0.0.1:53535
tcp://127.0.0.1:53535

AGH Bootstrap DNS servers set to:

9.9.9.9
1.1.1.1

No Cache settings applied in AGH. Caching is hopefully working through Unbound.

I'm really scratching my head here wondering why my ISP DNS is still coming through on DNSleaktest and wondering if I have something wrong in my config.

 

[SomeWhereOverTheRainBow]

No Cache settings applied in AGH. Caching is hopefully working through Unbound.

I'm really scratching my head here wondering why my ISP DNS is still coming through on DNSleaktest and wondering if I have something wrong in my config.

As previously mentioned. This is ignorable.

When you use unbound, you will see your ISP hostname, (specifically YOUR ISP given hostname). And your IP address. This should not be confused with your ISP's DNS servers since the lookups are specifically being handled by "YOUR" unbound instance, and the Authoritative name services.

This is normal, since you "YOURSELF" are the acting DNS server.


Also, You want to have Cache enabled In Adguardhome as well.

The setup should actually be, Default Cache in AdGuardHome enabled because you want your blocked request to actually get cached, and not to have to be RE-BLOCKED every time you visit a frequently blocked page; since adguardhome is doing the blocking, block request are only cacheable by adguardhome because they never arrive at unbound. Cache should be enabled with unbound as well. Specifically to cache new lookups done by unbound. With unbound, you don't need to have a giant cache size enabled. Only a small size will be necessary.

 

[SomeWhereOverTheRainBow]

I recently set up AGH with Unbound on my AX88u. Previously, I had Diversion + Unbound + DNScrypt.

My issue is that I don't know for certain if I have set up AGH + Unbound correctly. My main two goals are:

1. Use DoT, DoH, or DoQ exclusively, for privacy reasons
2. Block ads

Goal 1 is priority.

The reason I am not sure I set it up correctly is because dnsleaktest.com will sometimes show my ISP as being used, along with the DoT, and DoH servers I have selected.

I have attached some screenshots from my Galaxy S22 Ultra and my wife's iphone. My galaxy at first, only showed Frontier being used, even after I had set up AGH + Unbound. Eventually I started seeing the new DoH and DoT servers, but my Frontier ISP was still showing as well. Wife's iPhone also just showing Frontier as being used for DNS.

Even today, on my Galaxy, I still see Frontier as being used for DNS. This leads me to believe I have set something up incorrectly.

I can provide any additional screenshots or settings, but here's a few I think would help:

WAN DNS - Set to Quad9 (I'm not sure if this does anything since I have AGH with upstream servers defined):

View attachment 44808

LAN DNS - Router IP is only DNS address assigned via DHCP:


DNSfilter is set to ON, with global filter mode set to ROUTER. No custom rules.


AGH Upstream DNS servers set to the following:

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DoT
tls://unfiltered.adguard-dns.com
tls://dns.adguard-dns.com
tls://security-filter-dns.cleanbrowsing.org
tls://1dot1dot1dot1.cloudflare-dns.com
tls://dns.quad9.net
#DoH
https://unfiltered.adguard-dns.com/dns-query
https://dns.adguard-dns.com/dns-query
https://doh.cleanbrowsing.org/doh/security-filter/
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query
#DoQ
quic://unfiltered.adguard-dns.com
quic://dns.adguard-dns.com
#Unbound
127.0.0.1:53535
tcp://127.0.0.1:53535

AGH Bootstrap DNS servers set to:

9.9.9.9
1.1.1.1

No Cache settings applied in AGH. Caching is hopefully working through Unbound.

I'm really scratching my head here wondering why my ISP DNS is still coming through on DNSleaktest and wondering if I have something wrong in my config.

This is what My unbound instance looks like, with my host name of my WAN IP.

My ISP is comcast, however the hostname is mine, indicating that I am using MY unbound DNS server. (what can be more private than you being your own DNS SERVICE).

If yours is setup correctly, it should look similar. (obviously your ISP may be different.)

 

[SomeWhereOverTheRainBow]

Your list of upstreams looks great; I appreciate you taking my advice because it allows me to be able to give you the dedicated service and advice you need without making the main installer thread overfilled.

Make sure on your upstream page that you select to use your servers in "parallel" (it is an option directly under the upstreams list in adguardhome webui). That will ensure you are using all usable servers to resolve webpages. You will see more of the encrypted servers being used instead of your own "LOCAL" dns server. If you don't select "parallel", the default option is "fastest"- meaning all you will ever see is your unbound instance since technically it should have the fastest response time since it is a "LOCAL" dns server.

 

[SomeWhereOverTheRainBow]

I recently set up AGH with Unbound on my AX88u. Previously, I had Diversion + Unbound + DNScrypt.

My issue is that I don't know for certain if I have set up AGH + Unbound correctly. My main two goals are:

1. Use DoT, DoH, or DoQ exclusively, for privacy reasons
2. Block ads

Goal 1 is priority.

If number 1 is priority, why are you using Unbound? It will not be needed if you "only" want toUse DoT, DoH, or DoQ exclusively. However, it would not be a bad thing to leave your own instance of unbound running as a "failover" (a.k.a. you acting as your own DNS while other servers may have been unreachable).

 

[SomeWhereOverTheRainBow]

I recently set up AGH with Unbound on my AX88u. Previously, I had Diversion + Unbound + DNScrypt.

My issue is that I don't know for certain if I have set up AGH + Unbound correctly. My main two goals are:

1. Use DoT, DoH, or DoQ exclusively, for privacy reasons
2. Block ads

Goal 1 is priority.

The reason I am not sure I set it up correctly is because dnsleaktest.com will sometimes show my ISP as being used, along with the DoT, and DoH servers I have selected.

I have attached some screenshots from my Galaxy S22 Ultra and my wife's iphone. My galaxy at first, only showed Frontier being used, even after I had set up AGH + Unbound. Eventually I started seeing the new DoH and DoT servers, but my Frontier ISP was still showing as well. Wife's iPhone also just showing Frontier as being used for DNS.

Even today, on my Galaxy, I still see Frontier as being used for DNS. This leads me to believe I have set something up incorrectly.

I can provide any additional screenshots or settings, but here's a few I think would help:

WAN DNS - Set to Quad9 (I'm not sure if this does anything since I have AGH with upstream servers defined):

View attachment 44808

LAN DNS - Router IP is only DNS address assigned via DHCP:


DNSfilter is set to ON, with global filter mode set to ROUTER. No custom rules.


AGH Upstream DNS servers set to the following:

[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DoT
tls://unfiltered.adguard-dns.com
tls://dns.adguard-dns.com
tls://security-filter-dns.cleanbrowsing.org
tls://1dot1dot1dot1.cloudflare-dns.com
tls://dns.quad9.net
#DoH
https://unfiltered.adguard-dns.com/dns-query
https://dns.adguard-dns.com/dns-query
https://doh.cleanbrowsing.org/doh/security-filter/
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query
#DoQ
quic://unfiltered.adguard-dns.com
quic://dns.adguard-dns.com
#Unbound
127.0.0.1:53535
tcp://127.0.0.1:53535

AGH Bootstrap DNS servers set to:

9.9.9.9
1.1.1.1

No Cache settings applied in AGH. Caching is hopefully working through Unbound.

I'm really scratching my head here wondering why my ISP DNS is still coming through on DNSleaktest and wondering if I have something wrong in my config.

Here is how pihole plus unbound is explained....

Imagine if you replaced the word Pihole with AdGuardHome, you would have a similar definition for AdGuardhome+ Unbound.

 

[jorgsmash]

As previously mentioned. This is ignorable.
View attachment 44813


When you use unbound, you will see your ISP hostname, (specifically YOUR ISP given hostname). And your IP address. This should not be confused with your ISP's DNS servers since the lookups are specifically being handled by "YOUR" unbound instance, and the Authoritative name services.

This is normal, since you "YOURSELF" are the acting DNS server.


Also, You want to have Cache enabled In Adguardhome as well.

The setup should actually be, Default Cache in AdGuardHome enabled because you want your blocked request to actually get cached, and not to have to be RE-BLOCKED every time you visit a frequently blocked page; since adguardhome is doing the blocking, block request are only cacheable by adguardhome because they never arrive at unbound. Cache should be enabled with unbound as well. Specifically to cache new lookups done by unbound. With unbound, you don't need to have a giant cache size enabled. Only a small size will be necessary.

Thanks for your detailed responses! What is the recommended cache size in AGH? Maybe 20 Mb?

I installed Unbound through amtm which didn't give me an option to change/configure cache size, so it should be default.

If number 1 is priority, why are you using Unbound? It will not be needed if you "only" want toUse DoT, DoH, or DoQ exclusively. However, it would not be a bad thing to leave your own instance of unbound running as a "failover" (a.k.a. you acting as your own DNS while other servers may have been unreachable).

I went with Unbound because that's what seemed to be recommended all over the place. I'm guessing the only added benefit is the cache, which AGH does as well.

 

[SomeWhereOverTheRainBow]

Thanks for your detailed responses! What is the recommended cache size in AGH? Maybe 20 Mb?

I installed Unbound through amtm which didn't give me an option to change/configure cache size, so it should be default.



I went with Unbound because that's what seemed to be recommended all over the place. I'm guessing the only added benefit is the cache, which AGH does as well.

You would have to manually edit unbound. I recommend chatting with the unbound manager crew for best use practices when making unbound cache adjustments- 20mb might be abit big considering how much memory the actual router has available when using unbound along side adguardhome. From what I remember, Unbound-manager already pre-configured a light cache. I may be wrong though.while Unbound is a nice option, it is not a prerequisite, requirement, or recommendation for running adguardhome. I just had several users asking for the best practices when using the two together. At either rate, I highly recommend leaving adguardhome cache enabled so blocked request are cached. Hence it will not require alot of additional loading for adguardhome to realized it already blocked that same request if it is made again.

 

[jorgsmash]

You would have to manually edit unbound. I recommend chatting with the unbound manager crew for best use practices when making unbound cache adjustments- 20mb might be abit big considering how much memory the actual router has available when using unbound along side adguardhome. From what I remember, Unbound-manager already pre-configured a light cache. I may be wrong though.while Unbound is a nice option, it is not a prerequisite, requirement, or recommendation for running adguardhome. I just had several users asking for the best practices when using the two together. At either rate, I highly recommend leaving adguardhome cache enabled so blocked request are cached. Hence it will not require alot of additional loading for adguardhome to realized it already blocked that same request if it is made again.

I set 20000000 bytes (20MB) cache in the AGH gui. Think that's enough?

 

[SomeWhereOverTheRainBow]

I set 20000000 bytes (20MB) cache in the AGH gui. Think that's enough?

Here is my recommendations for adguardhome cache.

cache_size: 524288 
cache_ttl_min: 1200 
cache_ttl_max: 14400 
cache_optimistic: true

Keep in mind I believe the default is only 4194304bytes. That tells me the developers of adguardhome assume it will never get anywhere close to filling 20mb of memory. Memory being reserved but not actually being used is a waste of that memory.

 

[jorgsmash]

Awesome thanks for the recommendations! I'll go with that. I'll pop back in here if I have any more questions in the future!

 

[jorgsmash]

Here is my recommendations for adguardhome cache.

cache_size: 524288
cache_ttl_min: 1200
cache_ttl_max: 14400
cache_optimistic: true

Keep in mind I believe the default is only 4194304bytes. That tells me the developers of adguardhome assume it will never get anywhere close to filling 20mb of memory. Memory being reserved but not actually being used is a waste of that memory.

Hey again. Would you be able to help me diagnose something that happened two nights ago? My wife called me downstairs to fix our TV and it took me about 30 minutes to fix. The streaming apps weren't working and would just time out. The TV said it was connected to the Internet. The DNS IP was the IP of my router. I started by restarting the TV (obviously) a couple times. I rebooted the router, and the modem. That didn't work. So I got on my computer and logged into the router. I didn't see anything obvious that wasn't working. I tried going to speedtest.net on my computer and the browser couldn't resolve the IP. I eventually went to the AGH web UI and disabled it. After that everything started working. I re-enabled AGH and everything is working again. I updated AGH to the latest version also.

Are there any log files I can provide you or commands to run on the router via SSH that might help?

 

[SomeWhereOverTheRainBow]

Hey again. Would you be able to help me diagnose something that happened two nights ago? My wife called me downstairs to fix our TV and it took me about 30 minutes to fix. The streaming apps weren't working and would just time out. The TV said it was connected to the Internet. The DNS IP was the IP of my router. I started by restarting the TV (obviously) a couple times. I rebooted the router, and the modem. That didn't work. So I got on my computer and logged into the router. I didn't see anything obvious that wasn't working. I tried going to speedtest.net on my computer and the browser couldn't resolve the IP. I eventually went to the AGH web UI and disabled it. After that everything started working. I re-enabled AGH and everything is working again. I updated AGH to the latest version also.

Are there any log files I can provide you or commands to run on the router via SSH that might help?

Do you have any access points located between the primary router and the smart devices in questions?

 

[jorgsmash]

Do you have any access points located between the primary router and the smart devices in questions?

Sorry I forgot to include that info. No, the smart TV is plugged directly into the primary router. And my laptop was on wifi when I couldn't resolve speedtest.net

 

[SomeWhereOverTheRainBow]

Sorry I forgot to include that info. No, the smart TV is plugged directly into the primary router. And my laptop was on wifi when I couldn't resolve speedtest.net

It could have just been a one time occurrence type of thing. If it happens again try to gather as much detail as you can from router logs. It really is hard to say what could have happen since there are a number of factors that could have caused the problem. It could have been as simple as your adguardhome cache needed to be refreshed due to stale entries. Unbound could have become unresponsive as well. AdGuardHome has a builtin mechanism to restart itself if it fails. As far as I know unbound might not. If unbound crashed or became unresponsive that could have also caused your problem. Restarting AdGuardHome probably caused dnsmasq to restart which probably also restarted unbound. I would have to see logs of these dynamics happening. Some of what I am say might just be conjecture since I am not there present to witness as this is happening.

 

[jorgsmash]

It could have just been a one time occurrence type of thing. If it happens again try to gather as much detail as you can from router logs. It really is hard to say what could have happen since there are a number of factors that could have caused the problem. It could have been as simple as your adguardhome cache needed to be refreshed due to stale entries. Unbound could have become unresponsive as well. AdGuardHome has a builtin mechanism to restart itself if it fails. As far as I know unbound might not. If unbound crashed or became unresponsive that could have also caused your problem. Restarting AdGuardHome probably caused dnsmasq to restart which probably also restarted unbound. I would have to see logs of these dynamics happening. Some of what I am say might just be conjecture since I am not there present to witness as this is happening.

Well, I rebooted the router at least once, and the problem wasn't resolved. What logs would you recommend I collect if this happens again?

Thanks

 

[SomeWhereOverTheRainBow]

Well, I rebooted the router at least once, and the problem wasn't resolved. What logs would you recommend I collect if this happens again?

Thanks

Entries in syslog on the routers administration page.