What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pros and cons for the two common DNS setups for a local adblocker - adguard home

J

jata

Senior Member
Hi all - I guess there are many ways to setup a local DNS adguard setup for merlin. Searching the forums, I think there are two common but simple approaches.

1 - Use WAN DNS settings to forward all client DNS requests to adguard home
  1. set WAN DNS to point to local adguard IPs
  2. turn on DNS director with global set to router
  3. add adguard IPs to no redirection list (to prevent DNS loop)
  4. add config to adguard to handle local DNS e.g. [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53
  • Limitation with this is that when adguard is/are down, then DNS is screwed for the entire network until fixed
  • Advantage is you can use DNS director to set certain clients to not use adguard or to use other DNS services

2 - Use LAN DNS (DHCP) to set clients to use adguard home
  1. set WAN DNS to ISP default or google or whatever
  2. setup LAN DNS to point to local adguard IPs
  3. do not use DNS director
  4. add config to adguard to handle local DNS e.g. [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53
  • Limitation is that all clients that get LAN DNS (via DHCP) are screwed when adguard is down but you can limit this by using 'Advertise router's IP in addition' option'
  • Advantage is that the router itself and manual LAN clients are able to use the WAN DNS at all times

I have tried both and don't think there is much difference between the two approaches in terms of setup and performance etc.

I am currently using option 2 but would like to get views from the community in relation to fine tuning and having additional flexibility and redundancy
 
You need to use LAN DNS and set DNS Director to Global/Router for redirection.

DO NOT check the box for Advertise router's IP in addition as this will send traffic out over the WAN.

Where is your AGH instance hosted?
 
Thanks Gary.

I have 2 adguard home servers on my LAN. The primary server is a rpi3 dedicated to DNS and it uses unbound on same box as the upstream DNS server. The second adguard server is running in a docker on a different server rpi4. Setup works great overall.

I do have advertise router IP unchecked but I did try with this on for redundancy. I thought that I could get it to work if WAN DNS 1 was set back to one of my local adguard servers with WAN DNS 2 using 8.8.8.8 - but I did get the occasional ad so I stopped doing this.

I don't use DNS director as it is not needed in my setup. Why do you suggest I should use it when everything works without it on?
 
DNS Director will ensure any devices will go towards the LAN IP DNS Servers you specify and not go off elsewhere on their own.

Also setting DNS to WAN means that any devices going to your AGH will come from the Router IP only rather than the devices IP.
 
Thanks. Do you have any thoughts on what to do so that DNS still functions when both my adguard server are down? This has never happened but it would be nice to come up with a solution for this
 
Gary_Dexter said:
DNS Director will ensure any devices will go towards the LAN IP DNS Servers
Click to expand...

Last time I checked DNS Director was redirecting requests to LAN DNS Server 1 only. Anything changed recently?

If the behavior is still the same AGH2 instance in LAN DNS Server 2 won't work. If AGH1 fails the Internet is down.

The above with no router's LAN IP advertisement.
 
Last edited:
There are ways to minimize the chances of this happening.
 
Tech9 said:
Last time I checked DNS Director was redirecting requests to LAN DNS Server 1 only. Anything changed recently?

If the behavior is still the same AGH2 instance in LAN DNS Server 2 won't work. If AGH1 fails the Internet is down.

The above with no router's LAN IP advertisement.
Click to expand...
You are correct
 
jata said:
Hi all - I guess there are many ways to setup a local DNS adguard setup for merlin. Searching the forums, I think there are two common but simple approaches.

1 - Use WAN DNS settings to forward all client DNS requests to adguard home
  1. set WAN DNS to point to local adguard IPs
  2. turn on DNS director with global set to router
  3. add adguard IPs to no redirection list (to prevent DNS loop)
  4. add config to adguard to handle local DNS e.g. [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53
  • Limitation with this is that when adguard is/are down, then DNS is screwed for the entire network until fixed
  • Advantage is you can use DNS director to set certain clients to not use adguard or to use other DNS services

2 - Use LAN DNS (DHCP) to set clients to use adguard home
  1. set WAN DNS to ISP default or google or whatever
  2. setup LAN DNS to point to local adguard IPs
  3. do not use DNS director
  4. add config to adguard to handle local DNS e.g. [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53
  • Limitation is that all clients that get LAN DNS (via DHCP) are screwed when adguard is down but you can limit this by using 'Advertise router's IP in addition' option'
  • Advantage is that the router itself and manual LAN clients are able to use the WAN DNS at all times

I have tried both and don't think there is much difference between the two approaches in terms of setup and performance etc.

I am currently using option 2 but would like to get views from the community in relation to fine tuning and having additional flexibility and redundancy
Click to expand...

Be aware that the DNS list a client uses is not necessarily primary, backup, tirtuary. Some clients will use round robin leveling the load to the DNS servers. Windows has a registry setting that can be used to select which way it behaves. Every once in a while MS changes the default.
 
Thanks @Morris - understood. I see a split of around 85% to AGH / DNS1 and the remaining going to AGH / DNS 2. This is around what I wanted so I am happy with that but i will monitor.

Overall I am happy with how my setup works - objective being adblocking not security/privacy - using dhcp/lan DNS (option 2) above with DNS redirector NOT enabled.

Good to come up with a solution that provides a bit of redundancy if both AGH servers are down but I can't really think of anything.
 
Clients may go around your setup easily. All directly calling external DNS server and/or using DoH or DoT, for example.
 
Tech9 said:
Clients may go around your setup easily. All directly calling external DNS server and/or using DoH or DoT, for example.
Click to expand...
Understood and not too worried about this. I only care about adblocking for clients that access the interweb via a browser and this seems to work well with my current setup.
 
Gary_Dexter said:
You need to use LAN DNS and set DNS Director to Global/Router for redirection.

DO NOT check the box for Advertise router's IP in addition as this will send traffic out over the WAN.

Where is your AGH instance hosted?
Click to expand...
After a lot of experimentation, I found it was not necessary to enable DNS Director if you set the LAN DNS to the AdGuard Home IP Address.
 
pjd50 said:
I found it was not necessary...
Click to expand...

See post #12 above. I don't need to experiment. I may need about 20 seconds to go around your AdGuard filtering. Browsers and apps can do it automatically.
 
Tech9 said:
See post #12 above. I don't need to experiment. I may need about 20 seconds to go around your AdGuard filtering. Browsers and apps can do it automatically.
Click to expand...
I see. Well, the issue is, if I enable DNS Director, then Stats/Log are inaccurate. Instead of showing what was blocked per client, it will says "RT-AC68U" (the router name) as the top client...
 
Tech9 said:
See post #12 above. I don't need to experiment. I may need about 20 seconds to go around your AdGuard filtering. Browsers and apps can do it automatically.
Click to expand...
If I do indeed enable DNS Director... does it matter whether I set it "Global Redirection" to to the Router IP address (and under DHCP tab, I have the DNS set to the IP address of the NAS running Adguard Home) or whether I set it to "User Defined" and specifically put in the NAS IP address?:

Under DHCP Tab:
1704319139675.png

(192.168.75.100 is the AdGuard Home running on NAS)



Under DNS Director Tab:

Option 1:
1704319297231.png


Option 2:
1704319343449.png


And of course no redirection for the NAS:
1704319425155.png



Does it matter to do Option 1 or Option 2? Will one option versus the other give me more accurate logs?
 

Attachments

  • 1704319322210.png
    1704319322210.png
    39.3 KB · Views: 27
Something is not configured properly. I've tested both on-router and on separate device AdGuard Home configurations and they both recognize local network clients. My last test with on-router configuration is here:

https://www.snbforums.com/threads/a...staller-amaghi-cont.79862/page-17#post-878594

When your AdGuard Home runs on a separate device you need to exclude this device in DNS Director. Global - Router, AGH - No redirection.

You guys have to understand the difference between the two configurations. It causes confusion quite often. AGH settings difference as well.
 
Tech9 said:
Something is not configured properly. I've tested both on-router and on separate device AdGuard Home configurations and they both recognize local network clients. My last test with on-router configuration is here:

https://www.snbforums.com/threads/a...staller-amaghi-cont.79862/page-17#post-878594

When your AdGuard Home runs on a separate device you need to exclude this device in DNS Director. Global - Router, AGH - No redirection.

You guys have to understand the difference between the two configurations. It causes confusion quite often. AGH settings difference as well.
Click to expand...

Yes they do recognize network clients, but NOT ALL. It isn't like the WAN setting where ALL traffic seems to be coming from the router, but with DNS Director On (and yes, No redirection on the separate device), it will still show the most active client as the Router itself.
 
Tech9 said:
Something is not configured properly. I've tested both on-router and on separate device AdGuard Home configurations and they both recognize local network clients. My last test with on-router configuration is here:

https://www.snbforums.com/threads/a...staller-amaghi-cont.79862/page-17#post-878594

When your AdGuard Home runs on a separate device you need to exclude this device in DNS Director. Global - Router, AGH - No redirection.

You guys have to understand the difference between the two configurations. It causes confusion quite often. AGH settings difference as well.
Click to expand...
Thanks for that link. Maybe it has to do with the AGH settings on the NAS (specifically, what I need to select as the "Upstream DNS Server").
 
You must log in or register to reply here.

Similar threads

H
AdGuard Home+Unbound in proxmox does not work properly with Asus AX88U Pro
Replies
6
Views
926
Hus1337
H
Z
AdGuard Home on pfSense
Replies
3
Views
1K
Christos
Christos
S
AdguardHome + Unbound on Pi4 Correct DNS settings
Replies
6
Views
4K
sammyano
S
CntrlAltDel
Assistance with AdGuard Home DNS Issue on Ubuntu Server
Replies
5
Views
894
Tech9
Tech9
C
Want to share a global DNS between main network and Guest Pro Vlans
Replies
6
Views
1K
CornfieldWin
C

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 2,032 (members: 18, guests: 2,014)
Back
Top