AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

[SomeWhereOverTheRainBow]

Now that I have unbound listening address set up as an upstream DNS in the AdGuard settings, when I do DNS Leak test it shows my ISP's DNS server. Does this mean that all my DNS queries that are not cached within unbound are going through my ISP's DNS server? If so, is it possible to set up Cloudflare as my default DNS server rather than using my ISP's DNS?

Unbound should appear as your IP address (recursive unbound). (you may see your ISP hostname.) Unless you are tunneling Unbound DNS traffic through a VPN server, this is normal behavior. If you were tunneling Unbound through a VPN server, you would see the IP address of the VPN and hostname of vpn provider. If you were trying to do Unbound through VPN tunnel and you see your ISP IP address and Hostname, then you are bypassing the tunnel.

All your DNS lookups should be responses from Unbound cache, except the ones blocked by AdGuardHome.

here is the MAP

Client <-> AdGuardHome nonblocked <-> Unbound #these use Unbounds Cache.

Client <-> AdGuardHome blocked

 

[mefistos]

Unbound should appear as your IP address (recursive unbound). (you may see your ISP hostname.) Unless you are tunneling Unbound DNS traffic through a VPN server, this is normal behavior. If you were tunneling Unbound through a VPN server, you would see the IP address of the VPN and hostname of vpn provider. If you were trying to do Unbound through VPN tunnel and you see your ISP IP address and Hostname, then you are bypassing the tunnel.

All your DNS lookups should be responses from Unbound cache, except the ones blocked by AdGuardHome.

here is the MAP

Client <-> AdGuardHome unblocked <-> Unbound #these use Unbounds Cache.

Client <-> AdGuardHome blocked

I am using vpnmgr to connect to NordVPN servers, but I didnt like the adblocking capability of NordVPN DNS server so I've set Accept DNS Configuration to "Disabled" and now all my DNS queries are going through AdGuard, so thats probably why my DNS Leak test was showing my ISP's DNS server. My IP is the NordVPN's IP address and DNS is now showing as Cloudflare.

 

[SomeWhereOverTheRainBow]

I am using vpnmgr to connect to NordVPN servers, but I didnt like the adblocking capability of NordVPN DNS server so I've set Accept DNS Configuration to "Disabled" and now all my DNS queries are going through AdGuard, so thats probably why my DNS Leak test was showing my ISP's DNS server. My IP is the NordVPN's IP address and DNS is now showing as Cloudflare.

Okay, Create a policy rule that routes your Router( itself) through the tunnel. Unbound should appear to be using your VPS IP, and no more leak, and you can remove the need to use cloudflare (unless your VPS is using a cloudflare service in which case it would have cloudflare hostame) from unbound or any other source.

 

[mefistos]

Okay, Create a policy rule that routes your Router( itself) through the tunnel. Unbound should appear to be using your VPS IP, and no more leak, and you can remove the need to use cloudflare (unless your VPS is using a cloudflare service in which case it would have cloudflare hostame) from unbound or any other source.

I suppose I could create the rule with VPN Director for 10.0.0.1 right?

My question is, if I comment out the cloudflare DoT section in unbound.conf and have just unbound deal with the DNS lookups, what DNS server is used if unbound cache doesn't match the query? If its using the NordVPN's DNS , which I have disabled in the VPN client settings on my router, then its going to default to my ISP's DNS right?

 

[SomeWhereOverTheRainBow]

I suppose I could create the rule with VPN Director for 10.0.0.1 right?

My question is, if I comment out the cloudflare DoT section in unbound.conf and have just unbound deal with the DNS lookups, what DNS server is used if unbound cache doesn't match the query? If its using the NordVPN's DNS , which I have disabled in the VPN client settings on my router, then its going to default to my ISP's DNS right?

So if you comment out cloudflare and have your router itself routed through the VPN, then Unbound will act as its own dns server, reaching out to root servers VIA the way of VPN tunnel. It will recieve the information from root servers passing it back to adguardhome. From your clients, the DNS server will appear to be the IP address of the VPN tunnel or VPS. This is not imply the VPN is providing the DNS service, but the request are passing to root servers from unbound via way of vpn tunnel, while your unbound on the router will be acting as the authoritative recursing dns server.

 

[SomeWhereOverTheRainBow]

I suppose I could create the rule with VPN Director for 10.0.0.1 right?

My question is, if I comment out the cloudflare DoT section in unbound.conf and have just unbound deal with the DNS lookups, what DNS server is used if unbound cache doesn't match the query? If its using the NordVPN's DNS , which I have disabled in the VPN client settings on my router, then its going to default to my ISP's DNS right?

As for if it doesn't match the query, then Recursive DNS will fall back to travelling via ISP and unbound will have your local IP address as its DNS server listed (this is assuming you vpn tunnel has gone down and you don't have a kill switch). Any DNS request that are blocked never make it past AdGuardHome.

 

[mefistos]

So if you comment out cloudflare and have your router itself routed through the VPN, then Unbound will act as its own dns server, reaching out to root servers VIA the way of VPN tunnel. It will recieve the information from root servers passing it back to adguardhome. From your clients, the DNS server will appear to be the IP address of the VPN tunnel or VPS. This is not imply the VPN is providing the DNS service, but the request are passing to root servers from unbound via way of vpn tunnel, while your unbound on the router will be acting as the authoritative recursing dns server.

When I set up my router in VPN Director to use NordVPN connection and comment out cloudflare DoT from unbound I still see my ISP's DNS server in DNS leak test. I have to set Accept DNS Configuration to "strict" or "exclusive" to have NordPVN IP show up as DNS server in DNS leak test. And if I do that then my laptop's DNS querries are not showing up in Adguard which tells me that it's going through the NordVPN DNS server and its not being filtered by AdGuard.

 

[SomeWhereOverTheRainBow]

When I set up my router in VPN Director to use NordVPN connection and comment out cloudflare DoT from unbound I still see my ISP's DNS server in DNS leak test. I have to set Accept DNS Configuration to "strict" or "exclusive" to have NordPVN IP show up as DNS server in DNS leak test. And if I do that then my laptop's DNS querries are not showing up in Adguard which tells me that it's going through the NordVPN DNS server and its not being filtered by AdGuard.

Do you mind posting screenshot of your VPN rules? for example, if you wish to include the router in traffic, you must define it as the main rule for that route.

For example,

if your routers ip is 192.168.1.1

you would define this as the local IP,

You would leave the remote IP blank.

you would choose the VPN server you want to tunnel for the IFace.

and that is it.

You need to leave

Accept DNS as disabled.

Here is the full example

Notice how it is defined as the first rule.

 

[mefistos]

Do you mind posting screenshot of your VPN rules? for example, if you wish to include the router in traffic, you must define it as the main rule for that route.

For example,

if your routers ip is 192.168.1.1

you would define this as the local IP,

You would leave the remote IP blank.

you would choose the VPN server you want to tunnel for the IFace.

and that is it.

You need to leave

Accept DNS as disabled.

These are my rules. I dont mind using cloudflare as DoT with unbound, as long as its not causing any issues, which I cant see any so far I should be ok. I just dont want any unmatched querries going through my ISP's DNS, I'd rather use cloudflare.


edit: with these rules when my Accept DNS is disabled my ISP's DNS is showing in DNS leak, if Accept DNS is set to "strict" or "exclusive" I see NordVPN IP in DNS leak but as stated my laptop is not being filtered via AdGuard(not showing up in query list).

 

[SomeWhereOverTheRainBow]

These are my rules. I dont mind using cloudflare as DoT with unbound, as long as its not causing any issues, which I cant see any so far I should be ok. I just dont want any unmatched querries going through my ISP's DNS, I'd rather use cloudflare.

If you got a kill switch, it would just go down and prevent any internet until it comes back up. But there are also user scripts floating around the forum that will switch VPN servers if it goes down, but this is kind of an issue if you are relying on the proper routes to be active. You may have to try changing the router IP to 0.0.0.0/32 or 127.0.0.1/32 which will imply any address originating from a router-internet faced interface.

 

[mefistos]

If you got a kill switch, it would just go down and prevent any internet until it comes back up. But there are also user scripts floating around the forum that will switch VPN servers if it goes down, but this is kind of an issue if you are relying on the proper routes to be active. You may have to try changing the router IP to 0.0.0.0/32 which will imply any address originating from a router-internet faced interface.

I have vpnmgr set up to look for a new server every 4 hours, so hopefully I wont have to deal with lost connection too often, but I might look into the VPNMON script just to be safe.

Even with 0.0.0.0/32 or 127.0.0.1/32 as router local IP in the VPN rule, DNS leak test still shows my ISP's DNS... Again not really a problem when I have unbound set up to use cloudlfare DoT.

 

[SomeWhereOverTheRainBow]

I have vpnmgr set up to look for a new server every 4 hours, so hopefully I wont have to deal with lost connection too often, but I might look into the VPNMON script just to be safe.

Even with 0.0.0.0/32 or 127.0.0.1/32 as router local IP in the VPN rule, DNS leak test still shows my ISP's DNS... Again not really a problem when I have unbound set up to use cloudlfare DoT.

To be honest, if you are only using DoT it wouldn't matter if you used it via Unbound or AdGuardHome. If this is the case and your goal is to run AdGuardHome, I would recommend uninstalling unbound because it wouldn't be necessary (just extra load on the router to run two extra DNS servers).

You can use DoT on AdguardHomes upstream by removing the unbound upstream address and placing

tls://coudflare-dns.com:853

and you can turn the cache back on inside adguardhome.

 

[mefistos]

To be honest, if you are only using DoT it wouldn't matter if you used it via Unbound or AdGuardHome. If this is the case and your goal is to run AdGuardHome, I would recommend uninstalling unbound because it wouldn't be necessary (just extra load on the router to run two extra DNS servers).

You can use DoT on AdguardHomes upstream by removing the unbound upstream address and placing

tls://coudflare-dns.com:853

and you can turn the cache back on inside adguardhome.

Isn't unbound still being used to reslove DNS querries from its cache and only whatever cant be matched is resolved with cloudflare DoT?

With the current setup with unbound using cloudflare DoT as upstream, my router RAM usage is down 15% after disabling AdGuard cache. to me that seems like less load on the router?

 

[SomeWhereOverTheRainBow]

Isn't unbound still being used to reslove DNS querries from its cache and only whatever cant be matched is resolved with cloudflare DoT?

With the current setup with unbound using cloudflare DoT as upstream, my router RAM usage is down 15% after disabling AdGuard cache. to me that seems like less load on the router?

depends on how you have it setup. if you are using forward-first: no option on unbound then it will try using unbound to resolve from cahce first before it attempts to forward. other wise, it forwards everytime, if a response exist in the cache, it then knows how to answer quicker, but it always forwards if you are forwarding.

 

[mefistos]

depends on how you have it setup. if you are using forward-first: no option on unbound then it will try using unbound to resolve first before it attempts to forward. other wise, it forwards everytime, if a response exist in the cache, it then knows how to answer quicker, but it always forwards if you are forwarding.

I dont have forward-first: specified in my unbound.conf, and reading through unbound manual default value is "no" so I should be ok right? I installed unbound via amtm, and left everything by default, just un-commented the DoT forwarder vlaues.

 

[SomeWhereOverTheRainBow]

I dont have forward-first: no specified in my unbound.conf, and reading through unbound manual default value is "no" so I should be ok right? I installed unbound via amtm, and left everything by default, just un-commented the DoT forwarder vlaues.

If you are wanting to use strictly cloudflare you would leave forward-first as default. (which is no). meaning it will always forward. If a response exist in cache, it will respond quicker, but unless you are manipulating the validity time of these records, they are usually not very long lived. In most cases you would be forwarding for request.

 

[SomeWhereOverTheRainBow]

With all that being considered, I honestly don't know if there is a significant reason to forward from AdGuardHome to Unbound just to use Unbound for DoT, unless there is some actual manipulations you are doing unbound side to make it more beneficial to use. AdGuardHome + DoT on AdGuardHome upstream may actually save you some time on query responses versus relying on AdguardHome to request from unbound, then unbound most of the time forwarding that request to cloudflare.

 

[mefistos]

With all that being considered, I honestly don't know if there is a significant reason to forward from AdGuardHome to Unbound just to use Unbound for DoT, unless there is some actual manipulations you are doing unbound side to make it more beneficial to use. AdGuardHome + DoT on AdGuardHome upstream may actually save you some time on query responses versus relying on AdguardHome to request from unbound, then unbound most of the time forwarding that request to cloudflare.

I see what you mean. I was thinking that I could lessen the load on the router by letting Adguard block whatever it needs to block (ads, trackers etc), and then use unbound cache to reslove most of my DNS querries so it reponds quicker since its chached and unbound chache doesnt use as much memory as AdGuards cache.. And if there is nothing in the unbound cache then it goes through the cloudflare DoT. But if you are saying that the entries in unbound cache dont live for too long and I am actually using cloudlfares DoT most of the time to resolve queries then it might not be as efficient as I thought it would be.

 

[SomeWhereOverTheRainBow]

I see what you mean. I was thinking that I could lessen the load on the router by letting Adguard block whatever it needs to block (ads, trackers etc), and then use unbound cache to reslove most of my DNS querries so it reponds quicker since its chached and unbound chache doesnt use as much memory as AdGuards cache.. And if there is nothing in the unbound cache then it goes through the cloudflare DoT. But if you are saying that the entries in unbound cache dont live for too long and I am actually using cloudlfares DoT most of the time to resolve queries then it might not be as efficient as I thought it would be.

correct. Keep in mind, your unbound.conf might infact have cache overrides which would make manipulations that might be beneficial, so you are not inaccurate in your thoughts, just might not have all the pieces put together. my advice, look over unbound.conf manpage and adjust accordingly to how you would like your setup to run.

 

[SomeWhereOverTheRainBow]

I see what you mean. I was thinking that I could lessen the load on the router by letting Adguard block whatever it needs to block (ads, trackers etc), and then use unbound cache to reslove most of my DNS querries so it reponds quicker since its chached and unbound chache doesnt use as much memory as AdGuards cache.. And if there is nothing in the unbound cache then it goes through the cloudflare DoT. But if you are saying that the entries in unbound cache dont live for too long and I am actually using cloudlfares DoT most of the time to resolve queries then it might not be as efficient as I thought it would be.

One analysis tool you may find useful is the use of dig. you can understand a lot with observations done through using tools like dig.