AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

[Ellenswamy]

Question: I set some devices to no filtering in Merlin for DNS filter, but checking adguard home it looks like they are still going through it. How do I verify in a config file that I installed it correctly?

 

[Ellenswamy]

My average processing time for DNS queries are usualy around 2ms. I have some reboots on the router the past 24hrs so the time is abit above that at the moment.
Imgur: The magic of the Internet

what are your settings

 

[SomeWhereOverTheRainBow]

For DNS cache settings this is what I started using last night. My DNS queries went from 39-43ms to right now showing 26ms

Yea make sure you don't use alot of AAAA responses. Other wise some pages you load may have issues loading. I know when I did something like that on dnscrypt proxy, I had issues at somepoint down the line loading certain web pages (or parts of webpages) and using certain services. Keep in mind ipv4 is usually able to also load these responses, so there is no true benefit to having it disabled if at somepoint you have issues loading certain web pages or using certain web services. I am not saying this will happen, but I am bring it up incase it does so you are mindful of the changes you made to your setup, and how it may have impacted things for you.

 

[johndoe85]

what are your settings

I am using unbound running on my router with Adguard Home.

Imgur: The magic of the Internet

 

[chongnt]

I am using unbound running on my router with Adguard Home.

Imgur: The magic of the Internet

I read that you don’t need to enable DNSSEC in AGH if you are pointing to local unbound DNS.

 

[SomeWhereOverTheRainBow]

I read that you don’t need to enable DNSSEC in AGH if you are pointing to local unbound DNS.

It doesn't hurt but may impact load times. I haven't fully tested it to be sure.

 

[johndoe85]

I read that you don’t need to enable DNSSEC in AGH if you are pointing to local unbound DNS.

Yeah i have read that too, i just wanted to see if there was any actuall difference. The query log started to show some DNSSEC validated signs atleast. The test pages shows DNSSEC is on though. Regardless if Enable DNSSEC box is ticked or not.

 

[chongnt]

Yeah i have read that too, i just wanted to see if there was any actuall difference. The query log started to show some DNSSEC validated signs atleast. The test pages shows DNSSEC is on though.

I did not enable it and yet DNSSEC test page passed with unbound DNS. Do you mean you can see DSNSEC validated sign in AGH query log? Can you share a snapshot how it looks like? I will try enable and see.

 

[johndoe85]

I did not enable it and yet DNSSEC test page passed with unbound DNS. Do you mean you can see DSNSEC validated sign in AGH query log? Can you share a snapshot how it looks like? I will try enable and see.

Sure, here it is.
Imgur: The magic of the Internet

 

[SomeWhereOverTheRainBow]

Sure, here it is.
Imgur: The magic of the Internet

It has a lock symbol next to the query.

 

[johndoe85]

It doesn't hurt but may impact load times. I haven't fully tested it to be sure.

Since DNSSEC flag is already set, there should be an option in Adguard to just enable the DNSSEC results for the query log.
The DNSSEC option that is now sets both flag and checks the results. And one of them is unnecessary

 

[SomeWhereOverTheRainBow]

Since DNSSEC flag is already set, there should be an option in Adguard to just enable the DNSSEC results for the query log.
The DNSSEC option that is now sets both flag and checks the results. And one of them is unnecessary

Might be worth mentioning to adguardhome devs. I don't know what kind of priority they would put on though since it is mostly cosmetic.

 

[johndoe85]

Might be worth mentioning to adguardhome devs. I don't know what kind of priority they would put on though since it is mostly cosmetic.

A 100% focus. Cosmetic is everything.

 

[SomeWhereOverTheRainBow]

A 100% focus. Cosmetic is everything.

Hah. Tell that to them.

 

[johndoe85]

Hah. Tell that to them.

Suggestion made.
DNSSEC results in query option only · Discussion #4513 · AdguardTeam/AdGuardHome (github.com)

 

[matssa]

Hey all,

When installing the latest version there is a new option to run AGH as a local caching service.

Since I'm going to use Unbound, what is the difference with this new option?

Thanks!

 

[L&LD]

Have you read the last few posts (at least)?

 

[SomeWhereOverTheRainBow]

Hey all,

When installing the latest version there is a new option to run AGH as a local caching service.

Since I'm going to use Unbound, what is the difference with this new option?

Thanks!

You may want local caching, but the downside is that is shows your router's traffic, however it ensures that adguardhome doesn't attempt to leak your private reverse lookups to your isp in an unsecured way. Yes adguardhome assumes entries in resolv.conf are private reverse resolvers since most linux implementations use it to point at the loop back or adguardhome

 

[Ellenswamy]

You may want local caching, but the downside is that is shows your router's traffic, however it ensures that adguardhome doesn't attempt to leak your private reverse lookups to your isp in an unsecured way. Yes adguardhome assumes entries in resolv.conf are private reverse resolvers since most linux implementations use it to point at the loop back or adguardhome

When using this should we turn on "Wan: Use local caching DNS server as system resolver (default: No)" in tools?

 

[matssa]

You may want local caching, but the downside is that is shows your router's traffic, however it ensures that adguardhome doesn't attempt to leak your private reverse lookups to your isp in an unsecured way. Yes adguardhome assumes entries in resolv.conf are private reverse resolvers since most linux implementations use it to point at the loop back or adguardhome

Thanks for your quick answer!

If I understand correctly:
- Unbound replaces the Google or Cloudflared Dns provider in order to avoid DNS leak and maybe improve overall DNS response and stability
- Adguard is a DNS filter and can be linked to the Ubound install instead of Google or Cloudflare so that it uses local resolving stuff

If you send all traffic to Adguard, how can it leak to the ISP since you add upstream DNS resolvers? Unless some traffic is still router to ISP ?