Local DNS: AdGuard with Unbound on OPNsense


Overview

I’m using Unbound DNS on OPNsense to resolve local hosts, and AdGuard Home to filter all DNS traffic from within my network. DHCP points every device at the AdGuard Home DNS server for filtering and upstream lookups (AdGuard Home is a forwarder, not a recursive resolver). AdGuard Home runs on a small standalone server and forwards any .local queries (my dannyeckes.local zone) to Unbound for local host IPs; everything else goes out over DNS over TLS. If Unbound is ever queried for a non-local host, it also forwards over DNS over TLS. Note what DoT buys you: the queries are encrypted on the wire, so the ISP and other on-path observers cannot read or tamper with them, but they are not anonymous, since the upstream resolver operator still sees every query.

Diagram

DNS Diagram

DNS Addresses

AdGuard Home publishes a list of known DNS providers you can choose from. For this setup I am using Cloudflare. Once it is configured, use Cloudflare’s DNS test page to confirm that queries are actually reaching Cloudflare (and, if you chose a filtered tier, which one), then use a blocklist checker to see what is being blocked.

Cloudflare IPs and URLs

  • DNS:53
    • 1.1.1.1 (and 1.0.0.1) = unfiltered
    • 1.1.1.2 (and 1.0.0.2) = security: malware filter
    • 1.1.1.3 (and 1.0.0.3) = family: malware + adult content filter
  • TLS:853
    • tls://one.one.one.one or 1.1.1.1:853
    • tls://security.cloudflare-dns.com
    • tls://family.cloudflare-dns.com
  • HTTPS:443
    • https://cloudflare-dns.com/dns-query
    • https://security.cloudflare-dns.com/dns-query
    • https://family.cloudflare-dns.com/dns-query

AdGuard Home

Installing

I am running AdGuard Home on a Mac with IP 192.168.1.3, installed with the automated install script from the AdGuardTeam/AdGuardHome GitHub repository. The script is written to be piped straight from curl into sh; download it to a file and read it first, then run it, so you are not executing whatever the network happens to hand you.

After install, browse to the host IP on port 3000 to run the setup wizard, e.g. http://192.168.1.3:3000. Set an admin username and a strong password there; the wizard also lets you pick the listen interfaces and ports for both the web UI and the DNS server.

Once AdGuard Home is configured you reach the web interface on port 80 of the host, e.g. http://192.168.1.3:80. That is plain HTTP on the LAN, so either enable HTTPS under Settings > Encryption settings or restrict which hosts can reach the admin port.

AdGuard Home listens for DNS requests on port 53.

DNS Settings

Head over to Settings > DNS Settings. This is where I specify the upstream servers used for regular lookups and, as a conditional upstream, my local Unbound server for everything under dannyeckes.local, so only that zone is sent to Unbound and nothing else leaks to it. One caveat: .local is reserved for multicast DNS (RFC 6762), so some clients, macOS among them, may try mDNS for such names before asking the configured resolver; home.arpa (RFC 8375) is the name set aside for exactly this purpose and avoids the conflict.

Filtering

Head over to Filters > DNS Blocklists to choose which lists to block. Monitor the blocked queries in the query log over time and add allowlist exceptions for domains you know are legitimate but get caught by a strict list.
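The following AdGuardHome.yaml fragment is an added example, not taken from the original post, showing how the DNS Settings and Filtering sections above map onto the config file. The same upstream lines can be pasted into Settings > DNS Settings > Upstream DNS servers, and the rules into Filters > Custom filtering rules. It assumes Unbound listens on the OPNsense LAN address 192.168.1.1 (the post does not give this address) and uses example.com / example.net as stand-in domains.

```yaml
# AdGuardHome.yaml (fragment) - added example, not the post's own config.
# Assumes Unbound on OPNsense at 192.168.1.1; the post does not state this IP.
dns:
  bind_hosts:
    - 0.0.0.0            # listen on every interface of the AdGuard host (192.168.1.3)
  port: 53
  upstream_dns:
    # Conditional forwarding: only the local zone is sent to Unbound...
    - '[/dannyeckes.local/]192.168.1.1'
    # ...together with reverse lookups for the LAN, so PTR queries for
    # 192.168.1.x are answered locally instead of leaking to the public resolver.
    - '[/1.168.192.in-addr.arpa/]192.168.1.1'
    # Everything else: Cloudflare over DNS over TLS (unfiltered tier).
    - tls://one.one.one.one
  bootstrap_dns:
    # Plain DNS used only to resolve the hostname inside the tls:// upstream.
    - 1.1.1.1
    - 1.0.0.1
user_rules:
  # Allowlist overrides (@@ marks an exception) for domains a strict blocklist
  # catches but that you know are legitimate; example.com is a stand-in name.
  - '@@||example.com^'
  - '@@||cdn.example.com^'
  # Your own block rules use the same adblock-style syntax without the @@.
  - '||ads.example.net^'
```

The `[/zone/]server` entries need quoting in YAML because `[` would otherwise start a flow sequence; the query log will show which upstream answered each request, which is the quickest way to confirm the split is working.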

Reinstalling and Updating

Reinstalling

This wipes out all of your settings. Only do it if you absolutely need to, since you will have to configure everything from scratch; at minimum copy AdGuardHome.yaml out of the install directory first so you can restore it. Run the install script exactly as for a first install, adding the -r flag.

Updating


Unbound

Unbound needs to be configured to listen for requests and to query an upstream DNS server whenever a name is not in the overrides.

General Settings

Overrides

Local hostnames to IPs. This is where all my hostnames and their local IPs live.

DNS over TLS
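What the three Unbound tabs above amount to in unbound.conf terms, as an added example that is neither the post’s nor OPNsense’s generated file. Assumed, because the post does not state them: Unbound listens on 192.168.1.1, the FreeBSD/OPNsense CA bundle path /etc/ssl/cert.pem, and the host name adguard.dannyeckes.local for the AdGuard box at 192.168.1.3.

```conf
# unbound.conf fragment - added example, not the post's or OPNsense's own file.
# Assumes Unbound listens on 192.168.1.1 and AdGuard Home sits at 192.168.1.3.
server:
    # General Settings: listen on the LAN address and answer only LAN clients.
    interface: 192.168.1.1
    port: 53
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Overrides: the local zone and its hosts. "static" returns NXDOMAIN for
    # unknown names inside the zone instead of forwarding them upstream, so
    # typos and probes for internal names never leave the network.
    local-zone: "dannyeckes.local." static
    local-data: "adguard.dannyeckes.local. IN A 192.168.1.3"
    local-data-ptr: "192.168.1.3 adguard.dannyeckes.local"
    # Reverse zone for the LAN so PTR lookups are answered locally as well.
    local-zone: "1.168.192.in-addr.arpa." static

    # DNS over TLS needs a CA bundle to verify the upstream certificate;
    # this is the FreeBSD/OPNsense path (assumed), not the Linux one.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# DNS over TLS: anything not answered from local data is forwarded to
# Cloudflare on 853. The #name after each address is the certificate name
# Unbound verifies; leave it off and you get encryption without authentication.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one
```

On OPNsense these lines come from Services > Unbound DNS > General (interface and access lists), Overrides (host overrides) and DNS over TLS (server, port 853 and the verify name); a quick way to check the forwarder is working is to watch Unbound’s log for TLS handshake errors after the first external query.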


Danny Eckes