DEV Community

Tyler
Tyler

Posted on • Updated on

How to use Unbound with AdGuard Home or Pi-hole

  1. Install unbound with your package manager. I use apt so in my case I sudo apt install unbound and it is installed, it depends on your system which package manager you have.

  2. Create and edit /etc/unbound/unbound.conf
    I use vim but you can use whichever text editor you prefer. In my case I do sudo vim /etc/unbound/unbound.conf

  3. Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network, 6to4 tunneling is not native IPv6. Also you need to set num-threads:to the number of threads for your machine! default is one, in my config I have 4.

server:
  interface: 127.0.0.1
  port: 5335
  do-ip6: no
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  # Set number of threads to use
  num-threads: 4
  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: yes
  harden-algo-downgrade: yes
  qname-minimisation: yes
  aggressive-nsec: yes
  rrset-roundrobin: yes
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # Minimum lifetime of cache entries in seconds
  cache-min-ttl: 300
  # Configure TTL of Cache
  cache-max-ttl: 14400
  # Optimizations
  msg-cache-slabs: 8
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  serve-expired: yes
  serve-expired-ttl: 3600
  edns-buffer-size: 1232
  prefetch: yes
  prefetch-key: yes
  target-fetch-policy: "3 2 1 1 1"
  unwanted-reply-threshold: 10000000
  # Set cache size
  rrset-cache-size: 256m
  msg-cache-size: 128m
  # increase buffer size so that no messages are lost in traffic spikes
  so-rcvbuf: 1m
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8
  private-address: fd00::/8
  private-address: fe80::/10
Enter fullscreen mode Exit fullscreen mode
  1. Restart unbound with sudo systemctl restart unbound it is now listening on the specified port and doing what the config says.

Telling AdGuard Home to use Unbound

  1. Go into your AdGuard Home admin panel and go to Settings -> DNS settings

  2. In the Upstream DNS servers box you now put 127.0.0.1:5335 and apply.

Telling Pi-hole to use Unbound

  1. Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input 127.0.0.1#5335 and apply

Finalize Configuration

  1. You should enable DNSSEC in Pi-hole or AdGuard Home, whichever you're using. This way you can see in the query log the DNSSEC replies you're getting on resolved domains.

AdGuard & Pi-hole Discord: https://discord.gg/VzThBmB

CashApp: $CipherOps

Discussion (2)

Collapse
houmie profile image
Houman

Does this mean when a device connects to your local unbound DNS server, it is resolving it further to the AdGuard server underneath?

Collapse
cipherops profile image
Tyler Author

Other way around, this is for AdGuard Home, which is a local DNS filtering software. Your clients connect to your network and send queries to AdGuard Home to be filtered (mainly used for adblocking but can be used for blocking any domain) and AdGuard Home will then forward the allowed domains to be resolved, and they're forwarded to unbound to do so.