How to use Unbound with AdGuard Home or Pi-hole

Tyler (cipherops) ・ 2 min read

  1. Install unbound with your package manager. I use apt, so in my case I run sudo apt install unbound and it is installed. Which package manager you have depends on your system.

  2. Create and edit /etc/unbound/unbound.conf.d/adguard.conf
    I use vim but you can use whichever text editor you prefer. In my case I do sudo vim /etc/unbound/unbound.conf.d/adguard.conf

  3. Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network; 6to4 tunneling is not native IPv6. You also need to set num-threads: to the number of threads for your machine! The default is one; in my config I have 4.

  server:
    # Listen on a non-default port so Unbound does not clash with AdGuard Home / Pi-hole on 53
    port: 5335
    do-ip6: no
    do-ip4: yes
    do-udp: yes
    # Set number of threads to use
    num-threads: 4
    # Hide DNS Server info
    hide-identity: yes
    hide-version: yes
    # Limit DNS Fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes
    # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
    unwanted-reply-threshold: 10000000
    # Minimum lifetime of cache entries in seconds
    cache-min-ttl: 300
    # Maximum lifetime of cached entries
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes
    # Optimisations
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # increase memory size of the cache
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # increase buffer size so that no messages are lost in traffic spikes
    so-rcvbuf: 1m
    # Strip these private IPv6 ranges from answers for public names
    private-address: fd00::/8
    private-address: fe80::/10

  4. Restart unbound with sudo systemctl restart unbound. It is now listening on the specified port and doing what the config says.

Telling AdGuard Home to use Unbound

  1. Go into your AdGuard Home admin panel and go to Settings -> DNS settings

  2. In the Upstream DNS servers box you now put and apply.

Telling Pi-hole to use Unbound

  1. Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input and apply

Finalize Configuration

  1. Disable DNSSEC in AdGuard Home or Pi-hole. Unbound is blocking BOGUS DNSSEC replies; having DNSSEC enabled in AGH or Pi-hole can cause issues for valid returns.
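
To confirm that Unbound itself is validating before DNSSEC is switched off in AdGuard Home or Pi-hole, the reply header from dig can be classified as below. This is an added example, not part of the original post: the sample replies are constructed, and check_resolver is a hypothetical helper whose server address and test name are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): classify a dig reply by DNSSEC outcome.

# Constructed sample replies, trimmed to the two header lines the classifier reads.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Read dig output on stdin; print validated | insecure | servfail | other:<STATUS> | unparsed
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;  # AD bit set: the resolver validated the chain
                *)        echo insecure ;;   # answered without validation (unsigned zone or no validator)
            esac ;;
        SERVFAIL) echo servfail ;;           # what a validator returns for bogus data (other failures too)
        "")       echo unparsed ;;           # no header found, e.g. the query timed out
        *)        echo "other:$status" ;;
    esac
}

# Hypothetical helper: query a live resolver. SERVER and NAME are supplied by the caller.
check_resolver() {  # usage: check_resolver SERVER PORT NAME
    dig +dnssec "@$1" -p "$2" "$3" A | classify_dig
}

# Demonstrate the classifier on the constructed samples.
for sample in "$SAMPLE_VALIDATED" "$SAMPLE_INSECURE" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$sample" | classify_dig
done
```

Against a live install, call check_resolver with the address Unbound listens on, port 5335 from the config above, and a name in a DNSSEC-signed zone: "validated" means Unbound is doing the validation, while a deliberately mis-signed test name should come back as "servfail".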

