DEV Community


Posted on • Updated on

How to use Unbound with AdGuard Home or Pi-hole

  1. Install unbound with your package manager. I use apt so in my case I sudo apt install unbound and it is installed, it depends on your system which package manager you have.

  2. Create and edit /etc/unbound/unbound.conf.d/config.conf
    I use vim but you can use whichever text editor you prefer. In my case I do sudo vim /etc/unbound/unbound.conf.d/config.conf

  3. Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network, 6to4 tunneling is not native IPv6. Also you need to set num-threads:to the number of threads for your machine! default is one, in my config I have 4.

  port: 5335
  do-ip6: no
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  # Set number of threads to use
  num-threads: 4
  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: yes
  harden-algo-downgrade: no
  qname-minimisation: yes
  aggressive-nsec: yes
  rrset-roundrobin: yes

  # If DNSSEC isnt working uncomment the following line
  # auto-trust-anchor-file: "/var/lib/unbound/root.key"

  # Minimum lifetime of cache entries in seconds
  cache-min-ttl: 300
  # Configure TTL of Cache
  cache-max-ttl: 14400
  # Optimizations
  msg-cache-slabs: 8
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  serve-expired: yes
  serve-expired-ttl: 3600
  edns-buffer-size: 1232
  prefetch: yes
  prefetch-key: yes
  target-fetch-policy: "3 2 1 1 1"
  unwanted-reply-threshold: 10000000
  # Set cache size
  rrset-cache-size: 256m
  msg-cache-size: 128m
  # increase buffer size so that no messages are lost in traffic spikes
  so-rcvbuf: 1m
  private-address: fd00::/8
  private-address: fe80::/10
Enter fullscreen mode Exit fullscreen mode
  1. Restart unbound with sudo systemctl restart unbound it is now listening on the specified port and doing what the config says.

Telling AdGuard Home to use Unbound

  1. Go into your AdGuard Home admin panel and go to Settings -> DNS settings

  2. In the Upstream DNS servers box you now put and apply.

Telling Pi-hole to use Unbound

  1. Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input and apply

Finalize Configuration

  1. You should enable DNSSEC in Pi-hole or AdGuard Home, whichever you're using. This way you can see in the query log the DNSSEC replies you're getting on resolved domains.

AdGuard & Pi-hole Discord:

Top comments (5)

fiveknive profile image

Thank you for the guide! I saw that you wrote on Reddit that you should only enable DNSSEC in unbound, otherwise there may be a conflict? Is this no longer the case, or does the option in Adguard do something else?

anonymous7864 profile image

Correct, that is no longer the case, the bug that was causing conflicts was patched out over a year ago.

vansmak profile image

thank you for the instructions. I wonder how to do this if I use 2 different adguard home instances? My router uses the ip addresses for 2 differet pi's that run adguard. in case ones down, i installed unbound on one of those with in the adguard running on the same pi. as for the other pi with adguard, i either need another instance of unbound? or use ipadderssofpiwithunbound:5335???

houmie profile image

Does this mean when a device connects to your local unbound DNS server, it is resolving it further to the AdGuard server underneath?

anonymous7864 profile image

Other way around, this is for AdGuard Home, which is a local DNS filtering software. Your clients connect to your network and send queries to AdGuard Home to be filtered (mainly used for adblocking but can be used for blocking any domain) and AdGuard Home will then forward the allowed domains to be resolved, and they're forwarded to unbound to do so.