Install unbound with your package manager. I use
aptso in my case I
sudo apt install unboundand it is installed, it depends on your system which package manager you have.
Create and edit
vimbut you can use whichever text editor you prefer. In my case I do
sudo vim /etc/unbound/unbound.conf.d/config.conf
Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network, 6to4 tunneling is not native IPv6. Also you need to set
num-threads:to the number of threads for your machine! default is one, in my config I have 4.
server: interface: 127.0.0.1 port: 5335 do-ip6: no do-ip4: yes do-udp: yes do-tcp: yes # Set number of threads to use num-threads: 4 # Hide DNS Server info hide-identity: yes hide-version: yes # Limit DNS Fraud and use DNSSEC harden-glue: yes harden-dnssec-stripped: yes harden-referral-path: yes use-caps-for-id: yes harden-algo-downgrade: no qname-minimisation: yes aggressive-nsec: yes rrset-roundrobin: yes # If DNSSEC isnt working uncomment the following line # auto-trust-anchor-file: "/var/lib/unbound/root.key" # Minimum lifetime of cache entries in seconds cache-min-ttl: 300 # Configure TTL of Cache cache-max-ttl: 14400 # Optimizations msg-cache-slabs: 8 rrset-cache-slabs: 8 infra-cache-slabs: 8 key-cache-slabs: 8 serve-expired: yes serve-expired-ttl: 3600 edns-buffer-size: 1232 prefetch: yes prefetch-key: yes target-fetch-policy: "3 2 1 1 1" unwanted-reply-threshold: 10000000 # Set cache size rrset-cache-size: 256m msg-cache-size: 128m # increase buffer size so that no messages are lost in traffic spikes so-rcvbuf: 1m private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10
- Restart unbound with
sudo systemctl restart unboundit is now listening on the specified port and doing what the config says.
Telling AdGuard Home to use Unbound
Go into your AdGuard Home admin panel and go to Settings -> DNS settings
In the Upstream DNS servers box you now put
Telling Pi-hole to use Unbound
- Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input
- You should enable DNSSEC in Pi-hole or AdGuard Home, whichever you're using. This way you can see in the query log the DNSSEC replies you're getting on resolved domains.
AdGuard & Pi-hole Discord: https://discord.gg/DGscCVPRme
Top comments (5)
Thank you for the guide! I saw that you wrote on Reddit that you should only enable DNSSEC in unbound, otherwise there may be a conflict? Is this no longer the case, or does the option in Adguard do something else?
Correct, that is no longer the case, the bug that was causing conflicts was patched out over a year ago.
thank you for the instructions. I wonder how to do this if I use 2 different adguard home instances? My router uses the ip addresses for 2 differet pi's that run adguard. in case ones down, i installed unbound on one of those with 127.0.0.1:5335 in the adguard running on the same pi. as for the other pi with adguard, i either need another instance of unbound? or use ipadderssofpiwithunbound:5335???
Does this mean when a device connects to your local unbound DNS server, it is resolving it further to the AdGuard server underneath?
Other way around, this is for AdGuard Home, which is a local DNS filtering software. Your clients connect to your network and send queries to AdGuard Home to be filtered (mainly used for adblocking but can be used for blocking any domain) and AdGuard Home will then forward the allowed domains to be resolved, and they're forwarded to unbound to do so.