In my previous post about AdGuard Home, I didn't fully explain something. When using AdGuard Home as your DNS server, it is true that your ISP cannot see your internet traffic. What I failed to mention was that, by default, AdGuard Home uses quad9 as its upstream DNS server. Now hold up, what is an upstream DNS server?
In this example, AdGuard Home is using Cloudflare as an upstream DNS provider. This means that instead of resolving the domain itself, the AdGuard Home server forwards the query to Cloudflare.
There is nothing wrong with this approach. In fact, it can lead to lower response times, since Cloudflare has many servers positioned throughout the country.
However, this does allow Cloudflare to see our queries. So essentially we are removing Xfinity (the ISP) from the loop but adding Cloudflare.
Furthermore, from the point of view of an attacker, the DNS servers of large providers are very worthwhile targets: an attacker only needs to poison one DNS server, but millions of users might be affected. Instead of your bank's actual IP address, you could be sent to a phishing site hosted on some island.
https://docs.pi-hole.net/guides/dns/unbound/
So the possibility for vulnerability is apparent. How do we remedy this situation?
*Unbound enters the chat*
Unbound is a recursive DNS resolver. This is how it works.
1. Your client asks the AdGuard Home server: "Who is google.com?"
2. Your AdGuard Home server checks its cache and replies if the answer is already known.
3. Your AdGuard Home server checks the blocking lists and replies if the domain is blocked.
4. If neither step 2 nor step 3 applies, the AdGuard Home server delegates the request to the (local) recursive DNS resolver.
5. Your recursive server sends a query to the DNS root servers: "Who is handling .com?"
6. The root server answers with a referral to the TLD servers for .com.
7. Your recursive server sends a query to one of the TLD DNS servers for .com: "Who is handling google.com?"
8. The TLD server answers with a referral to the authoritative name servers for google.com.
9. Your recursive server sends a query to the authoritative name servers: "What is the IP of google.com?"
10. The authoritative server answers with the IP address of the domain google.com.
11. Your recursive server sends the reply to your AdGuard Home server, which in turn replies to your client with the answer to its request.
12. Lastly, your AdGuard Home server saves the answer in its cache so it can respond faster if any of your clients queries the same domain again.
This method allows for fast, safe, and not as easily traced browsing. Let’s set up Unbound on AdGuard Home now.
Thanks to Tyler from CipherOps for creating this simple guide. Find his blog post here.
Install unbound with your package manager:
sudo apt install unbound
Create the directory structure (mkdir -p is harmless if it already exists):
sudo mkdir -p /etc/unbound/unbound.conf.d
Create the following file:
sudo nano /etc/unbound/unbound.conf.d/config.conf
Paste the following (only enable IPv6 if it is native to your network). Lines under server: are indented, as Unbound expects:
server:
    # Listen only on loopback; AdGuard Home on this host is the only client
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Set number of threads to use
    num-threads: 4
    # Hide DNS server info
    hide-identity: yes
    hide-version: yes
    # Limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes
    aggressive-nsec: yes
    rrset-roundrobin: yes
    # Minimum lifetime of cache entries in seconds
    cache-min-ttl: 300
    # Maximum lifetime of cache entries in seconds
    cache-max-ttl: 14400
    # Optimizations
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    serve-expired: yes
    serve-expired-ttl: 3600
    # Keep UDP answers below the common fragmentation limit
    edns-buffer-size: 1232
    prefetch: yes
    prefetch-key: yes
    unwanted-reply-threshold: 10000000
    # Set cache size
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # Increase buffer size so that no messages are lost in traffic spikes
    so-rcvbuf: 1m
    # Public names must not resolve to these private ranges (DNS rebinding protection);
    # such answers are dropped
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
Restart unbound:
sudo systemctl restart unbound
Go into your AdGuard Home admin panel and open Settings -> DNS settings.
In the Upstream DNS servers box, enter 127.0.0.1:5335 and apply.
And that’s it! You now have Unbound running as recursive DNS.
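As an added example (not part of this guide, of Tyler's post, or of Unbound itself), here is a small Python audit of the server: block written above. The option names are real Unbound settings; the audit rules, the loopback check and the WEAK sample are constructed here to show what the hardening lines buy you.

```python
# Constructed audit for an Unbound server: block; option names are real, the rules are ours.

# Options the guide enables, with the value each must carry.
REQUIRED = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "harden-referral-path": "yes",
    "harden-algo-downgrade": "yes",
    "use-caps-for-id": "yes",
    "qname-minimisation": "yes",
}
# RFC 1918 ranges that should never arrive in a public answer (DNS rebinding).
RFC1918 = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

def parse_server_block(text):
    """Option/value pairs from the server: clause; repeated options accumulate."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header such as server: or forward-zone:
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            opts.setdefault(key, []).append(value)
    return opts

def audit(text):
    """Return one finding per weakness; an empty list means the block passes."""
    opts, findings = parse_server_block(text), []
    for key, want in REQUIRED.items():
        if opts.get(key) != [want]:
            findings.append(f"{key} should be {want}, found {opts.get(key)}")
    for iface in opts.get("interface", []):
        if iface not in ("127.0.0.1", "::1"):   # only AdGuard Home on this host should reach Unbound
            findings.append(f"interface {iface} is not loopback")
    missing = RFC1918 - set(opts.get("private-address", []))
    if missing:
        findings.append(f"private-address missing {sorted(missing)}")
    return findings

# Constructed sample with the hardening left out; the config above passes with no findings.
WEAK = """server:
    interface: 0.0.0.0
    harden-dnssec-stripped: no
    private-address: 192.168.0.0/16
"""
```

Running audit() on the config file from this guide returns an empty list; running it on WEAK lists the missing hardening options, the non-loopback interface and the absent private ranges.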
Thanks all,
Joe
Questions: I have 2 Rasp Pi both running AdGuard, primary and secondary. Does it matter where I install unbound? Meaning, could I create a VM and run it in there and point both AdGuard instances to it, or does it need to be installed on the Rasp Pi that has AdGuard?