- Install Unbound with your package manager. I use apt, so in my case I run
sudo apt install unbound
Which package manager you have depends on your system.
- Create and edit /etc/unbound/unbound.conf.d/config.conf. I use vim, but you can use whichever text editor you prefer. In my case:
sudo vim /etc/unbound/unbound.conf.d/config.conf
- Once the file is open in your editor, insert the following. Only enable IPv6 (do-ip6: yes) if your network has native IPv6; 6to4 tunnelling is not native IPv6. Also set num-threads to the number of CPU threads on your machine: the default is 1, in my config it is 4.
server:
    # Listen on loopback only. Pi-hole / AdGuard Home on this host forwards to this
    # port, and nothing outside the host can reach the resolver (Unbound's default
    # access-control only allows localhost anyway).
    interface: 127.0.0.1
    port: 5335
    # Only set do-ip6 to yes if your network has native IPv6
    do-ip6: no
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Set number of threads to use (default is 1; match your CPU thread count)
    num-threads: 4
    # Hide DNS server info (answers to id.server / version.server queries)
    hide-identity: yes
    hide-version: yes
    # Limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    # "no" is the Unbound default: when a DS record advertises several algorithms,
    # an answer signed only with the weakest of them still validates
    harden-algo-downgrade: no
    qname-minimisation: yes
    aggressive-nsec: yes
    rrset-roundrobin: yes
    # DNSSEC validation needs the root trust anchor. The Debian/Ubuntu packages already
    # set this in unbound.conf.d/root-auto-trust-anchor-file.conf, so only uncomment the
    # next line if your distribution does not (check with: grep -r auto-trust-anchor-file /etc/unbound)
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Minimum lifetime of cache entries in seconds. Unbound warns that forcing a minimum
    # TTL can serve stale data for zones that legitimately use short TTLs.
    cache-min-ttl: 300
    # Maximum lifetime of cache entries in seconds
    cache-max-ttl: 14400
    # Optimizations: slab counts should be a power of two close to num-threads
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Answer from expired cache entries (for up to an hour) while refreshing them
    serve-expired: yes
    serve-expired-ttl: 3600
    # Keep UDP answers small enough to avoid IP fragmentation
    edns-buffer-size: 1232
    # Refresh popular entries (and their DNSSEC keys) before they expire
    prefetch: yes
    prefetch-key: yes
    target-fetch-policy: "3 2 1 1 1"
    # Number of unwanted (spoof-looking) replies per thread before the caches are flushed
    unwanted-reply-threshold: 10000000
    # Set cache size; rrset-cache-size should be about twice msg-cache-size
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # Increase the socket receive buffer so that no messages are lost in traffic spikes.
    # On Linux this is only granted if Unbound starts as root (the systemd unit does, it
    # drops privileges later) or net.core.rmem_max allows it; otherwise Unbound warns at startup.
    so-rcvbuf: 1m
    # Never return these ranges for public names (DNS rebinding protection).
    # Note that 127.0.0.0/8 is not in this list; add it too unless you rely on a public
    # name resolving to loopback.
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
- Restart Unbound with
sudo systemctl restart unbound
It is now listening on 127.0.0.1:5335 and doing what the config says.
Telling AdGuard Home to use Unbound
Go into your AdGuard Home admin panel and go to Settings -> DNS settings
- In the Upstream DNS servers box, replace whatever is there with
127.0.0.1:5335
and apply. Leave no other upstream in the list: AdGuard Home spreads queries across all configured upstreams by default, so any extra entry lets some queries bypass Unbound.
Telling Pi-hole to use Unbound
- Go into Settings -> DNS. Under Upstream DNS Servers, uncheck every provider box, tick one Custom (IPv4) box and input
127.0.0.1#5335
then apply.
Finalize Configuration
- Enable DNSSEC in Pi-hole or AdGuard Home, whichever you are using. Unbound already validates answers itself; the filter's own DNSSEC option makes its query log show the DNSSEC status of each resolved domain, so you can see that validation is happening.
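After the restart and after pointing the filter at Unbound, it is worth checking that the resolver actually validates DNSSEC, rejects a deliberately broken zone, and strips private addresses as the private-address lines intend. The script below is an added example, not code from the original post. It assumes Unbound listens on 127.0.0.1:5335 as in the config above, that the filter (Pi-hole or AdGuard Home) listens on 127.0.0.1:53 (both can be overridden with the UNBOUND_HOST/UNBOUND_PORT and FILTER_HOST/FILTER_PORT variables), that dig (bind9-dnsutils), unbound-checkconf and journalctl are installed, and that the public test names sigok/sigfail.verteiltesysteme.net and 10.0.0.1.nip.io are still online. The classify function is also exercised offline against constructed dig output, so the parser can be checked without a network.

```shell
#!/bin/sh
# check-unbound.sh: sanity checks for the Unbound resolver configured above and
# the Pi-hole / AdGuard Home instance that forwards to it. Added example, not
# code from the original post. Assumptions: Unbound on 127.0.0.1:5335, the filter
# on 127.0.0.1:53 (override with the variables below), dig, unbound-checkconf
# and journalctl available, and the public test names below still answering.
set -eu

UNBOUND_HOST="${UNBOUND_HOST:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"
FILTER_HOST="${FILTER_HOST:-127.0.0.1}"
FILTER_PORT="${FILTER_PORT:-53}"

# classify: read dig output on stdin and print one word for the answer:
#   validated    NOERROR with the AD flag: the resolver validated the DNSSEC chain
#   insecure     NOERROR without AD: unsigned zone, or nobody is validating
#   bogus        SERVFAIL: the validator rejected the data (or the upstream failed)
#   no-response  no header at all (timeout, wrong port, Unbound not running)
classify() {
    awk '
        /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); rcode = $0 }
        /^;; flags:/       { if ($0 ~ / ad[;,]/) ad = 1 }
        END {
            if (rcode == "")                    print "no-response"
            else if (rcode == "NOERROR" && ad)  print "validated"
            else if (rcode == "NOERROR")        print "insecure"
            else if (rcode == "SERVFAIL")       print "bogus"
            else                                print rcode
        }'
}

# query <host> <port> <name>: one A lookup against that server, classified
query() {
    dig @"$1" -p "$2" "$3" A +adflag +time=3 +tries=1 | classify
}

# Constructed dig output (not captured from a real run), cut down to the two
# lines classify reads, so the parser can be exercised offline.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# expect <word> <dig-output>: succeed when classify yields <word>
expect() {
    [ "$(printf '%s\n' "$2" | classify)" = "$1" ]
}

# self_test: run classify over the constructed samples; exit status 0 when all match
self_test() {
    expect validated   "$SAMPLE_VALIDATED" &&
    expect insecure    "$SAMPLE_INSECURE"  &&
    expect bogus       "$SAMPLE_BOGUS"     &&
    expect no-response "$SAMPLE_TIMEOUT"
}

# check_server <label> <host> <port>: what to look at after a restart
check_server() {
    printf '== %s at %s:%s\n' "$1" "$2" "$3"
    printf '   signed test zone (expect validated): %s\n' "$(query "$2" "$3" sigok.verteiltesysteme.net)"
    printf '   broken test zone (expect bogus):     %s\n' "$(query "$2" "$3" sigfail.verteiltesysteme.net)"
    # private-address: a public name that points at 10.0.0.1 must come back without it
    leaked=$(dig @"$2" -p "$3" 10.0.0.1.nip.io A +short +time=3 +tries=1 | grep -c '^10\.' || true)
    printf '   private address leaked (expect 0):  %s\n' "$leaked"
}

live_check() {
    echo "== unbound-checkconf"
    unbound-checkconf
    # so-rcvbuf: 1m is only granted if Unbound starts as root or rmem_max allows it
    echo "== so-rcvbuf warnings in the journal since boot (expect none)"
    journalctl -u unbound -b | grep -i rcvbuf || echo "   none"
    check_server "Unbound" "$UNBOUND_HOST" "$UNBOUND_PORT"
    check_server "filter (Pi-hole / AdGuard Home)" "$FILTER_HOST" "$FILTER_PORT"
}

# The live checks only run when invoked as: sudo sh check-unbound.sh live
if [ "${1:-}" = live ]; then
    self_test || { echo "classify self-test failed"; exit 1; }
    live_check
fi
```

Run it as sudo sh check-unbound.sh live. For Unbound itself, sigok should come back validated and sigfail bogus; sigfail coming back insecure means validation is switched off, usually because no trust anchor is loaded. The filter may still show insecure for sigok until you enable its DNSSEC option, because Pi-hole's dnsmasq strips the AD flag from upstream answers unless told to validate or proxy DNSSEC.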
AdGuard & Pi-hole Discord: https://discord.gg/DGscCVPRme
Top comments (6)
Thank you for the instructions. I wonder how to do this if I use 2 different AdGuard Home instances? My router uses the IP addresses of 2 different Pis that run AdGuard. In case one's down, I installed Unbound on one of those with 127.0.0.1:5335 in the AdGuard running on the same Pi. As for the other Pi with AdGuard, I either need another instance of Unbound? Or use ipaddressofpiwithunbound:5335???
You need the same as the first; when it fails, change to the second DNS.
Thank you for the guide! I saw that you wrote on Reddit that you should only enable DNSSEC in unbound, otherwise there may be a conflict? Is this no longer the case, or does the option in Adguard do something else?
Correct, that is no longer the case, the bug that was causing conflicts was patched out over a year ago.
Does this mean when a device connects to your local unbound DNS server, it is resolving it further to the AdGuard server underneath?
Other way around, this is for AdGuard Home, which is a local DNS filtering software. Your clients connect to your network and send queries to AdGuard Home to be filtered (mainly used for adblocking but can be used for blocking any domain) and AdGuard Home will then forward the allowed domains to be resolved, and they're forwarded to unbound to do so.