What's new

DNS Privacy with Adguard + unbound

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


Senior Member
Hi All - I just wanted some advice to see if there is more I could do/consider to increase DNS privacy on my home internet setup.

Setup/situation is:
  • wan dns set to ISP (no privacy) but not really used - see dhcp setup below
  • I have a RPI as a dedicated dns / adguard device running dietpi with adguard and unbound
  • all clients use dhcp with dns1 set to my RPI with adguard and unbound; dns2 set to nextdns
  • 90% of dns are sent via dns1 (local adguard/unbound) and the remaining through nextdns
  • using the dns script by @eibgrad I see everything is red with sender src being IP of my local adguard server
I'm trying to work out what this means... I think that it is showing that most dns queries are going via unbound but are not encrypted.

For DNS1 - can I improve this or is this as good as it gets using unbound?

For DNS2 - if I change the nextdns IP to the DNS-over-TLS/QUIC address in the dhcp settings - will this enable dns privacy on the 5-10% of dns queries that do not go through DNS1?

Thanks for any help on this.
You may find some answers and ideas in this thread:

Thanks @Tech9. I had seen this thread and it got me thinking about this stuff in the first place.

I’m not crazy worried about dns privacy and accept there are trade-offs. All good.

unbound + adguard on a dedicated device is working great for adblocking (the key objective).

But unbound is not encrypted to root servers. Should I care?
unbound + adguard on a dedicated device

I have a little reliability concerns with RPi and OS on SD card. It may work for years with no issues, it may stop tomorrow.

But unbound is not encrypted to root servers. Should I care?

Not really. You may get overall worse reliability and DNS resolution speed compared to no extra device and built-in Dnsmasq forwarder to always available 10-30ms away huge cache Google, Cloudflare, OpenDNS, etc. with available DoT straight on the router. Your browser caches queries as well, remember? OpenDNS offers custom blocking categories with free home account if you are interested. It's a Cisco company - pretty reliable. Public DNS providers will hide your WAN IP as well as potential extra security. With home routers the simpler setup the better unless you like to tinker with it all the time and look at numbers, graphs, queries, blocks, play with blocklists, etc. Basically you sacrifice simplicity and reliability chasing non-existing or not needed privacy. Do you have a cellphone or a laptop? Apple, Google, Microsoft already know a lot about you. Your mobile service provider knows exactly where you are at the moment. Your bank knows when, where and what you use your cards for. Why worry so much about DNS queries? This is your least concern.
Thanks @Tech9 - I agree but I know others will have strong opinions in the other (privacy max) direction.

I'm getting good performance, good control of ad blocking and a bit of tinkering all for free! If/when my rpi is down then queries go via nextdns (for free if under 300k/mth).

I don't think I will worry about having my dns queries 'encrypted' (unless someone can give me a reason that I care about)...

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!