AdGuardHome Few questions about AdGuard Home Install Script

[SomeWhereOverTheRainBow]

Old thread - but I recently changed to DietPI on my RPI4 and installed Unbound along with AGH, and now DNSSEC works and passes all tests:

View attachment 51428

Not sure if this is related to the version of Unbound being updated due to now running Debian Bookworm - I know the previous version available in Debian Bullseye was a couple of versions behind.

I don’t think it was anything in my Unbound conf file as I copied that over as well…

This issue has been resolved already. It was a problem with Adguardhome not properly reading the dnssec data from Unbound once DNSSEC was enabled inside AdGuardHome (to be a bit more specific, the EDE data). DNSMASQ, and Pihole consequently had this same issue as well. Overall, it has been resolved across the board.

Dig through SERVFAILs with EDE

Now we’re happy to announce we will return more error code types and include additional helpful information to further improve your debugging experience.

blog.cloudflare.com

 

[Gary_Dexter]

This issue has been resolved already. It was a problem with Adguardhome not properly reading the dnssec data from Unbound once DNSSEC was enabled inside AdGuardHome (to be a bit more specific, the EDE data). DNSMASQ, and Pihole consequently had this same issue as well. Overall, it has been resolved across the board.

Dig through SERVFAILs with EDE

Now we’re happy to announce we will return more error code types and include additional helpful information to further improve your debugging experience.

blog.cloudflare.com

Ah ok.

Is the DNSSEC checkbox in AGH just something that shows the flag in the logs? Or does it also send a DNSSEC request with your lookups?

Are there any patch/release notes for AGH or Unbound that show this issue and subsequent fix?

 

[SomeWhereOverTheRainBow]

Ah ok.

Is the DNSSEC checkbox in AGH just something that shows the flag in the logs? Or does it also send a DNSSEC request with your lookups?

Are there any patch/release notes for AGH or Unbound that show this issue and subsequent fix?

The release notes are not as detailed as say for example piholes, but here is one recent fix from adguardhome:

DNSSEC missing AD flag · Issue #5479 · AdguardTeam/AdGuardHome

Prerequisites I have checked the Wiki and Discussions and found no answer I have searched other issues and found no duplicates I want to report a bug and not ask a question Operating system type Li...

github.com

And another one specific for using adguardhome and unbound together :

"DNSSEC Validated" icon near DNSSEC incorrect domain · Issue #3017 · AdguardTeam/AdGuardHome

System Details: Version of AdGuard Home server: Adguard Home v0.106.0-b.4 How did you install AdGuard Home: Snap package How did you setup DNS configuration: Ubuntu VPS CPU architecture: x86_64 Ope...

github.com

Here is a list of some stuff:

Issues · AdguardTeam/AdGuardHome

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

Heres piholes :

Essentially, dnssec data was being misidentified or misinterpreted.

 

[garett_09]

Actually, the user was getting the two intertwined, thus he did not understand any of it.

View attachment 49483

For adguardhome, You can modify the cache value here:

View attachment 49484

the default value is "4194304bytes" or "4mb" I chose "524288bytes" which is approximately 1/8th the default size. I noticed alot less strain on my RAM at this size (it is still using alot of ram, but the demand dropped). A good amount of cache typically ranges in sizes from 524288 to 2097152 bytes. The fact that AdGuardHome uses 4194304bytes is a bit overkill incomparison the the amount memory it already demands.

Hey,

Do you also use DNSSEC and EDNS in AdguardHome? Or just leave it alone for Unbound to work on its own?

Thanks

 

[SomeWhereOverTheRainBow]

Hey,

Do you also use DNSSEC and EDNS in AdguardHome? Or just leave it alone for Unbound to work on its own?

Thanks

Yes to dnssec and no to EDNS.

 

[garett_09]

Yes to dnssec and no to EDNS.

Should I even use EDNS? Thanks

 

[SomeWhereOverTheRainBow]

Should I even use EDNS? Thanks

That is up to you. Unbound should use it by default since it adds additional support for larger DNS messages, DNSSEC (DNS Security Extensions), and other important DNS features, improving the overall security, performance, and functionality of your DNS infrastructure. But you shouldn't need to enable it on AdGuardHome since the requests from adguardhome to unbound are done locally. If you were sending the request to a non-local resolver (e.g. google), then yes it could be useful. If you are using more than just Unbound in your AdGuardHome upstream section, I would recommend enabling it in AdGuardHome.

 

[garett_09]

That is up to you. Unbound should use it by default since it adds additional support for larger DNS messages, DNSSEC (DNS Security Extensions), and other important DNS features, improving the overall security, performance, and functionality of your DNS infrastructure. But you shouldn't need to enable it on AdGuardHome since the requests from adguardhome to unbound are done locally. If you were sending the request to a non-local resolver (e.g. google), then yes it could be useful. If you are using more than just Unbound in your AdGuardHome upstream section, I would recommend enabling it in AdGuardHome.

Then for me it is disabled. However, I did turn on my DNSSEC option in Unbound.

Thank you for the insight