Using AdGuard Home with Unbound

[Gary_Dexter]

Any advantages to doing this?

How would it work with regards to filtering - will requests go to AGH first before being pushed to the “outside world” for blocklist checking etc?

And is there any benefit to Unbound over AGH’s DNS caching?

 

[mattleg]

The advantage is mostly privacy. Requests still come to AdGuard, then passed along to Unbound. Unbound then starts at the root servers and works up to find the requested address. Essentially Unbound is a private DNS server, much like that of your ISP or other offerings. You are cutting out the middle, plus keeping the requests private and secure on your own hardware.

 

[Gary_Dexter]

Thanks.
But then I would lose any content filtering provided by a DNS Service such as Quad9, Cloudflare or OpenDNS - right?

 

[mattleg]

Yes, you would lose the content filtering provided by those DNS services. AdGuard would be doing the content filtering. With Unbound and AdGuard your hardware becomes a miniature version of what those services offer.

 

[Gary_Dexter]

I've enabled Unbound now and using it via AGH.

I am noticing high amounts of DNS latency though - even for items served from the Cache in AGH:

And other sites showing ~ 0.2ms response times when serving links from the Cache:

Is there also any harm in leaving the folliwing enabled - I've read conflicting things online; some have said it's merely a reporting option added to the Query Log (denoted by a Green Padlock for successful DNSSEC Validated queries) and also read that it actually tries to force DNSSEC to the destination, thus doing it twice - once in AGH and then again in Unbound:

 

[Gary_Dexter]

Another instance served from cache but with a 1700+ms time.

Should I disable AGH’s cache? Again I’ve heard conflicting responses elsewhere that say to leave it on so the blocked lookups are cached in AGH without having to be resolved every time and another argument saying to disable it as Unbound does the caching and the impact of the blocked lookups is minimal.

 

[chongnt]

Is it one particular or all instances from cache have a long processing time? How about those first time query?
What I noticed is if I put a large blocklist or a lot of complex regex in custom blocklist it will increase the processing time.

 

[Gary_Dexter]

Is it one particular or all instances from cache have a long processing time? How about those first time query?
What I noticed is if I put a large blocklist or a lot of complex regex in custom blocklist it will increase the processing time.

Pretty much all instances. I think it’s a CPU limitation with my router as since removing Unbound everything is back to normal again

 

[Gary_Dexter]

So removing Skynet seems to have fixed the ping spiking issue - for some reason Skynet was tanking the CPU, and it wasn't really doing much for me anyway apart from filling the logs with requests that are blocked by the standard firewall anyway..

However, I am still not seeing any DNS requests marked as DNSSEC verified in AGH using Unbound - is this normal becuase Unbound is doing the DNSSEC handling now and AGH is just getting served from Unbound's cache?