Homelabbing can be addicting. Once your managed to self host one thing - it might really hard to stop finding more and more things to self host.
Self hosting often starts with hosting out own DNS server, which would help us blocking ads.
Prerequisites
- We know what is Adguard Home
- We know what is Unbound
- We have public IP address (if we’ll use our DNS server with devices outside home)
- We know how to use docker
In short - what are we using those tools?
Adguard home
Adguard home is better than pihole in one single thing - native support for DOT, DOH. With DNS over HTTPS (DOH) - You can configure your laptop browser to always use you own DNS server. With DNS over TLS (DOT) - You can configure your Android smartphone to use your own DNS server. Why Android does not let You use DOH - mystery.
Unbound
We are using unbound as recursive sevrer, which is better for privacy in comparison to regular DNS server. Why - can be found on internet, there are many articles on it.
Let’s get started
Here is the sample docker compose file:
services:
adguardhome:
container_name: adguardhome
networks:
- adguardhome
restart: unless-stopped
volumes:
- "/path/to/adguard/work/directory":/opt/adguardhome/work:delegate
- "/path/to/adguard/config":/opt/adguardhome/conf:delegate
ports:
- 53:53/udp
- 53:53/tcp
- 3000:3000/tcp # web interface, adguard is listening on 3000 by default
- 853:853/tcp
- 853:853/udp
- 8443:443/tcp
image: adguard/adguardhome:latest
depends_on:
- unbound
unbound-redis:
image: redis:latest
container_name: unbound-redis
networks:
- adguardhome
hostname: redis
restart: unless-stopped
volumes:
- "/path/to/redis/data":/data
unbound:
image: klutchell/unbound
container_name: unbound
networks:
adguardhome:
ipv4_address: 172.16.81.10
ports:
- 533:53/udp # listening on 553 port
- 533:53/tcp
deploy:
resources:
limits:
memory: 1G
volumes:
- "path/to/unbound/config":/etc/unbound/custom.conf.d:ro
restart: unless-stopped
depends_on:
- unbound-redis
networks:
adguardhome:
driver: bridge
name: adguardhome
ipam:
config:
- subnet: 172.16.81.0/24
Network
We’ve created separate network, assigned static private IP address for unbound server, so we could use it’s container IP as main Adguard Home upstream. It can be any private IP network, that is not take by other networks in the system. In this case - we’d set Adguard main upstream as 172.16.81.10:533
Unbound config
- We’ve chosen here klutchell/unbound-docker instead of MatthewVance/unbound-docker due to reason that it’s easier to setup with Redis (it’s good to use for caching, so we don’t loose DNS cache saved by unbound after restart).
- Latest docker compose example can be found here: docker-compose.yml
- Config example, so it works with Redis can be found here: cachedb.conf. This file can be simply copied to unbound config folder specified in docker-compose file example above. It works like, like
resolved, when you create folderresolved.conf.dand can add multiple config files. - Explanotary article, how to optimize unbound - NLnet Labs Documentation - Unbound - Howto Optimise
Adguard settings
- Set main upstream to unbound and verify.
- Disable DNS cache - unbound is caching, no need to cache in Adguard
Wrap-up
Steps mentioned above - should make it possible to be running Adguard with recursive unbound DNS and have caching enabled, that would even survive reboots.