====== Infos ======
Following Pi-Hole's update to v6, which creates amazing lags and performance issues:
<code bash>
dig google.com @8.8.8.8 | grep time
;; Query time: 7 msec
dig google.com @192.168.1.1 -p 53 | grep time   #SwisscomBox
;; Query time: 10 msec
dig google.com @192.168.1.10 | grep time        #Raspberry Pi 2...
;; Query time: 1316 msec
dig google.com @192.168.1.11 | grep time        #BeagleBoneBlack
;; Query time: 12 msec
</code>
Now the same after moving both to AdGuard:
<code bash>
dig google.com @8.8.8.8 | grep time
;; Query time: 10 msec
dig google.com @192.168.1.1 | grep time
;; Query time: 6 msec
dig google.com @192.168.1.10 | grep time
;; Query time: 13 msec
dig google.com @192.168.1.11 | grep time
;; Query time: 10 msec
dig google.com @192.168.1.15 | grep time        #Docker container, see below
;; Query time: 4 msec
</code>

====== Install ======
~straightforward once you have the correct archive...
  * Raspberry Pi: <code bash>wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv6.tar.gz</code>
  * BeagleBoneBlack (same base URL): <code bash>wget AdGuardHome_linux_armv7.tar.gz</code>
<code bash>
tar xvzf AdGuardHome_linux*.tar.gz
cd AdGuardHome
./AdGuardHome -s install
</code>
And voilà ...

:FIXME might be better to put it in /opt\\
Once installed, go to http://IP of your device:3000 to start the setup\\
In Settings/DNS Settings, put the IP of unbound + some other failover DNS:\\
<code>
127.0.0.1:5335
9.9.9.9
1.1.1.1
</code>
Enjoy your new DNS

====== Docker ======
Here is a Docker version:\\
:!: it's a container with a fixed IP, different from the Docker host :!:
<code bash>
docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eno1 my_macvlan
git clone https://github.com/hat3ph/docker-adguard-unbound.git
cd docker-adguard-unbound
vi docker-compose.yml
</code>
<code yaml>
services:
  adguard-unbound:
    container_name: adguard-unbound
    image: ghcr.io/hat3ph/adguard-unbound:latest
    restart: unless-stopped
    hostname: adguard-unbound
    volumes:
      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
      - "./unbound:/opt/unbound"
    networks:
      my_macvlan:
        ipv4_address: 192.168.1.15   # statically assign the desired LAN IP
networks:
  my_macvlan:
    external: true
</code>
<code bash>
mkdir -p ./adguard/opt-adguard-work
mkdir -p ./adguard/opt-adguard-conf
mkdir -p ./unbound
docker compose up -d
</code>
then finish the setup at http://192.168.1.15:3000\\
The unbound listener is defined in unbound/unbound.conf: 127.0.0.1:5053 -> to be put in Settings/DNS Settings

===== optimisation =====
<code bash>
vi ./unbound/unbound.conf
</code>
<code>
prefetch: yes
prefetch-key: yes
msg-cache-size: 128m
rrset-cache-size: 256m
# Minimum caching time for any record (in seconds)
cache-min-ttl: 300
</code>
<code bash>
docker rm -f adguard-unbound
docker compose up -d
</code>
Better host performance:
<code bash>
sysctl -w net.core.rmem_max=26214400
sysctl -w net.core.wmem_max=26214400
sysctl -w net.ipv4.tcp_rmem="4096 87380 26214400"
sysctl -w net.ipv4.tcp_wmem="4096 16384 26214400"
</code>

===== Tweaks =====
Improve cache & speed :FIXME

===== Upstream DNS =====
==== 2 files ====
<code bash>
vi /opt/AdGuardHome/conf/upstream-dns.txt
</code>
<code>
#UncensoredDNS
#quic://unicast.uncensoreddns.org
#quic://anycast.uncensoreddns.org
#DNS.WATCH
#84.200.69.80
#84.200.70.40
#OpenDNS
#208.67.222.222
#208.67.220.220
# Freenom world
#80.80.80.80
#80.80.81.81
#Quad9
#9.9.9.9
#149.112.112.112
# Quad9 Unfiltered (No blocking, just resolution)
tls://dns10.quad9.net
https://dns10.quad9.net/dns-query
9.9.9.10
149.112.112.10
</code>
<code bash>
vi /opt/AdGuardHome/AdGuardHome.yaml
</code>
<code yaml>
...
dns:
  # Listen on all interfaces, port 53
  bind_hosts:
    - 0.0.0.0
    - ::0
  port: 53
  ...
  # Path to upstream DNS file
  upstream_dns_file: /opt/AdGuardHome/conf/upstream-dns.txt
  ...
  # Bootstrap DNS (required for hostname-based upstreams like dns.quad9.net)
  bootstrap_dns:
    - 1.1.1.1
    - 8.8.8.8
    - 208.67.222.222
  ...
  # Enable DNSSEC validation (Quad9 supports it)
  enable_dnssec: true
</code>

==== One file (AdGuardHome.yaml) ====
Optimized for Raspberry Pi/BeagleBoneBlack
<code yaml>
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

  # UPSTREAMS: 100% encrypted + diversified
  upstream_dns:
    - tls://dns11.quad9.net               # DoT Quad9 with ECS (Switzerland)
    - tls://dns.quad9.net                 # DoT Quad9 standard (Switzerland)
    - tls://unicast.uncensoreddns.org     # DoT UncensoredDNS (Denmark)
    - tls://dns.digitale-gesellschaft.ch  # DoT Swiss privacy resolver
  upstream_dns_file: ""                   # Ignore the upstream file
  upstream_mode: parallel_requests        # Keeps working when one upstream is down
  upstream_timeout: 5s

  # BOOTSTRAP: IPs only (zero hostname dependency)
  bootstrap_dns:
    - 9.9.9.10        # Quad9 unfiltered IPv4
    - 149.112.112.10  # Quad9 unfiltered IPv4
    - 2620:fe::10     # Quad9 unfiltered IPv6

  # ABSOLUTE SECURITY
  enable_dnssec: true    # Anti-poisoning
  refuse_any: true       # Reject ANY queries (used in attacks)
  cache_enabled: true
  cache_size: 4194304    # 4MiB, OK for Pi2/BBB

  # ANTI-MITM
  bogus_nxdomain:
    - 'version.bind'
    - 'id.server'
    - 'hostname.bind'

  # CLIENTS
  anonymize_client_ip: true  # Local privacy
  ratelimit: 20

  # SECURITY BENEFITS
  max_goroutines: 100        # Pi2/BBB friendly
</code>
<code bash>
sudo systemctl daemon-reload
sudo systemctl restart AdGuardHome
sudo systemctl status AdGuardHome
</code>

===== debug/troubleshoot =====
<code bash>
cd /opt/AdGuardHome/
./AdGuardHome -c /opt/AdGuardHome/AdGuardHome.yaml --check-config
</code>
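The ''--check-config'' run above only validates the YAML syntax; it does not tell you whether ''enable_dnssec: true'' actually results in validated answers, and the ''dig | grep time'' lines in the Infos section have to be retyped per resolver. The script below is an added example (not from this page, not AdGuard Home's or unbound's own code) that does both in one pass: it measures the query time of each resolver and classifies its DNSSEC behaviour from two dig queries. It assumes ''dig'' is installed, that cloudflare.com is a DNSSEC-signed zone and that dnssec-failed.org is the public test zone with a deliberately broken signature (both are assumptions about public zones; google.com from the Infos section is not signed, so it can never show the AD flag). The sample dig outputs at the bottom are constructed, not captured from a real resolver, and only exist so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example: query time + DNSSEC validation check for local resolvers.
# Not the page's or AdGuard Home's own code. Assumes dig is installed and that
# cloudflare.com (signed) and dnssec-failed.org (deliberately broken) behave as
# public test zones; both are assumptions.

# --- parsers for dig output ---------------------------------------------------

# Print the "Query time" value in msec from a dig output ($1).
query_time_ms() {
  printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1
}

# Print the response code (NOERROR, SERVFAIL, NXDOMAIN, ...) from a dig output ($1).
rcode() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed when the flags line carries AD (authenticated data), i.e. the
# resolver validated the answer itself rather than just forwarding it.
has_ad_flag() {
  printf '%s\n' "$1" | grep -q '^;; flags:.* ad[; ]'
}

# Verdict from two dig outputs: $1 = answer for a signed zone, $2 = answer for
# the deliberately broken zone. A validating resolver sets AD on the first and
# returns SERVFAIL on the second. AD without the SERVFAIL means the resolver
# claims validation but still hands out bogus data, which is the worst case.
dnssec_verdict() {
  if has_ad_flag "$1" && [ "$(rcode "$2")" = "SERVFAIL" ]; then
    echo validating
  elif has_ad_flag "$1"; then
    echo ad-but-serves-bogus
  else
    echo not-validating
  fi
}

# --- live check: one line per resolver IP -----------------------------------

check_resolver() {  # $1 = resolver IP, e.g. 192.168.1.10
  good=$(dig +dnssec +time=3 +tries=1 @"$1" cloudflare.com A 2>/dev/null || true)
  bad=$(dig +dnssec +time=3 +tries=1 @"$1" dnssec-failed.org A 2>/dev/null || true)
  t=$(query_time_ms "$good")
  printf '%-16s %6s msec  %s\n' "$1" "${t:-n/a}" "$(dnssec_verdict "$good" "$bad")"
}

# Only talk to the network when RESOLVERS is set, so the file can be sourced
# offline. Usage: RESOLVERS="192.168.1.10 192.168.1.11 9.9.9.9" sh dnscheck.sh
if [ -n "${RESOLVERS:-}" ]; then
  for r in $RESOLVERS; do check_resolver "$r"; done
fi

# --- constructed sample outputs (not captured from a real server) -------------
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 13 msec'
SAMPLE_BROKEN_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 1316 msec'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 7 msec'
```

Run it against the Pi, the BeagleBone and the Docker container from this page and you get one line each with the query time and a verdict; ''not-validating'' on a resolver whose YAML says ''enable_dnssec: true'' means the setting is not in effect (wrong config file, service not restarted, or an upstream that strips DNSSEC data), and ''ad-but-serves-bogus'' is the case to fix first.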