
Infos

Following Pi-Hole's update to v6, which caused amazing lag and performance issues (query times measured with dig from a client on the LAN):

dig google.com @8.8.8.8 | grep time 
;; Query time: 7 msec
dig google.com @192.168.1.1 -p 53 | grep time #SwisscomBox
;; Query time: 10 msec
dig google.com @192.168.1.10 | grep time #Raspberry Pi 2...
;; Query time: 1316 msec
dig google.com @192.168.1.11 | grep time #BeagleBoneBlack
;; Query time: 12 msec

Now the same after moving both to AdGuard:

dig google.com @8.8.8.8 | grep time
;; Query time: 10 msec
dig google.com @192.168.1.1 | grep time 
;; Query time: 6 msec
dig google.com @192.168.1.10 | grep time
;; Query time: 13 msec
dig google.com @192.168.1.11 | grep time
;; Query time: 10 msec
dig google.com @192.168.1.15 | grep time #Docker container see below
;; Query time: 4 msec
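As an added example (not part of the original page), here is a small POSIX shell script that collects the same ";; Query time:" numbers as the dig commands above, takes the median of several runs per resolver so one cold-cache lookup does not dominate, and flags anything slower than a threshold. The threshold (100 ms, overridable via SLOW_MS) is an assumed value; the script assumes dig is installed and that the resolver addresses are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: benchmark several resolvers with dig.
# Assumptions: dig (dnsutils/bind-utils) is installed; resolvers are given as arguments.

SLOW_MS=${SLOW_MS:-100}   # assumed threshold (ms) above which a resolver is flagged

# Extract the "Query time" value in ms from dig output read on stdin.
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Classify one latency value against SLOW_MS: prints "ok" or "slow".
classify() {
    if [ "$1" -gt "$SLOW_MS" ]; then echo slow; else echo ok; fi
}

# Median of the numbers read on stdin (one per line); "NA" when there is no input.
# The median keeps a single slow (cold-cache or timed-out) lookup from skewing the result.
median() {
    sort -n | awk '{ v[NR] = $1 }
        END { if (NR == 0) { print "NA"; exit } print v[int((NR + 1) / 2)] }'
}

# Query resolver $1 for name $2, $3 times; print "<resolver> <median_ms> <verdict>".
bench_resolver() {
    resolver=$1; name=${2:-google.com}; runs=${3:-5}
    i=0
    while [ "$i" -lt "$runs" ]; do
        dig +tries=1 +time=3 "$name" @"$resolver" 2>/dev/null | query_time_ms
        i=$((i + 1))
    done | median | {
        read -r ms
        if [ "$ms" = NA ]; then
            echo "$resolver unreachable"
        else
            echo "$resolver $ms $(classify "$ms")"
        fi
    }
}

# Usage: sh bench.sh 8.8.8.8 192.168.1.1 192.168.1.10 192.168.1.11
for r in "$@"; do
    bench_resolver "$r" google.com 5
done
```

Run it before and after a change (Pi-hole to AdGuard, a new unbound cache setting) against the same list of resolvers; a resolver reported as "unreachable" timed out on every run, which is a different problem from one that merely answers slowly.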

Install

~straightforward once you have the correct archive for your device's architecture…

tar xvzf AdGuardHome_linux*.tar.gz
cd AdGuardHome
./AdGuardHome -s install

And voilà… :FIXME it might be better to install it under /opt
Once installed, open http://<IP of your device>:3000 to start the setup wizard.
In Settings / DNS settings, enter the address of unbound plus a few fallback DNS servers as upstreams:

 127.0.0.1:5335
 9.9.9.9
 1.1.1.1

Enjoy your new DNS

Docker

Here is a Docker version:
:!: it's a container with a fixed IP, different from the Docker host's :!:

docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eno1 my_macvlan
git clone https://github.com/hat3ph/docker-adguard-unbound.git
cd docker-adguard-unbound
vi docker-compose.yml
services:
  adguard-unbound:
    container_name: adguard-unbound
    image: ghcr.io/hat3ph/adguard-unbound:latest
    restart: unless-stopped
    hostname: adguard-unbound
    volumes:
      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
      - "./unbound:/opt/unbound"
    networks:
      my_macvlan:
        ipv4_address: 192.168.1.15  # statically assign the desired LAN IP
 
networks:
  my_macvlan:
    external: true
mkdir -p ./adguard/opt-adguard-work
mkdir -p ./adguard/opt-adguard-conf
mkdir -p ./unbound
 
docker compose up -d

then finish the setup at http://192.168.1.15:3000
unbound listens on the address set in unbound/unbound.conf (127.0.0.1:5053 here) → enter that address as the upstream in Settings / DNS settings

optimisation

 vi ./unbound/unbound.conf
        prefetch: yes
        prefetch-key: yes
        msg-cache-size: 128m
        rrset-cache-size: 256m
        # Minimum caching time for any record (in seconds)
        cache-min-ttl: 300
docker rm -f adguard-unbound
docker compose up -d

Better host performance

sysctl -w net.core.rmem_max=26214400
sysctl -w net.core.wmem_max=26214400
sysctl -w net.ipv4.tcp_rmem="4096 87380 26214400"
sysctl -w net.ipv4.tcp_wmem="4096 16384 26214400"

Tweaks

Improve cache & speed :FIXME

Upstream DNS

Two files (upstream-dns.txt + AdGuardHome.yaml)

vi /opt/AdGuardHome/conf/upstream-dns.txt
#UncensoredDNS
#quic://unicast.uncensoreddns.org
#quic://anycast.uncensoreddns.org
#DNS.WATCH
#84.200.69.80
#84.200.70.40
#OpenDNS
#208.67.222.222
#208.67.220.220
# Freenom world
#80.80.80.80
#80.80.81.81
#Quad9
#9.9.9.9
#149.112.112.112
# Quad9 Unfiltered (No blocking, just resolution)
tls://dns10.quad9.net
https://dns10.quad9.net/dns-query
9.9.9.10
149.112.112.10
vi /opt/AdGuardHome/AdGuardHome.yaml
...
dns:
  # Listen on all interfaces, port 53
  bind_hosts:
    - 0.0.0.0
    - ::0
  port: 53
...  
  # Path to upstream DNS file
  upstream_dns_file: /opt/AdGuardHome/conf/upstream-dns.txt
...  
  # Bootstrap DNS (required for hostname-based upstreams like dns.quad9.net)
  bootstrap_dns:
    - 1.1.1.1
    - 8.8.8.8
    - 208.67.222.222
...  
  # Enable DNSSEC validation (Quad9 supports it)
  enable_dnssec: true
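The upstream file above mixes encrypted (tls://, https://) and plain-IP upstreams, and the bootstrap_dns comment points out that hostname-based upstreams cannot be reached until a bootstrap resolver answers. As an added example (not from the original page or from AdGuard Home itself), this POSIX shell script audits such a file: it reports which upstreams send queries in clear text and which ones depend on bootstrap_dns. The classification of schemes and the IP-literal heuristic are assumptions of this script, and the sample list embedded at the bottom is constructed from the entries shown above.

```shell
#!/bin/sh
# Added example, not from the original page: audit an AdGuard Home upstream list and
# report upstreams that send queries in clear text, plus hostname-based upstreams that
# need bootstrap_dns to be resolvable. The sample input below is constructed, not captured.

# Strip leading/trailing whitespace from $1.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# Drop an optional "[/domain/]" prefix (AdGuard Home's domain-specific upstream syntax).
strip_domain_prefix() {
    u=$1
    case "$u" in \[/*) u=${u#*/]} ;; esac
    printf '%s\n' "$u"
}

# Print "comment", "encrypted" or "plaintext" for one line of the upstream file.
classify_upstream() {
    line=$(trim "$1")
    case "$line" in
        '' | '#'*) echo comment ;;
        *)
            case "$(strip_domain_prefix "$line")" in
                tls://* | https://* | h3://* | quic://* | sdns://*) echo encrypted ;;
                *) echo plaintext ;;   # bare IP, hostname, tcp:// or udp://
            esac ;;
    esac
}

# Host part of an upstream: scheme, path and port removed; IPv6 brackets unwrapped.
upstream_host() {
    h=$1
    h=${h#*://}                        # drop scheme
    h=${h%%/*}                         # drop path such as /dns-query
    case "$h" in
        \[*) h=${h#\[}; h=${h%%\]*} ;; # [2620:fe::10]:853
        *:*:*) ;;                      # bare IPv6 literal, keep as is
        *) h=${h%%:*} ;;               # drop :port from IPv4 or hostname
    esac
    printf '%s\n' "$h"
}

# Exit 0 when the host is an IP literal, i.e. reachable without bootstrap DNS (heuristic).
is_ip_literal() {
    case "$1" in
        *[!0-9.]*) case "$1" in *:*) return 0 ;; *) return 1 ;; esac ;;  # not just digits/dots: IPv6 or hostname
        *) return 0 ;;                                                 # digits and dots only: IPv4
    esac
}

# Read an upstream file on stdin; print "<kind> <upstream>" per entry, marking hostnames.
audit_upstreams() {
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_upstream "$line")
        [ "$kind" = comment ] && continue
        u=$(strip_domain_prefix "$(trim "$line")")
        if is_ip_literal "$(upstream_host "$u")"; then
            printf '%s %s\n' "$kind" "$u"
        else
            printf '%s %s (hostname: needs bootstrap_dns)\n' "$kind" "$u"
        fi
    done
}

# Number of plaintext upstreams in the file read on stdin.
count_plaintext() {
    audit_upstreams | grep -c '^plaintext ' || true
}

# Constructed sample mirroring the upstream-dns.txt entries above.
SAMPLE='#Quad9
#9.9.9.9
# Quad9 Unfiltered (No blocking, just resolution)
tls://dns10.quad9.net
https://dns10.quad9.net/dns-query
9.9.9.10
149.112.112.10'

# Usage: sh audit-upstreams.sh /opt/AdGuardHome/conf/upstream-dns.txt
# With no argument, the constructed sample is audited instead.
if [ $# -gt 0 ]; then
    audit_upstreams < "$1"
else
    printf '%s\n' "$SAMPLE" | audit_upstreams
fi
```

On the sample list the script reports two plaintext upstreams (the bare Quad9 IPs) and marks the two dns10.quad9.net entries as needing bootstrap_dns, which is exactly why the one-file variant below keeps only IP addresses in bootstrap_dns.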

One file (AdGuardHome.yaml)

Optimized for Raspberry Pi/BeagleBoneBlack

dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
 
  # UPSTREAMS: 100% encrypted + diversified
  upstream_dns:
    - tls://dns11.quad9.net           # DoT Quad9 with ECS (Switzerland)
    - tls://dns.quad9.net             # DoT Quad9 standard (Switzerland)
    - tls://unicast.uncensoreddns.org # DoT UncensoredDNS (Denmark)
    - tls://dns.digitale-gesellschaft.ch  # DoT Switzerland, privacy-oriented
 
  upstream_dns_file: ""  # ignore the file
  upstream_mode: parallel_requests  # tolerate one upstream being down
  upstream_timeout: 5s
 
  # BOOTSTRAP: IPs only (no dependency on hostnames)
  bootstrap_dns:
    - 9.9.9.10        # Quad9 unfiltered IPv4
    - 149.112.112.10  # Quad9 unfiltered IPv4
    - 2620:fe::10     # Quad9 unfiltered IPv6
 
  # SECURITY
  enable_dnssec: true              # anti-poisoning
  refuse_any: true                 # reject ANY queries (used in attacks)
  cache_enabled: true
  cache_size: 4194304              # 4 MiB, fine on Pi2/BBB
 
  # ANTI-MITM
  bogus_nxdomain:
    - 'version.bind'
    - 'id.server'
    - 'hostname.bind'
 
  # CLIENTS
  anonymize_client_ip: true        # local privacy
  ratelimit: 20
 
  # SECURITY BENEFITS
  max_goroutines: 100              # Pi2/BBB friendly
sudo systemctl daemon-reload
sudo systemctl restart AdGuardHome
sudo systemctl status AdGuardHome

debug/troubleshoot

cd /opt/AdGuardHome/
./AdGuardHome -c /opt/AdGuardHome/AdGuardHome.yaml --check-config
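--check-config only proves the YAML parses; it does not prove that enable_dnssec actually results in validation on the wire. As an added example (not from the original page or from AdGuard Home), this POSIX shell script queries a resolver for a correctly signed name and for a name whose signature is deliberately broken, and decides from the two replies whether the resolver validates. It assumes dig is installed, that example.com is DNSSEC-signed and that dnssec-failed.org is a public test zone with an invalid signature; the decision logic is kept separate from the network calls so it can be tested on captured dig output.

```shell
#!/bin/sh
# Added example, not from the original page: check that a resolver really validates
# DNSSEC (enable_dnssec: true above) by querying a correctly signed name and a
# deliberately broken one. Assumptions: dig is installed; example.com is signed and
# dnssec-failed.org is a public test zone with an invalid signature.

PORT=${PORT:-53}   # use PORT=5335 to test unbound directly instead of AdGuard Home

# Print the RCODE (NOERROR, SERVFAIL, ...) from dig output read on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Exit 0 when the dig output on stdin carries the AD (authenticated data) flag.
has_ad_flag() {
    grep -q '^;; flags:.* ad[ ;]'
}

# Decide from two captured dig outputs (signed name, broken name):
# "validating", "not-validating" or "unreachable". No network calls here.
verdict() {
    good_status=$(printf '%s\n' "$1" | dig_status)
    bad_status=$(printf '%s\n' "$2" | dig_status)
    if [ -z "$good_status" ]; then
        echo unreachable
    elif [ "$good_status" = NOERROR ] && [ "$bad_status" = SERVFAIL ] \
            && printf '%s\n' "$1" | has_ad_flag; then
        echo validating
    else
        # Either the signed answer came back without AD, or the broken
        # zone resolved anyway: the resolver is forwarding, not validating.
        echo not-validating
    fi
}

# Run both queries against resolver $1 (on $PORT) and print the verdict.
check_dnssec() {
    good=$(dig +dnssec +tries=1 +time=5 example.com @"$1" -p "$PORT" 2>/dev/null || true)
    bad=$(dig +dnssec +tries=1 +time=5 dnssec-failed.org @"$1" -p "$PORT" 2>/dev/null || true)
    verdict "$good" "$bad"
}

# Usage: sh dnssec-check.sh 192.168.1.10          (AdGuard Home on the Pi)
#        PORT=5335 sh dnssec-check.sh 127.0.0.1   (unbound behind it, run on the Pi itself)
for r in "$@"; do
    printf '%s %s\n' "$r" "$(check_dnssec "$r")"
done
```

Running it against both AdGuard Home and unbound (with PORT=5335) tells you which hop is validating: a "not-validating" result for AdGuard Home while unbound reports "validating" usually means the AdGuard upstream list no longer points at unbound.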