software:service:adguardhome

Differences

This shows you the differences between two versions of the page.

software:service:adguardhome [2025/03/03 17:43] – [Docker] warnaud
software:service:adguardhome [2026/02/19 08:34] (current) – [debug/troubleshoot] warnaud
Line 1: Line 1:
 +====== Infos ======
 +Following Pi-Hole's update to v6 that creates amazing lags and performance issues:
 +<code bash>
 +dig google.com @8.8.8.8 | grep time 
 +;; Query time: 7 msec
 +dig google.com @192.168.1.1 -p 53 | grep time #SwisscomBox
 +;; Query time: 10 msec
 +dig google.com @192.168.1.10 | grep time #Raspberry Pi 2...
 +;; Query time: 1316 msec
 +dig google.com @192.168.1.11 | grep time #BeagleBoneBlack
 +;; Query time: 12 msec
 +</code>
 +Now the same after moving both to AdGuard:
 +<code bash>
 +dig google.com @8.8.8.8 | grep time
 +;; Query time: 10 msec
 +dig google.com @192.168.1.1 | grep time 
 +;; Query time: 6 msec
 +dig google.com @192.168.1.10 | grep time
 +;; Query time: 13 msec
 +dig google.com @192.168.1.11 | grep time
 +;; Query time: 10 msec
 +dig google.com @192.168.1.15 | grep time #Docker container see below
 +;; Query time: 4 msec
 +</code>
  
 +====== Install ======
 +~straightforward once you have the correct archive...
 +  * Raspberry Pi: <code bash>wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv6.tar.gz</code>
 +  * BeagleBoneBlack: <code bash>wget AdGuardHome_linux_armv7.tar.gz</code>
 +
 +<code bash>
 +tar xvzf AdGuardHome_linux*.tar.gz
 +cd AdGuardHome
 +./AdGuardHome -s install
 +</code>
 +And voilà ... :FIXME might be better to put in /opt\\
 +Once installed, go to http://IP of your device:3000 to start the setup\\
 +In Settings/DNS Settings, put the IP of unbound + some other failover DNS:\\
 +
 +<code bash>
 + 127.0.0.1:5335
 + 9.9.9.9
 + 1.1.1.1</code>
 +
 +
 +Enjoy your new DNS
 +
 +====== Docker ======
 +Here is a Docker version:\\
 +:!: it's a container with a fixedIP ≠ from the docker server :!:
 +<code bash>docker network create -d macvlan   --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eno1  my_macvlan</code>
 +<code bash>
 +git clone https://github.com/hat3ph/docker-adguard-unbound.git
 +cd docker-adguard-unbound
 +vi docker-compose.yml
 +</code>
 +<code xml>
 +services:
 +  adguard-unbound:
 +    container_name: adguard-unbound
 +    image: ghcr.io/hat3ph/adguard-unbound:latest
 +    restart: unless-stopped
 +    hostname: adguard-unbound
 +    volumes:
 +      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
 +      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
 +      - "./unbound:/opt/unbound"
 +    networks:
 +      my_macvlan:
 +        ipv4_address: 192.168.1.15  # statically assign the desired LAN IP
 +
 +networks:
 +  my_macvlan:
 +    external: true
 +</code>
 +<code bash>
 +mkdir -p ./adguard/opt-adguard-work
 +mkdir -p ./adguard/opt-adguard-conf
 +mkdir -p ./unbound
 +
 +docker compose up -d</code>
 +then finish the setup in http://192.168.1.15:3000\\
 +DNS of unbound is in unbound/unbound.conf: 127.0.0.1:5053 -> to be put in Settings/DNS Settings
 +
 +===== optimisation =====
 +<code bash> vi ./unbound/unbound.conf</code>
 +<code perl>
 +        prefetch: yes
 +        prefetch-key: yes
 +        msg-cache-size: 128m
 +        rrset-cache-size: 256m
 +        # Minimum caching time for any record (in seconds)
 +        cache-min-ttl: 300
 +</code>
 +<code bash>docker rm -f adguard-unbound
 +docker compose up -d</code>
 +Better Host perfs
 +<code bash>
 +sysctl -w net.core.rmem_max=26214400
 +sysctl -w net.core.wmem_max=26214400
 +sysctl -w net.ipv4.tcp_rmem="4096 87380 26214400"
 +sysctl -w net.ipv4.tcp_wmem="4096 16384 26214400"
 +</code>
 +===== Tweaks =====
 +Improve cache & speed :FIXME
 +===== Upstream DNS =====
 +==== 2 files ====
 +
 +<code bash>
 +vi /opt/AdGuardHome/conf/upstream-dns.txt</code>
 +<code perl>
 +#UncensoredDNS
 +#quic://unicast.uncensoreddns.org
 +#quic://anycast.uncensoreddns.org
 +#DNS.WATCH
 +#84.200.69.80
 +#84.200.70.40
 +#OpenDNS
 +#208.67.222.222
 +#208.67.220.220
 +# Freenom world
 +#80.80.80.80
 +#80.80.81.81
 +#Quad9
 +#9.9.9.9
 +#149.112.112.112
 +# Quad9 Unfiltered (No blocking, just resolution)
 +tls://dns10.quad9.net
 +https://dns10.quad9.net/dns-query
 +9.9.9.10
 +149.112.112.10
 +</code>
 +<code bash>vi /opt/AdGuardHome/AdGuardHome.yaml</code>
 +<code perl>
 +...
 +dns:
 +  # Listen on all interfaces, port 53
 +  bind_hosts:
 +    - 0.0.0.0
 +    - ::0
 +  port: 53
 +...  
 +  # Path to upstream DNS file
 +  upstream_dns_file: /opt/AdGuardHome/conf/upstream-dns.txt
 +...  
 +  # Bootstrap DNS (required for hostname-based upstreams like dns.quad9.net)
 +  bootstrap_dns:
 +    - 1.1.1.1
 +    - 8.8.8.8
 +    - 208.67.222.222
 +...  
 +  # Enable DNSSEC validation (Quad9 supports it)
 +  enable_dnssec: true
 +</code>
 +==== One file (AdGuardHome.yaml) ====
 +Optimized for Rapberry Pi/BeagleBoneBlack
 +<code perl>
 +dns:
 +  bind_hosts:
 +    - 0.0.0.0
 +  port: 53
 +  
 +  # UPSTREAMS : 100% chiffrés + diversifiés
 +  upstream_dns:
 +    - tls://dns11.quad9.net           # DoT Quad9 ECS (Suisse)
 +    - tls://dns.quad9.net             # DoT Quad9 standard (Suisse)
 +    - tls://unicast.uncensoreddns.org # DoT UncensoredDNS (Danemark)
 +    - tls://dns.digitale-gesellschaft.ch  # DoT Suisse privacy[204]
 +  
 +  upstream_dns_file: ""  # Ignore fichier
 +  upstream_mode: parallel_requests  # Ignore 1 down
 +  upstream_timeout: 5s
 +  
 +  # BOOTSTRAP : IPs uniquement (zéro dépendance hostname)
 +  bootstrap_dns:
 +    - 9.9.9.10        # Quad9 unfiltered IPv4
 +    - 149.112.112.10  # Quad9 unfiltered IPv4
 +    - 2620:fe::10     # Quad9 unfiltered IPv6
 +  
 +  # SÉCURITÉ ABSOLUE
 +  enable_dnssec: true              # Anti-poisoning
 +  refuse_any: true                 # Rejette ANY queries (attaques)
 +  cache_enabled: true
 +  cache_size: 4194304              # 4MiB OK Pi2/BBB
 +  
 +  # ANTI-MITM
 +  bogus_nxdomain:
 +    - 'version.bind'
 +    - 'id.server'
 +    - 'hostname.bind'
 +  
 +  # CLIENTS
 +  anonymize_client_ip: true        # Privacy locale
 +  ratelimit: 20
 +  
 +  # AVANTAGES SÉCURITÉ
 +  max_goroutines: 100              # Pi2/BBB friendly
 +</code>
 +<code bash>
 +sudo systemctl daemon-reload
 +sudo systemctl restart AdGuardHome
 +sudo systemctl status AdGuardHome
 +</code>
 +===== debug/troubleshoot =====
 +<code bash>
 +cd /opt/AdGuardHome/
 +./AdGuardHome -c /opt/AdGuardHome/AdGuardHome.yaml --check-config
 +</code>
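
Review bot: in the "One file (AdGuardHome.yaml)" block, the bogus_nxdomain list under "# ANTI-MITM" holds names ("version.bind", "id.server", "hostname.bind"), but AdGuard Home's bogus_nxdomain matches IP addresses or CIDR ranges found in answers, so these entries give none of the protection the comment claims; remove the list or replace it with a blocking rule for those names, and check "upstream_mode: parallel_requests" against the documented values (load_balance, parallel, fastest_addr) at the same time. Run the --check-config command from the debug/troubleshoot section on this file before relying on the settings under "SÉCURITÉ ABSOLUE". In Install, the BeagleBoneBlack line "wget AdGuardHome_linux_armv7.tar.gz" has no URL, unlike the armv6 line, and neither archive is checked against a published checksum before "./AdGuardHome -s install" registers it as a service; add the full URL and a verification step. The install steps also run from the extraction directory while every later section assumes /opt/AdGuardHome, so resolve the FIXME by extracting into /opt and using one path throughout.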