Advice Request Help needed with DNS configuration


X195

Level 1
Thread author
Aug 31, 2023
17
Hi All,

I currently have an OPNsense router which has the Adguard plugin installed.
I have configured it also to use unbound DNS over TLS to Cloudflare and Quad9 upstream public DNS as per this guide:

How to setup AdGuard Home DNS on OPNsense with Unbound - windgate

"In our setup, we will actually use two internal DNS server services. The Adguard DNS requests will be forwarded to Unbound which would act as a validating, recursive, and caching DNS resolver and will encrypt our traffic with DNSSEC"

I have two questions:

1. When using this configuration, how should I set the DNS over HTTPS setting in my browser? I currently have it set to OFF (use your default DNS resolver). Does that sound correct, or should I also enable DNS over HTTPS in the browser for additional security?


2. Is there any benefit to using NextDNS as my upstream public DNS rather than Quad9 / Cloudflare (as per the guide) that I am currently using? I know that with NextDNS you can log in to an interface where there are options to filter specific types of content and various other configuration / security / privacy settings, whereas I don't think an interface with customisable configuration settings is available with Cloudflare / Quad9?

Thanks,
X195
 

Bot

AI-powered Bot
Apr 21, 2016
4,315
Hi X195,

1. Yes, using NextDNS as your upstream DNS could provide additional benefits. NextDNS allows you to customize your filtering preferences, block specific domains, and get detailed analytics about your DNS queries. It also supports DNS over HTTPS (DoH) and DNS over TLS (DoT), which can add an extra layer of privacy and security. However, keep in mind that NextDNS is not entirely free after a certain number of queries per month.

2. Cloudflare and Quad9 are still great options if you're looking for speed, reliability, and privacy. They might not offer the same level of customization as NextDNS, but they do provide robust security features.

Remember to consider your needs and preferences when choosing a DNS provider.

Best,
AdGuard Bot
 

lokamoka820

Level 21
Mar 1, 2024
1,060
I think your questions are more personal preferences than technical ones; you can use what fits your needs best. For me:
  1. I will go with default protection on the DNS over HTTPS setting.
  2. I will go with the fastest DNS, which is Cloudflare for me. Although NextDNS offers more benefits, if you don't need them, why use it?
 

X195

Level 1
Thread author
Aug 31, 2023
17
Thanks for your reply (y)

I will go with default protection on DNS over HTTPS setting.

I wasn't sure if setting this in the browser would conflict with the AdGuard / Unbound setup that I've already got set up. Could you elaborate why you would set it to this and how that would work with my current configuration?

I'm a bit confused about the correlation between these settings in the browser and the configuration in OPNsense / AdGuard Home. If I set it to something other than off, does that mean it will use something other than AdGuard and Unbound?

I will go with the fastest DNS

What's the easiest way to find out which is the fastest DNS for me?

Many Thanks
X195
 

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,396
Thanks for your reply (y)

I wasn't sure if setting this in the browser would conflict with the AdGuard / Unbound setup that I've already got set up. Could you elaborate why you would set it to this and how that would work with my current configuration?

I'm a bit confused about the correlation between these settings in the browser and the configuration in OPNsense / AdGuard Home. If I set it to something other than off, does that mean it will use something other than AdGuard and Unbound?

What's the easiest way to find out which is the fastest DNS for me?

Many Thanks
X195
Try this:
GRC's | DNS Nameserver Performance Benchmark
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
883
When using this configuration, how should I set the DNS over HTTPS setting in my browser? I currently have it set to OFF (use your default DNS resolver). Does that sound correct, or should I also enable DNS over HTTPS in the browser for additional security?
Do not set DoH in your browser. DNS over HTTPS means all your DNS queries get encrypted and sent to the preferred DNS resolver via port 443. If you set DoH in the browser, no DNS queries go to your router; all your router sees is "the encrypted traffic over port 443" and nothing else. So in such a case no filtering takes place, which defeats your intended purpose of using the AdGuard plugin. Instead, create a rule in OPNsense to route all TCP and UDP traffic on port 53 (all unencrypted DNS queries come through this port) to your AdGuard listening port.
You do not need NextDNS with your setup; you can add as many blocklists to your AdGuard server as you like (but less is better) and get the same protection as NextDNS provides.
 
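To make the distinction in the post above concrete, here is an added example (not from the thread or from any of the tools mentioned) that classifies a few constructed outbound flows from LAN clients by what a router-side AdGuard/Unbound filter can still do with them. The AdGuard address, the client addresses and the log format are assumptions; it also covers DNS over TLS on port 853, which the post does not discuss.

```python
# Added example: which LAN DNS flows a router-side AdGuard/Unbound filter can
# see, redirect, or not see at all. Addresses and log format are constructed.
from collections import Counter

ADGUARD_IP = "192.168.1.1"   # assumed LAN address where AdGuard Home listens

# Constructed sample records, one per line: "<src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.20 8.8.8.8 udp 53
192.168.1.31 1.1.1.1 tcp 853
192.168.1.31 104.16.248.249 tcp 443
192.168.1.45 9.9.9.9 tcp 53
192.168.1.45 93.184.216.34 tcp 443
"""


def classify(dst: str, dport: int, adguard_ip: str = ADGUARD_IP) -> str:
    """Say what the router can do with one outbound flow from a LAN client."""
    if dport == 53:
        # Plain DNS: the router sees the query. Sent to AdGuard it is filtered
        # directly; sent anywhere else, a port-53 redirect rule can catch it.
        return "filtered" if dst == adguard_ip else "redirectable"
    if dport == 853:
        # DNS over TLS: recognisable as DNS by its port, but the router cannot
        # read the names inside; it can only allow or drop the connection.
        return "dot-encrypted"
    if dport == 443:
        # DoH shares port 443 with ordinary HTTPS, so the router cannot tell a
        # DNS query from a web page: no filtering and no redirection applies.
        return "opaque-https"
    return "other"


def summarize(log: str) -> dict:
    """Count flow categories over a log in the constructed format above."""
    counts = Counter()
    for line in log.splitlines():
        _src, dst, _proto, dport = line.split()
        counts[classify(dst, int(dport))] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:15} {n}")
```

The two "redirectable" flows are the ones the port-53 rule from the post is meant to pull back to AdGuard; the "opaque-https" flows are why a browser DoH setting sidesteps the router entirely.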

lokamoka820

Level 21
Mar 1, 2024
1,060
Thanks for your reply (y)
You are welcome.
I wasn't sure if setting this in the browser would conflict with the AdGuard / Unbound setup that I've already got set up. Could you elaborate why you would set it to this and how that would work with my current configuration?

I'm a bit confused about the correlation between these settings in the browser and the configuration in OPNsense / AdGuard Home. If I set it to something other than off, does that mean it will use something other than AdGuard and Unbound?
Actually, "Default Protection" will act as "Off" with your setup; it will use AdGuard with both options.
What's the easiest way to find out which is the fastest DNS for me?
There are many tools, but I prefer DNS Jumper; it is simple and gives you the ability to test, change and reset your DNS server.
 

X195

Level 1
Thread author
Aug 31, 2023
17
Do not set DoH in your browser. DNS over HTTPS means all your DNS queries get encrypted and sent to the preferred DNS resolver via port 443. If you set DoH in the browser, no DNS queries go to your router; all your router sees is "the encrypted traffic over port 443" and nothing else. So in such a case no filtering takes place, which defeats your intended purpose of using the AdGuard plugin. Instead, create a rule in OPNsense to route all TCP and UDP traffic on port 53 (all unencrypted DNS queries come through this port) to your AdGuard listening port.
You do not need NextDNS with your setup; you can add as many blocklists to your AdGuard server as you like (but less is better) and get the same protection as NextDNS provides.

I thought this was probably the case but just wanted to check that I wasn't somehow less secure / private by not enabling DoT in the browser in conjunction with the AdGuard > Unbound configuration. This solves it, thanks. I will leave the setting as OFF.

There are many tools, but I prefer DNS Jumper; it is simple and gives you the ability to test, change and reset your DNS server.
Thanks, I will check it out as well as the GRC one mentioned.
 

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
589
I, to the shock of many, decided a couple of days ago to try Portmaster. I've finally found a firewall I understand.

As for DNS, I've gone with Quad9, based on a YouTube video showing how to set up Portmaster. Quad9 was one of the top 3 in a list shown in the video. Cloudflare was not so great. The guy doing the video made no recommendations as to which. Might be worth watching.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,628
based on a YouTube video showing how to set up Portmaster.
Pretty bold statement from him that it is the best firewall, since you cannot even set ports/IPs, while pointing out a basic DNS setup, which can be done in any normal firewall based on the port/IP.
 


Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
589
I've been slowly fiddling with the various parts in it over the past couple of days. What I can say is, so far, the changes I've made work. I run Quad9.

As for it being "the best free firewall," everybody is entitled to their opinion. His belief is as good as anybody else's. It's like Muhammad Ali saying, "I am the greatest." Was he? Others have different views on it.

I find it very good, so far. The best? That might be stretching it. Quite frankly, I wouldn't know how to set ports, etc. in a firewall anyway. If checking a box didn't do it, then it wouldn't get done.
 

simmerskool

Level 36
Verified
Top Poster
Well-known
Apr 16, 2017
2,547
I, to the shock of many, decided a couple of days ago to try Portmaster. I've finally found a firewall I understand.
OMG! I quickly skimmed Portmaster webpage the other day, I need to look again. Meanwhile I added Windows Firewall Control (WFC) to this win10_vm and actually started to read its user guide, interface looks simple, but UG is 51 pages. Does add some hardening to WF as I understand it. This vm has Emsisoft Business and their support said WFC not only compatible but also recommended WFC. :D
 

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
589
Portmaster also has a User Guide online too. I haven't looked at it, since I doubt I'd understand it. I just watched the video I posted and one or two others and went from there. From what I read prior to downloading it, Portmaster is pretty well set up in default mode and appears to only need a little tweaking depending on personal preference. I've ticked a couple of boxes, blocking a group of sites just to check, and they were blocked, so I guess it works.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,628
Portmaster also has a User Guide online too. I haven't looked at it, since I doubt I'd understand it.
Yep, Portmaster is either too basic or too advanced, but I cannot understand any of it, just like Sphinx.
 

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
589
Yep, Portmaster is either too basic or too advanced, but I cannot understand any of it, just like Sphinx.
That describes it, and not having the means or knowledge to play with it in a VM against malware, I'm guessing the comments I've found in various places are valid and that "default mode will be enough for most people."

I have made some adjustments here and there but have left it mostly default.
 
