{"id":13587313,"url":"https://github.com/hat3ph/docker-adguard-unbound","last_synced_at":"2025-04-07T21:33:35.737Z","repository":{"id":171290913,"uuid":"465582680","full_name":"hat3ph/docker-adguard-unbound","owner":"hat3ph","description":"This solution is a combination of AdGuard and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create and deploy a personally managed ad blocking capabilities , family safe search, parental controls (via AdGuard), and DNS caching with additional privacy options and DNSSEC validation (via Unbound).","archived":false,"fork":false,"pushed_at":"2023-05-31T10:47:46.000Z","size":58,"stargazers_count":17,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-02-13T21:47:19.573Z","etag":null,"topics":["adguardhome","docker","docker-compose","unbound"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hat3ph.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-03-03T05:36:53.000Z","updated_at":"2024-02-13T21:47:20.428Z","dependencies_parsed_at":"2023-06-29T14:16:29.179Z","dependency_job_id":null,"html_url":"https://github.com/hat3ph/docker-adguard-unbound","commit_stats":null,"previous_names":["hat3ph/docker-adguard-unbound"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hat3ph%2Fdocker-adguard-unbound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hat3ph%2Fdocker-adguard-unbound/tags
","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hat3ph%2Fdocker-adguard-unbound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hat3ph%2Fdocker-adguard-unbound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hat3ph","download_url":"https://codeload.github.com/hat3ph/docker-adguard-unbound/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247732869,"owners_count":20986944,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adguardhome","docker","docker-compose","unbound"],"created_at":"2024-08-01T15:06:09.106Z","updated_at":"2025-04-07T21:33:35.410Z","avatar_url":"https://github.com/hat3ph.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"## Safe Internet with Adguard and Unbound - Solution\nThis solution combines AdGuard and Unbound in a docker-compose project so that users can quickly and easily create and deploy personally managed ad blocking capabilities, family safe search, parental controls (via AdGuard), and DNS caching with additional privacy options and DNSSEC validation (via Unbound). 
\n\nThe Docker Compose file contains:\n- adguard-unbound - https://github.com/hat3ph/adguard-unbound\n\nAn initial `unbound.conf` is included as well.\n\n## Prerequisites:\n- Install docker: https://docs.docker.com/engine/install/\n- Install docker-compose: https://docs.docker.com/compose/install/\n- Run docker as non-root: https://docs.docker.com/engine/install/linux-postinstall/\n- Run `disable_dnsstublistener.sh` first to disable the systemd-resolved DNS stub listener.\n- ☁ If using a cloud provider, you need to allow ingress for the ports below:\n\n| Port      | Service                       |\n|-----------|-------------------------------|\n| 53/tcp    | AdGuard Home DNS connection   |\n| 53/udp    | AdGuard Home DNS connection   |\n| 3000/tcp  | AdGuard Home install web panel|\n| 80/tcp    | AdGuard Home web panel HTTP   |\n| 443/tcp   | AdGuard Home web panel HTTPS  |\n| 784/udp   | AdGuard Home DNS-over-QUIC    |\n| 853/tcp   | AdGuard Home DNS-over-TLS     |\n| 67-68/tcp | AdGuard Home DHCP service     |\n| 5053/tcp  | Unbound DNS connection        |\n| 5053/udp  | Unbound DNS connection        |\n\n## Quickstart\nTo get started, all you need to do is git clone the repository and spin up the containers.\n```bash\ngit clone https://github.com/hat3ph/docker-adguard-unbound.git\ncd docker-adguard-unbound\ndocker compose up -d\n```\n\n## Local Unbound DNS Server with DNSSEC validation\nTo use Unbound as the local DNS server with DNSSEC validation, use the entry below as your upstream DNS server under Settings -\u003e DNS Settings.\n```bash\n127.0.0.1:5053\n```\n\n## Modifying the upstream DNS provider for Unbound\nIf you choose to use Cloudflare for any reason you are able to modify the upstream DNS provider in `unbound.conf`.\n\nSearch for `forward-zone` and modify the IP addresses for your chosen DNS [provider](https://docs.pi-hole.net/guides/dns/upstream-dns-providers/).\n\n\u003e**NOTE:** Anything after `#` is a comment on the line. 
\nWhat this means is it is just there to tell you which DNS provider you put there. It is for you to be able to reference later. I recommend updating this if you change your DNS provider from the default values. With `forward-tls-upstream: yes`, Unbound also reads the name after `#` as the TLS authentication name for that upstream, so keep it matched to the provider you configure.\n```yaml\nforward-zone:\n        name: \".\"\n        forward-addr: 1.1.1.1@853#cloudflare-dns.com\n        forward-addr: 1.0.0.1@853#cloudflare-dns.com\n        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com\n        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com\n        forward-tls-upstream: yes\n```\n\n## Access Adguard Interface (IMPORTANT)\nFirst connect to http://xxx.xxx.xxx.xxx:3000 to set up AdGuard Home; DNS queries and ad blocking will not work until this is done.\nThe IP could be your local Docker host IP or the public IP of your cloud VPS.\n\nOnce you finish the installation wizard, comment out the following line in `docker-compose.yml` to disable the wizard page.\n```yml\n#- 3000:3000/tcp # AdGuard Home web panel\n```\n\n## DNS-over-HTTPS/TLS/QUIC\nTo use DoH/DoT/DoQ encryption, first register a valid FQDN and apply a valid SSL certificate for AdGuard Home.\n\nIf you are using a free Let's Encrypt SSL certificate, check out this [link](https://ikarus.sg/lets-encrypt-dot-android/) regarding DoT connections being denied on some Android devices due to the expired X3 root certificate.\n\nTo renew Let's Encrypt certificates manually or automatically, run the command below with the pre and post hooks, or copy the 2 scripts to `/etc/letsencrypt/renewal-hooks/pre` and `/etc/letsencrypt/renewal-hooks/post` respectively and let certbot renew automatically.\n```bash\nsudo certbot renew --pre-hook /path/letsencrypt_renewal_pre_hook.sh --post-hook /path/letsencrypt_renewal_post_hook.sh --dry-run\n```\n\n## Disable open resolver to prevent DNS Amplification Attack\nIf you run this in the cloud as your DNS server, restrict DNS access to prevent a [DNS Amplification Attack](https://openresolver.com/).\nSet up a cron job to run `iptables_ddns_update.sh` to update the iptables rule.\nDocker will re-create the docker 
iptables rule if you restart the container, which will interfere with the script's iptables rule. \nThe advice is to simply restart the VPS so the script sets up the iptables rule again from scratch.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhat3ph%2Fdocker-adguard-unbound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhat3ph%2Fdocker-adguard-unbound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhat3ph%2Fdocker-adguard-unbound/lists"}