
Local DNS Architecture: Autonomy and Privacy

This document summarizes the setup used to centralize DNS traffic, block ads/trackers, and ensure full autonomy from third-party DNS providers.

1. Autonomous Recursive Resolver (Unbound DNS)

Unbound's role is to resolve domain names by querying the Internet root and authoritative servers directly.

  • Mode of operation: Full recursion (no forwarding to third-party DNS providers).

  • Security:

    • DNSSEC enabled to ensure response integrity.

    • QNAME Minimization to limit information sent to authoritative servers.

  • Cache Optimization:

    • Configured generous cache sizes (message & RRset).
    • Prefetch enabled to refresh popular domains before they expire.
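The Unbound settings listed above, written out as an unbound.conf fragment. This is an added example, not the configuration from the original page; the listener address 127.0.0.1@5335 (AdGuard Home on the same host), the placeholder LAN 192.168.1.0/24 and the file paths are assumptions and will differ per distribution.

```conf
# unbound.conf -- added example of the section 1 resolver settings.
# Assumed: AdGuard Home forwards to 127.0.0.1:5335 on this host;
# 192.168.1.0/24 is a placeholder LAN; paths are distro-dependent.
server:
    interface: 127.0.0.1@5335
    interface: ::1@5335
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow    # only needed if AdGuard runs on another host
    access-control: 0.0.0.0/0 refuse        # never operate as an open resolver

    # Full recursion: no forward-zone stanza, so Unbound iterates from the root hints itself.
    root-hints: "/usr/share/dns/root.hints"

    # DNSSEC validation; the anchor file is kept current by unbound-anchor (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    val-clean-additional: yes

    # QNAME minimisation (RFC 9156): send each authoritative server only the labels it needs.
    qname-minimisation: yes
    # Strict mode refuses to fall back to full names; leave off unless all zones cope with it.
    qname-minimisation-strict: no

    # Generous caches; rrset-cache-size is conventionally about twice msg-cache-size.
    msg-cache-size: 128m
    rrset-cache-size: 256m
    cache-max-ttl: 86400

    # Refresh popular records shortly before they expire instead of on the next miss.
    prefetch: yes
    prefetch-key: yes      # also fetch the DNSKEYs validation will need

    # Hygiene: do not advertise the resolver, randomise query-name case (0x20).
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
```

Run unbound-checkconf before reloading, then confirm validation works with a query such as dig @127.0.0.1 -p 5335 +dnssec example.com and check that the answer carries the AD flag.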

2. Filtering and Control (AdGuard Home)

AdGuard Home acts as the filtering interface and the entry point for network clients.

  • Upstream: All filtered queries are forwarded to the local Unbound instance.

  • Encryption: Supports DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) with a valid SSL certificate to secure communications between clients and the server.

  • Filtering: Actively blocks advertising and tracker domains using community blocklists.

3. Traffic Interception and Enforcement (Firewall)

To prevent devices from bypassing the local DNS (e.g., hardcoded Google DNS or Android private DNS), two strict measures are applied on the OPNsense router:

A. NAT Redirection (Port 53)

Any outbound attempt to reach an external DNS on port 53 is intercepted and redirected to AdGuard Home.

  • Rule: If Destination is not IP_ADGUARD on port 53, then Redirect to IP_ADGUARD.
  • NAT Reflection: Enabled to allow interception within the same subnet.

B. Blocking Private DNS (Port 853)

Hardcoded DNS-over-TLS (DoT) is blocked to force devices to fall back to port 53 (which is intercepted). If clients behind the router are meant to use AdGuard Home's own DoT listener (section 2), exempt IP_ADGUARD as a destination from this rule; otherwise that listener is blocked too.

  • Action: Reject.
  • Destination: Any on port 853.

4. Validation Tests

  • Interception: An nslookup against an external server (e.g., 8.8.8.8) for a blocked domain should return 0.0.0.0, proving the query was handled by AdGuard and not Google.
  • DoT Blocking: An attempt to connect to port 853 (e.g., nc -zv 8.8.8.8 853) should be immediately refused (Connection refused).
  • Recursion: AdGuard logs should confirm queries are forwarded to the local Unbound IP.
