TL;DR: I made the switch an hour ago and thought I’d share my motivations and experiences here in case anyone wants to do the same.


A few years ago, when the number of devices in my LAN threatened to get out of hand for reasonable maintainability, I made the switch to network-wide ad blocking. An older Raspberry Pi model connected directly to my router turned out to be a good solution. After checking the available options, I ran AdGuard Home on it for a while, which is (in my opinion) a nicer solution than the top dog Pi-hole, but essentially does the same thing: every DNS request is forwarded to a customisable DNS server and filtered using equally customisable blocking lists, plus there’s a nice web interface.

Third-party DNS servers have some advantages, but they are not protected against censorship (e.g. the attacks by corporations against Quad9) and surveillance. Because what used to be called ‘paranoia’ can now be called healthy caution again, my own DNS server wouldn’t be such a bad idea, I thought. The most obvious solution, setting up an Unbound in addition to AdGuard Home, did not seem wise to me for two reasons: Firstly, I have had rather mixed experiences with setting up and running Unbound on my mail server, and secondly, the concept of having to run two different services on the same device for the same purpose, which then have to talk to each other, seemed ill-conceived to me: not only is it quite complex and seems partially redundant, it is also more error-prone than a standardised solution.

Shortly afterwards, I accidentally found the answer to my doubts with the Technitium DNS server. Technitium (they have more products, but I’ll cut it short for now) is something similar to AdGuard Home and Pi-Hole: you start a software and this software then acts as a DNS server. Technitium does not (necessarily) use a third-party service, but sends all queries directly to the root nodes. This takes a little longer than usual the first time a domain is called, but is censorship-free and then (naturally, because it is within the local network) lightning-fast.

Technitium works without further configuration, right after starting (and setting the admin password) it is fully operational. Fine-tuning is possible, there are also some plugins, I myself have actually only set up a few ad filters, because Technitium can also use these by default. I like it.

I regret not having started until 2025. I was always put off by Unbound. If I had known that something like Technitium existed (for over five years now), I would probably have skipped AdGuard Home straight away. I am happy to recommend it.

  • @[email protected]
    2
    1 day ago

    I’ve got multiple adguard/unbound instances running locally. Confused as to why you don’t like unbound. It’s robust and fairly straightforward to set up IMO. Only time I’ve ever had issues with it was when I was trying to set up DoT, but that was most likely an issue on my side. Oh, there was a brief stint of some DNSSEC issues, so I opted for a less strict config. A lot of this is easily found online or via chatting with a friendly neighborhood LLM.

    I now just have it set up to recursively resolve, and it’s been running without any issue for over a year now.

    • rhabarba (OP)
      2
      1 day ago

      “It’s robust and fairly straightforward to set up IMO.”

      I never got it working reliably on OpenBSD, something always resets its root directory’s permissions to root:root which makes the service break. It’s probably unfair of me to blame Unbound for this, but it always sticks in my mind. In addition, Unbound wants a text file as configuration and the solution I have now found does not. It’s also a question of convenience, at least a little. :-)

      I’m not ruling out the possibility that I could recreate my local setup with Unbound (there should be a way to automatically download and integrate an AdBlock filter list somehow), but I admit that I’m just not familiar enough with it. It’s a bit of a shame, I know, but unlike a mail or web server, I have really big problems when my DNS server goes down with a cryptic error message. I would like to minimise this risk.
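What the original post describes (every query checked against blocking lists before it is resolved) and what this reply is looking for (a way to turn an ad-block list into something Unbound understands) are the same piece of logic. The script below is an added example written for this thread; it is not code from Technitium, AdGuard Home, Pi-hole or Unbound, and the sample list, the allowlist and the `Sinkhole` class are constructed here. It parses the two list styles most ad-block lists ship in (hosts format and AdBlock `||domain^` rules), applies suffix matching so that a listed domain also covers its sub-domains, lets an allowlist entry override a block, and renders the result as Unbound `local-zone` lines.

```python
"""Hosts/AdBlock-style blocklist -> DNS sinkhole matcher -> Unbound local-zone lines.

Added example for this thread; the sample lists and the Sinkhole class are
constructed here and are not part of Technitium, AdGuard Home, Pi-hole or Unbound.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample mixing the line styles that real ad-block lists contain.
SAMPLE_BLOCKLIST = """\
# hosts-style lines, as shipped by most Pi-hole / AdGuard Home lists
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
127.0.0.1 localhost
::1 ip6-localhost
! AdBlock-style domain rule (a '!' line is a comment in that syntax)
||banner.example.org^
telemetry.example.com
not a domain !!
"""

# Constructed allowlist: a sub-name under a blocked domain that must still resolve.
SAMPLE_ALLOWLIST = ["cdn.ads.example.com"]

# Names that appear in hosts files but must never be sinkholed.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
              "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}

_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")


def normalize(name: str) -> str | None:
    """Lower-case, drop a trailing dot and reject anything that is not a real host name."""
    name = name.strip().lower().rstrip(".")
    if not name or name in SKIP_NAMES or not DOMAIN_RE.match(name):
        return None
    if name.rsplit(".", 1)[-1].isdigit():  # "192.0.2.1" is an address, not a name
        return None
    return name


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text: str) -> set[str]:
    """Collect domains from hosts-format, AdBlock '||domain^' and bare-domain lines."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a hosts-file comment
        if not line or line.startswith("!"):       # '!' starts an AdBlock comment
            continue
        if line.startswith("||") and line.endswith("^"):
            candidates = [line[2:-1]]              # plain ||domain^ rule, no modifiers
        else:
            fields = line.split()
            # hosts format: address first, then one or more names; otherwise a bare name
            candidates = fields[1:] if _is_ip(fields[0]) else fields[:1]
        for cand in candidates:
            name = normalize(cand)
            if name:
                blocked.add(name)
    return blocked


@dataclass
class Sinkhole:
    """Suffix-matching filter: a listed domain covers all of its sub-domains."""
    blocked: set[str]
    allowed: set[str] = field(default_factory=set)

    @staticmethod
    def _suffixes(name: str) -> list[str]:
        labels = name.split(".")
        # "a.b.example.com" -> a.b.example.com, b.example.com, example.com (never bare "com")
        return [".".join(labels[i:]) for i in range(len(labels) - 1)]

    def is_blocked(self, qname: str) -> bool:
        """An allowlist entry wins over a block entry at any depth."""
        name = normalize(qname)
        if name is None:
            return False
        suffixes = self._suffixes(name)
        if any(s in self.allowed for s in suffixes):
            return False
        return any(s in self.blocked for s in suffixes)

    def unbound_config(self) -> str:
        """Render the same policy as Unbound local-zone lines: always_nxdomain sinkholes
        a zone and everything below it; an allowlisted sub-name declared as its own
        'transparent' zone is the more specific match, so Unbound resolves it normally."""
        lines = [f'local-zone: "{d}." always_nxdomain' for d in sorted(self.blocked)]
        lines += [f'local-zone: "{d}." transparent' for d in sorted(self.allowed)]
        return "\n".join(lines) + "\n"


def build(blocklist_text: str = SAMPLE_BLOCKLIST,
          allowlist: list[str] = SAMPLE_ALLOWLIST) -> Sinkhole:
    allowed = {n for n in map(normalize, allowlist) if n}
    return Sinkhole(parse_blocklist(blocklist_text), allowed)


if __name__ == "__main__":
    sink = build()
    for q in ("ads.example.com", "www.ads.example.com", "cdn.ads.example.com",
              "tracker.example.net", "example.com"):
        print(f"{q:24} -> {'NXDOMAIN' if sink.is_blocked(q) else 'resolve'}")
    print(sink.unbound_config())  # write to a file and 'include:' it from unbound.conf
```

The rendered lines go into a file that `unbound.conf` pulls in with its `include:` directive, and the script can be re-run from a timer whenever the list is refreshed. The `normalize` step matters more than it looks: public lists regularly contain `localhost` entries, stray IP addresses and malformed lines, and a single bad `local-zone` line is exactly the kind of cryptic startup failure the reply above wants to avoid, so anything that does not validate is dropped rather than written out.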