AdGuard Home is a network-wide ad blocker and DNS privacy solution that works at the DNS level. Unlike browser extensions that only block ads in your browser, AdGuard Home protects every device on your network — including smart TVs, IoT devices, and mobile apps. It’s a powerful alternative to Pi-hole with a modern interface, built-in encryption (DNS-over-HTTPS, DNS-over-TLS), and advanced filtering capabilities.
In this guide, I’ll show you how to set up AdGuard Home on Docker, configure DNS settings, add blocklists, and leverage advanced features like parental controls, safe search enforcement, and DNS rewrites. Whether you’re running it on a mini PC homelab, a Raspberry Pi, or a dedicated server, this setup will give you complete control over your network’s DNS traffic.
Why AdGuard Home?
Before diving into the setup, let’s understand what makes AdGuard Home special:
Network-Wide Protection: Block ads and trackers for every device connected to your network without installing software on each device.
DNS Privacy: Built-in support for DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ) to encrypt your DNS queries.
Modern Interface: Clean, responsive web UI with real-time query logs, statistics, and easy configuration.
Parental Controls: Block adult content, enforce safe search on Google/Bing/YouTube, and create custom filtering rules.
No Third-Party Dependencies: Unlike some solutions, AdGuard Home runs as a single binary with everything included.
Lightweight: Runs efficiently on low-power devices like Raspberry Pi or mini PCs.
Open Source: Fully open-source under GPLv3, regularly updated, and actively maintained.
AdGuard Home vs Pi-hole
If you’re familiar with Pi-hole, you might wonder how AdGuard Home compares. Here’s a quick comparison:
| Feature | AdGuard Home | Pi-hole |
|---|---|---|
| Interface | Modern, React-based | Classic PHP/AdminLTE |
| Encryption | Built-in DoH/DoT/DoQ | Requires cloudflared |
| Setup | Single binary | Multiple components |
| Parental Controls | Built-in | Requires extensions |
| DNS Rewrites | Native support | Requires dnsmasq config |
| Query Log Search | Advanced filtering | Basic search |
| Performance | Slightly faster | Very fast |
| Community | Growing | Mature, large |
Both are excellent choices. AdGuard Home tends to be better for users who want a modern interface and built-in encryption, while Pi-hole has a larger community and more third-party integrations.
Prerequisites
Before starting, make sure you have:
- Docker and Docker Compose installed on your server
- Static IP address for your Docker host (important for DNS stability)
- Port 53 available (used for DNS queries)
- Port 80 and 443 available (for initial setup and DoH/DoT)
- Basic understanding of DNS and your network configuration
- Router access to change DNS settings (for network-wide deployment)
Step 1: Create the Docker Compose File
Let’s create a clean directory structure for AdGuard Home:
| |
Create a docker-compose.yml file:
| |
Important notes:
- Port 53 is required for DNS queries
- Port 80/443 are needed for the web interface (you can change these if they conflict)
cap_add: NET_ADMINis required for DHCP functionality (optional)- Volumes persist configuration and query logs
If port 80 or 443 are already in use (e.g., by a reverse proxy), you can modify the ports:
| |
Step 2: Start AdGuard Home
Launch the container:
| |
Check the logs to ensure it started successfully:
| |
You should see output indicating that AdGuard Home is running. The initial setup wizard will be accessible on port 3000.
Step 3: Initial Setup Wizard
Open your browser and navigate to:
http://YOUR_SERVER_IP:3000
The setup wizard will guide you through:
Welcome Screen
Click “Get Started” to begin the configuration.
Admin Web Interface
- Listen Interface: Keep “All interfaces” unless you want to restrict access
- Port: Default is 80 (or use 3000 if 80 is taken)
DNS Server Configuration
- Listen Interface: Keep “All interfaces”
- Port: 53 (standard DNS port)
Create Administrator Account
Set a strong username and password. This will be used to access the web interface.
Configure Devices
The wizard will show you instructions for configuring devices to use AdGuard Home as their DNS server. You can skip this for now and configure it later.
Finish Setup
Click “Finish” to complete the initial configuration.
Step 4: Access the Dashboard
After completing the setup, access the admin panel at:
http://YOUR_SERVER_IP
Or, if you changed the port:
http://YOUR_SERVER_IP:3100
Log in with the credentials you created.
Step 5: Configure DNS Settings
Upstream DNS Servers
Navigate to Settings → DNS settings.
In the “Upstream DNS servers” section, you’ll configure which DNS servers AdGuard Home uses to resolve queries. Here are some privacy-respecting options:
Cloudflare (Fast, privacy-focused):
https://dns.cloudflare.com/dns-query
tls://1.1.1.1
Quad9 (Security-focused, blocks malicious domains):
https://dns.quad9.net/dns-query
tls://9.9.9.9
NextDNS (Highly customizable):
https://dns.nextdns.io/YOUR_CONFIG_ID
Mullvad (Privacy-focused, no logging):
https://doh.mullvad.net/dns-query
tls://dns.mullvad.net
You can add multiple servers — AdGuard Home will use them for redundancy.
Bootstrap DNS Servers
These are used to resolve the IP addresses of your upstream DNS servers. Use simple, reliable servers:
1.1.1.1
8.8.8.8
9.9.9.9
Enable DNS Caching
Check “Enable DNS caching” to improve performance. Set the cache size to at least 4 MB.
Enable EDNS Client Subnet
If you want accurate geolocation for CDN-served content, enable “Use EDNS Client Subnet”.
Enable DNSSEC
Check “Enable DNSSEC” to validate DNS responses and prevent DNS spoofing.
Click “Save” to apply the settings.
Step 6: Add Blocklists
Navigate to Filters → DNS blocklists and click “Add blocklist”.
Recommended Blocklists
AdGuard DNS filter (included by default):
- General-purpose ad blocking
- Already enabled
OISD (Big) — Comprehensive blocklist:
https://big.oisd.nl
1Hosts (Pro) — Aggressive blocking:
https://o0.pages.dev/Pro/hosts.txt
HaGeZi’s Multi PRO — Balanced blocking:
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.txt
Steven Black’s Unified Hosts — Ads + malware:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
EasyList — Ads and trackers:
https://easylist.to/easylist/easylist.txt
EasyPrivacy — Tracking protection:
https://easylist.to/easylist/easyprivacy.txt
Add the lists you prefer, then click “Update filters” to download them.
Custom Rules
You can add custom blocking or unblocking rules in Filters → Custom filtering rules.
Example custom rules:
# Block specific domain
||example-ad-network.com^
# Unblock a falsely blocked domain
@@||legitimate-site.com^
# Block all subdomains
||*.tracking-domain.com^
# Block specific path
||ads.example.com/banner^
Step 7: Configure Network-Wide DNS
To protect all devices on your network, configure your router to use AdGuard Home as the primary DNS server.
Option 1: Configure Your Router
Access your router’s admin panel and look for DNS settings (often under WAN, Internet, or DHCP settings).
Set the Primary DNS to your AdGuard Home server’s IP address:
Primary DNS: 192.168.1.100
Secondary DNS: (leave empty or use a fallback like 1.1.1.1)
Save and reboot the router. All devices will now use AdGuard Home automatically.
Option 2: Configure Individual Devices
If you can’t access router settings or want to test first, configure DNS on individual devices.
Windows:
- Open Network Settings → Change adapter options
- Right-click your network → Properties → Internet Protocol Version 4
- Select “Use the following DNS server addresses”
- Enter your AdGuard Home IP
macOS:
- System Preferences → Network → Advanced → DNS
- Add your AdGuard Home IP
Linux:
Edit /etc/resolv.conf or use Network Manager:
nameserver 192.168.1.100
Android:
- Settings → Wi-Fi → Long-press network → Modify network
- Advanced options → IP settings → Static
- Set DNS 1 to your AdGuard Home IP
iOS:
- Settings → Wi-Fi → Tap (i) next to network
- Configure DNS → Manual
- Add your AdGuard Home IP
Option 3: Enable DHCP in AdGuard Home
AdGuard Home can act as a DHCP server, automatically assigning IP addresses and DNS settings to devices.
Navigate to Settings → DHCP settings and enable the DHCP server.
Important: Disable the DHCP server on your router first to avoid conflicts.
Configure the DHCP range, gateway, and lease time, then save.
Step 8: Enable DNS Encryption
AdGuard Home supports encrypted DNS protocols to protect your queries from eavesdropping.
DNS-over-HTTPS (DoH)
Navigate to Settings → Encryption settings.
Click “Set up encryption”.
You have two options:
Option A: Self-Signed Certificate
Generate a self-signed certificate for testing:
| |
Copy the contents of adguardhome.crt and adguardhome.key into the web interface.
Option B: Let’s Encrypt Certificate
If you have a domain name pointing to your server, use Let’s Encrypt:
- Set up a reverse proxy (Traefik, Caddy, or nginx Proxy Manager)
- Obtain a Let’s Encrypt certificate
- Point AdGuard Home to the certificate files:
| |
Then in the web interface, enter:
- Certificate:
/certs/fullchain.pem - Private key:
/certs/privkey.pem
Enable Protocols
Check the boxes to enable:
- DNS-over-HTTPS (DoH) — Port 443
- DNS-over-TLS (DoT) — Port 853
- DNS-over-QUIC (DoQ) — Port 853 UDP
Save the settings.
Test Encrypted DNS
To test DoH on your device:
Firefox:
- Settings → Privacy & Security → DNS over HTTPS
- Choose “Custom” and enter:
https://YOUR_SERVER_IP/dns-query
Android 9+:
- Settings → Network & Internet → Advanced → Private DNS
- Enter:
adguard.your-domain.com
Step 9: Advanced Features
Parental Controls
Navigate to Settings → General settings.
Enable “Use AdGuard browsing security web service” to block malicious and phishing domains.
Enable “Use AdGuard parental control web service” to block adult content.
Safe Search Enforcement
Under Settings → DNS settings, enable “Enforce safe search” to force safe search on:
- YouTube
- Bing
- DuckDuckGo
- Yandex
This is useful for protecting children or enforcing workplace policies.
DNS Rewrites
Navigate to Filters → DNS rewrites.
DNS rewrites let you override DNS responses for specific domains. Common use cases:
Local Service Mapping:
Domain: nextcloud.local
Answer: 192.168.1.50
Block with Custom IP:
Domain: blocked-site.com
Answer: 0.0.0.0
CNAME Rewrite:
Domain: home.example.com
Answer: router.local
Query Log
Navigate to Query Log to see real-time DNS queries.
You can:
- Filter by client, domain, or query type
- Block or allow domains directly from the log
- See which devices make the most queries
Set the log retention period under Settings → DNS settings → Query logs configuration.
Statistics
The Dashboard shows:
- Total queries processed
- Blocked queries percentage
- Top queried domains
- Top blocked domains
- Top clients
You can export statistics or clear them.
Step 10: Performance Optimization
Increase Cache Size
Navigate to Settings → DNS settings and increase the cache size to reduce upstream queries:
DNS cache size: 16 MB
Enable Parallel Queries
Under Settings → DNS settings, enable “Enable parallel queries” to query multiple upstream servers simultaneously and use the fastest response.
Disable Logging (Optional)
If you prioritize performance over detailed logs, disable query logging:
Settings → DNS settings → Query logs configuration → Disable query log
Use Faster Upstream Servers
Benchmark your upstream DNS servers and choose the fastest:
| |
Or use external tools like namebench or dnsdiag.
Step 11: Monitoring and Maintenance
Update AdGuard Home
To update to the latest version:
| |
AdGuard Home also has a built-in update feature under Settings → General settings → Updates.
Backup Configuration
Backup your configuration regularly:
| |
Store backups on a separate NAS or cloud storage.
Restore from Backup
To restore:
| |
Monitor Performance
Use Settings → General settings → Verbose logging to enable detailed logs for troubleshooting.
Check Docker logs:
| |
Filter List Updates
AdGuard Home automatically updates blocklists. You can manually trigger an update:
Filters → DNS blocklists → Update all
Troubleshooting
Port 53 Already in Use
If port 53 is taken by systemd-resolved:
| |
Edit /etc/resolv.conf:
nameserver 1.1.1.1
Restart AdGuard Home:
| |
Web Interface Not Accessible
Check if the container is running:
| |
Check firewall rules:
| |
DNS Queries Not Working
Test DNS resolution:
| |
If it fails, check upstream DNS servers in Settings → DNS settings.
Some Websites Break
If legitimate sites are blocked, check the query log to identify the blocked domain.
Add a custom rule to allow it:
@@||legitimate-site.com^
Or disable specific blocklists that cause issues.
Security Best Practices
Use Strong Passwords
Set a strong password for the admin interface. Enable two-factor authentication if available (via reverse proxy like Authelia).
Restrict Access
If exposing AdGuard Home to the internet, use a reverse proxy with authentication.
Example Traefik labels:
| |
Rate Limiting
Enable rate limiting to prevent DNS amplification attacks:
Settings → DNS settings → Rate limiting
Set to 20-30 requests per second per client.
Disable Unused Services
If not using DHCP, remove those ports from the Docker Compose file to reduce attack surface.
Regular Updates
Keep AdGuard Home updated to patch security vulnerabilities.
Conclusion
You now have AdGuard Home running on Docker with network-wide ad blocking, DNS privacy, and advanced features. This setup protects every device on your network, speeds up browsing by blocking ads and trackers, and gives you complete control over DNS queries.
Next steps:
- Integrate with a reverse proxy for secure remote access
- Set up Uptime Kuma to monitor AdGuard Home
- Combine with WireGuard or Tailscale for DNS protection on mobile devices
- Explore Home Assistant integration for automation
AdGuard Home is a powerful, privacy-respecting DNS solution that belongs in every self-hosted setup. Whether you’re blocking ads, protecting your family from malicious sites, or simply taking control of your network’s DNS traffic, it’s an essential tool for any homelab.