TL;DR

AdGuard Home turns any homelab server into a network-wide ad and tracker blocker that works across every device on your LAN — no per-device configuration needed. One Docker container, roughly 15W of power, blocks 15-20% of DNS queries before they leave your network. This guide covers the full setup: Docker Compose, blocklists that catch more than the defaults, encrypted DNS configuration, and per-device filtering rules.

Why DNS-Level Blocking

Most ad blockers work per-device. Browser extension on your laptop, app on your phone, maybe a system-level app. Every new device or browser needs its own setup. And none of this touches the smart TV telemetry, IoT device phoning home, or gaming consoles sending data to unknown servers.

AdGuard Home sits at the DNS layer. Every device on your network routes DNS queries through it. Block something once, it is blocked for everything. The privacy benefit is equally important — your DNS queries do not go to your ISP or Google by default. You control what gets resolved and by whom.

Prerequisites

  • A server or NUC running Docker
  • Port 53 available (not used by systemd-resolved or another service)
  • Access to router DHCP settings (to point devices to AdGuard)
  • 15-20 minutes

Docker Compose Setup

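services:
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    # Host networking: the container binds directly to the host's ports, so
    # there is no ports: section (Compose rejects or ignores port mappings
    # when network_mode is host). Ports in use on the host:
    #   53/tcp, 53/udp   DNS
    #   853/tcp          DoT (DNS over TLS)
    #   3000/tcp         Admin web UI
    network_mode: host
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
    restart: unless-stopped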

The network_mode: host line is critical. DNS interception requires the container to see actual network traffic, not a translated view through Docker internal DNS. Without host networking, queries resolve fine but nothing gets blocked.

If port 53 is already in use, check what is using it:

sudo ss -tulnp | grep ':53 '

Common culprit: systemd-resolved. Stop and disable it, then point /etc/resolv.conf to your server IP:

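sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
# /etc/resolv.conf is usually a symlink into /run/systemd/resolve; replace it with a real file
sudo rm -f /etc/resolv.conf
echo "nameserver YOUR_SERVER_IP" | sudo tee /etc/resolv.conf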

Initial Configuration

Navigate to http://YOUR_SERVER_IP:3000. The first-run wizard walks you through admin credentials, interface binding (set to 0.0.0.0 for LAN access), and upstream DNS.

For upstream DNS servers, use encrypted options — not plain Google or your ISP:

https://dns.cloudflare.com/dns-query
https://dns.google/dns-query

This matters: if you run AdGuard but send all queries to Google DNS in plaintext, your ISP or anyone watching your network can still see every domain you visit.

Blocklists That Actually Work

The default blocklists catch maybe 30%. You want layered lists.

Tier 1: The Big One

https://big.oisd.nl — One massive consolidated list, ~120,000 domains, updates daily. This alone catches more than all the default lists combined.

Tier 2: Privacy Extras

https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt — AdGuard official filter, actively maintained.

https://badmojr.ethz.ch/adblock.txt — Known malware and phishing domains.

Tier 3: Optional Category Lists

Social media widget trackers, cookie notice scripts, mobile app telemetry. Do not add these on day one — run with big.oisd.nl for a day first, check the query log, then add based on what you actually see.
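One way to act on that advice is to measure which domains from your query log a candidate list would block that your current lists do not. This is an added example, not AdGuard Home code: the rule text and observed domains are constructed, each list is evaluated on its own, and only `||domain^`, `@@||domain^` and hosts-style lines are parsed.

```python
import re

# Rule shapes handled here (others, e.g. rules with $modifiers, are skipped):
#   ||ads.example^        adblock-style: the domain and all its subdomains
#   @@||cdn.example^      exception: allow the domain and its subdomains
#   0.0.0.0 ads.example   hosts-style: that exact name only
ADBLOCK = re.compile(r"^(@@)?\|\|([a-z0-9._-]+)\^$")
HOSTS = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+([a-z0-9._-]+)$")

def parse_list(text):
    """Return (suffix_rules, exact_rules, exceptions) as sets of domains."""
    suffix, exact, allow = set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop hosts-style comments
        if not line or line.startswith("!"):          # blank or adblock comment
            continue
        if m := ADBLOCK.match(line):
            (allow if m.group(1) else suffix).add(m.group(2))
        elif m := HOSTS.match(line):
            exact.add(m.group(1))
    return suffix, exact, allow

def in_suffix_set(domain, rules):
    """True if the domain or any parent domain is in rules."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))

def is_blocked(domain, parsed):
    suffix, exact, allow = parsed
    domain = domain.lower().rstrip(".")
    if in_suffix_set(domain, allow):
        return False                                  # exceptions win over blocks
    return domain in exact or in_suffix_set(domain, suffix)

def added_coverage(observed, current, candidate):
    """Observed domains that only the candidate list would block."""
    return sorted(d for d in set(observed)
                  if is_blocked(d, candidate) and not is_blocked(d, current))

# Constructed sample data: a current list, a candidate category list, and
# domains as they might appear in the query log.
CURRENT = "! general list\n||doubleclick.net^\n||tracker.example^\n"
CANDIDATE = ("# telemetry list\n0.0.0.0 telemetry.tv-vendor.example\n"
             "||metrics.game.example^\n||doubleclick.net^\n@@||cdn.metrics.game.example^\n")
OBSERVED = ["ad.doubleclick.net", "telemetry.tv-vendor.example", "eu.metrics.game.example",
            "cdn.metrics.game.example", "nextcloud.internal"]
NEW = added_coverage(OBSERVED, parse_list(CURRENT), parse_list(CANDIDATE))
```

A candidate list whose added coverage is empty for your own traffic costs RAM without blocking anything new.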

Encrypted DNS Upstream (DoH/DoT)

AdGuard supports DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). Configure upstream servers using encrypted protocols so your ISP cannot see your query log.

When configuring devices to use your AdGuard server remotely, enable DoT/DoH in AdGuard settings, then configure clients:

  • Android: Settings > Network > Private DNS > enter your AdGuard hostname
  • iOS/macOS: Use a DNS privacy profile or third-party app
  • Router: Set DNS-over-TLS provider to your AdGuard instance

Per-Device Filtering

This is the feature most tutorials skip. AdGuard shows every device by hostname or IP in the query log. You can apply different blocklists and filtering rules per device:

  • Work devices: Standard blocking
  • Gaming PCs: Block game telemetry domains
  • Kids devices: Strict mode with adult content domains blocked
  • Guest devices: Minimal blocklists, just malware domains

Go to Settings > DNS Settings > Access settings. Each connecting client shows up here with its own rule assignment.

Custom DNS Rewrite Rules

Internal hostnames you want resolving across all devices:

local-data: "nextcloud.internal A 192.168.1.100"
local-data: "homeassistant.internal A 192.168.1.101"
local-data: "pihole.internal A 192.168.1.102"

No more managing /etc/hosts on every device.

What Actually Changed After 6 Months

My smart TV was making 800+ DNS queries in 2 hours, mostly to unknown third-party trackers I never heard of. After AdGuard: essential domains only. My phone sent 40+ tracker queries overnight while charging. Now: none.

I track 15-20% of daily queries blocked. The query log is the fastest way to diagnose “why is device X slow” or “what is app Y actually doing.”

Common Problems

Nothing getting blocked: Devices are not using AdGuard as their DNS. Router DHCP settings override everything. Set the router DHCP DNS to your AdGuard IP.

Streaming services do not work: Some use DNS for region detection. Check the query log when a stream fails, whitelist the blocked domain.

Container uses lots of RAM: 150-300MB with 100K+ blocklist entries is normal. Over 500MB means too many lists or a memory leak — restart and reduce.

Verifying It Works

Visit a site like whoamigoingtocallhome.com. If AdGuard is working, it will not load properly or will show blocked elements.

Check your query log in real-time while browsing a site you know runs ads. The blocked queries list will be longer than you expected.
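To script that check, the added example below sends one A query for a domain you expect to be blocked and classifies the reply. It is not part of AdGuard Home. It treats an NXDOMAIN or REFUSED reply, or an answer of only 0.0.0.0, as blocked; `sample_reply` builds constructed replies for offline use.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """DNS query for one A record, recursion desired."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", 1, 1)

def skip_name(msg, pos):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records in the answer section])."""
    _, flags, qd, an, _, _ = struct.unpack(">6H", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4              # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, addrs

def verdict(msg):
    """Classify a reply for a domain you expect to be on a blocklist."""
    rcode, addrs = parse_response(msg)
    if rcode in (3, 5) or (addrs and all(a == "0.0.0.0" for a in addrs)):
        return "blocked"                           # NXDOMAIN/REFUSED, or null-IP answer
    return "resolved" if addrs else "no-answer"

def check(server, name, timeout=3.0):
    """Ask the resolver at `server` (your AdGuard Home IP) over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return verdict(s.recv(4096))

def sample_reply(name, ip=None, rcode=0):
    """Constructed reply for offline testing: the question plus at most one A record."""
    q = build_query(name)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 10, 4) + socket.inet_aton(ip) if ip else b""
    return q[:2] + struct.pack(">5H", 0x8180 | rcode, 1, len(rr) // 16, 0, 0) + q[12:] + rr
```

Run `check("YOUR_SERVER_IP", "doubleclick.net")` from a LAN client. A "resolved" verdict means that client is not using AdGuard as its DNS or the domain is not on any enabled list.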

Next Steps

Once AdGuard runs smoothly, the natural follow-up is encrypted DNS for your mobile devices. AdGuard offers a free DNS-over-TLS service, or self-host the encrypted DNS listener for full control. For the privacy-conscious, consider running your own recursive resolver like unbound instead of Cloudflare or Google upstream.

FAQ

Q: Does AdGuard Home slow down my network?

A: Minimal impact. DNS queries are fast (typically 5-20ms added latency). With encrypted upstream DNS (DoH/DoT), you might see 10-30ms additional latency, but the privacy benefits outweigh this for most users. Many users report faster browsing due to blocked ad domains.

Q: Can I run AdGuard Home on the same server as other services?

A: Yes. AdGuard uses about 150-300MB RAM with large blocklists. Just ensure port 53 is free and use host networking mode for proper DNS interception. Do not run it inside a Docker network — DNS interception requires direct host network access.

Q: What is the best blocklist for AdGuard Home?

A: Start with https://big.oisd.nl — it is a single consolidated list with ~120,000 domains that outperforms most multi-list setups. Add AdGuard DNS filter as a secondary. Only add category lists (social media, telemetry) after running for a few days and reviewing your query log.

Q: How do I set up encrypted DNS (DoH/DoT) for mobile devices?

A: In AdGuard settings, enable DNS-over-TLS and note your tunnel hostname. On Android: Settings > Network > Private DNS > enter your AdGuard hostname. On iOS/macOS: Use a DNS privacy configuration profile or a third-party app like DNScrypt.

Q: Can AdGuard Home block YouTube ads?

A: Not directly — YouTube serves ads from the same domains as regular video content. For YouTube ad blocking, use a browser extension like uBlock Origin on each device, or use a YouTube Premium subscription. AdGuard excels at tracker and telemetry blocking instead.

Q: How do I check if AdGuard is actually working?

A: Visit a known ad-serving site like whoamigoingtocallhome.com — it should not load properly. Check your query log in real-time. You should see 15-20% of queries blocked on a typical network. Run nslookup doubleclick.net from a device on your network — if AdGuard is working, it will return a blocked response.
