Self-Hosting AdGuard Home: Network-Wide Ad Blocking for Your Entire Home
Browser ad blockers work well — for browsers. But they don't cover ads in mobile apps, smart TVs, IoT devices, or any device where you can't install an extension.
AdGuard Home solves this by blocking ads at the DNS level. It acts as your network's DNS server and refuses to resolve known ad and tracking domains. Every device on your network gets ad blocking automatically, with zero configuration on the device itself.
How DNS-Level Ad Blocking Works
When any device on your network tries to load ads.tracker.com:
- The device asks your DNS server (AdGuard Home) to resolve the domain
- AdGuard Home checks the domain against its blocklists
- If blocked, it returns a "not found" response — the ad never loads
- If allowed, it forwards the query to an upstream DNS resolver and returns the real IP
This happens for every DNS query from every device on your network. No client software needed.
What it blocks (and what it can't)
Blocks effectively:
- Banner ads and pop-ups on most websites
- In-app ads on mobile devices
- Smart TV ads and telemetry
- Tracking pixels and analytics scripts
- Malware domains and phishing sites
Can't block:
- Ads served from the same domain as content (YouTube ads, Facebook ads, some Reddit ads)
- Ads that use IP addresses instead of domains
- Ads in apps that hard-code DNS servers (some smart TVs)
DNS blocking catches roughly 70-80% of ads and trackers. For the rest, you still want a browser extension like uBlock Origin.
AdGuard Home vs. Pi-hole
These are the two most popular self-hosted DNS ad blockers. Both work well, but they have different strengths.
| Feature | AdGuard Home | Pi-hole |
|---|---|---|
| Setup | Single binary or Docker | Docker or bare-metal installer |
| Web interface | Modern, clean | Functional, older design |
| DNS-over-HTTPS | Built-in | Requires additional setup |
| DNS-over-TLS | Built-in | Requires additional setup |
| DHCP server | Built-in | Built-in |
| Per-client settings | Yes, built-in | Limited |
| Safe browsing / parental | Built-in | Not included |
| Blocklist management | Simple UI | Simple UI |
| API | Yes | Yes |
| Community | Large | Very large |
| Resource usage | Low | Low |
Why this guide covers AdGuard Home
Both are excellent. AdGuard Home gets the nod here because:
- Encrypted DNS (DoH/DoT) is built-in with zero extra configuration
- Per-client settings are useful in households (different rules for kids vs adults)
- The web interface is more modern and intuitive
- Single binary deployment is simpler
Pi-hole is a perfectly fine choice too. If you're already running it, there's no reason to switch.
Self-Hosting AdGuard Home: Setup
Server requirements
AdGuard Home is extremely lightweight:
- Minimum: 256 MB RAM, any CPU (runs fine on a Raspberry Pi Zero)
- Recommended: 512 MB RAM, any modern hardware
- Storage: < 1 GB for the application; logs can grow if you enable query logging
Docker Compose setup
services:
adguardhome:
image: adguard/adguardhome:latest
container_name: adguardhome
ports:
- "53:53/tcp" # DNS
- "53:53/udp" # DNS
- "3000:3000/tcp" # Setup UI (first run only)
- "80:80/tcp" # Dashboard (after setup)
- "443:443/tcp" # DNS-over-HTTPS
- "853:853/tcp" # DNS-over-TLS
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
restart: unless-stopped
docker compose up -d
Open http://your-server:3000 for the initial setup wizard.
Initial configuration
- Set your admin password during setup
- Choose upstream DNS servers — Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) are good defaults
- Enable DNS-over-HTTPS for encrypted queries to upstream servers
- Add blocklists — the default list is good; add more from the suggestions below
Pointing your network to AdGuard Home
You have two options:
Option A: Change your router's DNS (recommended)
- Log into your router's admin panel
- Find the DHCP/DNS settings
- Set the DNS server to your AdGuard Home server's IP address
- All devices on your network will automatically use it
Option B: Change individual devices
- On each device, set the DNS server to your AdGuard Home IP
- More work, but useful if you can't modify your router
Recommended Blocklists
AdGuard Home ships with a default list. Add these for better coverage:
| List | Purpose | Domains blocked |
|---|---|---|
| AdGuard DNS filter (default) | General ads and trackers | ~50,000 |
| Steven Black's Unified | Ads, malware, fakenews | ~80,000 |
| OISD Full | Comprehensive, community-curated | ~150,000 |
| Hagezi's Pro | Balanced blocking, few false positives | ~120,000 |
Don't go overboard. More lists means more chance of false positives (legitimate sites being blocked). Start with the default + one additional list and add more only if needed.
Per-Client Configuration
One of AdGuard Home's best features is per-client rules. Use cases:
- Kids' devices: Enable safe search and parental controls
- Work devices: Block social media during work hours using schedule rules
- IoT devices: Apply aggressive blocking (these devices don't need ads ever)
- Specific devices: Whitelist domains that one device needs but others don't
Configure this in the AdGuard Home dashboard under Settings → Client Settings.
Dealing with False Positives
Occasionally, a legitimate service stops working because its domain is on a blocklist. When this happens:
- Check the Query Log in AdGuard Home's dashboard
- Find the blocked domain
- Click it and select Unblock
Common services that sometimes get blocked: Spotify (analytics domains), some banking apps, captcha services, and email tracking pixels (which you might actually want blocked).
The Honest Trade-offs
AdGuard Home is great if:
- You want ad blocking on every device without installing anything
- You have smart TVs, IoT devices, or family members who won't install ad blockers
- You want encrypted DNS (DoH/DoT) with zero additional setup
- You want per-device rules (especially useful with kids)
AdGuard Home is not ideal if:
- You only use one device and a browser ad blocker works fine
- You need to block YouTube/Facebook ads specifically (DNS blocking can't do this reliably)
- Your ISP or network won't let you change DNS settings
Bottom line: Running a DNS ad blocker is one of the highest-impact, lowest-effort self-hosting projects. Setup takes 15 minutes, it runs on hardware as small as a Raspberry Pi, and every device on your network benefits immediately. If you self-host one thing, this is a strong candidate.