Scripts · Apr 15, 2026 · 3 min read

AdGuard Home — Self-Hosted Network DNS Filter with DoH/DoT

AdGuard Home is a single-binary Go DNS server that blocks ads and trackers network-wide with encrypted upstreams, parental controls, and a slick admin UI out of the box.

Introduction

AdGuard Home is open source, network-wide software for blocking ads and tracking that runs as a DNS server on your network. Unlike cloud services, it keeps all data on your hardware, and unlike Pi-hole, it ships as a single Go binary with first-class support for encrypted DNS (DoH, DoT, DoQ, DNSCrypt) built in, plus a modern Material UI. It has over 33,000 GitHub stars.

What AdGuard Home Does

  • Acts as a recursive or forwarding DNS server for every device on your LAN.
  • Blocks queries against configurable blocklists (AdGuard DNS filter, EasyList, StevenBlack, custom).
  • Terminates DoH/DoT/DoQ so clients can use encrypted DNS pointed at your box.
  • Offers parental controls, safe search enforcement, and per-client policies.
  • Runs as a DHCP server so the same box hands out leases and DNS.

Architecture Overview

AdGuard Home is a Go application that embeds a DNS server (based on dnsproxy), an HTTP admin API, and a React UI. Filters are compiled into in-memory tries for fast matching; query stats and logs go into a local BoltDB/SQLite store. Encrypted DNS endpoints are served natively without needing a sidecar like cloudflared or dnscrypt-proxy. Upstream can be plain DNS, DoH, DoT, or DoQ to providers like Cloudflare, Quad9, or NextDNS.

Self-Hosting & Configuration

  • Deploy as the single AdGuardHome binary (systemd service) or via the official Docker image — amd64, arm64, armv7, and mips are all first-class.
  • Configure blocklists, clients, and policies in AdGuardHome.yaml or through the UI.
  • Put a TLS cert (Let's Encrypt) in place and enable DoH/DoT so road-warrior phones can reach your resolver over HTTPS/443.
  • Optional DHCP server lets AdGuard hand out its own IP as DNS automatically.
  • Pair with Unbound on 127.0.0.1:5335 for fully recursive DNS without relying on a public upstream.
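
The steps above, expressed as a fragment of AdGuardHome.yaml. This is an added example, not taken from the AdGuard Home project; the hostname dns.example.com and the Let's Encrypt certificate paths are placeholder assumptions, and only the keys these steps touch are shown.

```yaml
# Fragment of AdGuardHome.yaml: merge into the existing file, do not replace it.
# Hostname and certificate paths below are placeholders (assumptions).
dns:
  bind_hosts:
    - 0.0.0.0            # plain DNS listener for LAN clients
  port: 53
  upstream_dns:
    - 127.0.0.1:5335     # local Unbound doing the recursion, as described above
tls:
  enabled: true
  server_name: dns.example.com    # placeholder; must match the certificate
  force_https: true               # redirect the admin UI from HTTP to HTTPS
  port_https: 443                 # DoH and the admin UI share this port
  port_dns_over_tls: 853          # DoT
  port_dns_over_quic: 853         # DoQ (UDP)
  allow_unencrypted_doh: false    # never answer DoH over plain HTTP
  certificate_path: /etc/letsencrypt/live/dns.example.com/fullchain.pem
  private_key_path: /etc/letsencrypt/live/dns.example.com/privkey.pem
```

Because the admin UI shares port 443 with DoH, opening that port to the internet also exposes the login page. Keep plain DNS on port 53 reachable from the LAN only so the box does not become an open resolver.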

Key Features

  • Encrypted DNS (DoH/DoT/DoQ/DNSCrypt) built-in — no second daemon needed.
  • Modern reactive web UI with query-level drilldowns and client groups.
  • Per-client blocklist + safe-search + schedule controls.
  • Native DHCP + DNS in one binary simplifies small-network topologies.
  • Blocklist compiler handles 100k+ rule sets without melting a Raspberry Pi.

Comparison with Similar Tools

  • Pi-hole — older community favorite; more blocklist tooling, requires separate cloudflared/unbound for encrypted DNS.
  • NextDNS — hosted SaaS with similar features; AdGuard Home keeps data on-prem.
  • Blocky — Go DNS blocker built for Kubernetes; minimal UI.
  • Technitium DNS — full-stack DNS with optional blocking; heavier and Windows-centric.
  • dnscrypt-proxy — client-side DoH/DoT forwarder; pair it with Pi-hole or use AdGuard to get it built-in.

FAQ

Q: Does AdGuard Home require an account with AdGuard? A: No. The binary is Apache-2.0 and fully self-contained — accounts are only used by the commercial AdGuard apps.

Q: Can I run AdGuard Home and a forwarder (unbound) together? A: Yes — point AdGuard upstream at 127.0.0.1:5335 where unbound listens.

Q: Will it break YouTube or Twitch? A: Some client-side anti-adblock tricks may require allowlisting specific CNAMEs; per-client policy solves this per device.

Q: How do I back up the config? A: Copy AdGuardHome.yaml and the data/ directory. Everything is plaintext + a single Bolt DB file.
