Top-5 Best AdGuard Home Configuration Tips [2022]

AdGuard Home simplifies ad blocking and is a worthy competitor to Pi-Hole. This post shows you the top 5 AdGuard Home configuration tips.

Installing an ad blocker like Pi-Hole or AdGuard Home is an absolute breeze with their one-line installs. This gets you up and running in minutes!

However, these are very powerful pieces of software, and not all of their features are obvious at the outset. Previously, I compared the two pieces of software and gave a rundown of their capabilities. We have also published AdGuard Home Docker and Ubuntu/Debian guides.

This led us to think: those of you out there who aren't familiar with AdGuard Home software might enjoy a quick look at some AdGuard Home configuration tips for after installation. Here are our top 5 tips to get more out of your AdGuard Home software.

AdGuard Home Configuration Tips

Before we can describe the AdGuard Home configuration tweaks, let us ensure that you have the following requirements:

  • A working AdGuard Home installation - this article is based upon version 0.107.6
  • Access to your AdGuard Home via the Web GUI.


1. Define Client Names and Groups

By default, any device pointed at your AdGuard Home server can use it for DNS lookups. It might be useful for us to identify which device is trying to use it, and set rules around those identities.

In the name of organization and cleanliness, I like to begin by labeling things. This helps me to identify devices and group them if necessary. Groups are especially useful if you want to block specific sites for certain users or devices:

  • You vs. Guests
  • Kids vs. Parents
  • Smart TVs vs. Laptops
  • Etc.
Identifying Clients For Organization
Friendly Client Names Are Easier To Identify Than Ip Addresses.

The following is a basic example, and for a full in-depth look, head over to AdGuard Home team's wiki on clients.

How to Identify AdGuard Home Clients?

Before we can add friendly names to our devices, we must learn how to identify them. There are a few ways to identify a client:

  1. Static IPs:
    • This works especially well if you are connecting to your AdGuard Home server remotely via a VPN like Wireguard.
    • This is also possible by setting static IPs for devices in your home network from your router.
  2. MAC addresses:
    • Also useful, but not always a reliable method due to the potential for spoofing.
    • You must be using AdGuard Home as your DHCP server (dynamically allocating IP addresses) for this to work.
  3. ClientID:
    • Only if you are accessing AdGuard Home via DoT/DoH/DoQ.

Add Client Name and Group to Devices

Once you decide on how to identify your clients, we can add them under Settings --> Client settings.

Configure Adguard Home Client Settings
Client Settings Can Be Found From The Adguard Home Webpage.

From here, we will begin by adding a client via the green Add client button. Clicking on it will give us a new pop-up window.

Adguard Home Configuration - Identify Client
Clients Can Be Identified In Numerous Ways To Assist In Organization.
  • Client Name: Give your device an easy to remember name.
  • Tags: These are what I use to "group" devices. It's perhaps not the best solution as the tags are not directly modifiable - we have to use the ones given.
  • Identifiers: This is how we identify the device. In my example above, I'm identifying the device via a static IP.
  • Client Settings: The section below is used for setting client-specific options. I cover a few of them later in this article.
Note: We can set multiple Identifiers for a single device - for example your phone via VPN while away from home, and a static IP or MAC address while home. This is done by clicking the faint gray "+" (plus) symbol below the first identifier box.

Clicking Save adds our device to the table.

New Client In Table
Our Newly Added Device In The Persistent Clients Table.

Using Clients and Groups

Client names and group "ctags" can be used in a number of ways. For example:

  • Setting custom blocking rules (using client or ctag).
  • Blocking specific services.
  • Scheduling blocked services via cron jobs! Think of blocking social media during work/study hours.

2. Configure AdGuard Home Blocklists

By default, AdGuard Home comes with two blocklists (one created in-house) with a good variety of advertising and malware blocking.

We can individually add domains to our blocklist, but that can be quite cumbersome. Fortunately, folks across the internet have been gathering and aggregating lists of commonly used domains featuring advertising, malware, phishing, and more.

Once a list is added to your AdGuard Home configuration, it is updated regularly and your AdGuard Home will automatically use the updated lists. Lists can also be manually switched on and off individually.

Where Are the Blocklists in AdGuard Home?

From the homepage, click on Filters --> DNS blocklists.

Getting To Your Blocklists
Blocklists Are Found Under The Filters Heading.
Note: This screen can also be found by simply navigating to http://your.adguardhome.url/#filters

From this screen, we can activate, deactivate, add, remove, and update the blocklists.

Activate/Deactivate a Blocklist:
Default Adguard Home Blocklists
By Default, Only One List Is Enabled And Active.

To the left of a blocklist, you can find a checkbox under the Enabled column. Ticking or un-ticking the box will enable/disable a given list.

Updating Blocklists:

The lists are, by default, updated every 24 hours. To update manually, find the blue Check for updates button at the bottom of the blocklists screen (seen above).

The update interval can be changed in the Settings --> General Settings screen. The first option is whether or not to use the blocklists, while the drop-down below provides some options for update intervals.

Finding Additional Blocklists

For starters, where do we even find more lists? What do they do? Who is keeping them updated? As the advertising, adware, malware, and phishing scenes are constantly evolving, these are difficult questions that don't really have definitive answers.

AdGuard Home gives us two options which we investigate below.

Internal Lists:

AdGuard Home ships with two blocklists, although by default, one of them isn't even enabled! Let's remedy that and see what else AdGuard Home is hiding under the proverbial hood.

Once we are on the DNS blocklists page, we are greeted with the two default lists. In the bottom left-hand corner, we see a green button labeled Add blocklist. Clicking on it gives us two options, which aren't immediately clear. In this section we will focus on the Choose from the list option, while we will cover Add a custom list below.

Two Ways To Add Blocklists
There Are Two Ways To Add Blocklists To Adguard Home.

Click Choose from the list, and we are greeted with another window. Here we have a curated group of blocklists that can easily be added to your AdGuard Home server. Tick the checkboxes of a few (or all) of the lists, and click Save to add and enable them.

25 Available Lists
Adguard Home Ships With General, Security, And Regional Specific Lists.

You should now see them listed in the table. It might take a few seconds for your AdGuard Home server to download and add all of the lists if you selected multiple.

Curated lists:

A quick search using your favorite search engine will probably turn up a variety of lists, but a great place to start is The Firebog.

CAUTION:

  1. Before adding every list on their website (or from any site for that matter), make sure it is from a trusted source. An untrusted list is a very easy way for someone to sneakily substitute a malicious website for one you normally trust (think bank websites, social media, email, etc.).
  2. Pay attention to the warnings listed at the top of the Firebog website. It clearly states which lists are likely to cause problems and which will operate silently.
  3. Adding millions and millions of blocked domains will significantly increase the amount of system memory (RAM) used by AdGuard Home, so be sure to look at the number of sites in each list. I haven't come up with a good method for combating overlapping lists, but this would potentially also help to remove duplicates and reduce the memory footprint.
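One way to act on cautions 1 and 3 before adding lists is sketched below. This is an added example, not code from the author or from AdGuard Home: it parses hosts-format and adblock-style lists, reports how much they overlap, and flags entries that do more than block (hosts lines that answer with a non-null IP, `$dnsrewrite` rules, `@@` exceptions). The two sample lists and their domains are constructed.

```python
import ipaddress
import re
from itertools import combinations

ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.*_-]+)\^(\$.*)?$")
DOMAIN_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

def _as_ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def parse_blocklist(text):
    """Return (blocked_domains, review) for one list; review holds
    (line_number, reason, line) for entries that do more than block."""
    blocked, review = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        if line.startswith("@@"):
            review.append((lineno, "exception rule (unblocks a domain)", line))
            continue
        m = ADBLOCK_RE.match(line)
        if m:
            if "dnsrewrite" in (m.group(2) or ""):
                review.append((lineno, "rewrites the DNS answer", line))
            else:
                blocked.add(m.group(1))
            continue
        fields = line.split("#", 1)[0].split()  # drop inline hosts comments
        ip = _as_ip(fields[0])
        if ip is not None and len(fields) >= 2:
            if ip.is_unspecified or ip.is_loopback:
                blocked.update(fields[1:])  # 0.0.0.0 / 127.0.0.1 style block
            else:
                review.append((lineno, "hosts entry answers with a non-null IP", line))
        elif ip is None and len(fields) == 1 and DOMAIN_RE.match(fields[0]):
            blocked.add(fields[0])  # bare domain per line
        else:
            review.append((lineno, "syntax not handled by this parser", line))
    return blocked, review

def overlap_report(lists):
    """lists: {name: set_of_domains}. Totals plus pairwise overlap counts."""
    total = sum(len(d) for d in lists.values())
    unique = len(set().union(*lists.values()))
    pairs = {(a, b): len(lists[a] & lists[b])
             for a, b in combinations(sorted(lists), 2)}
    return {"total": total, "unique": unique,
            "duplicates": total - unique, "pairs": pairs}

# Constructed sample lists (not real blocklists).
LIST_A = """\
# constructed sample, hosts format
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 telemetry.example.org
203.0.113.10 bank.example.com
"""
LIST_B = """\
! constructed sample, adblock-style
||ads.example.com^
||tracker.example.net^
||metrics.example.org^
||login.example.com^$dnsrewrite=203.0.113.10
@@||cdn.example.net^
"""

if __name__ == "__main__":
    parsed = {n: parse_blocklist(t) for n, t in
              {"list_a": LIST_A, "list_b": LIST_B}.items()}
    print(overlap_report({n: p[0] for n, p in parsed.items()}))
    for name, (_, review) in parsed.items():
        for lineno, reason, line in review:
            print(f"{name}:{lineno}: {reason}: {line}")
```

To check a real list, download it to a file first and pass the file's text to `parse_blocklist`; anything in the review output deserves a look before the list's URL goes into AdGuard Home.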

Once you have found a blocklist you would like to add, copy the URL, and head to your DNS blocklists page. In the bottom left-hand corner, we see a green button labeled Add blocklist. Clicking on it gives us two options, which aren't immediately clear. In this section we will focus on the Add a custom list option, while we covered Choose from the list above.

Click the blue Add a custom list button and we have a new window. Give your new blocklist a fancy name, and paste the URL into the second box.

Custom Blocklists Added Via Url
Make Sure The Url Resolves To The Actual List.

Click Save and the list will show up in the table. If it was added successfully, the pop-up window will close and you will see a small green box indicating success in the bottom right-hand corner. If the pop-up doesn't close and you see a red box with an error, there's an issue with the list or the URL you attempted to add.

Multiple Blocklists Added
Successfully Added More Blocklists!

3. Customize AdGuard Home DNS Servers and Settings

Without going into detail about how AdGuard Home works (we have an entire article dedicated to that!), just know that it will use upstream DNS servers to fill its own "cache" for answering our web requests.

Upstream DNS servers are the servers that hold the addresses of all websites around the world. There are a number of settings we can use to easily improve the reliability, security, and performance of AdGuard Home with regard to DNS.

Why Do Upstream DNS Servers Matter?

From a privacy standpoint, DNS servers can know a LOT of information about our browsing history. How the owner of that service treats your data will depend on each of their policies. Both Google (8.8.8.8) and Cloudflare (1.1.1.1) are relatively transparent about their privacy policies. But others may not be as honest.

Other considerations are the speed at which our requests are answered, and what other services a DNS service might provide.

For example, some services provide "family-friendly" DNS services that automatically block malware or adult content.

Besides, there are many ways to query a DNS server, some of which can increase your security (see DNSSEC, DoT, DoH, and DoQ), and privacy (see DNSCrypt, unbound).

AdGuard maintains a good list of DNS providers in their knowledge base with some basic descriptions of each.

Set Upstream DNS Servers:

Setting an upstream DNS server starts by heading to Settings --> DNS settings. From this screen, you can set one or multiple DNS servers, and even select how they are used. Fortunately, AdGuard Home has done an excellent job of providing some explanations and examples right on the page, although it is non-exhaustive.

Add Upstream Dns Servers
Add Your Preferred Upstream Dns Servers Here.

The default installation of AdGuard Home utilizes Quad 9's DoT server which is not a bad start. But feel free to add/modify it to your liking.

General DNS settings

Besides setting your upstream DNS servers, there are a number of settings lower down the page that we can benefit from:

More Adguard Home Dns Settings
More Settings For Our Upstream Dns Queries.
  • Rate Limit: If your AdGuard Home instance is reachable from the internet (which I don't necessarily recommend without putting a few security measures in place), you can limit the chance of it being used for attacks by limiting the number of requests any device can make per second. The default is pretty good. Generally, I don't recommend changing this unless you know what you are doing.
  • Enable EDNS Client subnet: If you are only using AdGuard Home from your house, this setting isn't helpful. However, if you are using it from another location, this setting sends part of your IP address to the upstream DNS server. This is done to return to you the fastest (closest) server to your device.
  • Enable DNSSEC: I would definitely recommend this setting. By enabling DNSSEC, the returned DNS answers are signed to ensure they came from a legitimate source and haven't been tampered with.
  • Disable resolving of IPv6 addresses: It's generally OK to leave this setting on, especially as we head toward an IPv6 internet. In the past, resolving IPv6 addresses would only be useful if you even had an IPv6 address. These days they are becoming more common as the world runs out of IPv4 addresses.
  • Blocking Mode: Default is a good choice for most people, no need to change unless you know why you wouldn't want it to return a null IP.
DNS Cache Settings:

In the next section we have cache settings. The cache is where AdGuard Home stores the addresses of your previous requests. This speeds up your web browsing by answering queries from this cache instead of reaching out to the upstream DNS servers again.

For the most part the default settings should be fine, but feel free to increase the cache size (default is 4Mb) if you have many devices and sites are slow to be found.

Optimistic Caching: This setting can be useful to speed up requests, but generally not necessary as you'd want the most updated answer and not an old one.

DNS Access Control:

This acts as a sort of white list or blacklist for who can use AdGuard Home. This can be useful if your AdGuard Home instance is open to more than just the devices in your home network.

By using the Allowed clients section, you could potentially add IP ranges aligning with your ISP and Cellular provider to severely limit access if open to the internet.

The Disallowed clients section is a blacklist and is only used if the above is empty.
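Because a non-empty allowlist overrides the blacklist, it is easy to lock out a device by accident. The following dry run is an added example (not from the article or AdGuard Home) that models the precedence described above and lists which known clients would lose access. It assumes list entries are IPs, CIDR ranges or ClientIDs; all client names and addresses are constructed.

```python
import ipaddress

def _match(entry, client_ip, client_id):
    """True if one access-list entry (IP, CIDR or ClientID) matches the client."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(client_ip) in network
    except ValueError:
        # Entry is not an IP or CIDR: treat it as a ClientID (assumption).
        return client_id is not None and entry.lower() == client_id.lower()

def is_allowed(client_ip, allowed, disallowed, client_id=None):
    """Model of the rule in the text: a non-empty allowlist is the only
    thing consulted; the blacklist applies only when the allowlist is empty."""
    if allowed:
        return any(_match(e, client_ip, client_id) for e in allowed)
    return not any(_match(e, client_ip, client_id) for e in disallowed)

def lockout_report(clients, allowed, disallowed):
    """clients: {name: (ip, client_id_or_None)}. Names that would be refused."""
    return sorted(name for name, (ip, cid) in clients.items()
                  if not is_allowed(ip, allowed, disallowed, cid))

# Constructed inventory: addresses come from documentation/private ranges.
CLIENTS = {
    "laptop":    ("192.168.1.20", None),
    "guest":     ("192.168.1.200", None),
    "phone-lte": ("198.51.100.77", None),
    "phone-dot": ("203.0.113.5", "kris-phone"),  # identified by ClientID
}
ALLOWED = ["192.168.1.0/25", "198.51.100.0/24", "kris-phone"]
DISALLOWED = ["192.168.1.20"]

if __name__ == "__main__":
    # Allowlist set: the blacklist entry for the laptop has no effect,
    # and the guest outside the /25 is refused.
    print("with allowlist:", lockout_report(CLIENTS, ALLOWED, DISALLOWED))
    # Allowlist empty: only the blacklist applies.
    print("blacklist only:", lockout_report(CLIENTS, [], DISALLOWED))
```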


4. Configure AdGuard Home Local DNS Entries

AdGuard Home can act as a local DNS resolver by using local DNS entries. Local DNS entries are a simple configuration that allows you to create domain names for your personal websites. They can be useful in many ways, especially for those of you self-hosting applications. Some examples:

  1. Self-hosted application(s): By self-hosting an application, you can often connect to a service via the local IP address where it is hosted. For example, you might get to your Nextcloud instance by using http://192.168.1.125. By using a local DNS entry, we only have to remember http://nextcloud.mydomain.tld. The beauty of it is you don't even have to use a real domain name, or one you even own.
  2. Domain via external IP outside home, and local IP at home: If you've registered a domain name to a service you are hosting at home, you might want to access it both locally and away from home. When away from home, you would simply use your https://example.domain.tld to access the service which is mapped to your public IP. However, when you are on your home network, that same address won't work without NAT hairpinning. To remedy that, you can set the same URL to resolve to the local IP address instead.
  3. Hide services behind a VPN: Similar to the above, we can register a domain name, but not point it to our external IP address. Instead, we might simply register it to a loopback address like 127.0.0.1. However, internally we can set AdGuard Home to resolve the domain name via a VPN tunnel like Wireguard.
Note for examples 1 and 3 above:
If you want or need TLS certificates from Let's Encrypt, you will actually need to register the domain name and you will need to get the certificates via the DNS challenge.

Adding DNS Rewrite Entries

From our Dashboard, head to Filters --> DNS rewrites. From this screen we can easily add entries and where we want them redirected to.

Dns Rewrites Found From Dash
Dns Rewrites Is The Name For Local Dns Entries.

In the DNS rewrites screen, click the green Add DNS rewrite button. This will bring up a new window.

Dns Rewrite Window
Here We Can Redirect Any Url To Any Ip Or Even Url.

Examples are given in the window. We can simply redirect a domain, subdomain, or use the wildcard character * to indicate ALL subdomains under a domain.

Successful Dns Rewrites
Wildcard Entries Are A Powerful Way To Forward All Subdomains.

5. Block and unblock individual sites

Sometimes there are sites, services, or individual URLs that we want to block (or unblock) that don't coincide with the blocklists we have enabled. Not to worry, there are 3 ways to handle this. We will look at all three briefly, beginning with the easiest method.

Blocked Services (Easy)

AdGuard Home ships with a number of common services that the admin can easily block at will. From your dashboard, go to Filters --> Blocked services.

Getting To Blocked Services
Blocked Services Is Tucked Away Under "Filters".

From here, we have a large list of services we can block with the flip of a switch.

Quick Block Service
Quickly Blocking A Service Couldn't Be Faster.

In the example above, I've ticked Amazon.

Important:
Clicking the switch does not automatically start blocking the service! You will need to scroll to the bottom and click Save. After which, you should see a green confirmation dialogue pop-up in the bottom right-hand corner.

Keep in mind that this is a global block for ALL users. If you would like to block a service for an individual user, it is possible from the Client dialogue described above.

From the Query Log (Intermediate)

The Query Log is the log in which all requests are shown. By default, the log is enabled, stores the IP of the client, and is saved for 90 days. All of these settings are configurable in your Settings --> General settings window under Log settings.

From the dashboard, simply click on Query Log along the top menu.

Adguard Query Log
The Query Log Shows All Requests Our Devices Make.

From here, we can see all the queries made to AdGuard Home. They can be filtered in the top right-hand corner, or we can type a client name or domain name in the search box at the top.

Once you've found the domain you want to block/unblock, hover your mouse over the line. To the right you will see a button labeled Block or Unblock. Clicking the small down arrow to the right will give you additional options.

Unblock Directly From Query Log
Unblocking And Blocking Done Directly From The Query Log.

In the example above, I added Facebook as a blocked service. After trying to access it (unsuccessfully), it shows up in our query log.

You can see above that I filtered by blocked services, and have selected to Unblock for this client only. After clicking, a green box pops up in the bottom right-hand corner to show that a custom rule was added, and what that rule is.

The syntax for the rule can be quite confusing at first. Where to find these rules and how they are written are described in the section below.

Custom Rules (Advanced)

Custom rules are where software like AdGuard Home goes from being good software to extremely powerful software. I put this under advanced because the syntax can be a bit odd at first. You can find the custom filter rules under Filters --> Custom filtering rules.

Get To Custom Filter Rules
Custom Filter Rules Are Unsurprisingly Under The Filters Section.

AdGuard Home gives a few simple examples directly below the entry box. There are no rules added by default.

Following the Learn more link below the examples gives the full explanation of what's possible with custom rules.

Seeing as this is a quick post, I won't dedicate much to this section as most is spelled out in great detail at the above link.

Custom Rules Complexity
Custom Rules Can Be Complex At First Look.

If you came here from the above section, here we can see the custom rule added when we clicked Unblock for this client only from the Query Log.

Query Domains On A Blocklist

If you ever run into the issue where a domain appears to be blocked, but you can't find it in the Query Log, AdGuard Home comes with a neat little tool to check if a domain is in a blocklist or has been blocked via custom rules.

Like the above section, head to Filters --> Custom filtering rules. Scroll down to the bottom where you will see Check the filtering.

Filter Check
Check Domains From Any Filter Or Blocked Service Here.

Type in the desired query and click Check.

Finding A Blocked Service
We Can Find Blocked Services And Even Directly Unblock.

Here we can see that "amazon.com" is blocked, and we can see that it is blocked because we ticked the switch under Blocked services. If it originated from one of our blocklists, they will be shown in the resulting box.

Note: This search only shows results for domains blocked/unblocked for ALL users. It won't return results on a per-client basis.

For example, let's say we blocked the domain eviltracker.com for one of our clients (seen above). When we search for the domain, we can see that it shows Not found in filter lists.

Check Filter Not Per Client
Even Though Blocked For A Client, It Returns Not Found.

If you have many custom rules created and are having trouble tracking down a specific domain, I recommend the good ol' Ctrl + F search on the same page.

Use Ctrl F To Find Domains
Sometimes Ol' Reliable Tools Work Best!

BONUS: Updating AdGuard Home

Updating AdGuard Home is a (thankfully) simple process. As soon as you log into your AdGuard Home's dashboard, you will see a blue notification bar across the top of the screen letting you know an update is available.

If you'd like to check manually, scroll to the bottom of the screen, and in the bottom right-hand corner you will see the software's version number. Just to the right is a little white/blue button where you can manually trigger the update check.

Update From The Top Or Bottom
The Top Bar Will Update, And Checks Can Be Made From The Bottom Right.

Directly Installed (not containerized)

If you installed AdGuard Home via the one-line installation, or by downloading the binary directly from GitHub, you can simply click the big blue Update now button on the top banner.

Update In Progress
Updates Are Easy And Painless.

The update will take a few seconds to complete and refresh the page when finished. Voilà!

Containerized (Docker, Podman, etc.)

As always, it's never a good idea to update software within a container. Instead, pull the new image, take down the old container, and run the newly pulled image.

The "why" to this method is a bit outside the scope of this article. The short answer is that containers are designed to be used as they were created. Updates often involve new dependencies which don't always play nice in old containers.


Conclusion

AdGuard Home is undoubtedly one of my favorite pieces of software in my self-hosted collection. Pi-Hole makes a nice alternative and can easily be dropped in as a substitute.

After having used both fairly extensively, I must admit that the power of AdGuard Home is less obvious at first glance. Hopefully, this article has given you a taste of that with some tips on getting it personalized to your liking. As mentioned throughout the article, I highly recommend digging into the AdGuard Home configuration documentation, as it is filled with informative examples.

As always, safe browsing and if you have some other good tips-and-tricks, feel free to share them in the comments section below!


Kristopher

Kristopher is a tech enthusiast interested in teaching and simplifying technology for others. Online privacy and responsibility have become of utmost importance and he aims to help others reduce their reliance on tech giants.