AdGuard Home Deployment

I ran Pi-hole for two years before switching to AdGuard Home. The reason was one feature: native DNS-over-HTTPS. Pi-hole can do it with cloudflared or unbound, but it's a separate service, separate config, separate thing to break. AdGuard Home just has a checkbox. That was enough to make me migrate.

Pi-hole vs AdGuard Home — the real differences

These are the three things that actually mattered when I was deciding whether to migrate.

  • DoH/DoT built-in — AdGuard Home handles encrypted DNS natively. Pi-hole needs cloudflared or unbound running alongside it, which means another service to monitor and update.
  • Per-client filtering — AdGuard lets you assign different blocklists and safe search rules to individual devices. Pi-hole added group management but it's clunkier to set up.
  • Slightly higher RAM usage — AdGuard Home uses about 45MB on my Pi 4. Pi-hole ran closer to 30MB. Not a dealbreaker, but worth knowing if you're on a Pi Zero or similar.

Everything else — blocking percentages, update frequency, basic DNS filtering — is roughly the same between them.

Quick Installation

On Linux (Any Recent Distro)

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

Or manually:

# Download latest release
wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz

# Extract
tar xvf AdGuardHome_linux_amd64.tar.gz

# Move to /opt
sudo mv AdGuardHome /opt/

# Install as service
cd /opt/AdGuardHome
sudo ./AdGuardHome -s install

Docker Method

docker run -d \
 --name adguardhome \
 -p 53:53/tcp -p 53:53/udp \
 -p 3000:3000/tcp \
 -p 80:80/tcp \
 -v "$(pwd)/adguard/work":/opt/adguardhome/work \
 -v "$(pwd)/adguard/conf":/opt/adguardhome/conf \
 --restart unless-stopped \
 adguard/adguardhome

Initial Setup

After installation, open http://YOUR_IP:3000 in a browser.

The setup wizard covers everything in three screens, which is nicer than Pi-hole's bash installer asking a dozen questions. One gotcha: if you're on Ubuntu or any distro running systemd-resolved, port 53 is already taken. Same problem Pi-hole has, same fix: sudo systemctl disable systemd-resolved, plus the stop and resolv.conf steps listed under Common Issues below.

The wizard covers:

  1. Admin credentials - Create username and password
  2. Listen interfaces - Usually leave defaults (all interfaces, port 53)
  3. DNS port - 53 is standard

After setup, the admin interface moves to port 80 (or whatever you configured).

Configure Your Network

Same as Pi-hole - point your devices at AdGuard Home's IP for DNS.

Option 1: Router DHCP

Set your router to hand out AdGuard's IP as DNS. Every device automatically uses it.

Option 2: Per-device

Manually configure DNS on each device. More control but more work.

Option 3: AdGuard as DHCP

AdGuard can be your DHCP server. Gives you per-device tracking with actual hostnames instead of just IP addresses.

Settings → DHCP settings → Enable

Encrypted DNS (Why I Switched)

Regular DNS is plaintext. Your ISP sees every domain you resolve. DoH and DoT encrypt those queries so the only thing visible is that you're talking to your upstream resolver.

Setting Upstream DNS

Settings → DNS settings → Upstream DNS servers

Examples:

# Cloudflare DoH
https://cloudflare-dns.com/dns-query

# Google DoH 
https://dns.google/dns-query

# Quad9 DoH
https://dns.quad9.net/dns-query

# Cloudflare DoT
tls://1.1.1.1

# Mix of providers (in the default load-balancing mode AdGuard rotates across all of these, so the plain entries also receive queries)
https://cloudflare-dns.com/dns-query
https://dns.google/dns-query
1.1.1.1
8.8.8.8

I use a mix: encrypted upstream for privacy, with fallback to plain DNS for reliability.
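
As an added example (not from the original post), this Python script classifies each line of an upstream list by transport and reports the entries that would carry general queries unencrypted; in AdGuard Home's default load-balancing mode every listed upstream can be picked, so plain entries are not used only when the encrypted ones fail. The sample list mirrors the mix above plus a constructed `[/lan/]` per-domain entry, and the function names are hypothetical.

```python
import re

# Transport by URL scheme, following AdGuard Home's upstream syntax.
ENCRYPTED = {"https": "DoH", "h3": "DoH (HTTP/3)", "tls": "DoT", "quic": "DoQ"}
PLAIN = {"udp", "tcp"}

# Constructed sample: the "mix of providers" list plus one per-domain upstream.
SAMPLE = """\
# Mix of providers
https://cloudflare-dns.com/dns-query
https://dns.google/dns-query
1.1.1.1
8.8.8.8
[/lan/]192.168.1.1
"""

def classify(line):
    """Return (upstream, transport, scope), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    scope = "all domains"
    m = re.match(r"\[/(.+)/\](.*)$", line)  # [/domain/]upstream limits the scope
    if m:
        scope, line = "only " + m.group(1).replace("/", ", "), m.group(2).strip()
    scheme = line.split("://", 1)[0].lower() if "://" in line else ""
    if scheme in ENCRYPTED:
        transport = ENCRYPTED[scheme]
    elif scheme == "sdns":
        transport = "DNS stamp (decode to check)"
    elif scheme in PLAIN or scheme == "":
        transport = "plaintext"  # bare IP or hostname means plain DNS
    else:
        transport = "unknown"
    return line, transport, scope

def audit(text):
    """Classify every upstream and list those that send general queries in the clear."""
    rows = [r for r in map(classify, text.splitlines()) if r]
    leaks = [u for u, t, s in rows if t == "plaintext" and s == "all domains"]
    return rows, leaks

if __name__ == "__main__":
    rows, leaks = audit(SAMPLE)
    for upstream, transport, scope in rows:
        print(f"{transport:<12} {scope:<14} {upstream}")
    print("plaintext for general queries:", ", ".join(leaks) or "none")
```

The DNS settings page also has a separate Fallback DNS servers field, which is only consulted when the regular upstreams do not answer; plain servers placed there still receive unencrypted queries whenever they are used.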

Blocklists

AdGuard comes with reasonable defaults. Add more under:

Filters → DNS blocklists → Add blocklist

Good additions:

  • OISD Big List - Solid, well-maintained
  • StevenBlack hosts - Classic unified hosts file
  • AdGuard's own lists (already included)

Start with fewer lists. I went overboard early on and broke Netflix, Spotify, and half my smart home devices. Add one list at a time and live with it for a week before adding another.

Per-Client Settings

This is the other feature that Pi-hole doesn't match well.

Settings → Client settings → Add client

You can:

  • Give each device a friendly name
  • Enable stricter filtering for kids' devices
  • Disable blocking entirely for specific devices
  • Use different upstream DNS per client

Useful for families. My kids' tablets get safe search enforced and stricter lists. My workstation gets minimal filtering so nothing breaks during development.

The Dashboard

The main dashboard shows:

  • Total queries today
  • Queries blocked (number and percentage)
  • Top blocked domains
  • Top clients
  • Top queried domains

The UI is better organized than Pi-hole's — things are where you expect them, and the stats page loads faster. You'll be surprised how chatty some devices are. My Samsung TV was making 800+ queries per day to tracking domains.

Query Log

The query log shows every DNS request, who made it, and whether it was blocked. When something breaks after adding a new blocklist, this is where you figure out which domain got caught.

One complaint: the query log gets noticeably slow once you have a few days of data on it. Pi-hole's log was snappier for large datasets. I set AdGuard's log retention to 24 hours to keep the interface responsive.

Common Issues

Port 53 Already In Use

Ubuntu runs systemd-resolved on port 53. Disable it:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Slow DNS Resolution

DoH adds a bit of latency compared to plain DNS. Caching helps (it's on by default). You also need bootstrap DNS servers so AdGuard can resolve the DoH hostnames themselves — otherwise you get a chicken-and-egg problem:

Settings → DNS settings → Bootstrap DNS servers → Add 1.1.1.1 or 8.8.8.8

App/Service Breaks

Check the query log, find the blocked domain, whitelist it if it's legitimate. Some apps (looking at you, Samsung SmartThings) actively check for DNS-based blocking and refuse to work. You pick: blocking or that app.
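
The triage described under Query Log and App/Service Breaks, as an added example that is not part of the original post: it ranks the domains blocked for one client since a new blocklist was enabled, together with the rule and list that matched. The sample entries are constructed, and the field names (T, QH, IP, Result.IsFiltered, Result.Rules) are an assumption about the one-object-per-line querylog.json file in AdGuard Home's data directory.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries, one JSON object per line; field names are assumed.
SAMPLE_LOG = [
    '{"T":"2024-05-01T18:40:03.51+00:00","QH":"ads.tracker.test","IP":"192.168.1.50","Result":{"IsFiltered":true,"Rules":[{"Text":"||tracker.test^","FilterListID":1}]}}',
    '{"T":"2024-05-01T19:02:11.204117+00:00","QH":"api.stream.test","IP":"192.168.1.40","Result":{"IsFiltered":true,"Rules":[{"Text":"||stream.test^","FilterListID":1714586400}]}}',
    '{"T":"2024-05-01T19:02:12Z","QH":"api.stream.test","IP":"192.168.1.40","Result":{"IsFiltered":true,"Rules":[{"Text":"||stream.test^","FilterListID":1714586400}]}}',
    '{"T":"2024-05-01T19:02:15Z","QH":"cdn.stream.test","IP":"192.168.1.40","Result":{}}',
    '{"T":"2024-05-01T19:03:00Z","QH":"api.str',  # truncated line, e.g. mid-write
]

def parse_ts(value):
    """Parse a log timestamp at one-second resolution (works on Python 3.7+)."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def blocked_since(lines, since, client=None):
    """Rank (domain, rule, filter list id) blocked at or after `since`,
    optionally restricted to one client IP."""
    hits = Counter()
    for raw in lines:
        try:
            entry = json.loads(raw)
            when = parse_ts(entry["T"])
        except (ValueError, KeyError, TypeError):
            continue  # skip partial or malformed lines instead of aborting
        result = entry.get("Result") or {}
        if not result.get("IsFiltered") or when < since:
            continue
        if client and entry.get("IP") != client:
            continue
        for rule in result.get("Rules") or [{}]:
            hits[(entry.get("QH"), rule.get("Text"), rule.get("FilterListID"))] += 1
    return hits.most_common()

if __name__ == "__main__":
    added = parse_ts("2024-05-01T19:00:00Z")  # when the new blocklist was enabled
    for (domain, rule, list_id), n in blocked_since(SAMPLE_LOG, added, "192.168.1.40"):
        print(f"{n}x {domain} blocked by {rule} (list {list_id}); allow with @@||{domain}^")
```

Review the matched rule before allowlisting: an exception of the form `@@||domain^` unblocks that domain for every client unless it is added under a specific client's settings.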

Updates

# Check current version
/opt/AdGuardHome/AdGuardHome --version

# Update
/opt/AdGuardHome/AdGuardHome --update

They push updates fairly often. I check once a month or whenever I see a banner in the web UI telling me there's a new version.

My Setup

This has been running for about eight months since I migrated off Pi-hole:

  • Raspberry Pi 4, running alongside a few other lightweight services
  • Cloudflare DoH as primary upstream, Quad9 DoH as fallback
  • Default blocklists plus OISD — I tried adding more but started breaking streaming apps
  • SafeSearch enforced on the kids' devices
  • My machines: standard blocking only

23 devices on the network. Sits at about 45MB RAM, which is a bit more than Pi-hole used.

What I lost switching from Pi-hole:

  • Community blocklists — Pi-hole's ecosystem is bigger. More people maintain lists for it, more forum posts about which lists to combine. AdGuard has its own format and the selection is smaller.
  • Documentation and guides — If you Google a Pi-hole problem, you'll find ten answers. AdGuard Home problems? Maybe two, and one is in Russian.
  • Regex filtering — Pi-hole's regex support is more mature. I had about fifteen custom regex rules in Pi-hole that I had to rewrite for AdGuard's syntax, and a couple of them don't have direct equivalents.

These are real trade-offs. I stayed with AdGuard because encrypted DNS mattered more to me than any of them.

Should You Switch?

If encrypted DNS matters to you and you don't want to manage cloudflared separately, switch. The migration took me about an hour, most of which was re-entering custom filtering rules. If Pi-hole is working fine and you don't care about DoH, stay. There's no reason to blow up a working setup for a nicer dashboard.
