Install via Docker
# Run from the directory that should hold conf/ and work/
docker run -d \
  --name adguard \
  --restart unless-stopped \
  -p 53:53/tcp -p 53:53/udp \
  -p 67:67/udp \
  -p 853:853/tcp \
  -p 784:784/udp \
  -p 8080:80 \
  -p 3000:3000 \
  -v "$PWD/conf":/opt/adguardhome/conf \
  -v "$PWD/work":/opt/adguardhome/work \
  adguard/adguardhome:latest
Port 53 is DNS, 67 is DHCP, 853 is DoT, and 784 is DoQ (over UDP). Container ports 3000 and 80 are the web UI (3000 during setup, 80 after); the command above publishes container port 80 on host port 8080.
Free port 53 first
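If systemd-resolved is using port 53 on the host (see that tutorial), disable its stub listener:
# /etc/systemd/resolved.conf
[Resolve]
DNSStubListener=no
Then restart the service and point the host's own resolver at AdGuard Home:
sudo systemctl restart systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
From this point the host resolves names only while AdGuard Home is listening on 127.0.0.1, so pull the image before making this change.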
First-run setup
Browse to http://<host>:3000 for the setup wizard:
- Pick the interfaces / ports.
- Create the admin user.
- Confirm the setup is complete — web UI moves to port 80.
Configure upstreams (encrypted DNS)
Settings → DNS Settings. Add upstreams; AdGuard Home supports plain DNS, DoH, DoT, DoQ:
# DoH
https://dns.quad9.net/dns-query
https://cloudflare-dns.com/dns-query
https://dns.adguard.com/dns-query
# DoT
tls://1.1.1.1
tls://9.9.9.9
# DoQ (DNS-over-QUIC; lower latency)
quic://dns.adguard.com
# Plain (fallback only)
1.1.1.1
9.9.9.9
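Mixed lists are fine; AdGuard load-balances across them. With parallel queries enabled, queries hit multiple upstreams simultaneously and the first response wins. Plain entries in the same list receive queries like any other upstream, and those queries travel unencrypted.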
Blocklists
Filters → DNS blocklists → Add. Curated lists ship with AdGuard:
- AdGuard DNS filter — the default; broad ad + tracker coverage
- AdAway — mobile-app ads
- EasyList / EasyPrivacy — the staples
- OISD — widely-respected curated list
- Steven Black's hosts — many specializations
You can also add custom blocklists from URLs (txt files of hostnames, or AdGuard-syntax filter rules). Once a custom list is added, AdGuard polls it on a schedule.
Per-client policies
Settings → Client settings. Add a client by IP / MAC / hostname; assign custom upstreams, blocklists, and rules:
- "kids" client — family-friendly DNS upstream (FamilyShield), aggressive blocking, safe-search-on-Google.
- "office" client — standard policy
- "smart-tv" client — block telemetry domains aggressively
The query log and stats are broken down per client, so you can spot which device is making the most queries (often surprising for IoT devices).
Built-in DHCP
Settings → DHCP. AdGuard Home can be your LAN's DHCP server too:
- Hand out IPs in a chosen range
- DNS option = AdGuard itself (so clients use it for DNS automatically)
- Static reservations by MAC
- Lease list visible in the UI
For homes / small offices where the router's DHCP is barely good enough, AdGuard's is genuinely featureful. Disable the router's DHCP first to avoid conflicts.
Encrypted DNS for clients
AdGuard Home can also serve DoH / DoT / DoQ to clients, not just use them for upstream queries. Enable this in Settings → Encryption:
- HTTPS / DoH — clients query https://adguard.lab.example.com/dns-query
- DoT — tls://adguard.lab.example.com on port 853
- DoQ — quic://adguard.lab.example.com on port 784
Provide a TLS cert (Let's Encrypt or step-ca from that tutorial). Modern phones + browsers can be configured to use these.
Custom rules
Beyond blocklists, write per-rule entries:
# Block a specific hostname
||telemetry.example.com^
# Allow-list (override blocklists)
@@||necessary-tracker.example.com^
# Per-client rule ($client modifier follows the pattern)
||social.example.com^$client=10.0.5.50
# Redirect a hostname to a specific IP (local DNS override)
192.168.1.50 nas.lab.example.com
# Wildcard
||*.tracker.com^
Rule syntax mirrors that of AdGuard's browser extension; it will be familiar if you've used AdGuard or uBlock Origin.
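To check how a set of custom rules will treat a query before pasting it into the UI, the following added example (not AdGuard Home's own code, and not from the original page) models the block, allow-list, per-client and hosts-style forms shown above. It is a simplified model: wildcards are skipped, `$client=` is read as a modifier after the pattern, the precedence (allow over block, block over rewrite) is an assumption, and the sample rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional
# Simplified model, not AdGuard Home's own matcher; the sample rules are constructed.
SAMPLE_RULES = """\
||telemetry.example.com^
||tracker.example.com^
@@||necessary.tracker.example.com^
||social.example.com^$client=10.0.5.50
192.168.1.50 nas.lab.example.com
"""

@dataclass
class Rule:
    host: str                      # hostname the rule applies to
    allow: bool = False            # True for @@ exception rules
    client: Optional[str] = None   # value of $client=, if present
    answer: Optional[str] = None   # IP from a hosts-style "IP hostname" line

def parse(text):
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue                                 # blank line or comment
        if not line.startswith(("||", "@@||")):
            parts = line.split()
            if len(parts) == 2:                      # hosts-style "IP hostname"
                rules.append(Rule(parts[1].lower(), answer=parts[0]))
            continue                                 # other forms are out of scope
        pattern, _, mods = line.partition("$")
        client = next((m[7:] for m in mods.split(",") if m.startswith("client=")), None)
        host = pattern.lstrip("@|").rstrip("^").lower()
        rules.append(Rule(host, pattern.startswith("@@"), client))
    return rules

def matches(rule, qname, client_ip):
    if rule.client and rule.client != client_ip:
        return False                                 # rule is scoped to another client
    if rule.answer:
        return qname == rule.host                    # hosts lines: exact name only
    return qname == rule.host or qname.endswith("." + rule.host)  # host + subdomains

def decide(rules, qname, client_ip):
    qname = qname.rstrip(".").lower()
    hits = [r for r in rules if matches(r, qname, client_ip)]
    if any(r.allow for r in hits):
        return "allowed"                             # exception overrides blocks
    if any(r.answer is None for r in hits):
        return "blocked"
    return "rewrite:" + hits[0].answer if hits else "no-match"
```

Call `decide(parse(SAMPLE_RULES), "ads.tracker.example.com", "10.0.5.7")` with your own rules and client IPs, then compare the verdicts against the query log after deploying.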
Query log
Every query (allowed + blocked) is logged; filterable by client / domain / time / result. Useful for "why isn't this website working?" debugging — check if AdGuard blocked something needed.
Retention is configurable; for high-traffic LANs, keep 24 hours; for "I want to audit a quarter of activity," weeks. Logs live on local disk.
AdGuard Home vs Pi-hole
- Pi-hole — older codebase; PHP + dnsmasq under the hood; massive community + documentation; needs Unbound for full recursive privacy.
- AdGuard Home — single Go binary; built-in DoH / DoT / DoQ for upstream + listener; built-in DHCP; per-client policies; less established but more polished out-of-box.
Both work fine. Pi-hole has more existing tutorials + integrations; AdGuard Home is the smoother new install.
When AdGuard Home is the right pick
- You're starting fresh and want one tool for DNS + DHCP + blocking + encrypted upstream.
- Per-client policies (kids vs adults; IoT vs work; etc.) matter.
- You want DoQ specifically (it's the fastest encrypted DNS option on lossy connections).
When Pi-hole is
- Existing setup; tons of homelab tutorials reference it.
- You want the dnsmasq feature surface (DHCP options, PXE, more flexibility).
- You'll pair with Unbound for full recursive resolution privacy.