How to Self-Host AdGuard Home and Block Ads Across Your Entire Network
AdGuard Home is a free and open-source DNS server that blocks ads, trackers, and malware domains for every device on your network (phones, TVs, laptops, and smart home devices) without installing anything on them. This guide covers installing AdGuard Home with Docker Compose, fixing the port 53 conflict on Ubuntu, configuring upstream DNS, pointing your router at the server, and accessing the dashboard remotely with a Localtonet tunnel.
What Is AdGuard Home?
AdGuard Home works by acting as the DNS server for your home network. Every time a device on your network tries to look up a domain name, the request goes through AdGuard Home first. If the domain is on a blocklist (an ad network, a tracker, a known malware domain), AdGuard returns nothing and the request dies there. The device never loads the ad or sends data to the tracker. Everything else passes through to your upstream DNS provider as normal.
Because it operates at the DNS level, it works on every device automatically. Smart TVs, games consoles, IoT sensors, phones on your Wi-Fi: none of them need an app installed. You configure one server and the whole network benefits.
AdGuard Home vs browser extensions
AdGuard Home
- Works on every device including smart TVs and phones
- No extension to install or maintain on each device
- Blocks at the DNS level before any connection is made
- Provides per-device statistics and query logs
- Blocks ads in apps, not just browsers
Browser extensions (uBlock, AdBlock)
- Only blocks on the browser where it is installed
- Does not work on mobile apps or smart TVs
- Must be installed and kept updated on every browser
- No network-wide visibility or statistics
Fix Port 53 Conflict on Ubuntu and Debian
DNS runs on port 53. On Ubuntu and most modern Debian-based systems,
a service called systemd-resolved is already listening on 127.0.0.53:53.
When Docker tries to bind AdGuard Home to port 53, it fails with an address-in-use error.
You need to disable the stub listener before starting the container.
Create the systemd-resolved override directory
sudo mkdir -p /etc/systemd/resolved.conf.d
Disable the DNS stub listener
sudo tee /etc/systemd/resolved.conf.d/adguardhome.conf <<'EOF'
[Resolve]
DNS=127.0.0.1
DNSStubListener=no
EOF
Update resolv.conf and restart resolved
sudo mv /etc/resolv.conf /etc/resolv.conf.backup
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl reload-or-restart systemd-resolved
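Port 53 is now free. You can verify this by running the command below. No line for port 53 should appear; the pattern also matches port 5353, so an mDNS listener there is unrelated.
sudo ss -tulpn | grep :53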
On Fedora, RHEL, and CentOS Stream, systemd-resolved is often not active by default.
Run sudo ss -tulpn | grep :53 to check if any process is already using port 53 before starting.
On Raspberry Pi OS (Debian-based), follow the same steps as above.
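A stricter version of the `grep :53` check, as an added example that is not part of the original guide: it matches the local port exactly, so mDNS on 5353 is ignored, and it names the process holding the port. The `ss` output lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what is bound to port 53 from `ss -tulpn` output.

# port53_listeners: reads `ss -tulpn` output on stdin and prints
# "proto local-address process" for sockets whose local port is exactly 53.
port53_listeners() {
    awk '{
        n = split($5, part, ":")            # $5 = Local Address:Port
        if (part[n] != "53") next           # skips 5353 (mDNS), 22, the header
        name = "unknown"                    # process column needs root
        if (match($0, /users:\(\("[^"]+"/))
            name = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, $5, name
    }'
}

# port53_status: prints "free", "stub-listener" (systemd-resolved still holds
# the port) or "in-use" (some other process does).
port53_status() {
    found=$(port53_listeners)
    if [ -z "$found" ]; then
        echo free
    elif printf '%s\n' "$found" | grep -q 'systemd-resolve'; then
        echo stub-listener
    else
        echo in-use
    fi
}

# Constructed sample: Ubuntu before the fix (stub listener plus unrelated mDNS).
sample_before() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=14))
EOF
}

# Constructed sample: after the fix only mDNS remains; `grep :53` still prints it.
sample_after() {
    cat <<'EOF'
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=701,fd=12))
EOF
}

sample_before | port53_status    # stub-listener
sample_after  | port53_status    # free
```

On a live host, pipe the real output into it: `sudo ss -tulpn | port53_status`.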
Install AdGuard Home with Docker Compose
Create the project directory and data folders
mkdir adguard && cd adguard
mkdir -p work conf
Create the Docker Compose file
services:
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000/tcp"
      - "127.0.0.1:8080:80/tcp"
Port 53 handles DNS queries from your devices.
Port 3000 serves the initial setup wizard.
Port 8080 on the host maps to port 80 inside the container,
which is the admin dashboard after setup is complete.
Binding the admin dashboard to 127.0.0.1:8080 keeps it off your local network; you will access it through a Localtonet tunnel.
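To confirm which published ports other machines can reach, the added example below (not part of the original guide) classifies each `ports:` entry as LAN-reachable or loopback-only. It runs on a constructed copy of the port list above; the function names are hypothetical and the awk parsing assumes the simple list layout used in this guide.

```shell
#!/bin/sh
# Added example: which published ports in a Compose file are reachable from
# other machines, and which are bound to loopback only.

# list_ports FILE: print each entry of a "ports:" list, quotes removed.
# Assumption: simple block-style YAML as in this guide, short port syntax.
list_ports() {
    awk '
        /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; next
        }
        { in_ports = 0 }
    ' "$1" | tr -d "\"' "
}

# classify_mapping MAPPING: "loopback" if the host IP is 127.x or [::1],
# otherwise "lan" (with no host IP, Docker binds every interface).
classify_mapping() {
    spec=${1%/*}                                 # drop /tcp or /udp
    case $spec in
        127.*:*:*|\[::1\]:*:*) echo loopback ;;
        *) echo lan ;;
    esac
}

# audit_compose FILE: one "exposure mapping" line per published port.
audit_compose() {
    list_ports "$1" | while IFS= read -r mapping; do
        printf '%s %s\n' "$(classify_mapping "$mapping")" "$mapping"
    done
}

# Constructed copy of the port list from the Compose file in this guide.
sample_compose() {
    cat <<'EOF'
services:
  adguardhome:
    image: adguard/adguardhome:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000/tcp"
      - "127.0.0.1:8080:80/tcp"
EOF
}

tmp=$(mktemp) && sample_compose > "$tmp" && audit_compose "$tmp"; rm -f "$tmp"
```

For this guide's file the result shows DNS and the setup wizard on port 3000 as LAN-reachable, and only the dashboard mapping as loopback.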
Start AdGuard Home
docker compose up -d
docker compose ps
Open http://localhost:3000 in your browser to start the setup wizard.
Complete the Setup Wizard
Configure listen interfaces
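On the first screen, set the Admin Web Interface to listen on all interfaces, port 80.
Set the DNS server to listen on all interfaces, port 53.
These settings apply inside the container; on the host, the Compose port mappings still decide which addresses are published, so the dashboard stays on 127.0.0.1:8080.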
Click Next.
Create your admin account
Enter a username and a strong password. Click Next.
Note the device configuration instructions
The wizard shows the IP address of your server for use as a DNS address. Note the local network IP of the machine running AdGuard Home; you will need it when configuring your router. Click Next and then Open Dashboard.
Configure upstream DNS
In the dashboard, go to Settings → DNS settings. Under Upstream DNS servers, replace the default entries with encrypted upstream servers. Recommended options are listed below.
# Cloudflare DNS-over-HTTPS
https://dns.cloudflare.com/dns-query
# Google DNS-over-HTTPS
https://dns.google/dns-query
# Quad9 DNS-over-HTTPS (malware blocking)
https://dns.quad9.net/dns-query
Using DNS-over-HTTPS upstream means your DNS queries to the internet are encrypted. Your ISP cannot see which domains your devices are looking up.
Point Your Router at AdGuard Home
The most effective way to use AdGuard Home is to set it as the DNS server in your router's DHCP settings. When the router hands out IP addresses to devices, it also tells them to use AdGuard Home for DNS. Every device on your network uses it automatically with no per-device configuration.
Find the local IP of your AdGuard Home server
Run this on the machine running AdGuard Home to find its local network IP address.
It will look like 192.168.1.x or 10.0.0.x.
ip route get 1.1.1.1 | awk '{print $7; exit}'
Log in to your router admin panel
Open your router's admin panel (usually at 192.168.1.1 or 192.168.0.1).
Find the DHCP settings or LAN DNS section.
Set the primary DNS server to the local IP of your AdGuard Home machine.
Save and apply the changes.
Reconnect your devices
Devices will pick up the new DNS server on the next DHCP renewal.
To force it immediately, disconnect and reconnect from Wi-Fi on your devices,
or run sudo dhclient -r && sudo dhclient on Linux clients.
Some ISP-provided routers lock down DNS settings. In that case, configure each device individually to use your AdGuard Home IP as its DNS server. On Android 9 and newer, you can use Private DNS under Wi-Fi settings. On Windows and macOS, update the DNS in your network adapter settings.
Add Blocklists
AdGuard Home ships with a default blocklist, but you can add more for broader coverage. Go to Filters → DNS blocklists → Add blocklist → Choose from the list to browse curated lists, or add any URL directly.
Recommended blocklists
- AdGuard DNS filter — The default list. Good general-purpose ad and tracker blocking.
- EasyList — The most widely used ad-blocking list, maintained by the uBlock Origin team.
- EasyPrivacy — Focuses on trackers and analytics domains.
- Malware Domain List — Blocks known malware distribution domains.
- OISD — A well-maintained all-in-one list with low false positives.
More lists mean more blocked domains, but also more chances of blocking something you actually want. Start with two or three lists, check the query log after a few days, and whitelist any domains that were blocked incorrectly under Filters → Custom filtering rules.
Access the AdGuard Home Dashboard Remotely with Localtonet
The AdGuard Home admin dashboard is bound to 127.0.0.1:8080 in the Compose file above,
so it is only reachable on the machine running the container.
To check your query statistics, manage blocklists, or whitelist a domain from your phone or a remote computer,
create a Localtonet HTTP tunnel for port 8080.
Install and authenticate Localtonet
curl -fsSL https://localtonet.com/install.sh | sh
localtonet --authtoken <YOUR_TOKEN>
Create an HTTP tunnel for port 8080
Log in to the Localtonet dashboard, go to Tunnels → New Tunnel,
select HTTP, set local IP to 127.0.0.1 and port to 8080.
Click Create. You get a public HTTPS URL such as https://abc123.localto.net.
Open the dashboard from anywhere
Navigate to your Localtonet HTTPS URL in any browser. Log in with your AdGuard Home credentials. You now have full access to query logs, blocklist management, and settings from any device.
The Localtonet tunnel only exposes the admin dashboard on port 8080.
DNS traffic on port 53 stays on your local network and is not tunnelled.
This is the correct setup: DNS should be local network only.
Remote access is only for the management interface.
Keep Everything Running After a Reboot
The Compose file has restart: unless-stopped so the AdGuard Home container
comes back with Docker after every reboot.
Register Localtonet as a systemd service so the dashboard tunnel also returns automatically:
sudo localtonet --install-service --authtoken <YOUR_TOKEN>
sudo localtonet --start-service --authtoken <YOUR_TOKEN>
Verify both services are active:
docker compose ps
systemctl status localtonet
After this, rebooting the host brings AdGuard Home and the remote dashboard URL back automatically. Your network keeps blocking ads even if you are not home, and you can manage it from anywhere.
Frequently Asked Questions
Can I run AdGuard Home on a Raspberry Pi?
Yes. The official Docker image supports ARM and ARM64. A Raspberry Pi 3 or newer handles AdGuard Home easily, as it is a very lightweight service. Many people run it on a Pi specifically to keep it always on without impacting their main machine. Raspberry Pi OS is Debian-based, so follow the systemd-resolved port 53 fix steps above.
What is the difference between AdGuard Home and Pi-hole?
Both work as DNS-based ad blockers and are broadly similar in function. AdGuard Home supports encrypted upstream DNS (DNS-over-HTTPS and DNS-over-TLS) out of the box without extra software, has a more modern UI, and supports DoH and DoT as a server as well. Pi-hole has a larger community and more mature third-party integrations. For most new setups, AdGuard Home is the recommended starting point.
A website I use is broken. How do I whitelist it?
Go to Filters → Custom filtering rules and add a line in the format @@||domain.com^. For example, @@||example.com^ allows all requests to example.com regardless of blocklists. You can also check the query log, find the blocked domain, and click the green checkmark icon next to it to whitelist it directly.
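How the block and allow rule forms interact, as an added example that is not part of the original guide and not AdGuard Home's own matcher: a simplified model covering only `||domain^` and `@@||domain^`. The rules, domains and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of two rule forms used in this guide,
#   ||domain^    block the domain and its subdomains
#   @@||domain^  allow it even if a blocklist matches
# Modifiers and every other rule syntax are ignored.

# covers RULE_DOMAIN QUERY: true if QUERY is RULE_DOMAIN or a subdomain of it.
covers() {
    case $2 in
        "$1"|*."$1") return 0 ;;
        *) return 1 ;;
    esac
}

# verdict QUERY RULES_FILE: prints "allowed" (exception rule matched),
# "blocked" (only block rules matched) or "passed" (sent upstream).
verdict() {
    query=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    result=passed
    while IFS= read -r rule; do
        case $rule in
            '@@||'*'^')
                domain=${rule#'@@||'}; domain=${domain%'^'}
                if covers "$domain" "$query"; then result=allowed; fi ;;
            '||'*'^')
                domain=${rule#'||'}; domain=${domain%'^'}
                if [ "$result" = passed ] && covers "$domain" "$query"; then
                    result=blocked
                fi ;;
        esac
    done < "$2"
    echo "$result"
}

# Constructed rules: blocklist-style entries plus one custom exception.
sample_rules() {
    cat <<'EOF'
! constructed sample, not a real blocklist
||example.com^
||ads.example.net^
@@||shop.example.com^
EOF
}

rules=$(mktemp) && sample_rules > "$rules"
for q in example.com cdn.example.com shop.example.com notexample.com; do
    printf '%-18s %s\n' "$q" "$(verdict "$q" "$rules")"
done
rm -f "$rules"
```

An exception written for one subdomain leaves the rest of the blocked domain blocked, which keeps a whitelist entry narrower than allowing the whole parent domain.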
Can I use AdGuard Home while away from home on mobile data?
DNS on port 53 is a local network feature and is not tunnelled through Localtonet in this setup. To use your AdGuard Home DNS server from outside your home network, the most practical approach is to run a WireGuard VPN server on the same machine and connect your phone to it when away. Once the VPN is connected, all DNS traffic goes through your home network and AdGuard Home handles it normally. See our WireGuard self-host guide for setup instructions.
How do I keep AdGuard Home updated?
Pull the latest image and recreate the container. The configuration and query logs in the ./work and ./conf directories persist across updates because they are mounted as volumes on the host.
docker compose pull
docker compose up -d