Introduction
DNS filtering sounds fancy until you realize it’s just your home network playing bouncer for the internet. If you’re using a Raspberry Pi with AdGuard Home, you’re not just kicking out ads, you’re filtering entire domain groups, encrypting DNS traffic with DoH and DoT, and slapping on some surprisingly effective parental controls. All that, and it’s running off a $35 board that looks like it came from a cereal box.
Now, unencrypted DNS is like sending postcards with your web history written in Sharpie. ISPs can snoop, advertisers can track, and your kids can Google just about anything unless you step in. Enter DNS-over-HTTPS and DNS-over-TLS: they wrap your lookups in encryption, making them harder to sniff than a sealed Tupperware in the back of the fridge.
Most home routers come with settings that are either “on,” “off,” or “deal with it.” But if you’re the type who thinks “router firmware” sounds like a conspiracy theory, then AdGuard Home offers a nice mix of user control, network-level blocking, and monitoring tools that don’t require a CompSci degree.
This isn’t just about ad blocking. It’s about shaping what gets through your internet pipe, and who’s watching what. So let’s set it up, tighten it down, and maybe make the web a little less annoying (or risky) for everyone in the house.
Setting Up AdGuard Home on Raspberry Pi
Supported Raspberry Pi models and hardware requirements
Not every Raspberry Pi is built the same. If you’re still holding onto that Raspberry Pi 1, good luck, it’s about as fast as a fax machine in a thunderstorm. You’ll want at least a Raspberry Pi 3, though a Raspberry Pi 4 is ideal. The extra RAM and gigabit Ethernet actually make a difference when you’re handling DNS for a house full of devices that all think their memes are urgent.
What you’ll need:
- Raspberry Pi 3, 3B+, 4, or 400
- 8GB (or larger) microSD card
- Ethernet cable (seriously, use wired, DNS is latency sensitive)
- USB-C or micro-USB power supply (5V, 3A recommended)
- Raspberry Pi OS Lite (based on Debian; minimal and fast)
Choosing and installing a lightweight OS
Skip the desktop version. Use Raspberry Pi OS Lite: it boots faster, uses less RAM, and you won’t be dragging around a GUI just to set a DNS server. Flash it using Raspberry Pi Imager, balenaEtcher, or whatever your OS uses that doesn’t brick cards.
Initial boot and system prep:
- Boot the Pi and log in (default: pi/raspberry).
- Run sudo raspi-config and:
  - Change the password
  - Enable SSH
  - Set timezone and hostname
- Update the OS:
sudo apt update && sudo apt upgrade -y
Installing AdGuard Home using the official GitHub release
Now for the actual setup. Skip the “install from package manager” route; it’s usually behind. Download it from the source.
cd /opt
sudo wget https://github.com/AdguardTeam/AdGuardHome/releases/latest/download/AdGuardHome_linux_armv7.tar.gz
sudo tar -xvf AdGuardHome_linux_armv7.tar.gz
cd AdGuardHome
sudo ./AdGuardHome -s install
This installs it as a system service. AdGuard Home will be running at http://<your_pi_ip>:3000 the first time. Bookmark it, because you’re going to live there.
What happens next?
You’ll go through a simple setup wizard:
- Pick a listening interface (your Pi’s LAN IP)
- Choose DNS ports (default 53, change if needed)
- Create an admin username/password
Once done, you’ll get access to the full AdGuard Home dashboard, where things get interesting.
Configuring DNS Encryption: DoH and DoT
What DNS-over-HTTPS and DNS-over-TLS actually do
Think of regular DNS as someone shouting your web requests across a crowded bar. Everyone hears it. When you switch to DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS), it’s like slipping your requests through a locked briefcase. Suddenly, your ISP, sketchy hotspot owners, and nosy neighbors can’t eavesdrop on what sites you’re resolving.
DoH runs over port 443 and blends in with normal HTTPS traffic. DoT uses port 853 and looks more like a specialized, encrypted DNS tunnel. Both are designed to keep your DNS queries private.
Why encrypted DNS matters for home privacy
If your kids are using your Wi-Fi to Google, stream, and click random popups, you don’t want every lookup logged by your ISP. Worse, unencrypted DNS can be intercepted or redirected. Encrypting it:
- Prevents DNS hijacking by ISPs or malware
- Stops third parties from snooping on domain lookups
- Makes filtering more secure and tamper-resistant
- Keeps your network traffic consistent and predictable
Configuring AdGuard Home to use upstream DoH/DoT servers
Here’s how to tell AdGuard Home to stop using plaintext DNS and forward all requests through encrypted servers.
- Open the AdGuard Home dashboard.
- Navigate to Settings > DNS Settings
- Scroll to Upstream DNS servers
Replace the defaults with trusted DoH/DoT servers. Example setups:
# Cloudflare DNS-over-HTTPS
https://dns.cloudflare.com/dns-query
# NextDNS DoH
https://dns.nextdns.io/<your-nextdns-id>
# CleanBrowsing Family Filter (DoT)
tls://family-filter-dns.cleanbrowsing.org
AdGuard can handle both DoH and DoT. Just list them on separate lines. You can also mix providers, say, DoH from Google and DoT from Quad9, if you enjoy living on the edge.
Testing encrypted DNS queries
After setup, make sure you’re actually using encrypted DNS.
- Visit https://1.1.1.1/help to check if DoH/DoT is active.
- Or run from a client machine:
dig example.com @192.168.x.x
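If responses are clean and no leaks show up, you’re golden. Keep in mind that the dig query only proves the Pi is answering: the encrypted leg is the one from the Pi to the upstream resolver, and the hop from your client to the Pi is still ordinary DNS on your LAN.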
Optional tuning for geeks
- Set custom ports to avoid ISP throttling
- Enable fallback to plain DNS only if you’re debugging
- Disable IPv6 upstreams if your network chokes on it
AdGuard Home’s status dashboard will show which upstreams are being used, and whether they’re responding fast or tanking your lookups.
Creating Network-wide Parental Controls
How DNS filtering enables content and category blocking
You know those “family protection” features on most routers? They block exactly three websites and then forget what they were doing. Real parental controls rely on DNS filtering, which blocks domains before they even load, no browser extensions, no apps, and no begging kids to “hand over the phone.”
Using AdGuard Home, you can block entire domain categories like adult content, gambling, or social media. It does this by intercepting DNS requests and denying access before the browser even knows what happened.
Setting up parental profiles per device using MAC address or hostname
You can target devices specifically by using their MAC address or hostnames. That way, little Jimmy’s iPad gets the PG experience while your laptop keeps full access to Reddit (for…research).
Steps:
- In the AdGuard dashboard, go to Settings > Clients.
- Add a new client using MAC or static IP.
- Assign a name and apply filters unique to that device.
Now you can mix strict rules for kids and relaxed rules for adults, just like dinner at a friend’s house.
Using time-based rules to schedule access
If bedtime means Fortnite still lights up the hallway, use time-based blocking. You can schedule when certain clients:
- Access the internet
- Access only filtered content
- Get blocked entirely
Example: Block all YouTube traffic on school nights from 9pm to 7am. AdGuard Home’s Scheduled Filters make this easy, no coding, just dropdowns.
Blocking adult, gambling, or malicious sites via filter lists
Instead of making your own blocklists, use public DNS filter lists:
- CleanBrowsing Family
- AdGuard Family Protection
- Steven Black’s Hosts (porn + gambling)
- 1Hosts Lite or Pro
Add them under Filters > DNS blocklists and pick only what you need. Each list blocks thousands of domains and gets updated regularly.
SafeSearch enforcement with DNS rewriting
Even if kids type something sketchy, SafeSearch DNS rewrite rules force results through the filtered version of Google, Bing, or YouTube.
Steps:
- Go to Filters > DNS rewrites
- Add rules like:
www.google.com CNAME forcesafesearch.google.com
www.youtube.com CNAME restrict.youtube.com
This tells your network to redirect searches through the strict filter layer. It works quietly in the background, no browser nags, no app needed.
Device-Specific DNS and Access Management
Assigning static IPs for consistency
Your router loves playing musical chairs with IP addresses. But for AdGuard Home to consistently apply filtering, you need devices to stay put. That means assigning static IPs based on MAC addresses in your router’s DHCP reservation settings. Or, if you’re running your Pi as the DHCP server, assign the leases directly through AdGuard’s network configuration.
Why this matters: If your kid’s tablet gets a new IP every few days, the parental filters won’t follow. Static IPs keep the rules stuck to the device like bad tattoos.
Creating user-specific rules using AdGuard’s client settings
Once static IPs or MACs are locked in, it’s time to treat devices like roommates, each gets their own rule set. AdGuard lets you:
- Assign specific blocklists to each client
- Apply parental filters to some devices
- Disable filtering entirely for others (hello, gaming console)
Steps:
- Head to Settings > Clients
- Click “Add Client” and enter device details
- Choose filters, rewrites, and logging options per device
Now you can block Discord on one laptop and allow it on another without affecting the rest of the network.
Controlling guest vs admin access
Let’s say you’ve got visitors and you don’t want them poking around your AdGuard logs or opening unrestricted internet portals. You can create:
- Guest clients with ultra-limited access
- Admin clients with logging disabled or full DNS passthrough
- Separate filter levels for work vs play
Combine this with a segmented Wi-Fi setup (like Guest Wi-Fi vs Main Wi-Fi), and you’ve got tight control without yelling passwords across the room.
Bypassing DNS filters for certain devices
Some devices don’t play nice with DNS filtering. Smart TVs, certain VPN clients, or game consoles may break or complain. You’ve got a few options:
- Whitelist the domain they’re choking on
- Set DNS passthrough for that device
- Assign public DNS upstreams to bypass filtering
Or, worst-case, set the device to use its own DNS via static IP config, but that’s a last resort, because it bypasses logs and filters.
AdGuard makes DNS management feel like herding cats, except now you’ve got a leash, a plan, and fewer scratched walls.
Managing Logs, Stats, and Real-time Monitoring
Using AdGuard’s web UI to track DNS queries
Let’s be honest, part of the fun in running your own DNS server is spying on your own network traffic like a discount cybersecurity analyst. AdGuard Home logs every DNS query, and its dashboard UI lets you:
- See who’s visiting what
- Spot unusual spikes in traffic
- Catch apps phoning home to data farms you didn’t approve
Just go to the Query Log tab. You’ll see timestamps, domains, status (blocked/allowed), and which client requested it.
Identifying blocked domains and reasons
Every time a domain gets blocked, AdGuard will show why:
- Match from a filter list
- Explicit block rule
- DNS rewrite redirect
You can filter the logs by client, domain, status, or time range. That means you can figure out fast why your smart fridge suddenly can’t call Korea.
Spotting suspicious behavior or excessive usage
Sometimes a device will start acting like it’s part of a botnet, hundreds of requests to weird domains. With AdGuard’s top domains and top clients charts, you’ll know who the culprit is:
- Spiking activity late at night?
- Random domain lookups from a device that should be asleep?
- 10,000 pings to TikTok from one phone?
Welcome to parenting in the age of Wi-Fi.
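The three patterns listed above, written as detection logic over DNS query records (an added example, not part of AdGuard Home). The record fields, thresholds and sample data are constructed for illustration; map the fields from whatever your query log export provides.

```python
from collections import Counter, defaultdict
from datetime import datetime

# All four values are assumptions to tune for your own household.
QUIET_HOURS = range(0, 6)   # 00:00-05:59 local time: devices "should be asleep"
NIGHT_LIMIT = 20            # queries one client may make during quiet hours
UNIQUE_LIMIT = 30           # distinct domains a client looked up exactly once
REPEAT_LIMIT = 50           # lookups of a single domain by a single client


def find_suspects(records):
    """Return {client: [reasons]} for clients that match any of the patterns."""
    night = Counter()
    per_domain = defaultdict(Counter)
    for rec in records:
        when = datetime.fromisoformat(rec["time"])
        client = rec["client"]
        domain = rec["domain"].lower().rstrip(".")
        per_domain[client][domain] += 1
        if when.hour in QUIET_HOURS:
            night[client] += 1

    suspects = defaultdict(list)
    for client, domains in per_domain.items():
        # Pattern 1: activity while the device should be idle.
        if night[client] > NIGHT_LIMIT:
            suspects[client].append(f"{night[client]} queries in quiet hours")
        # Pattern 2: many one-off names, typical of random-looking lookups.
        singles = sum(1 for hits in domains.values() if hits == 1)
        if singles > UNIQUE_LIMIT:
            suspects[client].append(f"{singles} domains looked up exactly once")
        # Pattern 3: one name hammered over and over.
        domain, hits = domains.most_common(1)[0]
        if hits > REPEAT_LIMIT:
            suspects[client].append(f"{hits} lookups of {domain}")
    return dict(suspects)


def build_sample():
    """Constructed query records: a phone, a smart TV and a laptop."""
    records = []
    for i in range(60):   # phone: one domain, sixty times in an evening
        records.append({"time": f"2024-01-10T20:{i:02d}:00",
                        "client": "192.168.1.20", "domain": "www.tiktok.com"})
    for i in range(40):   # smart TV: forty one-off names at 3 am
        records.append({"time": f"2024-01-11T03:{i:02d}:00",
                        "client": "192.168.1.30", "domain": f"x{i:03d}.example.net"})
    for i in range(10):   # laptop: ordinary daytime browsing
        records.append({"time": f"2024-01-10T14:{i:02d}:00",
                        "client": "192.168.1.10", "domain": "example.com"})
    return records


if __name__ == "__main__":
    for client, reasons in find_suspects(build_sample()).items():
        print(client, "->", "; ".join(reasons))
```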
Setting up external log forwarding for deeper analysis
If the built-in graphs aren’t cutting it, forward logs to external tools:
- Syslog servers
- Grafana via Prometheus
- Logstash or the ELK stack
- Netdata for pretty graphs
Advanced users can enable the query log API and build dashboards from raw data. But fair warning: this rabbit hole never ends.
Enabling or disabling logging per device
Worried about privacy for guests or specific users? You can toggle logging per client in AdGuard:
- Go to Settings > Clients
- Edit the client
- Turn off log and statistics retention
This keeps the peace while still keeping the power.
AdGuard’s logging isn’t just about snooping; it’s how you debug, audit, and improve your network’s behavior over time.
Maintenance and Performance Optimization
Enabling automatic updates of blocklists
DNS blocklists are living documents. Domains get added, removed, or shift tactics daily. Let them update themselves so you don’t have to babysit them like a leaky sink.
Steps:
- Head to Filters > DNS blocklists
- Set each list to auto-update
- Pick an interval, daily is usually fine
Now, even if new scammy domains pop up overnight, your Pi won’t be caught napping.
Reducing system load with caching and TTL settings
Raspberry Pis aren’t supercomputers. But with smart caching, you can dramatically cut query time and CPU spikes. Here’s how:
- Enable DNS cache in AdGuard Home
- Adjust cache TTL (Time To Live) to keep common queries stored
- Use prefetching to refresh expired entries before they’re needed
That way, your Pi isn’t wasting time asking Google where google.com is, again.
Backup strategies and exporting configuration
You’ve spent time tuning filters, client rules, and rewrites. Don’t lose it all because your SD card decided to go full drama queen.
Options:
- Use the AdGuard UI backup feature under Settings > General Settings
- Export configs via JSON for manual safekeeping
- Automate with tools like rsync or rclone to offload backups to cloud storage
A good rule of thumb: backup anytime you make major changes. Or just schedule it weekly and pretend you’re disciplined.
Dealing with false positives and whitelisting
No filter is perfect. Sooner or later, AdGuard will block something useful, banking sites, a login service, maybe a streaming API. Don’t panic.
- Go to Query Log
- Click the blocked domain
- Hit Whitelist
Done. Crisis averted. Now your spouse can log into the bank without giving you that “what did you do this time” look.
Monitoring system performance
Use simple built-in tools:
- htop to see real-time CPU/RAM use
- AdGuard’s own performance tab to check DNS query rates
- df -h to make sure your SD card isn’t out of space
And if you’re feeling extra nerdy, plug it into Netdata or Grafana to watch your Pi’s vitals like it’s on life support (because sometimes it is).
Integrating With Other Tools and Services
Combining with a VPN for remote protection
If you want to filter DNS even when devices are off your home network, say, your kid’s tablet on hotel Wi-Fi, use a VPN tunnel back home. This routes traffic through your Raspberry Pi and still applies AdGuard filters.
Recommended combos:
- WireGuard for simplicity and speed
- Tailscale for zero-config remote access
- OpenVPN if you like punishment
Set the VPN’s DNS option to your Pi’s LAN IP and boom, global filtering.
Connecting to Home Assistant for smart home integration
If you’re already running Home Assistant, you can hook in AdGuard Home via its integration system. This lets you:
- View DNS stats directly in your HA dashboard
- Toggle filtering modes based on time or presence
- Trigger automations when specific domains are requested
Example: Automatically disable YouTube access when the kids get home from school. Or log suspicious domain activity from your smart TV (you know it’s spying).
Setting up DoH/DoT support across other routers and systems
Want other devices to benefit from DoH/DoT, not just the Pi? You can:
- Install dnscrypt-proxy on edge routers
- Flash OpenWRT and point upstream DNS to AdGuard
- Use NextDNS CLI with backup upstreams
Just make sure AdGuard Home is your final stop, so all filtering and logging happens in one place.
Adding dashboard visualization with Grafana or Netdata
If you need prettier graphs or historical insights:
- Export logs to Prometheus using community scripts
- Feed Prometheus into Grafana for time series dashboards
- Use Netdata for quick performance metrics
It’s like Fitbit for your Pi, if your Pi could block ads and spy on your fridge.
Using webhooks or alerts
Need a heads-up when something weird happens?
- Use Telegram bots for domain alerts
- Push notifications when blocklists update
- Webhooks to automate backup scripts or shutdowns
It’s a stretch goal, but it turns AdGuard into a mini-SOC (security operations center) for your living room.
Security, Privacy, and Legal Considerations
Keeping children safe while respecting privacy
Running your own DNS server is powerful, but it comes with responsibility. While content filtering helps shield kids from explicit material, it also collects detailed browsing logs. So unless you want to become the NSA of your household, be mindful of how long you store logs and who can access them.
AdGuard lets you:
- Limit log retention by days or entries
- Disable logs per client
- Protect the dashboard with a strong admin password
Balance protection with privacy. If your goal is safety, not surveillance, act like it.
Understanding encrypted DNS limitations
Even with DoH and DoT, DNS encryption doesn’t make you anonymous or invincible. It only encrypts the lookup part of browsing; the actual content still travels unencrypted unless you’re on HTTPS.
Also:
- Malware can still bypass AdGuard if it uses hardcoded DNS
- Phones can switch to cellular and dodge your filters
- VPN apps can override everything
Encrypted DNS is a tool, not a fortress.
Logging retention and GDPR/CCPA implications
If you’re in a region covered by GDPR, CCPA, or similar data protection laws, keeping per-device DNS logs may have legal implications, especially for visitors or shared networks.
Best practices:
- Notify users if logging is active
- Avoid storing full DNS logs indefinitely
- Mask or anonymize IPs where possible
Also: Don’t pretend your DNS logs are “anonymous.” Domain requests + timestamps = trackable behavior.
Ethical use of content filtering
Filtering adult content is one thing. Blocking political sites, news outlets, or competitors crosses a line. Use parental controls and DNS filtering ethically; they’re meant to protect, not censor.
AdGuard is a tool for empowerment, not control. Keep that in mind if you’re tempted to over-filter your housemate’s phone because they “watch weird stuff.”
Stay updated and secure
Like all internet-connected devices, your Raspberry Pi isn’t immune to attacks. Always:
- Update AdGuard Home regularly
- Keep your Raspberry Pi OS patched
- Use strong passwords
- Don’t expose the dashboard to the internet without a VPN
DNS is your home’s first line of defense. Don’t leave the front door wide open.
Troubleshooting Common Problems
DNS not resolving? How to diagnose
If your devices suddenly can’t reach websites, it’s probably a DNS issue. Here’s how to narrow it down:
- Try pinging a public IP (like 8.8.8.8), if that works, your internet’s fine.
- Access AdGuard’s dashboard locally, if it’s up, the Pi is alive.
- Use dig or nslookup to test domain resolution manually:
dig google.com @192.168.x.x
- Check AdGuard’s logs for blocked domains or upstream failures.
- Reboot the Pi. Yes, really, half the time, that fixes it.
Conflicts with ISP or router DNS settings
Your ISP or router might override your DNS settings, even if you’ve configured AdGuard correctly. Common culprits:
- ISP-enforced DNS redirection (Comcast and others love this)
- Routers that ignore manual DNS settings
- Clients with hardcoded DNS (Google DNS on Android)
Solutions:
- Set AdGuard as both the DHCP server and DNS resolver
- Block outbound port 53 (plain DNS) to force clients to use AdGuard
- Use firewall rules or VLANs for stricter control
Mobile devices bypassing DNS over cellular
Kids are smart. They’ll disable Wi-Fi and use cellular to get around filters. Unfortunately, there’s no DNS you can control on LTE unless you install a VPN or use parental control apps like Google Family Link or Apple Screen Time.
Alternative: Use a VPN back to your home network; that forces all traffic through AdGuard, wherever they go.
When DoH or DoT fails silently
Encrypted DNS is great… until it stops working and nobody notices because fallback to unencrypted DNS is still active.
Checklist:
- Test upstreams using AdGuard’s built-in diagnostics
- Disable fallback to plain DNS in the DNS settings
- Use tools like 1.1.1.1/help to confirm encryption status
- Try different DoH/DoT providers, not all are equally reliable
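An offline audit for the silent-fallback problem above and for the upstream list configured earlier, as an added example (not AdGuard Home's own code): paste in your upstream and fallback entries and it reports every one that would leave the Pi as plaintext DNS. The function names and the two constructed sample entries are assumptions; the scheme prefixes are the ones AdGuard Home accepts in its upstream field.

```python
import ipaddress
import re

ENCRYPTED = {"https": "DoH", "h3": "DoH over HTTP/3", "tls": "DoT", "quic": "DoQ"}
PLAINTEXT = {"udp", "tcp"}
# Optional per-domain prefix such as "[/lan/]192.168.1.1"
DOMAIN_PREFIX = re.compile(r"^\[/[^\]]*/\]")


def _is_lan_address(host):
    """True when host is a literal private or loopback IP (query stays local)."""
    if host.startswith("["):               # "[fd00::1]:53" -> "fd00::1"
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:             # "192.168.1.1:53" -> "192.168.1.1"
        host = host.split(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                       # a hostname: treat as a public resolver
    return ip.is_private or ip.is_loopback


def classify(token):
    """Return (kind, verdict); verdict is encrypted, plaintext, lan or unknown."""
    scheme, sep, rest = token.partition("://")
    if not sep:                            # bare IP or hostname, no scheme
        scheme, rest = "", token
    scheme = scheme.lower()
    if scheme in ENCRYPTED:
        return ENCRYPTED[scheme], "encrypted"
    if scheme == "sdns":
        # A DNS stamp may encode DoH, DNSCrypt or plain DNS; decode it to be sure.
        return "DNS stamp", "unknown"
    if scheme == "" or scheme in PLAINTEXT:
        if _is_lan_address(rest):
            return "plain DNS to LAN resolver", "lan"
        return "plain DNS", "plaintext"
    return "unrecognised scheme", "unknown"


def audit_upstreams(text):
    """Return (line_no, entry, kind, verdict) for every entry that is not encrypted."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        for token in DOMAIN_PREFIX.sub("", line).split():
            if token == "#":               # "[/domain/]#" means "use the defaults"
                continue
            kind, verdict = classify(token)
            if verdict != "encrypted":
                findings.append((line_no, token, kind, verdict))
    return findings


# First two entries are from the article; the last two are constructed.
SAMPLE_UPSTREAMS = """\
# Cloudflare DNS-over-HTTPS
https://dns.cloudflare.com/dns-query
# CleanBrowsing Family Filter (DoT)
tls://family-filter-dns.cleanbrowsing.org
# constructed: plaintext entry left over from debugging
9.9.9.9
# constructed: local names sent to the router
[/lan/]192.168.1.1
"""

if __name__ == "__main__":
    for finding in audit_upstreams(SAMPLE_UPSTREAMS):
        print("line %d: %s is %s (%s)" % finding)
```

Entries reported as `lan` never leave the house and are usually intentional; anything reported as `plaintext` is a lookup your ISP can still read.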
Blocklists too aggressive or not aggressive enough
Sometimes you block too much (e.g. Gmail breaks), or not enough (TikTok still loads). Here’s what to do:
- Use a balanced mix of blocklists (avoid stacking 20+ lists)
- Check AdGuard’s log to identify what’s being blocked or missed
- Whitelist or blacklist specific domains as needed
- Create client-specific rules for more control
This isn’t set-it-and-forget-it; expect to tweak things over time.
Advanced Use Cases and Scenarios
Setting up dynamic DNS for remote access
If you’re away from home and still want access to your AdGuard dashboard, a static IP isn’t always an option. Enter Dynamic DNS (DDNS). It updates your public IP automatically with a domain name like yournetwork.duckdns.org.
Steps:
- Sign up for a DDNS service: DuckDNS, No-IP, or Dynu
- Install a DDNS client on your Raspberry Pi
- Forward port 3000 (or your chosen admin port) through your router
- Use VPN for secure access, never expose AdGuard directly to the public web
Applying category-based filtering with external sources
Default blocklists only go so far. For more granularity, use external filters that organize domains by category, like gambling, social media, adult, or violence.
Sources:
- CleanBrowsing Security & Family lists
- 1Hosts Pro
- NextDNS categories (if you sync settings manually)
AdGuard lets you apply these globally or per-device. Combine with scheduled rules to limit categories by time of day.
Using regular expressions for domain pattern matching
Sometimes, you need to block more than just badsite.com, you want to block everything with “badsite” in the domain. That’s where regex blocking comes in.
Examples (AdGuard Home reads a custom rule as a regular expression when it is wrapped in slashes):
/(^|\.)adultsite\./
/(^|\.)track.*\.com/
Enable regex filters under Filters > Custom filtering rules, and write smart expressions. Careful, though, one bad pattern can tank your DNS performance.
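A way to try a regex rule against hostnames before it goes live, as an added example that is not part of AdGuard Home: it runs the two patterns above over constructed names and lists what each one misses or over-blocks. It assumes the pattern is applied as an unanchored search on the queried hostname and uses only regex syntax common to Python and Go; `RULE_TRACK_TIGHT` is a constructed alternative, not a rule from the article.

```python
import re

# The two rules from the text, in /regex/ form.
RULE_ADULT = r"/(^|\.)adultsite\./"
RULE_TRACK = r"/(^|\.)track.*\.com/"
# Constructed alternative: the label must be exactly "track" and the
# name must end in .com.
RULE_TRACK_TIGHT = r"/(^|\.)track\.([^.]+\.)*com$/"


def check_rule(rule, must_block, must_allow):
    """Run one /regex/ rule over hostnames; report misses and over-blocks."""
    if not (len(rule) > 2 and rule.startswith("/") and rule.endswith("/")):
        raise ValueError("regex rules are written between slashes: /pattern/")
    pattern = re.compile(rule[1:-1])
    return {
        "missed": [h for h in must_block if not pattern.search(h.lower())],
        "overblocked": [h for h in must_allow if pattern.search(h.lower())],
    }


# Constructed hostnames; none is taken from a real blocklist.
TRACK_BLOCK = ["track.example.com", "ads.track.example.com"]
TRACK_ALLOW = [
    "tracking.parcel-carrier.example.com",   # label merely starts with "track"
    "track.example.com.cdn.example.net",     # ".com" appears mid-name, TLD is .net
    "soundtrack.example.com",                # "track" is not at a label boundary
]
ADULT_BLOCK = ["adultsite.com", "cdn.adultsite.net"]
ADULT_ALLOW = ["notadultsite.example"]


if __name__ == "__main__":
    cases = [
        (RULE_ADULT, ADULT_BLOCK, ADULT_ALLOW),
        (RULE_TRACK, TRACK_BLOCK, TRACK_ALLOW),
        (RULE_TRACK_TIGHT, TRACK_BLOCK, TRACK_ALLOW),
    ]
    for rule, block, allow in cases:
        print(rule, check_rule(rule, block, allow))
```

The loose `track` rule catches both names it should and two it should not, because `.*` runs across label boundaries and nothing anchors `.com` to the end of the name.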
Blocking telemetry and ads from smart TVs and IoT devices
Smart TVs are sneaky. Even when they’re “off,” they’re busy phoning home. Use AdGuard to block:
- Tracking domains from Samsung, LG, Roku
- Ad servers embedded in firmware
- Cloud APIs from your robot vacuum or thermostat
Tools like IoT blocklists or logs from GRC ShieldsUP! help identify these. Don’t be surprised if your toaster’s trying to connect to Facebook.
Running AdGuard alongside other DNS tools
Advanced users sometimes run AdGuard with:
- Unbound (as a recursive DNS resolver)
- dnscrypt-proxy (for flexible DoH/DoT switching)
- Pi-hole (though redundant, some like to chain filters)
Stacking DNS services gives you redundancy and flexibility. Just don’t get too fancy, debugging a DNS chain five services deep is no fun on a Friday night.
FAQs
Is AdGuard Home better than Pi-hole?
Both do DNS filtering, but AdGuard Home offers built-in support for DoH, DoT, and client-level filtering, no plugins required. Pi-hole is great too, but often needs extra components like Unbound or dnscrypt-proxy for full encryption and more granular control.
If you’re setting this up for your family and want parental controls, AdGuard Home is usually the easier choice out of the box.
Can I run both DoH and DoT together?
Yes. You can list multiple upstream servers using different protocols. AdGuard will use whatever is fastest or available. Just make sure the formatting is correct:
https://dns.nextdns.io/<ID>
tls://dns.quad9.net
Keep in mind that combining too many can slow lookups or introduce random failures if one goes offline.
Will this break Netflix or YouTube?
Sometimes, yes, particularly if you’re using aggressive blocklists. Services like YouTube Ads, Netflix tracking, or smart TV APIs may break or behave oddly.
Fixes:
- Check the Query Log and whitelist broken domains
- Use per-client rules to bypass filtering on streaming devices
- Turn off filtering temporarily for troubleshooting
How much data does encrypted DNS use?
Very little. Even with DoH or DoT, DNS traffic is tiny, maybe a few MB per day for a busy household. If you’re concerned about bandwidth, it’s better spent worrying about video streaming and background updates.
Is this setup enough to protect kids online?
It’s a great start, but not foolproof. DNS filtering blocks known bad domains; it doesn’t control YouTube content, social media DMs, or in-app chats.
Pair this with:
- Parental control apps
- Screen time limits
- Actual conversations (yes, those still work)
AdGuard is the fence. Parenting is still the gate.