Posted inUbuntu

Install and Configure AdGuard Home on Ubuntu to Block Ads and Secure DNS for Your Entire Local Network

Ubuntu tutorial - IT technology blog
Ubuntu tutorial - IT technology blog

The Problem: Ads and DNS Tracking Infiltrating Your Entire Home Network

I used to install uBlock Origin on every browser, every device — laptops, phones, TV boxes — and still saw ads blasting away in Android apps and Smart TVs. The reason is simple: extensions only hook into the browser, while DNS queries from native apps go straight out to the internet with nothing filtering them.

And that’s not even counting IP cameras, WiFi smart bulbs, robot vacuums — all of which silently send telemetry to manufacturer servers all day long. I once captured traffic from a cheap Xiaomi camera: it queried around 15 different domains within the first 10 minutes of booting. You can’t install extensions on any of that.

The only way to handle all of it is to run a self-managed DNS server right inside your home network, filtering queries before they leave. AdGuard Home does exactly that.

What Is AdGuard Home and Why Choose It Over Pi-hole?

AdGuard Home is a DNS sinkhole — it sits between your devices and the real DNS server (like 8.8.8.8), inspecting every queried domain. If the domain is on a blocklist, it returns 0.0.0.0 instead of the real address. Ads never load because the domain never resolves.

Compared to Pi-hole (also very popular), there are a few things I find more convenient about AdGuard:

  • Built-in DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) — no need to install cloudflared separately
  • A more modern web UI with a setup wizard instead of manual config file editing
  • Optional integrated DHCP server
  • Single binary with no PHP or lighttpd dependency

When I first switched from CentOS to Ubuntu, it took me a whole week to get used to how apt handles version locking differently from yum. Since AdGuard Home installs as a binary, it sidesteps dependency issues entirely — it runs on Ubuntu 20.04, 22.04, and 24.04 without any concern.

Hands-On: Installing AdGuard Home on Ubuntu

Prerequisites

  • Ubuntu Server 20.04/22.04/24.04 (Desktop works too, but Server has less noise)
  • A static IP on your LAN — required, since your router and devices will point their DNS to this IP
  • Port 53 not already occupied by systemd-resolved

Step 1: Free Up Port 53

Ubuntu runs systemd-resolved by default, listening on 127.0.0.53:53. AdGuard Home needs that port. You must disable the stub resolver first:

# Check whether port 53 is already in use
sudo ss -tlnp | grep ':53'

# Disable the systemd-resolved stub listener
sudo sed -i 's/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf

# Remove the /etc/resolv.conf symlink and recreate it
sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

# Restart the service
sudo systemctl restart systemd-resolved

# Confirm port 53 is now free
sudo ss -tlnp | grep ':53'

Step 2: Download and Install AdGuard Home

# Quickest method — the script auto-detects your architecture and downloads the right binary
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

# Or install manually if you'd rather not pipe curl into sh (safer):
wget https://github.com/AdguardTeam/AdGuardHome/releases/latest/download/AdGuardHome_linux_amd64.tar.gz
tar -xzf AdGuardHome_linux_amd64.tar.gz
cd AdGuardHome
sudo ./AdGuardHome -s install

The script automatically downloads the binary, registers a systemd service, and starts it immediately. Once complete, the web UI runs on port 3000 and DNS on port 53.

Step 3: Configure via the Web UI

Open your browser and navigate to http://<SERVER_IP>:3000. The wizard is straightforward:

  1. Network interfaces: Choose which interface to listen on for DNS — usually all interfaces or just the LAN interface. The web UI stays on port 3000 or you can switch it to port 80.
  2. Create an admin account: Set a username and password — don’t use admin/admin.
  3. After the wizard, log in and go to Settings → DNS settings.

Step 4: Configure Upstream DNS with DoH

Replace plaintext DNS with DNS-over-HTTPS so upstream queries are encrypted — your ISP won’t be able to see what you’re querying:

# In the web UI → Settings → DNS settings → Upstream DNS servers
# Clear the defaults and add:
https://dns.cloudflare.com/dns-query
https://dns.google/dns-query

# Or if you prefer to prioritize Cloudflare:
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query

Check “Load-balancing” so AdGuard automatically picks the server with the lowest latency.

Step 5: Add Blocklists

Go to Filters → DNS blocklists → Add blocklist → Choose from list. The four lists I regularly use:

  • AdGuard DNS filter — the official list, fewest false positives
  • EasyList — common web ads
  • EasyPrivacy — tracking scripts
  • Malware Domain List — blocks malware-distributing domains

Click Update to download them. These four lists combined cover roughly 500k–800k blocked domains — more than enough, while keeping false positives at an acceptable level.

Step 6: Point Your Router’s DNS to AdGuard Home

This is the key step. Instead of configuring each device individually, set the DNS server in your router’s DHCP settings — every device that receives a new IP lease will automatically use AdGuard:

# Example router configuration (varies by firmware):
# Primary DNS: 192.168.1.x  (IP of the Ubuntu machine running AdGuard)
# Secondary DNS: 1.1.1.1    (fallback if AdGuard goes down)

# Test on the Ubuntu machine itself before changing the router:
sudo resolvectl dns eth0 127.0.0.1
sudo resolvectl domain eth0 ~.

# Verify that queries are going through AdGuard:
dig @127.0.0.1 doubleclick.net
# Returns 0.0.0.0 — blocking is working correctly

Step 7: Configure the Firewall

# Open ports for DNS and the web UI
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 3000/tcp   # Web UI (or 80 if you changed it)

# If using DoT (DNS-over-TLS):
sudo ufw allow 853/tcp

sudo ufw reload

Verifying It Works

Once your router hands out DHCP leases with the new DNS, open the Dashboard tab and you’ll see the query log updating in real time. Visit an ad-heavy page and watch — ad network domains will appear with a Blocked status.

# Quick test from the terminal:
nslookup ads.google.com 192.168.1.x
# → Server: 192.168.1.x
# → Address: 0.0.0.0  ← blocked

nslookup github.com 192.168.1.x
# → Server: 192.168.1.x
# → Address: 20.207.73.82  ← resolves normally

Handling False Positives — Whitelisting Incorrectly Blocked Domains

Some CDNs or API endpoints occasionally get blocked by mistake. Go to Filters → Custom filtering rules and add exceptions using AdBlock syntax:

# Whitelist format in Custom rules:
@@||domain.com^          # Allow the entire domain
@@||sub.domain.com^      # Allow only a specific subdomain

# Real-world examples of commonly misblocked domains:
@@||cdn.jsdelivr.net^
@@||fonts.googleapis.com^

Conclusion

What makes AdGuard Home powerful is that it blocks at a much lower level than browser extensions — right at DNS, before your device has sent a single byte to an ad server. Install it once, and your entire home network — Smart TV, IP cameras, Android phones — gets filtered without touching any individual device.

One thing to plan for: AdGuard Home needs a machine running 24/7. A Raspberry Pi 4 drawing around 3–5W is ideal, or a small VM on a NAS works fine too. The important thing is to always set a secondary DNS of 1.1.1.1 or 8.8.8.8 in your router — if the server goes down without a fallback, the whole household loses internet access. And once your server is up, don’t forget to configure Fail2ban to protect the web UI from brute-force attacks — an exposed port 3000 will attract bots sooner or later.

Share:
Tags: