How DNS-Based Blocking Works
Every time a device on your network tries to load a webpage, app, or service, it first sends a DNS query asking "what is the IP address of ads.example.com?" AdGuard Home sits in the path of that query. When the queried domain matches an entry in a blocklist of known ad, tracking, or malware domains, AdGuard Home returns either NXDOMAIN (domain does not exist) or 0.0.0.0 (a null IP address) instead of the real IP. The device never receives a valid address, so it never makes a connection to the ad or tracking server. The block happens before any network packet leaves your home — no content is downloaded and then hidden; the connection is simply never made.
For domains not on any blocklist, AdGuard Home forwards the query upstream to a DNS resolver of your choice (Cloudflare, Google, Quad9, or your ISP's resolver) and returns the real IP address to the device.
How AdGuard Home Differs from Pi-hole
AdGuard Home and Pi-hole use the same core mechanism — DNS-level blocking — and block the same categories of domains when given the same blocklists. The differences are in implementation and built-in features:
AdGuard Home ships as a single compiled Go binary with no external dependencies. There is no PHP, no lighttpd, no SQLite database to maintain. It runs on Raspberry Pi (all models), x86 Linux servers, ARM-based NAS devices, and Docker on any platform. Pi-hole requires a more complex installation stack and is natively Linux-only, though it also runs in Docker.
The most significant technical difference is that AdGuard Home has a built-in DoH and DoT server — not just a client. It can serve encrypted DNS directly to devices on your network (and externally if exposed), whereas Pi-hole requires additional software such as nginx or stunnel to offer the same capability. For users who want every device on the network to use encrypted DNS without per-device configuration, AdGuard Home is significantly easier to set up.
Installation Options
- Raspberry Pi binary: Download the ARM binary from the AdGuard Home GitHub releases page, run the installer script, and it sets up as a system service. Works on Pi Zero through Pi 5.
- Docker container:
docker run adguard/adguardhomewith appropriate port mappings. The most portable option — runs on any machine with Docker. - Synology NAS: Available as a package through the Synology Package Center or manually installed as a Docker container on DSM.
- Router with custom firmware: OpenWrt and some Entware-compatible routers can run AdGuard Home directly on the router hardware, eliminating the need for a separate device.
Configuring as Network-Wide DNS
Once AdGuard Home is running, point your router's DHCP server to hand out AdGuard Home's local IP address as the DNS server for all clients. In your router admin panel, find the DHCP settings and set the Primary DNS field to the IP of the machine running AdGuard Home (e.g. 192.168.1.5). Every device that gets a DHCP lease will automatically use AdGuard Home for DNS — no per-device configuration needed. Existing devices pick up the change at their next DHCP lease renewal or after reconnecting.
Blocklist Management
AdGuard Home includes several curated blocklists by default — covering ads, tracking, and malware domains. You can add additional lists from the Filters menu: EasyList (the same list used by browser ad blockers), Steven Black's hosts file (a community-maintained combined list), and domain-specific lists for social media trackers, telemetry, and coin miners. Custom individual domains can be blocked or whitelisted at any time without restarting the service.
Per-Device Rules and Client Settings
In the Client Settings section, AdGuard Home lets you assign different filtering profiles to individual devices identified by IP address or MAC address. A child's tablet can have stricter filtering with safe search enforced on Google, Bing, and YouTube. A work laptop can be assigned relaxed rules that do not block business-critical domains. IoT devices like smart TVs can be given aggressive blocking to prevent telemetry. This per-client flexibility is more granular than Pi-hole's group-based approach.
Encrypted DNS Upstream
AdGuard Home can forward upstream DNS queries over DoH or DoT rather than plain UDP port 53. Configuring upstream as https://1.1.1.1/dns-query (Cloudflare) or tls://9.9.9.9 (Quad9) means that even though your devices send plain DNS to AdGuard Home locally, AdGuard Home's outbound queries to the internet are encrypted. Your ISP cannot see which domains your network is resolving — they see only encrypted HTTPS or TLS traffic to the upstream resolver's IP address.
Local DNS Rewrites
AdGuard Home's DNS rewrites feature lets you create local hostname mappings without a separate DNS server. Map homelab.local to 192.168.1.100, or nas.home to 192.168.1.50, and every device on the network resolves those names to local IPs automatically. This is useful for accessing self-hosted services by name instead of IP address — particularly when those services use HTTPS with a certificate tied to a domain name.
AdGuard Home vs Pi-hole Comparison
| Feature | AdGuard Home | Pi-hole |
|---|---|---|
| Native DoH/DoT server | Yes (built-in) | No (requires nginx/stunnel) |
| Per-client blocklists | Yes | Limited (group-based) |
| Parental controls | Built-in per client | Via separate blocklists |
| Installation complexity | Single binary | Multi-package, Linux-only native |
| Community size | Large | Larger, more established |
| Third-party integrations | Good | Excellent (Grafana, Home Assistant) |
| Local DNS rewrites | Built-in UI | Requires dnsmasq config edits |
What AdGuard Home Cannot Block
DNS-level blocking has inherent limitations regardless of which tool you use:
- First-party ads served from the same domain as content — YouTube ads, Spotify ads, and Hulu ads come from youtube.com, spotify.com, and hulu.com respectively, so blocking those domains blocks the service itself.
- Apps using hardcoded DNS servers or DoH that bypass your local resolver entirely — some Android apps and smart TVs hardcode 8.8.8.8 and ignore your DHCP-assigned DNS.
- Content within a domain — AdGuard Home can block or allow entire domains, not specific pages or paths.
Frequently Asked Questions
Should I choose AdGuard Home or Pi-hole?
Both block the same domains and work the same way. AdGuard Home has native DoH/DoT, per-client rules, parental controls, and simpler setup. Pi-hole has a larger community and more established ecosystem. For most new users, AdGuard Home requires less configuration to get encrypted DNS running. For those who want the most community support and scripts, Pi-hole is the choice.
Does AdGuard Home protect devices when away from home?
Only if you configure devices to query your home AdGuard Home DoH/DoT endpoint when away — which requires port forwarding and a dynamic DNS hostname. Alternatively, run it on a cloud VPS or combine with a home WireGuard VPN for always-on protection regardless of location.