May 2, 2022 4 min read

Switching to AdGuard Home

A blog post covering my process and journey to switching to AdGuard Home from Pi-hole.


Recently I had to rebuild my home network (I had issues with my router which meant I had to do a full reset on it), and as part of this effort I wanted to rebuild my local DNS server. I was using Pi-hole for this. It’s a great piece of software that works really well. But I was facing an issue with my instance where the web interface to it seemed to die every evening. I spent some time trying to troubleshoot why this was happening, but reached the conclusion it would be quicker and easier to just do a fresh install. And it was at this point that it got me thinking whether there were any other possible solutions out there. I absolutely love trying out new things, so I was excited to see if there were. And it turned out that there were in fact several alternatives out there. One such alternative that caught my eye was AdGuard Home.

My Requirements

There are a few reasons why I run my own local DNS server:

  1. To be able to resolve local systems on my home network (I don’t want these to live outside of my network)
  2. Enable encrypted DNS for DNS queries outside of my home network
  3. Effective ad-blocking and malware blocking at a network level

Pi-hole certainly covers all of them, but for encrypted DNS you have to install additional software. The other issue that I had with Pi-hole is that Lighttpd (the web server for Pi-hole’s web interface) doesn’t play too well with ACME. I have a local instance of Step CA to be able to leverage ACME for certificates on my home network. Another important thing to me is the way something looks (which is rather ironic since my own design and UI skills are pretty poor). To me Pi-hole’s interface just looks a bit dated and tired.

The Setup

So off I went and installed an instance of AdGuard Home. Installation was pretty straightforward and easy. I just followed their instructions on how to have it installed. I then put it behind a reverse proxy (Nginx), to make the certificate management easier using the certbot-nginx plugin. Once I had that in place, I had my own running instance!

Configuration

The next step was to get the encrypted DNS magic configured. What a breeze! I use NextDNS as well. I absolutely love this service and it provides services such as DNS-over-TLS and DNS-over-HTTPS. It also helps to provide a middle point for all my DNS requests, further helping with my own privacy. It’s a very powerful tool at a ridiculously low cost so I would highly recommend having a look at it.

Configuring my AdGuard Home instance to use my NextDNS account couldn’t be simpler. Given that NextDNS provides you with both DNS-over-TLS and DNS-over-HTTPS, I opted for DNS-over-TLS. I got the appropriate address from my NextDNS interface, and then plugged the value into the appropriate configuration of AdGuard Home.

As you can probably tell from the above screenshot, AdGuard Home allows you to have multiple configured DNS servers, and then to have different options as to how those servers are used. The other great thing is that you can mix and match different DNS protocols (for example have a DNS-over-TLS and DNS-over-HTTPS).
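When several upstreams and protocols are mixed like this, it is worth checking that none of them quietly sends non-local queries as plain DNS. The following is an added example, not part of the original post or of AdGuard Home: it audits a list of upstream entries in AdGuard Home's upstream syntax, and the sample entries, the placeholder NextDNS ID `abc123` and the local suffixes `lan` and `home.arpa` are assumptions.

```python
import re

# Upstream schemes that encrypt the query on the wire.
ENCRYPTED = {"tls", "https", "h3", "quic"}
# "[/domain1/domain2/]server" scopes an upstream to specific domains.
SCOPED = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<server>.*)$")

def classify(entry):
    """Return (domains, transport) for one upstream line; None for blanks/comments."""
    line = entry.strip()
    if not line or line.startswith("#"):
        return None
    domains = []
    m = SCOPED.match(line)
    if m:
        domains = [d for d in m.group("domains").split("/") if d]
        line = m.group("server").strip()
    if line == "#":  # scoped domain handed back to the default upstreams
        return domains, "default"
    scheme, sep, _ = line.partition("://")
    if not sep or scheme.lower() in ("udp", "tcp"):
        return domains, "plaintext"  # a bare IP or hostname means plain DNS
    if scheme.lower() in ENCRYPTED:
        return domains, "encrypted"
    return domains, "unknown"  # e.g. sdns:// stamps carry the protocol inside

def is_local(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def plaintext_leaks(upstreams, local_suffixes=("lan", "home.arpa")):
    """Upstream lines that would send non-local queries unencrypted."""
    leaks = []
    for entry in upstreams:
        result = classify(entry)
        if result is None or result[1] != "plaintext":
            continue
        domains = result[0]
        # Plain DNS is tolerated only when scoped entirely to local zones.
        if not (domains and all(is_local(d, local_suffixes) for d in domains)):
            leaks.append(entry.strip())
    return leaks

# Constructed sample list; "abc123" is a placeholder NextDNS configuration ID.
SAMPLE = ["# upstreams", "tls://abc123.dns.nextdns.io", "https://dns.nextdns.io/abc123",
          "[/lan/home.arpa/]192.168.1.1", "9.9.9.9", "[/example.com/]udp://8.8.8.8"]

if __name__ == "__main__":
    for leak in plaintext_leaks(SAMPLE):
        print("plaintext upstream:", leak)
```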

The only one thing that I initially struggled to work out was how to resolve local DNS queries so that I could assign DNS entries to local devices on my home network. On Pi-hole this was easy to spot and do. After a short search online I found my answer. I had to create DNS rewrites under the Filter configuration, and also ensure that the Private reverse DNS servers configuration was appropriately configured:

And that was pretty much it!

The Results

I’ve been running this server for about a month now, and so far I’ve not encountered any issues at all! It has been extremely stable, and I’m more than happy with the results. I was going to try to do a comparison between it and Pi-hole by running each for a few weeks. But after further poking around and more thought I’ve decided against it. The reason is that the results are likely going to be down to the blocklists that you use. Both come with an initial set, but there are many more that you can add. Doing so for both is a trivial thing to do. So the results, in terms of traffic being blocked, are most affected by the lists you use rather than the service (Pi-hole or AdGuard Home). The other defining factor for me was just the sheer amount of functionality that AdGuard Home has over Pi-hole. This ultimately swayed me to stick with it. There’s a lot of really great stuff in there!

Conclusion: Pi-hole or AdGuard Home

When I started with this, I wanted to approach this as objectively as possible. While I wanted to try something new, I also wanted to make sure that I chose the right solution. Ultimately for me the winner is AdGuard Home due to several factors:

  • Cleaner and more modern interface (as I said above visuals are important to me)
  • Out of the box support for encrypted DNS protocols such as DNS-over-TLS and DNS-over-HTTPS
  • More flexibility and easier configuration (support for multiple DNS resolvers and mixture between them without the need of additional software and configuration)
  • Ability to support local encrypted DNS (turn your local instance into a DNS-over-TLS or DNS-over-HTTPS DNS server)

To me it just appears to have more features and flexibility, while making configuration easier. Now don’t get me wrong, I still think that Pi-hole is a brilliant piece of software, but for me personally at least, AdGuard Home just appears to be better rounded. I plan to do another blog where I can try to do a better feature comparison between the two, to hopefully help others make their own decision.

Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.