FAQ

AdGuard Home - FAQ

Why AdGuard Home doesn't block ads?
How to configure AdGuard Home to write verbose-level logs
How to show a custom block page
After installing AdGuard Home, how to change dashboard interface's address?
How to set up AdGuard Home as default DNS server?
Are there any known limitations?
Why am I getting bind: address already in use error when trying to install on Ubuntu?
How to configure a reverse proxy server for AdGuard Home?
How to fix permission denied errors on Fedora?
How to uninstall AdGuard Home?

Why AdGuard Home doesn't block ads?

Suppose that AdGuard Home must block somebadsite.com but for some reason it doesn't. Let's try to resolve this issue.

Most likely you didn't configure your device to use AdGuard Home as its default DNS server. To check if you're using AdGuard Home as the default DNS server:

On Windows, open a Terminal window (Start → Run → cmd.exe). On other systems, open your Terminal application.

Execute nslookup example.org. It will print something like this:

Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
Name:   example.org
Address: <IPv4>
Name:   example.org
Address: <IPv6>

Check if the Server IP address is the one on which AdGuard Home is running. If no, then you need to configure your device, see below.
Ensure that your request to example.org appears in the AdGuard Home UI on the Query Log page. If not, then you need to configure AdGuard Home to listen on the specified network interface. The most straightforward way to do so is to reinstall AdGuard Home with default settings.

Now that you are sure that your device uses AdGuard Home as its default DNS server, the problem might be in AdGuard Home misconfiguration. Please check and ensure that:

You have the “Block domains using filters and hosts files” setting enabled on the “Settings → General settings” page.
You have the appropriate safety mechanisms, such as parental control, enabled on the “Settings → General settings”.
You have the appropriate filters enabled on the “Filters → DNS blocklists” page.
You don't have any filters that may interfere enabled on the “Filters → DNS allowlists” page.
You don't have any DNS rewrites that may interfere on the “Filters → DNS rewrites” page.
You don't have any custom filtering rules that may interfere on the “Filters → Custom filtering rules” page.

How to configure AdGuard Home to write verbose-level logs?

To troubleshoot a complicated issue, the verbose-level logging is sometimes required. Here's how to enable it:

Stop AdGuard Home:
```
./AdGuardHome -s stop
```
Configure AdGuard Home to write verbose-level logs:
1. Open AdGuardHome.yaml in your editor.
2. Set log_file to the desired path of the log file, for example /tmp/aghlog.txt. Note that the directory must exist.
3. Set verbose to true.
Restart AdGuard Home and reproduce the issue:
```
./AdGuardHome -s start
```

How to show a custom block page?

A note about HTTPS

Before doing any of this, please note that modern browsers are set up to use HTTPS, and so they validate the certificate of the web server they're trying to reach for authenticity. That means that using any of these will result in warning screens.

There are a couple of proposed extensions that, when they become reasonably well supported by clients, would allow for a better user experience, including the RFC 8914 Extended DNS Error codes and the DNS Access Denied Error Page RFC draft. We'll implement them when browsers actually start to support them.

Prerequisites

To use any of these ways to show a custom block page, you'll need an HTTP server running on some IP address and serving the page in question on all routes. Something like pixelserv-tls.

Custom block page for parental control and safe browsing filters

There is currently no way to set these parameters from the UI, so you'll need to edit the configuration file manually:

Stop AdGuard Home:
```
./AdGuardHome -s stop
```
Open AdGuardHome.yaml in your editor.

Set the dns.parental_block_host or dns.safebrowsing_block_host settings to the IP address of the server (in this example, 192.168.123.45):

# …
dns:
  # …

  # NOTE: Change to the actual IP address of your server.
  parental_block_host: 192.168.123.45
  safebrowsing_block_host: 192.168.123.45

Restart AdGuard Home:
```
./AdGuardHome -s start
```

Custom block page for other filters

Open the web UI.
Open the “Settings → DNS settings” page.
In the “DNS server configuration” section, select the “Custom IP” radio button in the “Blocking mode” selector and enter the IPv4 and IPv6 addresses of the server.
Click “Save”.

After installing AdGuard Home, how to change dashboard interface's address?

Stop AdGuard Home:
```
./AdGuardHome -s stop
```
Open AdGuardHome.yaml in your editor.
Set the bind_host setting to a new network interface. For example:
- 0.0.0.0 to listen on all network interfaces.
- 127.0.0.1 to listen on the local loopback interface only.
Optionally, set the bind_port setting to set a new port.
Restart AdGuard Home:
```
./AdGuardHome -s start
```

How to set up AdGuard Home as default DNS server?

See the “Configuring Devices” section on the “Getting Started” page.

Are there any known limitations?

Here are some examples of what cannot be blocked by a DNS-level blocker:

YouTube, Twitch ads.
Facebook, Twitter, Instagram sponsored posts.

Essentially, any advertising that shares a domain with content cannot be blocked by a DNS-level blocker.

Is there a chance to handle this in the future?

DNS will never be enough to do this. Your only option is to use a content blocking proxy like what we do in the standalone AdGuard applications. We're going to bring this feature support to AdGuard Home in the future. Unfortunately, even in this case, there still will be cases when this won't be enough or would require quite complicated configuration.

Why am I getting `bind: address already in use` error when trying to install on Ubuntu?

Because 127.0.0.1:53, which is used for DNS, is already occupied by another program.

The easiest solution would be simply to choose a different network interface and bind it to your external IP (for instance, your Wi-Fi IP).

If for some reason you really want to bind to 127.0.0.1, read the explanation below.

Ubuntu comes with a local DNS server by default called systemd-resolved, which uses port 53 and thus prevents AdGuard Home from binding to it. To fix this, disable the systemd-resolved daemon. Luckily, AdGuard Home can detect such configurations and disable systemd-resolved for you if you press "Fix" button which is shown near the address already in use message.

Note that if you're using AdGuard Home with docker or snap, you'll have to do it yourself by following these steps:

Deactivate DNSStubListener and update DNS server address. Create a new file: /etc/systemd/resolved.conf.d/adguardhome.conf (create a /etc/systemd/resolved.conf.d directory if necessary) with the following content:
```
[Resolve]
DNS=127.0.0.1
DNSStubListener=no
```
Specifying 127.0.0.1 as DNS server address is necessary because otherwise the nameserver will be 127.0.0.53 which doesn't work without DNSStubListener.

Activate another resolv.conf file:

sudo mv /etc/resolv.conf /etc/resolv.conf.backup
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Restart DNSStubListener:

systemctl reload-or-restart systemd-resolved

How to configure a reverse proxy server for AdGuard Home?

If you're running a web server already and you want to access AdGuard Home dashboard UI from an URL like http://YOUR_SERVER/aghome/ you can use this configuration for your web server:

nginx

location /aghome/ {
    proxy_pass http://AGH_IP:AGH_PORT/;
    proxy_redirect / /aghome/;
    proxy_cookie_path / /aghome/;
}

caddy

:80/aghome/* {
    route {
        uri strip_prefix /aghome
        reverse_proxy AGH_IP:AGH_PORT
    }
}

Or, if you just want to serve AdGuard Home with automatic TLS, something similar to:

DOMAIN {
    encode gzip zstd
    tls YOUR_EMAIL@DOMAIN
    reverse_proxy AGH_IP:AGH_PORT
}

Disable DoH encryption on AdGuard Home

When you use TLS on your reverse proxy server, there's no need to use TLS on AdGuard Home. Set allow_unencrypted_doh: false in AdGuardHome.yaml to allow AdGuard Home respond to DoH requests without TLS encryption.

How to fix `permission denied` errors on Fedora?

Move the AdGuardHome binary to /usr/local/bin.
As root, execute the following command to change the security context of the file:
```
chcon -t bin_t /usr/local/bin/AdGuardHome
```

Add the required firewall rules in order to make it reachable through the network. For example:

firewall-cmd --new-zone=adguard --permanent
firewall-cmd --zone=adguard --add-source=192.168.0.14/24 --permanent
firewall-cmd --zone=adguard --add-port=3000/tcp --permanent
firewall-cmd --zone=adguard --add-port=53/udp --permanent
firewall-cmd --zone=adguard --add-port=80/tcp --permanent
firewall-cmd --reload

If you are still getting code=exited status=203/EXEC or similar errors from systemctl, try uninstalling AdGuard Home and installing directly into /usr/local/bin by using the -o option of the install script:

curl -s -S -L 'https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh' | sh -s -- -o '/usr/local/bin' -v

See issue 765 and issue 3281.

How to uninstall AdGuard Home?

The way to uninstall AdGuard Home depends on how you installed it.

IMPORTANT: After uninstalling AdGuard Home, don't forget to change your devices configuration and point them to a different DNS server.

Regular installation

In this case you need to do the following:

Unregister AdGuard Home service: ./AdGuardHome -s uninstall.
Remove the AdGuard Home directory.

Docker

Simply stop and remove the image.

Snap Store

snap remove adguard-home

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FAQ