-
Notifications
You must be signed in to change notification settings - Fork 1.9k
FAQ
- Why AdGuard Home doesn't block ads?
- How to configure AdGuard Home to write verbose-level logs
- How to show a custom block page
- After installing AdGuard Home, how to change dashboard interface's address?
- How to set up AdGuard Home as default DNS server?
- Are there any known limitations?
- Why am I getting
bind: address already in useerror when trying to install on Ubuntu? - How to configure a reverse proxy server for AdGuard Home?
- How to fix
permission deniederrors on Fedora? - How to fix
incompatible file systemerrors? - How to uninstall AdGuard Home?
Suppose that AdGuard Home must block somebadsite.com but for some reason it
doesn't. Let's try to resolve this issue.
Most likely you didn't configure your device to use AdGuard Home as its default DNS server. To check if you're using AdGuard Home as the default DNS server:
-
On Windows, open a Terminal window (Start → Run →
cmd.exe). On other systems, open your Terminal application. -
Execute
nslookup example.org. It will print something like this:Server: 192.168.0.1 Address: 192.168.0.1#53 Non-authoritative answer: Name: example.org Address: <IPv4> Name: example.org Address: <IPv6> -
Check if the
ServerIP address is the one on which AdGuard Home is running. If no, then you need to configure your device, see below. -
Ensure that your request to
example.orgappears in the AdGuard Home UI on the Query Log page. If not, then you need to configure AdGuard Home to listen on the specified network interface. The most straightforward way to do so is to reinstall AdGuard Home with default settings.
Now that you are sure that your device uses AdGuard Home as its default DNS server, the problem might be in AdGuard Home misconfiguration. Please check and ensure that:
-
You have the “Block domains using filters and hosts files” setting enabled on the “Settings → General settings” page.
-
You have the appropriate safety mechanisms, such as parental control, enabled on the “Settings → General settings”.
-
You have the appropriate filters enabled on the “Filters → DNS blocklists” page.
-
You don't have any filters that may interfere enabled on the “Filters → DNS allowlists” page.
-
You don't have any DNS rewrites that may interfere on the “Filters → DNS rewrites” page.
-
You don't have any custom filtering rules that may interfere on the “Filters → Custom filtering rules” page.
To troubleshoot a complicated issue, the verbose-level logging is sometimes required. Here's how to enable it:
-
Stop AdGuard Home:
./AdGuardHome -s stop
-
Configure AdGuard Home to write verbose-level logs:
-
Open
AdGuardHome.yamlin your editor. -
Set
log_fileto the desired path of the log file, for example/tmp/aghlog.txt. Note that the directory must exist. -
Set
verbosetotrue.
-
-
Restart AdGuard Home and reproduce the issue:
./AdGuardHome -s start
Before doing any of this, please note that modern browsers are set up to use HTTPS, and so they validate the certificate of the web server they're trying to reach for authenticity. That means that using any of these will result in warning screens.
There are a couple of proposed extensions that, when they become reasonably well supported by clients, would allow for a better user experience, including the RFC 8914 Extended DNS Error codes and the DNS Access Denied Error Page RFC draft. We'll implement them when browsers actually start to support them.
To use any of these ways to show a custom block page, you'll need an HTTP server
running on some IP address and serving the page in question on all routes.
Something like pixelserv-tls.
There is currently no way to set these parameters from the UI, so you'll need to edit the configuration file manually:
-
Stop AdGuard Home:
./AdGuardHome -s stop
-
Open
AdGuardHome.yamlin your editor. -
Set the
dns.parental_block_hostordns.safebrowsing_block_hostsettings to the IP address of the server (in this example,192.168.123.45):# … dns: # … # NOTE: Change to the actual IP address of your server. parental_block_host: 192.168.123.45 safebrowsing_block_host: 192.168.123.45
-
Restart AdGuard Home:
./AdGuardHome -s start
-
Open the web UI.
-
Open the “Settings → DNS settings” page.
-
In the “DNS server configuration” section, select the “Custom IP” radio button in the “Blocking mode” selector and enter the IPv4 and IPv6 addresses of the server.
-
Click “Save”.
-
Stop AdGuard Home:
./AdGuardHome -s stop
-
Open
AdGuardHome.yamlin your editor. -
Set the
bind_hostsetting to a new network interface. For example:-
0.0.0.0to listen on all network interfaces. -
127.0.0.1to listen on the local loopback interface only.
-
-
Optionally, set the
bind_portsetting to set a new port. -
Restart AdGuard Home:
./AdGuardHome -s start
See the “Configuring Devices” section on the “Getting Started” page.
Here are some examples of what cannot be blocked by a DNS-level blocker:
-
YouTube, Twitch ads.
-
Facebook, Twitter, Instagram sponsored posts.
Essentially, any advertising that shares a domain with content cannot be blocked by a DNS-level blocker.
DNS will never be enough to do this. Your only option is to use a content blocking proxy like what we do in the standalone AdGuard applications. We're going to bring this feature support to AdGuard Home in the future. Unfortunately, even in this case, there still will be cases when this won't be enough or would require quite complicated configuration.
Because 127.0.0.1:53, which is used for DNS, is already occupied by another
program.
The easiest solution would be simply to choose a different network interface and bind it to your external IP (for instance, your Wi-Fi IP).
If for some reason you really want to bind to 127.0.0.1, read the explanation
below.
Ubuntu comes with a local DNS server by default called systemd-resolved, which
uses port 53 and thus prevents AdGuard Home from binding to it. To fix this,
disable the systemd-resolved daemon. Luckily, AdGuard Home can detect such
configurations and disable systemd-resolved for you if you press "Fix" button
which is shown near the address already in use message.
Note that if you're using AdGuard Home with docker or snap, you'll have to do it yourself by following these steps:
-
Deactivate
DNSStubListenerand update DNS server address. Create a new file:/etc/systemd/resolved.conf.d/adguardhome.conf(create a/etc/systemd/resolved.conf.ddirectory if necessary) with the following content:[Resolve] DNS=127.0.0.1 DNSStubListener=no -
Specifying
127.0.0.1as DNS server address is necessary because otherwise the nameserver will be127.0.0.53which doesn't work withoutDNSStubListener. -
Activate another
resolv.conffile:sudo mv /etc/resolv.conf /etc/resolv.conf.backup sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
-
Restart
DNSStubListener:systemctl reload-or-restart systemd-resolved
If you're running a web server already and you want to access AdGuard Home
dashboard UI from an URL like http://YOUR_SERVER/aghome/ you can use this
configuration for your web server:
location /aghome/ {
proxy_pass http://AGH_IP:AGH_PORT/;
proxy_redirect / /aghome/;
proxy_cookie_path / /aghome/;
}
:80/aghome/* {
route {
uri strip_prefix /aghome
reverse_proxy AGH_IP:AGH_PORT
}
}
Or, if you just want to serve AdGuard Home with automatic TLS, something similar to:
DOMAIN {
encode gzip zstd
tls YOUR_EMAIL@DOMAIN
reverse_proxy AGH_IP:AGH_PORT
}
When you use TLS on your reverse proxy server, there's no need to use TLS on
AdGuard Home. Set allow_unencrypted_doh: true in AdGuardHome.yaml to allow
AdGuard Home respond to DoH requests without TLS encryption.
Since v0.107.0, you can set the parameter trusted_proxies to the IP
address(es) of your HTTP proxy to make AdGuard Home take the headers containing
the real client IP address into account. See the configuration page for
more information.
-
Move the
AdGuardHomebinary to/usr/local/bin. -
As
root, execute the following command to change the security context of the file:chcon -t bin_t /usr/local/bin/AdGuardHome
-
Add the required firewall rules in order to make it reachable through the network. For example:
firewall-cmd --new-zone=adguard --permanent firewall-cmd --zone=adguard --add-source=192.168.0.14/24 --permanent firewall-cmd --zone=adguard --add-port=3000/tcp --permanent firewall-cmd --zone=adguard --add-port=53/udp --permanent firewall-cmd --zone=adguard --add-port=80/tcp --permanent firewall-cmd --reload
If you are still getting code=exited status=203/EXEC or similar errors from
systemctl, try uninstalling AdGuard Home and installing directly into
/usr/local/bin by using the -o option of the install script:
curl -s -S -L 'https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh' | sh -s -- -o '/usr/local/bin' -vSee issue 765 and issue 3281.
You should move your AdGuard Home installation or working directory to another location. See the limitations section section on the “Getting Started” page.
The way to uninstall AdGuard Home depends on how you installed it.
IMPORTANT: After uninstalling AdGuard Home, don't forget to change your devices configuration and point them to a different DNS server.
In this case you need to do the following:
-
Unregister AdGuard Home service:
./AdGuardHome -s uninstall. -
Remove the AdGuard Home directory.
Simply stop and remove the image.
snap remove adguard-home