常見問答集
Why doesn’t AdGuard Home block ads or threats?
Suppose that you want AdGuard Home to block somebadsite.com but for some reason it doesn’t. Let’s try to solve this problem.
Most likely, you haven’t configured your device to use AdGuard Home as the default DNS server. To check if you’re using AdGuard Home as your default DNS server:
On Windows, open Command Prompt (Start → Run →
cmd.exe). On other systems, open your Terminal application.Execute
nslookup example.org. It will print something like this:Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: example.org
Address: <IPv4>
Name: example.org
Address: <IPv6>Check if the
ServerIP address is the one where AdGuard Home is running. If not, you need to configure your device accordingly. See below how to do this.Ensure that your request to
example.orgappears in the AdGuard Home UI on the Query Log page. If not, you need to configure AdGuard Home to listen on the specified network interface. The easiest way to do this is to reinstall AdGuard Home with default settings.
If you are sure that your device is using AdGuard Home as its default DNS server, but the problem persists, it may be due to a misconfiguration of AdGuard Home. Please check and make sure that:
You have enabled the Block domains using filters and hosts files setting on the Settings → General settings page.
You have enabled the appropriate security mechanisms, such as Parental Control, on the same page.
You have enabled the appropriate filters on the Filters → DNS blocklists page.
You don’t have any exception rule lists that may allow the requests enabled on the Filters → DNS allowlists page.
You don’t have any DNS rewrites that may interfere on the Filters → DNS rewrites page.
You don’t have any custom filtering rules that may interfere on the Filters → Custom filtering rules page.
What does “Blocked by CNAME or IP” in the query log mean?
AdGuard Home checks both DNS requests and DNS responses to prevent an adblock evasion technique known as CNAME cloaking. That is, if your filtering rules contain a domain, say tracker.example, and a DNS response for some other domain name, for example blogs.example, contains this domain name among its CNAME records, that response is blocked, because it actually leads to the blocked tracking service.
Where can I view the logs?
The default location of the plain-text logs (not to be confused with the query logs) depends on the operating system and installation mode:
OpenWrt Linux: use the
logread -e AdGuardHomecommand.Linux systems with systemd and other Unix systems with SysV-style init:
/var/log/AdGuardHome.err.macOS:
/var/log/AdGuardHome.stderr.log.Linux systems with Snapcraft use the
snap logs adguard-homecommand.FreeBSD:
/var/log/daemon.log.OpenBSD:
/var/log/daemon.Windows: the Windows Event Log is used.
How do I configure AdGuard Home to write verbose-level logs?
To troubleshoot a complicated issue, the verbose-level logging is sometimes required. Here’s how to enable it:
Stop AdGuard Home:
./AdGuardHome -s stopConfigure AdGuard Home to write verbose-level logs:
Open
AdGuardHome.yamlin your editor.Set
log.fileto the desired path of the log file, for example/tmp/aghlog.txt. Note that the directory must exist.Set
log.verbosetotrue.
Restart AdGuard Home and reproduce the issue:
./AdGuardHome -s startOnce you’re done with the debugging, set
log.verboseback tofalse.
How do I show a custom block page?
Before doing any of this, please note that modern browsers are set up to use HTTPS, so they validate the authenticity of the web server certificate. This means that using any of these will result in warning screens.
There is a number of proposed extensions that, if reasonably well supported by clients, would provide a better user experience, including the RFC 8914 Extended DNS Error codes and the DNS Access Denied Error Page RFC draft. We’ll implement them when browsers actually start to support them.
Prerequisites
To use any of these methods to display a custom block page, you’ll need an HTTP server running on some IP address and serving the page in question on all routes. Something like pixelserv-tls.
Custom block page for Parental Control and Safe Browsing filters
There is currently no way to set these parameters from the UI, so you’ll need to edit the configuration file manually:
Stop AdGuard Home:
./AdGuardHome -s stopOpen
AdGuardHome.yamlin your editor.Set the
dns.parental_block_hostordns.safebrowsing_block_hostsettings to the IP address of the server (in this example,192.168.123.45):# …
dns:
# …
# NOTE: Change to the actual IP address of your server.
parental_block_host: 192.168.123.45
safebrowsing_block_host: 192.168.123.45Restart AdGuard Home:
./AdGuardHome -s start
Custom block page for other filters
Open the web UI.
Navigate to Settings → DNS settings.
In the DNS server configuration section, select the Custom IP radio button in the Blocking mode selector and enter the IPv4 and IPv6 addresses of the server.
Click Save.
How do I change dashboard interface’s address?
Stop AdGuard Home:
./AdGuardHome -s stopOpen
AdGuardHome.yamlin your editor.Set the
http.addresssetting to a new network interface. For example:0.0.0.0:0to listen on all network interfaces;0.0.0.0:8080to listen on all network interfaces with port8080;127.0.0.1:0to listen on the local loopback interface only.
Restart AdGuard Home:
./AdGuardHome -s start
How do I set up AdGuard Home as default DNS server?
See the Configuring Devices section on the Getting Started page.
Are there any known limitations?
Here are some examples of what cannot be blocked by a DNS-level blocker:
YouTube, Twitch ads.
Facebook, X (formerly Twitter), Instagram sponsored posts.
Basically, any ad that shares a domain with content cannot be blocked by a DNS-level blocker, unless you are ready to block the content as well.
Any possibility of dealing with this in the future?
DNS will never be enough to do this. Your only option is to use a content blocking proxy like what we do in the standalone AdGuard applications. We’ll be adding support for this feature to AdGuard Home in the future. Unfortunately, even then there will still be cases where it won’t be enough or it will require quite complicated configuration.
Why do I get bind: address already in use error when trying to install on Ubuntu?
This happens because the port 53 on localhost, which is used for DNS, is already taken by another program. Ubuntu comes with a local DNS called systemd-resolved, which uses the address 127.0.0.53:53, thus preventing AdGuard Home from binding to 127.0.0.1:53. You can see this by running:
sudo lsof -i :53
The output should be similar to:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 14542 systemd-resolve 13u IPv4 86178 0t0 UDP 127.0.0.53:domain
systemd-r 14542 systemd-resolve 14u IPv4 86179 0t0 TCP 127.0.0.53:domain
To fix this, you must either disable the systemd-resolved daemon or choose a different network interface and bind your AdGuard Home to an accessible IP address on it, such as the IP address of your router inside your network. But if you do need to listen on localhost, there are several solutions.
Firstly, AdGuard Home can detect such configurations and disable systemd-resolved for you if you press the Fix button located next to the address already in use message on the installation screen.
Secondly, if that doesn’t work, follow the instructions below. Note that if you’re using AdGuard Home with docker or snap, you’ll have to do this yourself.
Create the
/etc/systemd/resolved.conf.ddirectory, if necessary:sudo mkdir -p /etc/systemd/resolved.conf.dDeactivate
DNSStubListenerand update DNS server address. To do that, create a new file,/etc/systemd/resolved.conf.d/adguardhome.conf, with the following content:[Resolve]
DNS=127.0.0.1
DNSStubListener=no
Specifying 127.0.0.1 as the DNS server address is necessary. Otherwise the nameserver will be 127.0.0.53 which won’t work without DNSStubListener.
Activate another
resolv.conffile:sudo mv /etc/resolv.conf /etc/resolv.conf.backup
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.confRestart
DNSStubListener:sudo systemctl reload-or-restart systemd-resolved
After that, systemd-resolved shouldn’t be shown in the output of lsof, and AdGuard Home should be able to bind to 127.0.0.1:53.
How do I configure a reverse proxy server for AdGuard Home?
If you’re already running a web server and want to access the AdGuard Home dashboard UI from a URL like http://YOUR_SERVER/aghome/, you can use this configuration for your web server:
nginx
location /aghome/ {
proxy_cookie_path / /aghome/;
proxy_pass http://AGH_IP:AGH_PORT/;
proxy_redirect / /aghome/;
proxy_set_header Host $host;
}
caddy
:80/aghome/* {
route {
uri strip_prefix /aghome
reverse_proxy AGH_IP:AGH_PORT
}
}
Or, if you only want to serve AdGuard Home with automatic TLS, use a configuration similar to the example shown below:
DOMAIN {
encode gzip zstd
tls YOUR_EMAIL@DOMAIN
reverse_proxy AGH_IP:AGH_PORT
}
Apache
<VirtualHost *:80>
ProxyPass "/" "http://AGH_IP:AGH_PORT/"
ProxyPassReverse "/" "http://AGH_IP:AGH_PORT/"
PreserveHost On
</VirtualHost>
Do not use subdirectories with the Apache reverse HTTP proxy. It's a known issue (#6604) that Apache handles relative redirects differently than other web servers. This causes problems with the AdGuard Home web interface.
Disable DoH encryption on AdGuard Home
If you’re using TLS on your reverse proxy server, you don’t need to use TLS on AdGuard Home. Set allow_unencrypted_doh: true in AdGuardHome.yaml to allow AdGuard Home to respond to DoH requests without TLS encryption.
Real IP addresses of clients
You can set the parameter trusted_proxies to the IP address(es) of your HTTP proxy to make AdGuard Home consider the headers containing the real client IP address. See the configuration and encryption pages for more information.
How do I fix permission denied errors on Fedora?
Move the
AdGuardHomebinary to/usr/local/bin.As
root, execute the following command to change the security context of the file:chcon -t bin_t /usr/local/bin/AdGuardHomeAdd the required firewall rules in order to make it reachable through the network. For example:
firewall-cmd --new-zone=adguard --permanent
firewall-cmd --zone=adguard --add-source=192.168.0.14/24 --permanent
firewall-cmd --zone=adguard --add-port=3000/tcp --permanent
firewall-cmd --zone=adguard --add-port=53/udp --permanent
firewall-cmd --zone=adguard --add-port=80/tcp --permanent
firewall-cmd --reload
If you are still getting code=exited status=203/EXEC or similar errors from systemctl, try uninstalling AdGuard Home and installing it directly into /usr/local/bin by using the -o option of the install script:
curl -s -S -L 'https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh' | sh -s -- -o '/usr/local/bin' -v
See issue 765 and issue 3281.
How do I fix incompatible file system errors?
You should move your AdGuard Home installation or working directory to another location. See the limitations section on the Getting Started page.
What does Error: control/version.json mean?
This error message means that AdGuard Home was unable to reach AdGuard servers to check for updates and/or download them. This could mean that the servers are blocked by your ISP or are temporarily down. If the error does not resolve itself after some time, you can try performing a manual update or disabling the automatic update check by running the AdGuardHome executable with the --no-check-update command-line option.
How do I update AdGuard Home manually?
If the button isn’t displayed or an automatic update has failed, you can update manually. In the examples below, we’ll use AdGuard Home versions for Linux and Windows for AMD64 CPUs.
Unix (Linux, macOS, BSD)
Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line, type:
curl -L -S -o '/tmp/AdGuardHome_linux_amd64.tar.gz' -s\
'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'Or, with
wget:wget -O '/tmp/AdGuardHome_linux_amd64.tar.gz'\
'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'Navigate to the directory where AdGuard Home is installed. On most Unix systems the default directory is
/opt/AdGuardHome, but on macOS it’s/Applications/AdGuardHome.Stop AdGuard Home:
sudo ./AdGuardHome -s stopOpenBSDOn OpenBSD, you will probably want to use
doasinstead ofsudo.Backup your data. That is, your configuration file and the data directory (
AdGuardHome.yamlanddata/by default). For example, to backup your data to a new directory called~/my-agh-backup:mkdir -p ~/my-agh-backup
cp -r ./AdGuardHome.yaml ./data ~/my-agh-backup/Extract the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your
~/Downloadsdirectory and want to extract it to/tmp/:tar -C /tmp/ -f ~/Downloads/AdGuardHome_linux_amd64.tar.gz -x -v -zOn macOS, type something like:
unzip -d /tmp/ ~/Downloads/AdGuardHome_darwin_amd64.zipReplace the old AdGuard Home executable file with the new one. On most Unix systems the command would look something like this:
sudo cp /tmp/AdGuardHome/AdGuardHome /opt/AdGuardHome/AdGuardHomeOn macOS, something like:
sudo cp /tmp/AdGuardHome/AdGuardHome /Applications/AdGuardHome/AdGuardHomeYou may also want to copy the documentation parts of the package, such as the change log (
CHANGELOG.md), the README file (README.md), and the license (LICENSE.txt).You can now remove the temporary directory.
Restart AdGuard Home:
sudo ./AdGuardHome -s start
Windows (Using PowerShell)
In all examples below, the PowerShell must be run as Administrator.
Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line:
$outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
$aghUri = 'https://static.adguard.com/adguardhome/release/AdGuardHome_windows_amd64.zip'
Invoke-WebRequest -OutFile "$outFile" -Uri "$aghUri"Navigate to the directory where AdGuard Home was installed. In the examples below, we’ll use
C:\Program Files\AdGuardHome.Stop AdGuard Home:
.\AdGuardHome.exe -s stopBackup your data. That is, your configuration file and the data directory (
AdGuardHome.yamlanddata/by default). For example, to backup your data to a new directory calledmy-agh-backup:$newDir = Join-Path -Path $Env:USERPROFILE -ChildPath 'my-agh-backup'
New-Item -Path $newDir -ItemType Directory
Copy-Item -Path .\AdGuardHome.yaml, .\data -Destination $newDir -RecurseExtract the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your
Downloadsdirectory and want to extract it to a temporary directory:$outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
Expand-Archive -Path "$outFile" -DestinationPath $Env:TEMPReplace the old AdGuard Home executable file with the new one. For example:
$aghExe = Join-Path -Path $Env:TEMP -ChildPath 'AdGuardHome\AdGuardHome.exe'
Copy-Item -Path "$aghExe" -Destination .\AdGuardHome.exeYou may also want to copy the documentation parts of the package, such as the change log (
CHANGELOG.md), the README file (README.md), and the license (LICENSE.txt).You can now remove the temporary directory.
Restart AdGuard Home:
.\AdGuardHome.exe -s start
How do I uninstall AdGuard Home?
Depending on how you installed AdGuard Home, there are different ways to uninstall it.
Before uninstalling AdGuard Home, don’t forget to change the configuration of your devices and point them to a different DNS server.
Regular installation
In this case, do the following:
Unregister AdGuard Home service:
./AdGuardHome -s uninstall.Remove the AdGuard Home directory.
Docker
Simply stop and remove the image.
Snap Store
snap remove adguard-home