AdGuard Home
AdGuard Home is a DNS-based, network-wide ad and tracker blocker. Every client on the home LAN is configured to point at it for resolution; AdGuard answers known ad/tracker domains with NXDOMAIN and forwards everything else upstream.
Why a DNS-level blocker
- Catches every device, no extension required. Smart TVs, phones, printers, anything DHCP-configured — they all stop reaching ad networks the moment the resolver does.
- Catches before the request leaves the LAN. Browser-side blocking still leaks DNS to the ISP; this doesn't.
- One config to maintain. Block-lists update via the AdGuard scheduler; clients don't need to know anything.
Why AdGuard, not Pi-hole
Pi-hole was the previous default. AdGuard ended up the pick here because:
- Single binary, no PHP/Lighttpd stack. Smaller container, simpler upgrades.
- DNS-over-HTTPS + DNS-over-TLS out of the box. Pi-hole bolts these on; AdGuard does them natively.
- Per-client rules / parental controls in the UI without third-party tooling.
Blocky and Unbound + hosts files are both reasonable alternatives. Either would do the job; AdGuard's UI is the differentiator for occasional administration.
Why on Maresa (the Synology), not on the cluster
DNS for the home LAN needs to keep working even when the Kubernetes cluster is down or being upgraded. Running AdGuard on the always-on Synology — same box that hosts Syncthing and the home NetBird agent — gives it a different blast radius from the cluster. A bad Talos upgrade can't take DNS resolution with it.
A second copy would be ideal for HA, but the home LAN already falls back to upstream resolvers if AdGuard is unreachable, which is good enough for a homelab.
Operational notes
- The blocklist refresh happens on AdGuard's own schedule — no Renovate involvement.
- The admin UI is published through the local Traefik at adguard.maresa.int.kueber.eu, on the internal TLD only.
- Custom DNS records for *.maresa.int.kueber.eu (Traefik dashboard, Syncthing UI, AdGuard UI itself) are added in the UI under Filters → DNS rewrites.
- If AdGuard goes down, set the UniFi DHCP scope to fall back to a public resolver until it's back; this is fastest from the UniFi UI under Settings → Internet → Advanced → DNS.
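A health probe for the failure modes above, as an added example (not part of the original page or the AdGuard project): it separates AdGuard being down from AdGuard answering but no longer filtering, a state the upstream fallback would otherwise hide. The IPv4 resolver address and both test names are supplied by the operator; the blocked name is assumed to be on an active blocklist and, as this page describes, answered with NXDOMAIN.

```python
import os
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Encode one A/IN question with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_reply(reply, txid):
    """Return (rcode name, answer count); ValueError if it is not our reply."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit clear
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), ancount

def probe(server, name, timeout=2.0):
    """Query server:53 over UDP; None means timeout or unusable reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            return parse_reply(s.recvfrom(512)[0], txid)
        except (OSError, ValueError):
            return None

def classify(blocked, allowed):
    """Combine the two probe results into one state for alerting."""
    if blocked is None and allowed is None:
        return "down"             # switch DHCP to the public resolver
    if allowed is None or allowed[0] != "NOERROR" or allowed[1] == 0:
        return "upstream-broken"  # AdGuard is up but cannot resolve
    if blocked is None or blocked[0] != "NXDOMAIN":
        return "not-filtering"    # DNS works, blocklists are not applied
    return "ok"

if __name__ == "__main__":
    # argv: resolver IP, a name on the blocklist, a name that must resolve
    server, blocked_name, allowed_name = sys.argv[1:4]
    print(classify(probe(server, blocked_name), probe(server, allowed_name)))
```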
Cluster Deployment
AdGuard Home — Maresa Docker host
Cluster-specific notes only. General product info and rationale live in docusaurus/docs/apps/adguard-home.mdx.
Layout
- Container image digest-pinned (adguard/adguardhome:v0.107.74).
- DNS published to the host on 53/tcp + 53/udp; admin UI on 3000/tcp (fronted by Traefik with TLS via Let's Encrypt DNS-01, acmedns resolver).
- Persistent state on the Synology volume: /volume1/docker/adguard-work (data) and /volume1/docker/adguard-conf (config).
- Joined to the shared web Docker network so it can be reached by Traefik.
Deviations from defaults
None — follows the standard Maresa docker-compose pattern (image-digest pin, host volume on /volume1/docker/<app>, fronted by Traefik on the internal *.maresa.int.kueber.eu zone).