What it is
AdGuard Home is a DNS server with ad-blocking and parental-control features built in. Every DNS query from my main workstation goes through it: ad/tracker domains return 0.0.0.0, internal hostnames get rewritten to a local IP, and everything else gets forwarded encrypted to a public resolver.
Why I run it
Two jobs. First, ad-block at the DNS layer — kills ads everywhere on the machine without per-browser extensions and without breaking apps the way some content-blockers do. Second, and this is the operationally important one: AdGuard owns the wildcard rewrite that lets *.lab resolve to my reverse proxy. Without that single rewrite, none of the internal hostnames in this catalog would work.
How I use it
The rewrite list is famously short: one wildcard entry, *.lab → <NPM IP>. That single line means I can add a new service to the catalog with one entry in Nginx Proxy Manager and no DNS change at all. Adding new internal hostnames used to mean updating two places (DNS + proxy) and the two would drift; the wildcard collapses the problem.
Upstreams are configured as DNS-over-HTTPS to Cloudflare and Google (parallel resolution mode), bootstrapped via Quad9 over plain DNS so the encrypted connections can establish. Two blocklists are active: AdGuard's built-in filter (~166k rules) and OISD Big (~250–300k rules). Optimistic caching is on.
Setup notes
- Host: a Docker container on the edge LXC, alongside Nginx Proxy Manager and Uptime Kuma.
- Reverse proxy: yes, for the admin UI — the resolver itself listens on UDP/TCP 53 directly.
- Backups: container config in the PBS schedule for the host LXC.
- Update cadence: manual, alongside other infra updates. Watchtower advisor flags new versions for review.
- Failover: a second AdGuard instance lives on the other Proxmox node and is configured as my workstation's alternate DNS. See adguard-secondary.
Runbook
- Healthy looks like: web UI loads, query log shows live traffic, recent queries show a mix of blocked and forwarded.
- All .lab services unreachable from my desktop: primary AdGuard is probably down. Windows DNS client fails over to the secondary after about five seconds. If it doesn't, check which DNS the active adapter is actually using.
- One specific .lab hostname doesn't resolve: check that the wildcard rewrite is still enabled, and that there's no override entry below it pointing somewhere wrong.
- Devices other than my desktop can't resolve .lab: expected — only my workstation has AdGuard configured as its DNS. The router hands out the ISP's DNS to everything else on the LAN.
- Where logs live: Query Log in the admin UI for per-request detail; Docker logs on the host for the resolver process itself.
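An added example, not part of this catalog entry and not AdGuard Home's own tooling: a PowerShell script that runs the runbook checks above from the Windows workstation. It reports which resolvers the active adapter is using, probes both instances with a random label under .lab (which only the wildcard rewrite can answer, so it also demonstrates why no DNS change is needed per service), separates "one hostname broken" from "wildcard broken", and confirms a blocklisted name comes back as 0.0.0.0. Every IP address, the service hostname and the blocklisted domain are assumed placeholders; replace them with your own values.

```powershell
# Runbook checks for the AdGuard -> *.lab -> NPM chain, run on the Windows workstation.
# All addresses and names below are assumed placeholders; replace them with your own.
$Primary      = '10.0.0.2'                    # assumed: primary AdGuard Home IP
$Secondary    = '10.0.0.3'                    # assumed: secondary AdGuard Home IP (adguard-secondary)
$NpmIp        = '10.0.0.5'                    # assumed: the <NPM IP> the *.lab wildcard answers with
$KnownBlocked = 'some-blocked-domain.example'  # placeholder: any domain you know is on an active blocklist
$Specific     = 'someservice.lab'             # placeholder: the one hostname that is misbehaving

# Ask one server directly for A records; any failure (NXDOMAIN, SERVFAIL, timeout) becomes "no answer".
function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    } catch {
        @()
    }
}

# 1. Which resolvers is the active adapter actually using? Healthy means primary, then secondary.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Does each instance still answer the wildcard? A random label under .lab has no explicit
#    entry anywhere, so only the *.lab rewrite can produce $NpmIp.
$probe = "probe-$(Get-Random).lab"
foreach ($server in $Primary, $Secondary) {
    $ips    = @(Get-ARecords -Name $probe -Server $server)
    $status = if ($ips -contains $NpmIp) { 'OK' } else { 'FAIL: instance down or wildcard rewrite disabled' }
    '{0,-12} wildcard *.lab -> [{1}]  {2}' -f $server, ($ips -join ','), $status
}

# 3. One specific hostname failing while the wildcard works points at an override entry
#    below the wildcard, not at the wildcard itself. Compare the two against the primary.
$specificIps = @(Get-ARecords -Name $Specific -Server $Primary)
$probeIps    = @(Get-ARecords -Name $probe    -Server $Primary)
if ($specificIps -contains $NpmIp) {
    "$Specific resolves to NPM as expected"
} elseif ($probeIps -contains $NpmIp) {
    "$Specific -> [$($specificIps -join ',')] but the wildcard works: look for an override entry for $Specific in the rewrite list"
} else {
    "neither $Specific nor the wildcard resolves: the primary instance or the wildcard rule is down"
}

# 4. Blocking sanity: a blocklisted domain must come back as 0.0.0.0 (the behaviour described
#    above), not as its real address, which would mean the blocklists are not loaded.
$blockedIps = @(Get-ARecords -Name $KnownBlocked -Server $Primary)
if ($blockedIps -contains '0.0.0.0') {
    "blocklist active: $KnownBlocked -> 0.0.0.0"
} else {
    "WARNING: $KnownBlocked -> [$($blockedIps -join ',')]; blocklists may not be loaded on $Primary"
}
```

Run it as the normal user; none of these cmdlets need elevation. Querying each instance explicitly with -Server is the point: the adapter's configured order tells you what Windows will try, but only a direct query tells you whether the secondary would actually answer if the primary went away.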