What it is
A second AdGuard Home instance, running on the opposite Proxmox node from the primary, configured as my workstation's alternate DNS. Mirrors the primary's wildcard rewrite, blocklists, and DoH upstreams.
Why I run it
The primary AdGuard lives on a Docker LXC on the Optiplex node. If that node goes down — and it did once, hard, a few weeks ago — I lose .lab resolution and ad-blocking until it comes back. The secondary on the laptop node means my workstation can still resolve .lab URLs and still block ads through a single node failure.
Worth being honest about the scope: this is workstation-only failover, not network-wide DNS redundancy. Other devices on the LAN (phone, IoT, guests) get their DNS from the router and don't use either AdGuard. The original plan was network-wide via DHCP, but the primary was already workstation-only in practice — adding the secondary network-wide would have been a new design, not a redundancy improvement.
How it works
My workstation's active adapter has two DNS servers configured: primary AdGuard first, secondary AdGuard second. Windows' DNS client tries the primary, waits about five seconds, then falls over to the secondary. The user experience during a primary failure is a brief stall on the first query, then normal operation through the alternate.
Both AdGuards share identical settings: wildcard *.lab → NPM IP rewrite, DoH upstreams to Cloudflare and Google with Quad9 as bootstrap, AdGuard built-in filter plus OISD Big, optimistic caching on. Procedurally, I change the secondary first when I want to update a setting — it's the lower-blast-radius instance — then mirror to the primary.
Setup notes
- Host: a tiny native-install LXC on the laptop node, not Docker. Different deploy pattern from the primary, deliberately — I wanted the failover instance to fail independently from anything Docker-related.
- Reverse proxy: the admin UI is proxied through NPM; the resolver itself is on UDP/TCP 53.
- Backups: PBS captures the LXC; the AdGuardHome config is plain YAML on disk.
- Sync model: manual. There is no automatic mirror between the two AdGuards — I treat drift as my own responsibility.
Runbook
- Healthy looks like: web UI loads, query log shows traffic when the primary is offline, both AdGuards' settings pages match side-by-side.
- Workstation still hits primary when primary is down: Windows takes about five seconds to give up on the preferred DNS before falling over. ipconfig /flushdns plus a fresh nslookup forces the issue.
- "Test upstreams" fails on the secondary: outbound HTTPS to the DoH endpoints is the most likely culprit. Bootstrap DNS resolves the hostnames of the DoH servers, not the queries themselves — if bootstrap can't reach Quad9, the encrypted upstreams can't establish.
- A setting on secondary doesn't match primary: most likely drift from a primary-only change. Settings → DNS settings side by side, apply the missing change to whichever lags.
- What this does not protect: my workstation on cellular or external Wi-Fi. Tailscale routes back through the primary AdGuard's network, not the secondary, so remote .lab resolution still depends on the primary being up.
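A PowerShell check for the runbook's "healthy looks like" and drift items, added here as an example and not part of the original notes: it verifies the adapter's primary/secondary order, queries both AdGuards directly, flags answers that differ between them, and confirms the .lab wildcard lands on NPM. The AdGuard and NPM addresses are constructed placeholders and the probe names are assumptions.

```powershell
# Constructed placeholder addresses; replace with the real ones.
$Primary   = '192.0.2.10'   # primary AdGuard (Docker LXC, Optiplex node)
$Secondary = '192.0.2.20'   # secondary AdGuard (native LXC, laptop node)
$NpmIp     = '192.0.2.5'    # NPM, the target of the *.lab wildcard rewrite
# Assumed probe names: one behind the .lab wildcard, one ordinary public name.
$Probes = @('test.lab', 'example.com')

function Test-AdGuardResolver {
    param([string]$Server, [string]$Name)
    # -Server sends the query straight to that resolver instead of walking the
    # adapter's configured order; -DnsOnly skips LLMNR/NetBIOS fallbacks.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $rec = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $ans = ($rec | Where-Object Type -eq 'A' | ForEach-Object IPAddress | Sort-Object) -join ','
        [pscustomobject]@{ Server = $Server; Name = $Name; Answer = $ans; Ms = $sw.ElapsedMilliseconds }
    } catch {
        [pscustomobject]@{ Server = $Server; Name = $Name; Answer = "ERROR: $($_.Exception.Message)"; Ms = $sw.ElapsedMilliseconds }
    }
}

# 1. Adapter order must be primary first, secondary second, or failover won't behave as described.
$order = (Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses -contains $Primary }).ServerAddresses
if (-not $order -or $order[0] -ne $Primary -or $order[1] -ne $Secondary) {
    Write-Warning "Adapter DNS order is '$($order -join ', ')'; expected $Primary then $Secondary"
}

# 2. Ask both resolvers for every probe. An ERROR row on the primary next to a fast
#    answer on the secondary is what a healthy single-node failure looks like.
$results = foreach ($name in $Probes) {
    foreach ($server in @($Primary, $Secondary)) { Test-AdGuardResolver -Server $server -Name $name }
}
$results | Format-Table -AutoSize

# 3. Drift check: identical answers from both, and the .lab name must land on NPM.
foreach ($name in $Probes) {
    $p = $results | Where-Object { $_.Name -eq $name -and $_.Server -eq $Primary }
    $s = $results | Where-Object { $_.Name -eq $name -and $_.Server -eq $Secondary }
    if ($p.Answer -ne $s.Answer) { Write-Warning "DRIFT on ${name}: primary=$($p.Answer) secondary=$($s.Answer)" }
}
$results | Where-Object { $_.Name -like '*.lab' -and $_.Answer -ne $NpmIp } |
    ForEach-Object { Write-Warning "$($_.Server) answered '$($_.Answer)' for $($_.Name); expected NPM $NpmIp" }
```

Run it once with both nodes up to confirm no warnings, then again with the primary's LXC stopped to see the primary rows fail while the secondary rows still answer.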