Beginner · 11 min read · May 31, 2026 · Security

Why DNS Is Your Most Underrated Security Control

Learn how to deploy AdGuard Home as your network DNS resolver and ad blocker. Step-by-step guide covering installation, blocklists, DHCP, static leases, and production hardening.

DNS SECURITY

Every device on your network — phones, laptops, smart TVs, IoT sensors — resolves domain names before making any connection. DNS is the first step in every outbound request. That makes it the most powerful and most overlooked place to apply security controls.

Most home and small office networks rely on DNS servers provided by their ISP or router manufacturer. These servers log your queries, inject ads, and offer zero filtering. They have no awareness of malicious domains, no blocklists, and no way to give you visibility into what your devices are actually talking to.

AdGuard Home changes this entirely. It runs on your own hardware, resolves DNS locally, applies blocklists at the network level, and gives every device on your network ad blocking and threat filtering without installing anything on the devices themselves.

What AdGuard Home Actually Does

AdGuard Home is a network-wide DNS server and DHCP controller. When a device requests a domain that matches a blocklist entry, AdGuard returns a null response — the connection never happens. This works for every device on the network simultaneously, including devices where you cannot install software.

How DNS Filtering Works at the Network Level

Every DNS query from every device on your network passes through AdGuard Home before reaching the upstream resolver. Blocked domains never make it further.

Device DNS Query → AdGuard Home → Blocklist Check → Upstream DNS Resolver → Response Returned

DNS query lifecycle — from device request to network-level filtering

Network-Wide Coverage

Every device benefits automatically. No client software, browser extensions, or per-device configuration required.

Zero-Latency Blocking

Blocked domains are answered instantly with a null response — no round trip to an external server.

Query Visibility

Every DNS query is logged and searchable. You can see exactly what every device on your network is trying to reach.

Upstream Flexibility

AdGuard forwards non-blocked queries to any upstream resolver — including DNS-over-HTTPS and DNS-over-TLS providers.
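As an added illustration (not AdGuard Home's own code), the following Python script walks a query through the lifecycle above. It parses a small constructed blocklist in the two formats AdGuard Home accepts (adblock-style `||domain^` rules with `@@` exceptions, and hosts-file lines), answers blocked names with the null addresses 0.0.0.0 / :: so no upstream round trip happens, forwards everything else to a stand-in upstream table, and finally drops private addresses returned for names outside your local zones, which is the behaviour the rebinding-protection item in the hardening section refers to. The blocklist, the upstream table and the local-suffix list are all constructed for the example.

```python
"""Added example (not AdGuard Home's own code): a miniature network-level DNS
filter that follows the lifecycle described above. Blocklist, upstream table
and local-suffix list are all constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample blocklist mixing the two formats AdGuard Home accepts:
# adblock-style rules (||domain^ covers the domain and all its subdomains,
# @@ marks an exception) and classic hosts-file lines.
SAMPLE_BLOCKLIST = """
! constructed sample list
||ads.example^
||tracker.example^
@@||cdn.tracker.example^
0.0.0.0 telemetry.example
# hosts-format comment
127.0.0.1 localhost
"""

NULL_A, NULL_AAAA = "0.0.0.0", "::"

# Constructed stand-in for the upstream resolver (name -> answers). A real
# deployment forwards to the DoH/DoT upstreams configured in AdGuard Home.
UPSTREAM = {
    "example.com": ["93.184.216.34"],
    "cdn.tracker.example": ["151.101.1.1"],
    "evil-rebind.example": ["192.168.1.1"],   # public name answering with a LAN address
    "nas.home.arpa": ["192.168.1.20"],        # local name, private answer is expected
}
LOCAL_SUFFIXES = ("home.arpa", "lan")         # assumption: your internal zones


@dataclass
class Filter:
    blocked: set = field(default_factory=set)
    allowed: set = field(default_factory=set)

    @classmethod
    def from_text(cls, text):
        flt = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "!#":
                continue
            if line.startswith("@@||") and line.endswith("^"):
                flt.allowed.add(line[4:-1].lower())
            elif line.startswith("||") and line.endswith("^"):
                flt.blocked.add(line[2:-1].lower())
            else:
                parts = line.split()
                if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::", "::1"):
                    flt.blocked.update(h.lower() for h in parts[1:] if h != "localhost")
        return flt

    @staticmethod
    def _matches(name, rules):
        # ||example.com^ matches example.com itself and every label below it
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in rules for i in range(len(labels)))

    def is_blocked(self, name):
        # An @@ exception overrides a block rule, as in AdGuard's rule semantics
        return self._matches(name, self.blocked) and not self._matches(name, self.allowed)


def is_local_name(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in LOCAL_SUFFIXES)


def rebinding_safe(name, answers):
    """Drop private/loopback/link-local answers for names outside the local zones."""
    if is_local_name(name):
        return answers
    return [a for a in answers if not ipaddress.ip_address(a).is_private]


def resolve(flt, name, qtype="A"):
    """Return (verdict, answers): blocklist check first, upstream only if not blocked."""
    if flt.is_blocked(name):
        return "blocked", [NULL_A if qtype == "A" else NULL_AAAA]
    answers = UPSTREAM.get(name.lower().rstrip("."), [])
    safe = rebinding_safe(name, answers)
    if answers and not safe:
        return "rebinding-blocked", []
    return "resolved", safe


if __name__ == "__main__":
    flt = Filter.from_text(SAMPLE_BLOCKLIST)
    for q in ["ads.example", "x.ads.example", "cdn.tracker.example", "example.com",
              "evil-rebind.example", "nas.home.arpa"]:
        print(f"{q:24} -> {resolve(flt, q)}")
```

The null-IP answer shown here is AdGuard Home's default blocking mode; it can also be configured to answer blocked names with NXDOMAIN, REFUSED or a custom address, and client-side checks should accept whichever mode you chose.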

Deployment Overview

AdGuard Home runs as a host service or Docker container and takes over DNS and optionally DHCP for the entire network.

1. Install AdGuard Home on your server or dedicated device. It runs on Linux, macOS, Windows, and ARM — including Raspberry Pi.

2. Point your router's DHCP DNS setting to your AdGuard Home server IP. All devices will use it automatically on their next DHCP lease renewal.

3. Configure upstream DNS resolvers. Use DNS-over-HTTPS or DNS-over-TLS providers to encrypt queries that leave your network.

4. Enable blocklists. AdGuard ships with curated lists — add community lists for expanded coverage of ads, trackers, and malicious domains.

5. Optionally take over DHCP. Running AdGuard as your DHCP server lets you assign static leases and ensures all devices always use AdGuard for DNS.

Devices protected: All
Client install required: None
DNS query visibility: 100%
Blocklist sources: Unlimited

CONFIGURATION

Production Configuration: Beyond the Defaults

Upstream DNS Selection

The upstream resolver is where AdGuard forwards queries that are not blocked. The default options — Google or Cloudflare — work but send your query data to third parties. For a privacy-first setup, configure DNS-over-HTTPS with a resolver that has a strict no-logging policy.

AdGuard supports multiple upstreams simultaneously with load balancing and automatic failover. Configure at least two upstreams from different providers to ensure resolution continues if one is unreachable.

Blocklist Strategy

More blocklists are not always better. Overly aggressive lists block legitimate services and create support burden when things stop working. Start with AdGuard's default lists and the OISD blocklist — these cover the vast majority of ad and tracker domains with minimal false positives.

Add specialized lists incrementally and monitor the query log after each addition. Any sudden increase in blocked queries to known-good domains signals a list that needs adjustment or removal.

Static Leases and DHCP Control

When AdGuard takes over DHCP, you gain the ability to assign static IP addresses to devices by MAC address. This is essential for servers and infrastructure devices that need predictable addressing — and it eliminates the need to configure static IPs at the device level.

Static leases also make the query log more useful: instead of seeing raw IP addresses, you see hostnames for every device, making it immediately clear which device is generating unusual traffic patterns.

PRIVACY STACK

Extend Privacy Beyond DNS

Controlling your DNS queries is one layer of network privacy. Your email metadata — who you talk to, when, how often — is equally exposed with standard providers. Proton Mail applies end-to-end encryption to the layer most people ignore.


Hardening AdGuard Home for Production

A default AdGuard Home installation is already a significant improvement over ISP DNS. These hardening measures close the remaining gaps.

Layer 01 (DNS): Encrypted Upstream
  • Configure DNS-over-HTTPS or DNS-over-TLS for all upstream resolvers
  • Never send plaintext DNS queries to external servers
  • Use multiple upstream providers for redundancy
  • Validate DNSSEC on supported domains

Layer 02 (Access): Admin Interface
  • Restrict admin UI access to internal network only — never expose externally
  • Change default admin credentials immediately after installation
  • Disable the admin interface on the DNS port — use a separate management port
  • Enable HTTPS for the admin interface if accessible over the network

Layer 03 (Network): DNS Rebinding Protection
  • Enable DNS rebinding protection to block private IP responses from public domains
  • Configure safe search enforcement on major search engines
  • Block DoH/DoT bypass attempts from client devices
  • Prevent clients from using alternative DNS servers via firewall rules

Layer 04 (Logs): Query Log Management
  • Set query log retention to a value appropriate for your privacy requirements
  • Enable statistics but consider the privacy implications of long retention periods
  • Use the query log actively — unusual patterns indicate compromised or misbehaving devices
  • Export logs periodically if you need long-term traffic analysis
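Three passages above ask you to work the query log: watch for a jump in blocked queries to known-good domains after adding a list (Blocklist Strategy), let static leases turn raw IPs into hostnames (Static Leases and DHCP Control), and treat unusual per-device patterns as a sign of a misbehaving device (Layer 04). The script below is an added example, not AdGuard Home's own tooling, that does all three over a constructed query log. It reads JSON lines in the shape of AdGuard Home's `querylog.json` (the field names `T`, `IP`, `QH`, `QT` and `Result.IsFiltered` are as I understand that file; check them against your own), maps client IPs to hostnames from a constructed static-lease table, reports domains that only started being blocked after the list was enabled (with those that resolved fine before flagged as allowlist candidates), and lists devices whose blocked-query ratio is unusually high. `LIST_ADDED_AT`, the leases, and every log line are constructed sample data.

```python
"""Added example (not AdGuard Home's own tooling). Reads a query log in the
JSON-lines shape of AdGuard Home's querylog.json, resolves client IPs to the
hostnames from static DHCP leases, and reports newly blocked domains and noisy
devices. All data below is constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed static leases, as you would define them under DHCP -> Static leases
STATIC_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "192.168.1.20", "hostname": "nas"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "192.168.1.31", "hostname": "living-room-tv"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "192.168.1.45", "hostname": "laptop-ann"},
]

LIST_ADDED_AT = "2024-05-01T12:00:00Z"   # constructed: when the new blocklist was enabled

# Constructed log lines; 192.168.1.99 deliberately has no static lease
SAMPLE_LOG = "\n".join([
    '{"T":"2024-05-01T11:00:00Z","IP":"192.168.1.20","QH":"nas-update.example.com","QT":"A","Result":{"IsFiltered":false}}',
    '{"T":"2024-05-01T11:01:00Z","IP":"192.168.1.31","QH":"ads.tracker.example","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T11:02:00Z","IP":"192.168.1.31","QH":"telemetry.tv-vendor.example","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T11:03:00Z","IP":"192.168.1.31","QH":"cdn.example.net","QT":"A","Result":{"IsFiltered":false}}',
    '{"T":"2024-05-01T11:04:00Z","IP":"192.168.1.45","QH":"example.com","QT":"A","Result":{"IsFiltered":false}}',
    '{"T":"2024-05-01T11:05:00Z","IP":"192.168.1.45","QH":"cdn.example.net","QT":"A","Result":{"IsFiltered":false}}',
    '{"T":"2024-05-01T11:06:00Z","IP":"192.168.1.31","QH":"ads.tracker.example","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T12:10:00Z","IP":"192.168.1.45","QH":"cdn.example.net","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T12:11:00Z","IP":"192.168.1.31","QH":"cdn.example.net","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T12:12:00Z","IP":"192.168.1.31","QH":"ads.tracker.example","QT":"A","Result":{"IsFiltered":true}}',
    '{"T":"2024-05-01T12:13:00Z","IP":"192.168.1.20","QH":"example.org","QT":"A","Result":{"IsFiltered":false}}',
    '{"T":"2024-05-01T12:14:00Z","IP":"192.168.1.99","QH":"tracker.example","QT":"A","Result":{"IsFiltered":true}}',
])


def parse_ts(value):
    # ISO-8601 with a trailing Z; the replace keeps this working on Python < 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hostname_map(leases):
    """IP -> hostname, the enrichment static leases give the query log."""
    return {lease["ip"]: lease["hostname"] for lease in leases}


def parse_log(text, names):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entries.append({
            "ts": parse_ts(rec["T"]),
            "client": names.get(rec["IP"], rec["IP"]),   # hostname if leased, else raw IP
            "domain": rec["QH"].lower(),
            "blocked": bool(rec.get("Result", {}).get("IsFiltered", False)),
        })
    return entries


def blocked_ratio_by_client(entries):
    """client -> (blocked, total) query counts."""
    totals = defaultdict(lambda: [0, 0])
    for e in entries:
        totals[e["client"]][1] += 1
        if e["blocked"]:
            totals[e["client"]][0] += 1
    return {c: (b, t) for c, (b, t) in totals.items()}


def noisy_clients(entries, min_total=3, ratio=0.5):
    """Devices with enough queries and a blocked share at or above the threshold."""
    return sorted(c for c, (b, t) in blocked_ratio_by_client(entries).items()
                  if t >= min_total and b / t >= ratio)


def newly_blocked_domains(entries, cutoff):
    """Domains blocked after the cutoff that were never blocked before it, plus the
    subset that was resolving normally before (the likeliest false positives)."""
    cutoff = parse_ts(cutoff)
    before_blocked = {e["domain"] for e in entries if e["ts"] < cutoff and e["blocked"]}
    before_resolved = {e["domain"] for e in entries if e["ts"] < cutoff and not e["blocked"]}
    after = Counter(e["domain"] for e in entries
                    if e["ts"] >= cutoff and e["blocked"] and e["domain"] not in before_blocked)
    candidates = sorted(d for d in after if d in before_resolved)
    return after, candidates


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG, hostname_map(STATIC_LEASES))
    after, candidates = newly_blocked_domains(entries, LIST_ADDED_AT)
    print("newly blocked since list was added:", dict(after))
    print("allowlist review candidates:", candidates)
    print("noisy clients:", noisy_clients(entries))
    for client, (blocked, total) in sorted(blocked_ratio_by_client(entries).items()):
        print(f"  {client:16} {blocked}/{total} blocked")
```

Run it against an export of your own log by replacing `SAMPLE_LOG` with the file contents and `STATIC_LEASES` with your lease table; the unleased 192.168.1.99 entry shows why the hostname enrichment matters, since an unknown client querying tracker domains is exactly the pattern Layer 04 tells you to chase.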

Recommended Blocklist Configuration

A layered blocklist strategy that maximizes coverage while minimizing false positives.

Foundation Lists

Start here. AdGuard DNS filter and OISD Basic cover the majority of ads and trackers with very low false positive rates. Enable these on day one.

Extended Coverage

Add after the foundation is stable. These lists expand coverage to less common trackers, telemetry endpoints, and regional ad networks.

Security Lists

Block known malware domains, phishing sites, and command-and-control servers. These lists are maintained by security researchers and update frequently.

Custom Rules

Add domain-specific rules for your environment. Block services you never use, allowlist services that get caught by aggressive lists.

AdGuard Home Production Checklist

Verify each item before considering your DNS setup production-ready.

AdGuard Home running as a systemd service or Docker container with automatic restart on failure
Upstream DNS configured with DNS-over-HTTPS or DNS-over-TLS — no plaintext upstream queries
At least two upstream resolvers from different providers configured for redundancy
Router DHCP pointing all devices to AdGuard Home for DNS
Admin interface not accessible from outside your local network
Default admin credentials changed
Foundation blocklists enabled and query log monitored for false positives
DNS rebinding protection enabled
Static leases configured for all infrastructure devices
AdGuard DNS cache cleared after any new subdomain or service deployment

AdGuard Home caches DNS responses aggressively. After deploying a new internal service or subdomain, always clear the AdGuard DNS cache before testing — stale cache entries will cause resolution failures that appear as service errors. The cache can be cleared from the admin interface under Settings → DNS Settings → Clear DNS Cache.
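To verify the checklist items "router DHCP pointing all devices to AdGuard Home" and "foundation blocklists enabled" from an ordinary client, here is an added, dependency-free Python checker (not AdGuard Home's own tooling). It builds a DNS query by hand, sends it over UDP/53 to the resolver address you pass in, parses the wire-format reply and classifies it as resolved, blocked with a null address (AdGuard's default mode), or blocked with NXDOMAIN. The server address and the two domain names are placeholders you supply on the command line; the response bytes used in the offline self-test function are constructed.

```python
"""Added example, not AdGuard Home's own tooling: send a raw DNS query to a
resolver, parse the reply and classify it. Placeholders: the server IP and the
two domains are passed on the command line; sample_blocked_response() builds a
constructed reply for offline testing."""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A, txid=None):
    """Encode a standard recursive query; returns (packet, transaction id)."""
    txid = random.randrange(1, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1), txid


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Extract transaction id, rcode and A/AAAA answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(resp):
    """Map a parsed response to what it means for a filtering resolver."""
    if resp["rcode"] == 3:
        return "blocked-nxdomain"               # AdGuard configured for NXDOMAIN blocking
    if resp["rcode"] != 0:
        return f"error-rcode-{resp['rcode']}"
    if resp["answers"] and all(a in ("0.0.0.0", "::") for a in resp["answers"]):
        return "blocked-null"                   # AdGuard's default zero-IP answer
    return "resolved" if resp["answers"] else "no-answer"


def check(server, name, qtype=QTYPE_A, timeout=2.0):
    """Query the given resolver over UDP/53 and classify the result."""
    query, txid = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return classify(resp)


def sample_blocked_response(txid=0x1234):
    """Constructed reply: the question echoed back plus one A record of 0.0.0.0."""
    query, _ = build_query("ads.example", QTYPE_A, txid)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, 1, 10, 4) + socket.inet_aton("0.0.0.0")
    return header + query[12:] + answer


if __name__ == "__main__":
    # usage: python3 check_adguard.py <adguard-ip> <known-blocked-domain> <known-good-domain>
    server, blocked, good = sys.argv[1:4]
    print(blocked, "->", check(server, blocked))   # expect blocked-null or blocked-nxdomain
    print(good, "->", check(server, good))         # expect resolved
```

Run it once from a client with no resolver argument other than the AdGuard address to confirm blocking works, then run it again without specifying the server (for example with `dig` against the system resolver) to confirm the client actually received AdGuard via DHCP; if the second test resolves a domain the first one blocked, the device is still using another resolver. Clear the AdGuard cache first, as the note above says, so a stale entry is not mistaken for a filtering result.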
