Pi-hole vs AdGuard: the honest version
Pi-hole is technically excellent. It is mature, well documented, and has an active community. The problem is that the default blocklist is aggressive enough to break a few legitimate sites every week, and you end up whitelisting domains while the rest of the household waits for things to work again. I ended up with a whole text file of exceptions and was still dealing with it months later.
AdGuard Home has much more conservative defaults. It blocks the obvious without hitting the innocent. On top of that, parental controls and safe search work out of the box without extra configuration, and per-client rules give you granular control without needing a weekend to set up.
Pi-hole is still the right choice for power users who want full control and nobody at home complaining. AdGuard is the right choice for everyone else.
What you need
- Raspberry Pi (3, 4, or 5) running Raspberry Pi OS Bookworm/Bullseye, or Ubuntu Server 22.04/24.04
- USB3 SSD adapter + 120 GB+ SSD (strongly recommended over SD card; see the Pi-hole guide for details)
- Docker and Docker Compose installed
- SSH access
- A static or reserved IP address for the Pi
If you have not set a static IP yet, the process is covered in the Pi-hole setup guide. The steps are identical.
Docker Compose installation
AdGuard Home runs as a single binary, but Docker Compose makes it easy to update and manage alongside other services on the same Pi.
Create a directory and a docker-compose.yml:
mkdir ~/adguardhome && cd ~/adguardhomeversion: "3"
services:
adguardhome:
image: adguard/adguardhome:latest
container_name: adguardhome
restart: unless-stopped
ports:
- "53:53/tcp"
- "53:53/udp"
- "80:80/tcp"
- "3000:3000/tcp"
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/confStart the container:
docker compose up -dAdGuard Home is now running and waiting for initial configuration via the setup wizard on port 3000.
The setup wizard (port 3000)
The first time you need to go through a wizard. Navigate to:
http://[pi-ip]:3000The wizard asks you to select a network interface, set an admin username and password, and then shows what you need to configure on your router. Use the IP you have reserved for the Pi.
Once the wizard finishes, the web interface is available on port 80:
http://[pi-ip]Port 3000 is only used for the initial setup.
Router DNS configuration
For all devices on the network to use AdGuard Home, point your router's DHCP DNS at the Pi's IP. Log in to your router (typically 192.168.1.1 or 192.168.0.1), find the DHCP settings, and set the primary DNS to the Pi's IP.
Primary DNS: 192.168.1.100 (Pi's IP)
Secondary DNS: 1.1.1.1 (Cloudflare fallback)Restart devices on your network or renew their DHCP lease so they start using AdGuard Home.
DNS upstream and DoH
Under Settings, DNS settings, you can choose upstream DNS servers. The defaults are fine, but you can switch to Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or enable DNS-over-HTTPS directly from the interface:
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-queryAdGuard Home supports DoH and DoT with no extra configuration. It is built in from the start, unlike Pi-hole where you need Unbound or a separate DoH proxy to get the same result.
Blocklists: the default is good enough
The setup wizard adds the AdGuard DNS filter automatically. It covers around 50,000 domains and is deliberately conservative. Most households do not need more than that.
If you want more coverage, go to Filters, DNS blocklists, Add blocklist. OISD Basic is a good choice:
https://big.oisd.nl/Steven Black is an alternative but more aggressive. Start with OISD Basic and see if it causes false positives on your network before adding more. It is easier to add later than to figure out what broke because a blocklist was too heavy-handed.
Update all blocklists via Filters, DNS blocklists, Update all. This also happens automatically on the default schedule.
Parental controls and Safe Search
This is where AdGuard Home differs most from Pi-hole. Go to Settings, General settings:
- Parental control: Blocks categories like adult content and gambling at the DNS level
- Safe search: Forces Google, Bing, and YouTube into safe search mode
Both are enabled with a single click. Pi-hole can achieve something similar but it requires manual DNS overrides and extra blocklists. Here it is just a toggle, and it works.
Per-client rules
Under Settings, Client settings, you can add devices by MAC address or IP and give them individual settings. Kids' tablets can have parental control enabled and safe search forced, while the adults' machines run with standard settings.
If you do not know the MAC addresses, you can find them in your router's DHCP table or directly in AdGuard Home's query log, which identifies clients automatically.
Test that it works
From a terminal on any device on your network:
nslookup doubleclick.net [pi-ip]If the response is 0.0.0.0, AdGuard Home is blocking correctly. The Query Log in the web interface shows which rule matched and whether the request was blocked or allowed. It is significantly more detailed than Pi-hole's default log.
Useful commands
# Restart AdGuard Home
docker compose restart adguardhome
# Follow logs
docker compose logs -f adguardhome
# Stop
docker compose down
# Update to a new version
docker compose pull && docker compose up -dWhat AdGuard does NOT do
AdGuard Home blocks DNS queries, not HTTPS traffic. YouTube ads are served from Google's own domains and bypass DNS blocking entirely. That is not a bug. It is an architectural constraint of DNS-based blocking in general, and Pi-hole has the same limitation.
Apps with hardcoded DNS servers bypass AdGuard Home the same way they bypass Pi-hole. It is not common but it happens. The fix is DNS interception on the router, but that is outside the scope of this guide.
AdGuard Home does not do HTTPS inspection either. It sees the domain name in the DNS query, not the content of the HTTPS traffic.
For most households, AdGuard is the right choice
Pi-hole is still excellent software, but it is built for people who want to maintain it. AdGuard Home requires far less ongoing attention, has better defaults for a family network, and delivers parental controls without extra work.
Installation takes 15 minutes. Configuration is straightforward. And for the next six months you will not spend a weekend whitelisting domains you have never heard of.