What is DNS-based ad blocking?
Your DNS resolver returns NXDOMAIN for known ad and tracker domains instead of the real IP address. The browser tries to load the ad, gets told the domain does not exist, and gives up. No ad. No browser extension required.
It works at the network level, so every device on your network is covered: phones, TVs, IoT devices, anything that uses your Pi as its DNS server. A solid starting blocklist for both tools is OISD full, maintained at oisd.nl. It covers most ad and tracking domains without over-blocking.
Pi-hole
Pi-hole is the oldest and most widely used option. r/pihole on Reddit has over 500,000 members, and there are guides, scripts and troubleshooting threads for almost every situation you could run into. The project integrates well with dnsmasq, so you can configure local DNS records and split DNS for your home network.
The weaknesses are real. Setup requires more configuration, and DNS-over-HTTPS is not built in. You need to install an extra tool like cloudflared or stubby and configure it separately. No native DNS-over-TLS support either. The web UI is functional but looks like it last received a design update for Internet Explorer 9.
For edge cases involving complex split DNS or local DNS zones, Pi-hole gives you more to work with. It is the right choice if you already know your way around dnsmasq.
AdGuard Home
AdGuard Home is a single Go binary with no dependencies. DNS-over-HTTPS and DNS-over-TLS are configured directly in the settings panel, no extra software needed. You can set client-level rules so a specific device uses a different upstream DNS than the rest of the network. Updates are handled automatically.
The UI is noticeably better than Pi-hole's. Responsive, clear, and you do not need to know dnsmasq syntax to get started. The blocklist ecosystem is slightly smaller than Pi-hole's, but OISD works perfectly.
The downside is a smaller community. Troubleshooting documentation for edge cases is not as thorough as Pi-hole's. You will rarely hit that wall in practice, but it does happen.
Feature comparison
| Feature | Pi-hole | AdGuard Home |
|---|---|---|
| DNS-over-HTTPS (DoH) | Via cloudflared (extra step) | Built-in |
| DNS-over-TLS (DoT) | Not native | Built-in |
| Client-specific rules | No | Yes |
| DHCP server | Yes | Yes |
| Web UI | Functional, dated | Modern, responsive |
| Installation | Bash script or Docker | Single binary or Docker |
| Community | Very large (r/pihole 500k+) | Growing but smaller |
| Active development | Yes | Yes |
| Licence | EUPL-1.2 | GPL-3.0 |
Installation: AdGuard Home
The Docker Compose method is the recommended approach on a Pi setup already running Docker:
```yaml
services:
  adguardhome:
    image: adguard/adguardhome:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"      # DNS over TCP
      - "53:53/udp"      # DNS over UDP
      - "3000:3000/tcp"  # initial setup UI
      - "80:80/tcp"      # web UI after setup
    volumes:
      - ./adguard/work:/opt/adguardhome/work   # runtime data
      - ./adguard/conf:/opt/adguardhome/conf   # configuration
```
Port 53 requires running `sudo sysctl -w net.ipv4.ip_unprivileged_port_start=0` on some Pi OS versions, or using `network_mode: host` in the Compose file.
The setup wizard runs on port 3000 on first boot, then moves to port 80.
Installation: Pi-hole
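```yaml
services:
  pihole:
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"    # DNS over TCP
      - "53:53/udp"    # DNS over UDP
      - "8080:80/tcp"  # web UI on host port 8080
    environment:
      TZ: 'Europe/Copenhagen'
      # Placeholder (Danish for "change this"): set your own admin password before first start
      WEBPASSWORD: 'skift_dette'
    volumes:
      - ./pihole/etc:/etc/pihole
      - ./pihole/dnsmasq.d:/etc/dnsmasq.d
```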
Which should you pick?
New setup today: AdGuard Home. Simpler, DoH/DoT is built in, better UI, and you skip the extra configuration step for encrypted DNS.
Already running Pi-hole and it works: stay. There is no reason to migrate unless you specifically want DoH/DoT or client-level rules.
Need complex split DNS with local zones and full dnsmasq control: Pi-hole gives you more to work with there.
We chose AdGuard Home for our own homelab. The setup was simpler, and DNS-over-HTTPS worked from day one.
Recommended setup after installation
Whichever you pick, four things are worth configuring from the start:
- Set the primary upstream DNS to `https://dns.cloudflare.com/dns-query` (DoH)
- Add the OISD full blocklist: `https://big.oisd.nl/domains`
- Enable DNSSEC
- Point all devices to your Pi as their DNS server via the router's DHCP settings
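
To confirm that blocking actually works once the setup above is done, the following added example (not code from Pi-hole or AdGuard Home) sends an A query to the resolver and classifies the reply. It goes slightly beyond the NXDOMAIN case described at the top of the page: depending on the blocking mode configured, either tool may answer with `0.0.0.0` instead, so that is treated as blocked too. The function names and the `ads.example.test` sample packets are constructed for illustration.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)  # pointer is 2 bytes, root label is 1

def classify(pkt):
    """Return (verdict, [IPv4 answers]) for a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x000F == 3:                      # RCODE 3 = NXDOMAIN
        return "blocked (NXDOMAIN)", []
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "blocked (null address)", addrs
    return ("resolved" if addrs else "no A record"), addrs

def check(resolver_ip, name, timeout=3.0):
    """Query the resolver over UDP port 53 and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify(s.recvfrom(4096)[0])

def sample_response(ip=None):
    """Constructed packet (not captured traffic): NXDOMAIN, or one A record."""
    q = build_query("ads.example.test")
    if ip is None:
        return q[:2] + b"\x81\x83" + q[4:]       # QR=1, RD, RA, RCODE=3
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return q[:2] + b"\x81\x80\x00\x01\x00\x01" + q[8:] + rr
```

Against a live install, call `check()` with the Pi's IP address and a domain you know is on your blocklist; a `resolved` verdict means the list is not loaded or does not contain that domain.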