AdGuard Home is an open-source, network-wide ad and tracker blocking DNS server with a web dashboard, parental controls, and DNS-over-HTTPS/TLS support. This guide deploys AdGuard Home using Docker Compose with Traefik handling automatic HTTPS for the dashboard, after freeing the system's port 53. By the end, you'll have AdGuard Home resolving and filtering DNS queries with an HTTPS-secured admin console.
Free Port 53
Ubuntu's systemd-resolved binds port 53 by default. Release it before deploying.
1. Stop and disable systemd-resolved:
$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved
2. Replace the resolver configuration:
$ sudo rm /etc/resolv.conf
$ echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
Set Up the Directory Structure
1. Create the project directory structure:
$ mkdir -p ~/adguard/{work,conf,letsencrypt}
$ cd ~/adguard
2. Create the environment file:
$ nano .env
DOMAIN=adguard.example.com
LETSENCRYPT_EMAIL=admin@example.com
TZ=UTC
Deploy with Docker Compose
1. Add your user to the Docker group:
$ sudo usermod -aG docker $USER
$ newgrp docker
2. Create the Docker Compose manifest:
$ nano docker-compose.yml
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
environment:
DOCKER_API_VERSION: "1.44"
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--certificatesresolvers.le.acme.httpchallenge=true"
- "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}"
- "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
adguard:
image: adguard/adguardhome:latest
container_name: adguard
restart: unless-stopped
environment:
TZ: ${TZ}
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
ports:
- "53:53/tcp"
- "53:53/udp"
- "3000:3000/tcp"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adguard.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.adguard.entrypoints=websecure"
- "traefik.http.routers.adguard.tls=true"
- "traefik.http.routers.adguard.tls.certresolver=le"
- "traefik.http.services.adguard.loadbalancer.server.port=80"
3. Start the services:
$ docker compose up -d
4. Verify the services are running:
$ docker compose ps
Initial Configuration
- Open
https://adguard.example.comand complete the install wizard on first launch (the setup runs on port 3000 initially, then switches to port 80 behind Traefik on subsequent visits). - Create the admin account.
- Configure upstream DNS servers and enable the default block lists.
Test Resolution
From an allowed client, confirm blocking and normal resolution:
$ dig @SERVER_IP flurry.com
$ dig @SERVER_IP vultr.com
The first should resolve to 0.0.0.0 (blocked); the second should return real records.
Next Steps
AdGuard Home is running with HTTPS for the dashboard. From here you can:
- Add custom block lists and allow lists for per-network policies
- Enable DNS-over-HTTPS or DNS-over-TLS for encrypted client queries
- Point your LAN's DHCP server at AdGuard for network-wide filtering
For the full guide with additional tips, visit the original article on Vultr Docs.
Top comments (0)