FAQ
Warning
This article is outdated. See the up-to-date version in our Knowledge Base.
- Why doesn't AdGuard Home block ads?
- Where can I inspect the logs?
- How to configure AdGuard Home to write verbose-level logs?
- How to show a custom block page?
- How to change dashboard interface's address?
- How to set up AdGuard Home as default DNS server?
- Are there any known limitations?
- Why am I getting `bind: address already in use` error when trying to install on Ubuntu?
- How to configure a reverse proxy server for AdGuard Home?
- How to fix `permission denied` errors on Fedora?
- How to fix `incompatible file system` errors?
- How to update AdGuard Home manually?
- How to uninstall AdGuard Home?
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
Suppose that AdGuard Home must block `somebadsite.com` but for some reason it doesn't. Let's try to resolve this issue.
Most likely you didn't configure your device to use AdGuard Home as its default DNS server. To check if you're using AdGuard Home as the default DNS server:
- On Windows, open a Terminal window (Start → Run → `cmd.exe`). On other systems, open your Terminal application.

- Execute `nslookup example.org`. It will print something like this:

  ```none
  Server: 192.168.0.1
  Address: 192.168.0.1#53

  Non-authoritative answer:
  Name: example.org
  Address: <IPv4>
  Name: example.org
  Address: <IPv6>
  ```

- Check if the `Server` IP address is the one on which AdGuard Home is running. If not, you need to configure your device, see below.

- Ensure that your request to `example.org` appears in the AdGuard Home UI on the Query Log page. If not, you need to configure AdGuard Home to listen on the specified network interface. The most straightforward way to do so is to reinstall AdGuard Home with default settings.
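
The resolver check from the steps above as a script (an added example, not part of the original FAQ or the AdGuard Home code base). It goes beyond the Unix output shown: it also reads the Windows layout, where `Server:` carries a host name, and flags the `127.0.0.53` stub, behind which `nslookup` cannot show the real upstream. The function names and the sample outputs are constructed.

```sh
# Added example, not AdGuard Home project code. The sample outputs and the
# addresses in them are constructed.

# Print the resolver address found in nslookup output read from stdin.
resolver_from_nslookup() {
    awk '
        function is_ip(s) {
            return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                   s ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$/
        }
        # Unix nslookup prints the IP address on the "Server:" line.
        /^Server:/ && is_ip($2) { print $2; hit = 1; exit }
        # Windows prints a host name there and the IP on the next "Address:"
        # line; Unix appends "#53" to that line, which is stripped here.
        /^Address:/ && !seen { addr = $2; sub(/#.*$/, "", addr); seen = 1 }
        # Stop at the answer section so answer addresses are never used.
        /^Non-authoritative answer/ || /^Name:/ { exit }
        END { if (!hit && seen) print addr }
    '
}

# Classify the resolver against the expected AdGuard Home address ($1).
classify_resolver() {
    actual=$(resolver_from_nslookup)
    case "$actual" in
        "")         echo unknown ;;
        "$1")       echo match ;;
        # systemd-resolved stub: nslookup cannot show the real upstream, so
        # check `resolvectl status` instead of trusting this answer.
        127.0.0.53) echo stub ;;
        *)          echo "mismatch:$actual" ;;
    esac
}

UNIX_SAMPLE='Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: example.org'
WIN_SAMPLE='Server:  router.lan
Address:  192.168.0.2

Non-authoritative answer:
Name:    example.org'
STUB_SAMPLE='Server: 127.0.0.53
Address: 127.0.0.53#53'

printf '%s\n' "$UNIX_SAMPLE" | classify_resolver 192.168.0.2
```

On a real device, pipe the live output instead: `nslookup example.org | classify_resolver <AdGuard Home IP>`.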
If you are sure that your device uses AdGuard Home as its default DNS server, but the problem persists, it might have something to do with an AdGuard Home misconfiguration. Please check and ensure that:
- You have the “Block domains using filters and hosts files” setting enabled on the “Settings → General settings” page.

- You have the appropriate safety mechanisms, such as Parental Control, enabled on the “Settings → General settings” page.

- You have the appropriate filters enabled on the “Filters → DNS blocklists” page.

- You don't have any exception rule lists that may allow the requests enabled on the “Filters → DNS allowlists” page.

- You don't have any DNS rewrites that may interfere on the “Filters → DNS rewrites” page.

- You don't have any custom filtering rules that may interfere on the “Filters → Custom filtering rules” page.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
The default location of the plain-text logs (not to be confused with the query logs) depends on the operating system and installation mode:
- OpenWrt Linux: use the `logread -e AdGuardHome` command.

- Linux systems with systemd and other Unix systems with SysV-style init: `/var/log/AdGuardHome.err`.

- macOS: `/var/log/AdGuardHome.stderr.log`.

- Linux systems with Snapcraft: use the `snap logs adguard-home` command.

- FreeBSD: `/var/log/daemon.log` (since v0.108.0-b.4). Before v0.108.0-b.4 no logs are written by default.

- OpenBSD: `/var/log/daemon` (since v0.108.0-b.4). Before v0.108.0-b.4 no logs are written by default.

- On Windows: the Windows Event Log is used.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
To troubleshoot a complicated issue, verbose-level logging is sometimes required. Here's how to enable it:

- Stop AdGuard Home:

  ```sh
  ./AdGuardHome -s stop
  ```

- Configure AdGuard Home to write verbose-level logs:

  - Open `AdGuardHome.yaml` in your editor.
  - Set `log.file` to the desired path of the log file, for example `/tmp/aghlog.txt`. Note that the directory must exist.
  - Set `log.verbose` to `true`.

  NOTE: Before v0.107.34 use `verbose` and `log_file` properties.

- Restart AdGuard Home and reproduce the issue:

  ```sh
  ./AdGuardHome -s start
  ```
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
Before doing any of this, please note that modern browsers are set up to use HTTPS, so they validate the authenticity of the web server certificate. That means that using any of these will result in warning screens.
There are a couple of proposed extensions that, when they become reasonably well supported by clients, would allow for a better user experience, including the RFC 8914 Extended DNS Error codes and the DNS Access Denied Error Page RFC draft. We'll implement them when browsers actually start to support them.
To use any of these ways to show a custom block page, you'll need an HTTP server running on some IP address and serving the page in question on all routes. Something like `pixelserv-tls`.
There is currently no way to set these parameters from the UI, so you'll need to edit the configuration file manually:
- Stop AdGuard Home:

  ```sh
  ./AdGuardHome -s stop
  ```

- Open `AdGuardHome.yaml` in your editor.

- Set the `dns.parental_block_host` or `dns.safebrowsing_block_host` settings to the IP address of the server (in this example, `192.168.123.45`):

  ```yaml
  # …
  dns:
    # …

    # NOTE: Change to the actual IP address of your server.
    parental_block_host: 192.168.123.45
    safebrowsing_block_host: 192.168.123.45
  ```

- Restart AdGuard Home:

  ```sh
  ./AdGuardHome -s start
  ```

- Open the web UI.

- Open the “Settings → DNS settings” page.

- In the “DNS server configuration” section, select the “Custom IP” radio button in the “Blocking mode” selector and enter the IPv4 and IPv6 addresses of the server.

- Click “Save”.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
- Stop AdGuard Home:

  ```sh
  ./AdGuardHome -s stop
  ```

- Open `AdGuardHome.yaml` in your editor.

- Set the `http.address` setting to a new network interface. For example:

  - `0.0.0.0:0` to listen on all network interfaces.
  - `0.0.0.0:8080` to listen on all network interfaces with port `8080`.
  - `127.0.0.1:0` to listen on the local loopback interface only.

- Restart AdGuard Home:

  ```sh
  ./AdGuardHome -s start
  ```

See the “Configuring Devices” section on the “Getting Started” page in the Knowledge Base.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
Here are some examples of what cannot be blocked by a DNS-level blocker:
- YouTube, Twitch ads.

- Facebook, Twitter, Instagram sponsored posts.

Essentially, any advertising that shares a domain with content cannot be blocked by a DNS-level blocker.
DNS will never be enough to do this. Your only option is to use a content blocking proxy like what we do in the standalone AdGuard applications. We're going to bring this feature support to AdGuard Home in the future. Unfortunately, even in this case, there still will be cases when this won't be enough or would require quite complicated configuration.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
This happens because the port 53 on `localhost`, which is used for DNS, is already taken by another program. Ubuntu comes with a local DNS called `systemd-resolved`, which uses the address `127.0.0.53:53` and thus prevents AdGuard Home from binding to `127.0.0.1:53`. You can see that by running:

```sh
sudo lsof -i :53
```

The output should be similar to:

```none
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 14542 systemd-resolve   13u  IPv4  86178      0t0  UDP 127.0.0.53:domain
systemd-r 14542 systemd-resolve   14u  IPv4  86179      0t0  TCP 127.0.0.53:domain
```

To fix this, you need to either disable the `systemd-resolved` daemon or choose a different network interface and bind to an accessible IP address on it, for instance, the IP address of your router inside your network. But if you do need to listen on `localhost`, there are several solutions.

Firstly, AdGuard Home can detect such configurations and disable `systemd-resolved` for you if you press the “Fix” button, which is shown near the `address already in use` message on the installation screen.

Secondly, if that doesn't work, follow the guide below. Note that if you're using AdGuard Home with docker or snap, you'll have to do it yourself.
- Create the `/etc/systemd/resolved.conf.d` directory, if necessary:

  ```sh
  sudo mkdir -p /etc/systemd/resolved.conf.d
  ```

- Deactivate `DNSStubListener` and update DNS server address. To do that, create a new file, `/etc/systemd/resolved.conf.d/adguardhome.conf`, with the following content:

  ```ini
  [Resolve]
  DNS=127.0.0.1
  DNSStubListener=no
  ```

  Specifying `127.0.0.1` as DNS server address is necessary because otherwise the nameserver will be `127.0.0.53` which doesn't work without `DNSStubListener`.

- Activate another `resolv.conf` file:

  ```sh
  sudo mv /etc/resolv.conf /etc/resolv.conf.backup
  sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  ```

- Restart `DNSStubListener`:

  ```sh
  sudo systemctl reload-or-restart systemd-resolved
  ```

After that, `systemd-resolved` shouldn't be shown in the output of `lsof`, and AdGuard Home should be able to bind to `127.0.0.1:53`.
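
The before-and-after check from this section as a script (an added example, not part of the original FAQ or the AdGuard Home code base): it reads `lsof -i :53` output to report who holds port 53 and validates the drop-in file from the guide. The function names are hypothetical; the sample is the `lsof` output quoted in this section.

```sh
# Added example, not AdGuard Home project code.

# Print "command protocol address" for every socket bound to port 53 in
# `lsof -i :53` output read from stdin. Established connections, whose NAME
# column contains "->", are skipped.
port53_holders() {
    awk 'NR > 1 && $9 !~ /->/ && $9 ~ /:(domain|53)$/ { print $1, $8, $9 }'
}

# Return 0 when the systemd-resolved stub (127.0.0.53) is among the holders.
# lsof truncates the command name, hence the prefix match.
stub_listener_active() {
    port53_holders | grep -q '^systemd-r[a-z-]* [A-Z]* 127\.0\.0\.53:'
}

# Return 0 when the drop-in file ($1) sets DNS=127.0.0.1 and turns
# DNSStubListener off, with both keys inside the [Resolve] section.
dropin_disables_stub() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^\[/ { in_resolve = ($0 ~ /^\[Resolve\][ \t]*$/); next }
        in_resolve && /^DNS=127\.0\.0\.1[ \t]*$/ { dns = 1 }
        in_resolve && /^DNSStubListener=(no|false|off|0)[ \t]*$/ { stub = 1 }
        END { exit !(dns && stub) }
    ' "$1"
}

# Sample taken from the lsof output quoted in this section.
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 14542 systemd-resolve 13u IPv4 86178 0t0 UDP 127.0.0.53:domain
systemd-r 14542 systemd-resolve 14u IPv4 86179 0t0 TCP 127.0.0.53:domain'

printf '%s\n' "$LSOF_SAMPLE" | port53_holders
if printf '%s\n' "$LSOF_SAMPLE" | stub_listener_active; then
    echo 'systemd-resolved stub still owns port 53'
fi
# Live use:
#   sudo lsof -i :53 | port53_holders
#   dropin_disables_stub /etc/systemd/resolved.conf.d/adguardhome.conf
```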
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
If you're already running a web server and want to access the AdGuard Home dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this configuration for your web server:

For nginx:

```nginx
location /aghome/ {
    proxy_cookie_path / /aghome/;
    proxy_pass http://AGH_IP:AGH_PORT/;
    proxy_redirect / /aghome/;
    proxy_set_header Host $host;
}
```

For Caddy:

```none
:80/aghome/* {
    route {
        uri strip_prefix /aghome
        reverse_proxy AGH_IP:AGH_PORT
    }
}
```

Or, if you just want to serve AdGuard Home with automatic TLS, use a configuration similar to the example shown below:

```none
DOMAIN {
    encode gzip zstd
    tls YOUR_EMAIL@DOMAIN
    reverse_proxy AGH_IP:AGH_PORT
}
```

When you use TLS on your reverse proxy server, there's no need to use TLS on AdGuard Home. Set `allow_unencrypted_doh: true` in `AdGuardHome.yaml` to allow AdGuard Home to respond to DoH requests without TLS encryption.

Since v0.107.0, you can set the parameter `trusted_proxies` to the IP address(es) of your HTTP proxy to make AdGuard Home take the headers containing the real client IP address into account. See the configuration and encryption pages for more information.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
- Move the `AdGuardHome` binary to `/usr/local/bin`.

- As `root`, execute the following command to change the security context of the file:

  ```sh
  chcon -t bin_t /usr/local/bin/AdGuardHome
  ```

- Add the required firewall rules in order to make it reachable through the network. For example:

  ```sh
  firewall-cmd --new-zone=adguard --permanent
  firewall-cmd --zone=adguard --add-source=192.168.0.14/24 --permanent
  firewall-cmd --zone=adguard --add-port=3000/tcp --permanent
  firewall-cmd --zone=adguard --add-port=53/udp --permanent
  firewall-cmd --zone=adguard --add-port=80/tcp --permanent
  firewall-cmd --reload
  ```

If you are still getting `code=exited status=203/EXEC` or similar errors from `systemctl`, try uninstalling AdGuard Home and installing directly into `/usr/local/bin` by using the `-o` option of the install script:

```sh
curl -s -S -L 'https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh' | sh -s -- -o '/usr/local/bin' -v
```

See issue 765 and issue 3281.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
You should move your AdGuard Home installation or working directory to another location. See the limitations section on the “Getting Started” page.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
In case the button isn't shown or an automatic update has failed, you can update manually. In the examples below, we'll use AdGuard Home releases for Linux and Windows for AMD64 CPUs.
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
- Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line:

  ```sh
  curl -L -S -o '/tmp/AdGuardHome_linux_amd64.tar.gz' -s \
      'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'
  ```

  Or, with `wget`:

  ```sh
  wget -O '/tmp/AdGuardHome_linux_amd64.tar.gz' \
      'https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz'
  ```

- Navigate to the directory where AdGuard Home was installed. On most Unix systems the default directory is `/opt/AdGuardHome`, but on macOS it's `/Applications/AdGuardHome`.

- Stop AdGuard Home:

  ```sh
  sudo ./AdGuardHome -s stop
  ```

  (On OpenBSD you probably want to use `doas` instead of `sudo`.)

- Back up your data. That is, your configuration file and the data directory (`AdGuardHome.yaml` and `data/` by default). For example, to back up your data to a new directory called `~/my-agh-backup`:

  ```sh
  mkdir -p ~/my-agh-backup
  cp -r ./AdGuardHome.yaml ./data ~/my-agh-backup/
  ```

- Unpack the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your `~/Downloads` directory and want to unpack it to `/tmp/`:

  ```sh
  tar -C /tmp/ -f ~/Downloads/AdGuardHome_linux_amd64.tar.gz -x -v -z
  ```

  On macOS, something like:

  ```sh
  unzip -d /tmp/ ~/Downloads/AdGuardHome_darwin_amd64.zip
  ```

- Replace the old AdGuard Home executable file with the new one. On most Unix systems the command would look something like:

  ```sh
  sudo cp /tmp/AdGuardHome/AdGuardHome /opt/AdGuardHome/AdGuardHome
  ```

  On macOS, something like:

  ```sh
  sudo cp /tmp/AdGuardHome/AdGuardHome /Applications/AdGuardHome/AdGuardHome
  ```

  You may also want to copy the documentation parts of the package, such as the change log (`CHANGELOG.md`), the README file (`README.md`), and the license (`LICENSE.txt`).

  You can now remove the temporary directory.

- Restart AdGuard Home:

  ```sh
  sudo ./AdGuardHome -s start
  ```

  (On OpenBSD you probably want to use `doas` instead of `sudo`.)
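
The backup and replace steps above combined into one function (an added example, not the project's install or update script). It refuses to change anything unless the unpacked binary is usable, keeps the backup private, and swaps the executable with a rename so a failed copy cannot leave a truncated file. The function name `agh_replace_binary` and its three arguments are hypothetical; stopping and starting the service stays as in the steps.

```sh
# Added example, not AdGuard Home project code.
# Usage: agh_replace_binary INSTALL_DIR NEW_BINARY BACKUP_DIR
agh_replace_binary() {
    install_dir=$1 new_bin=$2 backup_dir=$3

    # Check everything before touching the installation.
    [ -f "$new_bin" ] && [ -s "$new_bin" ] && [ -x "$new_bin" ] || {
        echo "new binary missing, empty or not executable: $new_bin" >&2
        return 1
    }
    [ -f "$install_dir/AdGuardHome.yaml" ] || {
        echo "no AdGuardHome.yaml in $install_dir" >&2
        return 1
    }

    # AdGuardHome.yaml stores the web UI users and their password hashes,
    # so the backup directory is readable by its owner only.
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    cp -p "$install_dir/AdGuardHome.yaml" "$backup_dir/" || return 1
    [ ! -d "$install_dir/data" ] ||
        cp -Rp "$install_dir/data" "$backup_dir/" || return 1
    # Keep the old executable as well, to allow a rollback.
    [ ! -f "$install_dir/AdGuardHome" ] ||
        cp -p "$install_dir/AdGuardHome" "$backup_dir/AdGuardHome.old" ||
        return 1

    # Copy next to the target, then rename over it. The rename is atomic
    # within one file system.
    cp -p "$new_bin" "$install_dir/AdGuardHome.new" || return 1
    mv -f "$install_dir/AdGuardHome.new" "$install_dir/AdGuardHome"
}

# Runs only when called with the three arguments, for example:
#   sudo sh update.sh /opt/AdGuardHome /tmp/AdGuardHome/AdGuardHome ~/my-agh-backup
if [ "$#" -eq 3 ]; then
    agh_replace_binary "$@"
fi
```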
Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
In all examples below, PowerShell must be run as Administrator.

- Download the new AdGuard Home package from the releases page. If you want to perform this step from the command line:

  ```powershell
  $outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
  $aghUri = 'https://static.adguard.com/adguardhome/release/AdGuardHome_windows_amd64.zip'
  Invoke-WebRequest -OutFile "$outFile" -Uri "$aghUri"
  ```

- Navigate to the directory where AdGuard Home was installed. In the examples below, we'll use `C:\Program Files\AdGuardHome`.

- Stop AdGuard Home:

  ```powershell
  .\AdGuardHome.exe -s stop
  ```

- Back up your data. That is, your configuration file and the data directory (`AdGuardHome.yaml` and `data/` by default). For example, to back up your data to a new directory called `my-agh-backup`:

  ```powershell
  $newDir = Join-Path -Path $Env:USERPROFILE -ChildPath 'my-agh-backup'
  New-Item -Path $newDir -ItemType Directory
  Copy-Item -Path .\AdGuardHome.yaml, .\data -Destination $newDir -Recurse
  ```

- Unpack the AdGuard Home archive to a temporary directory. For example, if you downloaded the archive to your `Downloads` directory and want to unpack it to a temporary directory:

  ```powershell
  $outFile = Join-Path -Path $Env:USERPROFILE -ChildPath 'Downloads\AdGuardHome_windows_amd64.zip'
  Expand-Archive -Path "$outFile" -DestinationPath $Env:TEMP
  ```

- Replace the old AdGuard Home executable file with the new one. For example:

  ```powershell
  $aghExe = Join-Path -Path $Env:TEMP -ChildPath 'AdGuardHome\AdGuardHome.exe'
  Copy-Item -Path "$aghExe" -Destination .\AdGuardHome.exe
  ```

  You may also want to copy the documentation parts of the package, such as the change log (`CHANGELOG.md`), the README file (`README.md`), and the license (`LICENSE.txt`).

  You can now remove the temporary directory.

- Restart AdGuard Home:

  ```powershell
  .\AdGuardHome.exe -s start
  ```

Warning
This section is outdated. See the up-to-date version in our Knowledge Base.
The way to uninstall AdGuard Home depends on how you installed it.
IMPORTANT: After uninstalling AdGuard Home, don't forget to change your devices' configuration and point them to a different DNS server.
In this case you need to do the following:
- Unregister AdGuard Home service: `./AdGuardHome -s uninstall`.

- Remove the AdGuard Home directory.

Simply stop and remove the image.

```sh
snap remove adguard-home
```