May 23, 2026 · 10 min read

Installing and Configuring AdGuard Home on a VPS: Creating a Personal DNS Server with DoH and Ad Blocking

TL;DR

In this guide, we will walk through the process of deploying AdGuard Home on a virtual server to create a personal, high-performance DNS server. This solution allows you to block ads and trackers at the network request level for all your devices simultaneously, while ensuring privacy through modern encryption protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). As a result, you will gain full control over your traffic, speed up page loading, and protect your data from interception by your ISP.

  • Goal: Complete blocking of ads and trackers at the DNS level.
  • Protocols: Configuring DoH, DoT, and DNS-over-QUIC for maximum security.
  • Platform: VPS running Ubuntu 24.04 LTS or 26.04 LTS.
  • Result: A single filtering point for smartphones, PCs, and smart devices.
  • Complexity: Medium (basic Linux terminal skills required).

1. What we are configuring and why: the philosophy of private DNS

DNS (Domain Name System) is the "phonebook" of the internet. Every time you enter a website address, your device asks a DNS server: "What is the IP address for google.com?". Traditionally, these requests are sent in plain text through your Internet Service Provider's (ISP) servers. This creates two critical issues: the provider sees all your online activities, and advertising networks can use DNS queries to track your interests.

AdGuard Home is a network-wide software suite for blocking ads and tracking. Unlike browser extensions, it works at the system level. If an app on your smartphone tries to send analytics to a developer's server, AdGuard Home simply returns an empty response (IP 0.0.0.0), and the request is blocked before it even leaves your network.

Why choose a self-hosted solution on a VPS instead of using public DNS (e.g., AdGuard DNS or Cloudflare)?

  • Full control: You decide which filter lists to use and which domains to whitelist.
  • Privacy: Your query logs are not stored on third-party servers. You can disable logging entirely.
  • Flexibility: The ability to configure DNS-over-HTTPS (DoH) makes your DNS traffic indistinguishable from regular HTTPS traffic, bypassing blocks and censorship.
  • Performance: Your own server on a high-quality connection often responds faster than overloaded public nodes.

In 2026, as the number of trackers in mobile apps and Smart TVs has reached its peak, having your own DNS filter is no longer a luxury but a basic element of digital hygiene.

2. What VPS configuration is needed for this task

AdGuard Home is an extremely efficient and resource-light application written in Go. It is capable of processing thousands of requests per second even on the most modest hardware. However, stable operation with encryption enabled and large filter lists (over 500,000 rules) requires certain parameters.

Resource        | Minimum Requirements  | Recommended (for 50+ devices)
Processor (CPU) | 1 core (Shared)       | 1-2 cores (Dedicated preferred)
RAM             | 512 MB                | 1 GB - 2 GB
Disk Space      | 10 GB SSD/NVMe        | 20 GB NVMe (for log storage)
Network         | 100 Mbps, IPv4 + IPv6 | 1 Gbps, low ping to your location

For most scenarios (personal use + family), an entry-level cloud server is ideal. You can choose a VPS with these specifications in a location as close as possible to your physical location. Ping (latency) is a critical factor for DNS. If the server is 200 ms away from you, every website load will start with that delay.

When is a Dedicated server needed? Only if you plan to launch a public DNS server for a large audience or a corporate network with thousands of users, where hardware isolation and the absence of "noisy neighbors" on the hypervisor are important.

3. Server preparation: security and system utilities

After renting a VPS and gaining SSH access, the first step is to secure the system. We will be using Ubuntu 24.04/26.04 LTS.

Update system packages to the latest 2026 versions:


sudo apt update && sudo apt upgrade -y
    

Install the basic set of utilities needed for diagnostics and operation:


sudo apt install -y curl wget git ufw tar net-tools dnsutils build-essential
    

Configure the basic firewall (UFW). We need to open ports for SSH, the AdGuard Home web interface, and the DNS protocols themselves:


# Allow SSH (ensure your port is 22 if not changed)
sudo ufw allow 22/tcp

# Port for initial AdGuard Home setup (plain HTTP; to limit it to your own address,
# use instead: sudo ufw allow from YOUR_IP to any port 3000 proto tcp)
sudo ufw allow 3000/tcp

# Standard DNS (UDP/TCP)
sudo ufw allow 53/udp
sudo ufw allow 53/tcp

# DNS-over-TLS (DoT)
sudo ufw allow 853/tcp

# DNS-over-HTTPS (DoH) and web interface (HTTPS)
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp

# DNS-over-QUIC (DoQ): UDP port 853, as assigned by RFC 9250
sudo ufw allow 853/udp

# Enable firewall
sudo ufw enable
    

Tip: It is also recommended to set up SSH key authentication and disable password login in /etc/ssh/sshd_config to prevent brute-force attacks.
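An added example (not part of the original guide): a small Python check that reads `ufw status` output and lists the rules from this section that expose sensitive ports to any source. The sample output and the review policy in `REVIEW` are constructed assumptions, not AdGuard Home or UFW defaults.

```python
import re

# Constructed sample of `sudo ufw status` output (not captured from a real server)
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
853/tcp                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
3000/tcp (v6)              ALLOW       Anywhere (v6)
"""

# Assumed policy: ports that deserve a second look when reachable from any source
REVIEW = {
    "3000/tcp": "admin UI over plain HTTP; restrict to your IP or use HTTPS on 443",
    "53/udp": "plain DNS open to any client (open resolver); limit allowed clients",
    "53/tcp": "plain DNS open to any client (open resolver); limit allowed clients",
    "80/tcp": "used by certbot --standalone; plain HTTP otherwise",
}

# Matches "<port>/<proto> [(v6)]  ALLOW [IN]  <source>"
RULE = re.compile(r"^(\d+/(?:tcp|udp))(?: \(v6\))?\s+ALLOW(?: IN)?\s+(.+?)\s*$")

def audit_ufw(status_text):
    """Return sorted (port, note) pairs for reviewed ports allowed from Anywhere."""
    findings = set()
    for line in status_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, separator or non-ALLOW line
        port, source = m.group(1), m.group(2)
        if source.startswith("Anywhere") and port in REVIEW:
            findings.add((port, REVIEW[port]))  # IPv4 and IPv6 rules collapse
    return sorted(findings)

if __name__ == "__main__":
    for port, note in audit_ufw(SAMPLE_UFW_STATUS):
        print(f"{port:10} {note}")
```

On a real server, pass the output of `sudo ufw status` to `audit_ufw` instead of the sample.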

4. Resolving the conflict with systemd-resolved on port 53

In modern Ubuntu distributions, the systemd-resolved service occupies port 53 by default for local resolution. This will prevent AdGuard Home from starting. We need to free up this port.

Create a configuration directory if it doesn't exist, and edit the file:


sudo mkdir -p /etc/systemd/resolved.conf.d
sudo nano /etc/systemd/resolved.conf
    

Make the following changes to the /etc/systemd/resolved.conf file:


[Resolve]
DNS=127.0.0.1
DNSStubListener=no
    

Now create a symlink for /etc/resolv.conf to work correctly and restart the service:


sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
    

Check that port 53 is now free with the command sudo lsof -i :53. If the output is empty, everything is done correctly.

5. Installing AdGuard Home: a step-by-step algorithm

We will use the official installation method via an automated script that downloads the latest binary build, configures permissions, and creates a systemd system service.

Run the installation command:


curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
    

This command will perform the following actions:

  • Detect your processor architecture (x86_64, ARM, etc.).
  • Download the latest stable version of AdGuard Home (current for 2026).
  • Extract the files to the /opt/AdGuardHome directory.
  • Register the AdGuardHome service in the system.

Check the service status to ensure it is running:


sudo systemctl status AdGuardHome
    

If you see active (running), the server is ready for initial configuration.

6. Initial setup via the web interface

Now open your browser and go to: http://YOUR_SERVER_IP:3000.

You will be greeted by the AdGuard Home setup wizard:

  1. Getting Started: Click "Get Started".
  2. Interface Setup:
    • Web Interface: Select "All Interfaces" and port 3000 (or 80 if it is free).
    • DNS Server: Select "All Interfaces" and port 53.
  3. Create Administrator: Enter a username and a strong password. These credentials will be used to log into the control panel.
  4. Completion: The system will show you instructions for configuring DNS on various devices.

Once completed, the control panel will be available at http://YOUR_SERVER_IP:3000. Log in using the credentials you created.

7. Configuring encryption: SSL, DoH, and DoT

Using standard DNS over port 53 on the open internet is insecure: any intermediate node can intercept or spoof your requests. In 2026, using encrypted protocols is the standard.

Obtaining an SSL Certificate (Let's Encrypt)

To use DoH and DoT, you will need a domain name pointed to your VPS IP. We will use certbot to obtain a free certificate:


# Install certbot
sudo apt install -y certbot

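# Obtain certificate (replace dns.example.com with your domain).
# --standalone listens on port 80, so nothing else (including the AdGuard Home
# web interface) may be bound to that port while it runs
sudo certbot certonly --standalone -d dns.example.com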
    

Your certificates will be saved in /etc/letsencrypt/live/dns.example.com/.

Configuration in AdGuard Home

Go to the "Settings" -> "Encryption settings" section in the web interface:

  • Check the "Enable encryption" box.
  • Server name: Enter your domain (e.g., dns.example.com).
  • HTTPS port: 443.
  • DNS-over-TLS port: 853.
  • Path to certificate file: /etc/letsencrypt/live/dns.example.com/fullchain.pem.
  • Path to private key file: /etc/letsencrypt/live/dns.example.com/privkey.pem.

Click "Save configuration". Your server now supports:

  • DoH: https://dns.example.com/dns-query
  • DoT: tls://dns.example.com

8. Fine-tuning filters and performance optimization

Go to the "Filters" -> "DNS filters" section. By default, only the AdGuard DNS filter is enabled, but for maximum effectiveness, you should add additional lists.

Recommended lists (2026):

  • OISD (Big): One of the most comprehensive and high-quality lists, minimizing false positives.
  • Steven Black's List: An excellent database for blocking ads and malicious sites.
  • NoTrack: A specialized list against trackers.

Configuring Upstream Servers

In the "Settings" -> "DNS settings" section, specify where AdGuard Home will forward allowed requests. For maximum privacy, use encrypted upstreams:


https://dns.cloudflare.com/dns-query
https://dns.google/dns-query
tls://9.9.9.9
    

Select the "Parallel requests" method to minimize latency: AdGuard Home will send the request to all upstreams simultaneously and choose the fastest response.

Caching

Set the cache size to at least 64 MB (or more if RAM allows). This will allow for instant responses to repeated requests for popular domains without contacting external servers.

9. Backups, updates, and system maintenance

AdGuard Home stores all settings and data in a single directory /opt/AdGuardHome. This simplifies the backup process.

Automatic Backup Script

Let's create a simple script that will archive the configuration and send it to a safe location:


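#!/bin/bash
# Run as root (root's crontab): sudo cannot prompt for a password under cron,
# and tar must be able to read every file under /opt/AdGuardHome
umask 077   # the archive holds the admin password hash and query logs
BACKUP_DIR="/home/user/backups"
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
mkdir -p "$BACKUP_DIR"

# Stop the service for data consistency
systemctl stop AdGuardHome
tar -czf "$BACKUP_DIR/agh_backup_$TIMESTAMP.tar.gz" /opt/AdGuardHome
systemctl start AdGuardHome

# Delete backups older than 30 days
find "$BACKUP_DIR" -type f -name 'agh_backup_*.tar.gz' -mtime +30 -delete
    

Add this script to root's crontab (sudo crontab -e) so it runs once a week.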

Updating AdGuard Home

Updates happen directly from the web interface. When a new version is released, an "Update" button appears at the top of the panel. The process takes about 10 seconds and runs automatically.

10. Troubleshooting + FAQ: solving common issues

What is the most common error during installation?

The most frequent problem is bind: address already in use on port 53. This almost always means that systemd-resolved or another DNS resolver (like dnsmasq) is still running. Check this with the command sudo netstat -tulpn | grep :53 and ensure you have followed the steps in section 4 of this guide.

What to do if some sites stop opening?

This is called "overblocking". Go to the "Query Log" section, find the blocked domain (it will be highlighted in red), and click the "Unblock" button. AdGuard Home will automatically add a rule to your personal whitelist.

What is the minimum VPS configuration required?

For stable operation for a single user, 512 MB of RAM and 1 CPU core are sufficient. However, if you plan to store logs for a long period (several months), you will need more disk space (from 20 GB) and preferably 1 GB of RAM for a smooth web interface experience when viewing large logs.

What to choose—VPS or dedicated for this task?

For a personal DNS server, a VPS is the ideal choice. A dedicated server would be overkill in terms of power and cost. The only case where a dedicated server is justified is when creating a public DNS service with DDoS protection at the network level and the need to process millions of requests per hour.

How to check if DoH is working?

You can use online DNS check services (e.g., dnsleaktest.com) or the kdig console utility:


# kdig ships in the knot-dnsutils package (sudo apt install -y knot-dnsutils)
kdig -d @dns.example.com +https google.com
    

If you see a successful response with an IP address, then encryption is configured correctly.
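An added example, not from the original guide: what a DoH check does underneath, in Python with only the standard library. It builds the RFC 8484 GET URL for the /dns-query endpoint and tests whether a wire-format reply is the 0.0.0.0 block answer described in section 1; the name ads.example.test and the sample reply are constructed, and `is_blocked` assumes AdGuard Home's default blocking mode.

```python
import base64
import struct
import urllib.request
def build_query(name, qtype=1):
    """Wire-format DNS query (qtype 1 = A); ID 0 as RFC 8484 recommends."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)    # class IN

def doh_get_url(endpoint, name):  # RFC 8484 GET: ?dns=<base64url, no padding>
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?dns={b64}"

def fetch(endpoint, name):  # query a live DoH endpoint, return raw reply bytes
    req = urllib.request.Request(doh_get_url(endpoint, name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def _skip_name(msg, pos):
    while True:                        # walk labels until the root or a pointer
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def a_records(msg):  # IPv4 addresses in the answer section of a reply
    qd, an = struct.unpack(">HH", msg[4:8])
    pos, ips = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(map(str, msg[pos + 10:pos + 14])))
        pos += 10 + rdlen
    return ips

def is_blocked(msg):  # assumes the default blocking mode: A answer 0.0.0.0
    return a_records(msg) == ["0.0.0.0"]

# Constructed sample: reply for made-up name ads.example.test, one A answer 0.0.0.0
_q = build_query("ads.example.test")
SAMPLE_BLOCKED = (_q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + _q[12:]
                  + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 10, 4) + bytes(4))
```

Against a live server, `is_blocked(fetch("https://dns.example.com/dns-query", name))` should be True for a name on one of your filter lists and False for an ordinary site.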

Does AdGuard Home affect internet speed?

It does not affect the raw bandwidth (Mbps). It does affect page load speed—positively. By blocking heavy ad scripts and banners before they load, you save traffic and your device's CPU resources. Latency might increase slightly for the first request, but due to caching, subsequent requests will be executed instantly.

11. Conclusions and next steps

Installing AdGuard Home on your own VPS is a powerful step toward ensuring digital privacy and security. You have created a reliable barrier against ads and tracking that works on all your devices, from your laptop to your smart light bulb.

What to do next?

  • Integration with Unbound: You can install unbound on the same VPS to turn AdGuard Home into a full recursive DNS server. This allows you to avoid trusting even upstreams like Google or Cloudflare.
  • Mobile Device Setup: Add your DoH address to the "Private DNS" settings on Android or use configuration profiles for iOS.
  • Monitoring: Set up Telegram notifications via the AdGuard Home API if the server becomes unavailable or if the number of blocked threats spikes.

Regularly check for updates to your filter lists and don't forget to update your VPS security system. Your internet is now cleaner and safer.
