AdGuard Home on a LYLIX VPS — DNS-level ad blocking for your devices
AdGuard Home is a DNS server with built-in ad/tracker blocking, served as the resolver for any device on your network (or via VPN). Pi-hole's main competitor; nicer web UI, supports DoH/DoT out of the box, single binary install. Runs on the smallest LYLIX VPS.
Install
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
Starts as a systemd service on port 3000 for the setup wizard.
Visit http://<vps-ip>:3000, follow the wizard:
- Pick the admin interface address (default :3000 — change to a different port if you'll run a reverse proxy on 80/443).
- Pick the DNS server address — :53 by default. Make sure no other resolver (systemd-resolved) is bound there:
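# Free up port 53 on Ubuntu (systemd-resolved binds it by default)
systemctl disable --now systemd-resolved
# /etc/resolv.conf is a symlink into /run on Ubuntu; replace it with a
# regular file so the resolver setting survives a reboot
rm -f /etc/resolv.conf
echo 'nameserver 1.1.1.1' > /etc/resolv.conf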
- Create admin credentials.
Reachability
Two patterns for using AdGuard Home from your devices:
- Public DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT) — your phone/laptop talks to https://dns.example.com/dns-query over HTTPS. Available from anywhere; no VPN required. Requires DoH/DoT support on the client (modern OS / browser).
- Plain DNS over VPN — a WireGuard road-warrior setup pushes AdGuard Home's IP as the resolver; clients use it as standard DNS while on the VPN. Higher friction (must be VPN-connected).
DoH/DoT is the modern answer. Configure it via Settings → DNS Settings → Encryption Settings and generate a Let's Encrypt cert (or pair it with a Caddy/nginx reverse proxy as the DNS-over-HTTPS endpoint).
Block lists
Settings → Filters → DNS Blocklists. Built-in defaults are solid; the popular community lists worth adding:
- OISD (consolidated ad/tracker/malware list)
- StevenBlack hosts (consolidated)
- EasyList
- NoCoin (cryptojacking)
Don't add 20 overlapping lists — diminishing returns and increased latency on each DNS lookup as the engine evaluates each list. 3-5 high-quality lists is enough.
What it doesn't do
- HTTPS-level ad blocking — DNS blocks work for ad-server domains, but in-page YouTube ads (served from googlevideo.com, hard to distinguish from real content) get through. uBlock Origin in the browser still helps.
- Block ads inside apps that use hardcoded IPs (some mobile games). Nothing DNS-based can stop that.
Backups
Configuration lives in /opt/AdGuardHome/AdGuardHome.yaml; query logs are in /opt/AdGuardHome/data/. Back up both daily with Restic.
Why run it on a public VPS at all?
The standard Pi-hole / AdGuard Home setup is "on a Raspberry Pi at home." Running it on a public VPS makes sense when:
- You want ad-blocking on mobile DEVICES (not just home WiFi) without running a VPN constantly.
- You travel and want the same DNS everywhere.
- You don't want home-network DNS as a single point of failure.
Caveats:
- Your VPS sees every DNS query you make from devices using it. Trust yourself to operate it securely.
- Public DoH endpoint = potential abuse target. Configure access controls (Settings → Client settings → allow only specific client IDs).
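An exposure check for the caveats above, added here as an example (it is not part of the original article or of AdGuard Home): it reads `ss -H -lntu` output and reports which of the ports this guide uses (53 for plain DNS, 3000 for the admin interface) are listening on every interface instead of on loopback or a VPN address. The sample listener lines and the 10.8.0.1 WireGuard address are constructed.

```shell
#!/bin/sh
# Added example: flag AdGuard Home ports that listen on all interfaces.
# Real use on the VPS:  ss -H -lntu | exposed_listeners
# Ports checked by default are the ones this guide uses: 53 and 3000.

exposed_listeners() {
    # stdin:  `ss -H -lntu` lines (Netid State Recv-Q Send-Q Local:Port Peer:Port)
    # stdout: one "proto/port" per wildcard-bound listener on a watched port
    awk -v watch="${1:-53 3000}" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            local_field = $5
            k = split(local_field, part, ":")
            port = part[k]
            addr = substr(local_field, 1, length(local_field) - length(port) - 1)
            sub(/%.*/, "", addr)    # drop interface scope, e.g. 127.0.0.53%lo
            wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            if (wildcard && (port in want)) print $1 "/" port
        }
    ' | sort -u
}

# Constructed sample: DNS bound to the wildcard address, a second DNS listener
# on an assumed WireGuard address (10.8.0.1), admin UI on all interfaces,
# and the DoH port 443, which is meant to be public and is not watched.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 4096 10.8.0.1:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 *:3000 *:*
tcp LISTEN 0 4096 *:443 *:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

A `udp/53` or `tcp/53` line means plain DNS is listening beyond the VPN address; a `tcp/3000` line means the admin interface is listening on every interface.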