Network-Wide Ad Blocking Setup Guide

What Is Network-Wide Ad Blocking?

Network-wide ad blocking filters ads and trackers at the DNS level for every device on your network. Instead of installing ad blockers on each browser and device individually, a DNS-based blocker sits between your network and the internet, intercepting and blocking ad-serving domains before they reach any device.

This means your smart TV, gaming console, IoT devices, mobile apps, and every browser on every device get ad blocking automatically — no per-device configuration needed.

How DNS-Based Blocking Works

Every time a device visits a website or an app phones home, it makes a DNS query to resolve a domain name to an IP address. A DNS-based ad blocker intercepts these queries:

Device requests: ads.doubleclick.net

DNS blocker checks blocklist

Domain is on blocklist → returns 0.0.0.0 (blocked)
Domain is NOT on blocklist → forwards to upstream DNS → returns real IP

The device receives 0.0.0.0 for blocked domains, so the ad content never loads. The connection simply fails silently.

Prerequisites

  • A Linux server, Raspberry Pi, or Docker host on your network
  • Docker and Docker Compose installed
  • Access to your router’s DNS settings
  • A static IP address for your DNS server (or a DHCP reservation)
  • 10 minutes for initial setup

Choosing Your DNS Blocker

| Feature | Pi-hole | AdGuard Home |
|---|---|---|
| Setup difficulty | Easy (wizard) | Easy (wizard) |
| Default blocklist | Steven Black’s (~85K domains) | AdGuard DNS filter (~45K domains) |
| Encrypted DNS (DoH/DoT) | Requires separate setup | Built-in |
| DHCP server | Built-in | Built-in |
| Query log dashboard | Detailed, per-device | Detailed, per-device |
| Community | Largest self-hosted DNS community | Growing, active development |
| RAM usage | 50-100 MB | 60-120 MB |
| Best for | Most users | Users wanting encrypted DNS |

Both are excellent. Pi-hole has a larger community and more documentation. AdGuard Home has better encrypted DNS support out of the box. You can’t go wrong with either.

Step 1: Deploy Your DNS Blocker

Option A: Pi-hole

services:
  pihole:
    image: pihole/pihole:2026.02.0
    container_name: pihole
    restart: unless-stopped
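    ports:
      - "53:53/tcp"        # DNS
      - "53:53/udp"        # DNS; keep port 53 unreachable from the internet
      - "8080:80/tcp"      # Web UI
    environment:
      TZ: "America/New_York"
      FTLCONF_webserver_api_password: "your-secure-password"   # replace before first start
      FTLCONF_dns_upstreams: "9.9.9.9;149.112.112.112"          # Quad9
      FTLCONF_dns_listeningMode: "all"    # needed on Docker's default bridge network
    volumes:
      - pihole_data:/etc/pihole
      - pihole_dnsmasq:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN          # only required if Pi-hole will serve DHCP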

volumes:
  pihole_data:
  pihole_dnsmasq:

Option B: AdGuard Home

services:
  adguardhome:
    image: adguard/adguardhome:v0.107.72
    container_name: adguardhome
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000/tcp"    # Initial setup wizard
      - "8080:80/tcp"      # Web UI after setup
    volumes:
      - adguard_work:/opt/adguardhome/work
      - adguard_conf:/opt/adguardhome/conf

volumes:
  adguard_work:
  adguard_conf:

Start your chosen blocker:

docker compose up -d

Ubuntu: Disable systemd-resolved First

Ubuntu 18.04+ runs systemd-resolved on port 53 by default, which conflicts with Pi-hole and AdGuard Home. Disable it before deploying:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 9.9.9.9" | sudo tee /etc/resolv.conf

Step 2: Initial Configuration

Access the web UI:

  • Pi-hole: http://your-server-ip:8080/admin
  • AdGuard Home: http://your-server-ip:3000 (first run), then http://your-server-ip:8080

Walk through the setup wizard. Key settings:

| Setting | Recommended Value |
|---|---|
| Upstream DNS | 9.9.9.9 (Quad9) or 1.1.1.1 (Cloudflare) |
| DNSSEC | Enable |
| Query logging | Enable (30-day retention) |
| Admin password | Strong, unique password |

Step 3: Configure Your Router

This is the critical step. Change your router’s DNS settings to point all devices to your blocker.

Method 1: Router DNS Settings

Log into your router’s admin panel and change the DNS server:

  1. Find DHCP Settings or LAN Settings
  2. Set Primary DNS to your server’s IP (e.g., 192.168.1.100)
  3. Set Secondary DNS to your server’s IP again (not a public DNS — devices will bypass blocking by using the secondary)
  4. Save and restart the router

All devices that obtain their IP via DHCP will now use your DNS blocker.

Method 2: DHCP from Pi-hole/AdGuard Home

If your router doesn’t allow changing DNS settings (some ISP routers lock this), disable DHCP on the router and enable it on Pi-hole or AdGuard Home. This gives the blocker full control over DNS assignment.

  • Pi-hole: Settings → DHCP → Enable DHCP server
  • AdGuard Home: Settings → DHCP Settings → Enable

Method 3: Per-Device DNS

As a last resort, configure DNS on individual devices. This only protects configured devices.

  • Windows: Settings → Network → Change adapter options → Properties → IPv4 → Use the following DNS
  • macOS: System Preferences → Network → Advanced → DNS
  • Linux: Edit /etc/resolv.conf or NetworkManager settings
  • iOS/Android: WiFi settings → Configure DNS → Manual

Step 4: Add Blocklists

The default blocklists are a good start. Add more for comprehensive blocking:

| List | Domains | Focus |
|---|---|---|
| Steven Black’s Unified | ~85K | Ads + malware + fake news |
| OISD (small) | ~70K | Ads + tracking (curated, low false positives) |
| Hagezi Light | ~60K | Ads + tracking (regularly updated) |

  • Pi-hole: Adlists → Add a new list → Paste URL → Update Gravity
  • AdGuard Home: Filters → DNS blocklists → Add blocklist → Add a custom list

Avoid adding too many lists. 200-300K total domains provides excellent blocking with minimal false positives. Beyond 500K, you’ll start blocking legitimate services.

Step 5: Verify It’s Working

Test from any device on your network:

# Should return 0.0.0.0 or NXDOMAIN (blocked)
nslookup ads.google.com your-server-ip

# Should return a real IP (not blocked)
nslookup google.com your-server-ip

Visit ads-blocker.com or d3ward.github.io/toolz/adblock.html in a browser to check blocking effectiveness.

Check the dashboard — you should see queries from devices across your network appearing in the query log.
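A scripted version of the two lookups above, as an added example that is not part of the original guide: it parses the full dig reply so that a timeout or SERVFAIL is not mistaken for a block. It assumes dig is installed; the BLOCKER_IP variable, the script name and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the guide. Run: BLOCKER_IP=192.168.1.100 sh verify-blocker.sh
# Classify one full `dig` reply read from stdin:
#   blocked  - NXDOMAIN, or only sinkhole answers (0.0.0.0 / ::)
#   resolved - at least one real address in the ANSWER section
#   empty    - the server replied but returned no address (NODATA, SERVFAIL)
#   no-reply - no response header at all (timeout, port 53 unreachable)
classify_dig_output() {
    awk '
        /status: /           { replied = 1 }
        /status: NXDOMAIN/   { nx = 1 }
        /^;; [A-Z]+ SECTION/ { in_answer = ($2 == "ANSWER"); next }
        in_answer && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            if ($5 == "0.0.0.0" || $5 == "::") sink = 1; else real = 1
        }
        END {
            if (!replied)                   print "no-reply"
            else if (nx || (sink && !real)) print "blocked"
            else if (real)                  print "resolved"
            else                            print "empty"
        }'
}

# Constructed sample of a sinkholed reply, for trying the classifier offline.
sample_blocked_reply() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
        ';; QUESTION SECTION:' \
        ';ads.google.com.            IN  A' \
        ';; ANSWER SECTION:' \
        'ads.google.com.     2       IN  A   0.0.0.0'
}

# Ask resolver $1 for domain $2 and compare the verdict with $3.
check_domain() {
    verdict=$(dig +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | classify_dig_output)
    if [ "$verdict" = "$3" ]; then echo "ok    $2 -> $verdict"; return 0; fi
    echo "FAIL  $2 -> $verdict (expected $3)"
    return 1
}

# Live checks run only when BLOCKER_IP is set (same two domains as above).
if [ -n "${BLOCKER_IP:-}" ]; then
    rc=0
    check_domain "$BLOCKER_IP" ads.google.com blocked  || rc=1
    check_domain "$BLOCKER_IP" google.com     resolved || rc=1
    exit "$rc"
fi
```

A "no-reply" verdict means the blocker itself is unreachable, which clients experience as broken DNS rather than as blocking.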

Advanced: Encrypted DNS

Standard DNS queries are sent in plaintext — your ISP can see every domain you resolve. Encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) prevents this.

AdGuard Home supports encrypted DNS natively. Enable it in Settings → Encryption Settings.

Pi-hole requires an additional service. Add cloudflared as a DoH proxy:

services:
  cloudflared:
    image: cloudflare/cloudflared:2026.2.0
    container_name: cloudflared
    restart: unless-stopped
    command: proxy-dns --port 5053 --upstream https://dns.quad9.net/dns-query
    networks:
      - dns

networks:
  dns:

Then configure Pi-hole to use cloudflared#5053 as its upstream DNS.

Advanced: Recursive Resolution with Unbound

For maximum privacy, run your own recursive DNS resolver that queries root nameservers directly — eliminating all third-party DNS providers:

services:
  unbound:
    image: mvance/unbound:1.22.0
    container_name: unbound
    restart: unless-stopped
    volumes:
      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
    networks:
      - dns

Configure Pi-hole or AdGuard Home to use Unbound as its upstream. Your DNS queries will never leave your network except to query authoritative nameservers directly.

Common Mistakes

Using a Public DNS as Secondary

If you set Primary DNS to Pi-hole and Secondary DNS to 8.8.8.8, devices will sometimes use the secondary — bypassing all ad blocking. Set both primary and secondary to your blocker’s IP.

Forgetting About IPv6

If your network uses IPv6, devices may bypass your IPv4 DNS blocker. Either disable IPv6 on your router or configure your blocker to listen on both IPv4 and IPv6.
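The two bypass paths above (a public secondary resolver and an IPv6 resolver handed out by the router) can be checked from any Linux client. The following is an added example, not part of the original guide; it assumes the client's resolvers are listed in /etc/resolv.conf, and the BLOCKER_IP / BLOCKER_IP6 variables and function names are illustrative.

```shell
#!/bin/sh
# Added example: list every resolver a client was handed and flag the ones
# that bypass the blocker. Input is resolv.conf-style text on stdin.
#   $1 = blocker IPv4 address, $2 = blocker IPv6 address (optional)
# Exit status is 1 if any bypass path was found.
# Addresses are compared as plain strings, so write IPv6 in the same form.
audit_resolvers() {
    awk -v v4="$1" -v v6="${2:-}" '
        $1 != "nameserver" { next }          # skip comments, search, options
        {
            addr = $2
            sub(/%.*$/, "", addr)            # drop IPv6 zone id, e.g. fe80::1%eth0
            if (addr == v4 || (v6 != "" && addr == v6))
                print "OK      " addr
            else if (addr ~ /^127\./ || addr == "::1")
                print "STUB    " addr        # local stub hides the real upstream
            else {
                tag = (addr ~ /:/) ? "BYPASS6 " : "BYPASS  "
                print tag addr
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample: the "public secondary" and "forgotten IPv6" mistakes.
sample_resolv_conf() {
    printf '%s\n' \
        '# pushed by DHCP / router advertisement' \
        'nameserver 192.168.1.100' \
        'nameserver 8.8.8.8' \
        'nameserver fe80::1%eth0'
}

# Audit this machine only when BLOCKER_IP is set.
if [ -n "${BLOCKER_IP:-}" ]; then
    audit_resolvers "$BLOCKER_IP" "${BLOCKER_IP6:-}" < /etc/resolv.conf
fi
```

A STUB line (for example 127.0.0.53 on hosts running systemd-resolved) means the file does not show the real upstream; check `resolvectl dns` on that host instead.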

Blocking Too Aggressively

Start with default lists. Add more gradually. If a website breaks, check the query log to find which domain was blocked, then whitelist it.
