AdGuard Home: DNS Not Resolving — Fix

By Alex Thornton ad-blocking-dns Updated:

The Problem

AdGuard Home is running but DNS resolution fails. Devices can’t load websites, or DNS queries fall back to a different resolver. Symptoms include:

Updated March 2026: Verified with latest Docker images and configurations.

  • Websites not loading after setting AdGuard Home as DNS server
  • nslookup or dig queries timing out against AdGuard Home’s IP
  • AdGuard Home dashboard shows 0 queries
  • DNS works for some devices but not others
  • “Connection refused” when querying AdGuard Home’s IP on port 53
  • Ads still appearing despite AdGuard Home running

The Fix

Method 1: Port 53 Conflict (Most Common)

On Ubuntu 22.04+ and many Debian-based systems, systemd-resolved runs a stub DNS listener on port 53. AdGuard Home can’t bind to port 53 if something else is already using it.

Check what’s using port 53:

sudo ss -tulnp | grep :53

If systemd-resolved appears:

# Option A: Disable systemd-resolved completely
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

# Option B: Change systemd-resolved to not listen on port 53
sudo mkdir -p /etc/systemd/resolved.conf.d
cat << 'EOF' | sudo tee /etc/systemd/resolved.conf.d/adguardhome.conf
[Resolve]
DNSStubListener=no
EOF
sudo systemctl restart systemd-resolved
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Then restart AdGuard Home:

docker compose restart adguardhome

If running in Docker, verify port bindings:

docker port adguardhome
# Should show:
# 53/tcp -> 0.0.0.0:53
# 53/udp -> 0.0.0.0:53
# 3000/tcp -> 0.0.0.0:3000

If port 53 isn’t listed, check your docker-compose.yml:

ports:
  - "53:53/tcp"
  - "53:53/udp"
  - "3000:3000/tcp"   # Web UI (initial setup)
  - "80:80/tcp"       # Web UI (after setup)

Method 2: Upstream DNS Misconfigured

If AdGuard Home accepts queries but can’t resolve them, the upstream DNS servers are misconfigured or unreachable.

Check in the web UI: Go to Settings → DNS settings → Upstream DNS servers.

Common issues:

  • Empty upstream list — AdGuard Home has nowhere to forward queries
  • Upstream DNS unreachable from the Docker container

Fix: Add reliable upstream DNS servers:

# Cloudflare (DNS-over-HTTPS)
https://dns.cloudflare.com/dns-query

# Google (DNS-over-HTTPS)
https://dns.google/dns-query

# Quad9 (DNS-over-HTTPS)
https://dns.quad9.net/dns-query

# Or plain DNS
1.1.1.1
8.8.8.8
9.9.9.9

Test upstream connectivity from the container:

docker exec adguardhome nslookup google.com 1.1.1.1
# Should return an IP address

If this fails, check Docker’s network configuration — the container may not have internet access:

docker exec adguardhome ping -c 3 1.1.1.1

Method 3: Clients Not Using AdGuard Home

Your devices may not be sending DNS queries to AdGuard Home.

Verify from a client:

# Linux/macOS
nslookup google.com your-adguard-ip
# Should resolve. If it doesn't, AdGuard Home isn't reachable.

# Then check what DNS the system is actually using:
nslookup google.com
# Server line shows the active DNS. Should be your AdGuard Home IP.

Fix — Set DNS at the router level:

  1. Log into your router admin panel
  2. Find DHCP settings (usually under LAN/Network)
  3. Set Primary DNS to your AdGuard Home’s IP
  4. Remove secondary DNS — if you set 8.8.8.8 as secondary, some devices will use it instead
  5. Reboot the router
  6. Renew DHCP on client devices: 
    # Linux
sudo dhclient -r && sudo dhclient
# Windows
ipconfig /release && ipconfig /renew

Fix — Use AdGuard Home’s built-in DHCP: If your router doesn’t support custom DNS, disable the router’s DHCP and enable AdGuard Home’s DHCP server:

  1. In AdGuard Home, go to Settings → DHCP settings
  2. Select the network interface
  3. Configure IP range, gateway, and subnet
  4. Enable DHCP
  5. Disable DHCP on your router (important — two DHCP servers cause conflicts)

Method 4: Docker Network Mode Issues

If AdGuard Home runs in Docker with the default bridge network, it sees all queries as coming from the Docker gateway IP (usually 172.17.0.1) instead of individual client IPs. This breaks per-client statistics and filtering.

Fix — Use host networking:

services:
  adguardhome:
    image: adguard/adguardhome:v0.107.73
    container_name: adguardhome
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf

With network_mode: host, the container uses the host’s network directly. No port mapping needed — AdGuard Home binds to port 53, 80, and 3000 on the host. This also enables DHCP server functionality (which requires raw socket access).

Trade-off: Host networking gives the container full access to the host network. If you prefer isolation, use macvlan instead:

networks:
  adguard-macvlan:
    driver: macvlan
    driver_opts:
      parent: eth0  # Your host's network interface
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.250/32

Method 5: Firewall Blocking DNS

A host firewall may block incoming DNS traffic on port 53.

# Check if port 53 is open (UFW)
sudo ufw status | grep 53

# If not listed, allow it:
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 3000/tcp  # Web UI

For iptables:

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

Method 6: DNS-over-HTTPS Bypassing AdGuard Home

Modern browsers use DNS-over-HTTPS (DoH) which bypasses network-level DNS filtering entirely.

Disable DoH in browsers:

  • Chrome: chrome://settings/security → “Use secure DNS” → Off
  • Firefox: about:preferences#privacy → “DNS over HTTPS” → Off
  • Edge: edge://settings/privacy → “Use secure DNS” → Off

Block DoH at the network level: In AdGuard Home, add these to your blocklist to prevent DoH bypass:

  1. Go to Filters → DNS blocklists → Add blocklist
  2. Add domains: dns.google, cloudflare-dns.com, doh.opendns.com, dns.quad9.net

Or use the custom filtering rules:

||dns.google^
||cloudflare-dns.com^
||doh.opendns.com^
||dns.quad9.net^
||mozilla.cloudflare-dns.com^

Prevention

ActionHow OftenWhy
Check query logWeeklyVerify clients are using AdGuard Home
Update filter listsAutomatic (configured interval)Keep blocklists current
Monitor upstream healthAfter outagesEnsure DNS still resolves
Check for DoH bypassAfter browser updatesBrowsers may re-enable DoH
Review DHCP leasesMonthlyEnsure all devices get correct DNS

Related Articles

replace

Self-Hosted Alternatives to Paid Ad Blockers

Replace browser-based ad blockers and paid subscriptions with network-wide self-hosted DNS filtering using Pi-hole, AdGu...

apps

How to Self-Host AdGuard Home with Docker

Set up AdGuard Home with Docker Compose as a network-wide ad blocker and DNS server. Modern Pi-hole alternative with HTT...

compare

AdGuard Home vs Blocky: Which DNS Ad Blocker?

AdGuard Home vs Blocky compared — features, UI, resource usage, encrypted DNS, and which self-hosted DNS ad blocker fits...

compare

AdGuard Home vs Technitium: Which DNS Server?

AdGuard Home vs Technitium DNS compared — ad blocking, DNS features, web UI, resource usage, and which self-hosted DNS s...

compare

Pi-hole vs AdGuard Home: Which Ad Blocker?

Pi-hole vs AdGuard Home compared — features, performance, setup complexity, and which network-wide ad blocker you should...

replace

Self-Hosted Alternatives to Commercial DNS

Replace Google DNS, Cloudflare DNS, and OpenDNS with self-hosted recursive resolvers and DNS filtering using Pi-hole, Ad...

Read Next Self-Hosted Alternatives to Paid Ad Blockers

Comments