My recommendations for the ultimate AdGuard Home Configuration :)
For AdGuard DNS, see here.
NOTE: This project can be found on both Codeberg, which will act as the main & preferred way to contribute, and GitHub.
Block domains using filters and hosts files -> ✅
Filter update interval -> 1 hour
(You can set this to 12 hours
if it causes you any issues)
Use AdGuard browsing security web service -> ❌ (See DNS settings
below)
Enable log -> ✅ (Having logs on is important for troubleshooting breakage)
Anonymize client IP -> ✅
Query logs rotation -> Custom -> 1 hour
Make sure to select Save.
Enable statistics -> ✅
Statistics retention -> Custom -> 1 hour
Make sure to select Save.
Upstream DNS servers ->
I would strongly recommend setting this to be Quad9 for the following reasons:
- ⭐️ Based in Switzerland
- ⭐️ Non-profit
- ⭐️ Extremely effective at blocking malicious domains and threats right as they arise, moreso than AdGuard's protection above and most other DNS providers, see here for a comparison.
Therefore, I would recommend setting this box to:
https://dns.quad9.net/dns-query
tls://dns.quad9.net
Make sure no other entries are present, so that Quad9's blocking is not bypassed.
Parallel requests -> ✅
Fallback DNS servers -> Leave empty
Bootstrap DNS servers -> Remove any entries that are already present, and set this box to the following for Quad9:
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
You can now select Test upstreams to ensure that you configured this correctly, and then don't forget to select Apply.
Rate limit -> 0
Enable EDNS client subnet -> ❌
Enable DNSSEC -> ✅
Disable resolving of IPv6 addresses -> ❌ (Should be default, IPv6 is important)
Blocking mode -> Default
(Other options can cause issues)
Select Save.
This is out of scope for this guide, I'll probably make a separate guide dedicated just to setting this up. In the meantime, here's AdGuard's documentation on this. I would recommend configuring it if possible.
The following settings are under Filters
Here's where it gets fun.
Despite popular opinion, due to the reasons WaLLy3K has listed here, I think it's a good idea to use multiple lists and sources, rather than just limiting yourself to one or two giant lists. I myself constantly notice domains being blocked that were caught by only one or two lists and missed by others. I'm not saying you should go overboard, but I do think it's a good idea to use a variety of high quality lists for the best coverage possible.
I would generally recommend using the following built-in lists:
- ⭐️
AdAway Default Blocklist
(Appears to be included, but not checked/enabled by default or even listed on the selection screen here)
General
-
⭐️
AdGuard DNS filter
(Enabled by default) -
⭐️
AdGuard DNS Popup Hosts filter
-
⭐️
AWAvenue Ads Rule
-
⭐️
Dan Pollock's List
-
⭐️
HaGeZi's Pro++ Blocklist
-
⭐️
OISD Blocklist Big
-
⭐️
Peter Lowe's Blocklist
-
⭐️
Steven Black's List
If you're fine with a little breakage, I would highly recommend using HaGeZi's
Ultimate Blocklist
instead of HaGeZi's
Pro++ Blocklist
.
Other
-
⭐️
Dandelion Sprout's Anti Push Notifications
-
⭐️
Dandelion Sprout's Game Console Adblock List
-
⭐️
HaGeZi's Allowlist Referral
(SeeCustom filtering rules
section below) -
⭐️
Perflyst and Dandelion Sprout's Smart-TV Blocklist
-
⭐️
WindowsSpyBlocker - Hosts spy rules
Security
-
⭐️
Phishing URL Blocklist (PhishTank and OpenPhish)
-
⭐️
Dandelion Sprout's Anti-Malware List
-
⭐️
HaGeZi's Badware Hoster Blocklist
-
⭐️
HaGeZi's DynDNS Blocklist
-
⭐️
HaGeZi's The World's Most Abused TLDs
(Causes rare breakage but heavily improves security, I've seen this work in real-time, blocking scam/spam domains before they were picked up by any lists) -
⭐️
HaGeZi's Threat Intelligence Feeds
-
⭐️
NoCoin Filter List
-
⭐️
Phishing Army
-
⭐️
Scam Blocklist by DurableNapkin
-
⭐️
ShadowWhisperer's Malware List
-
⭐️
Stalkerware Indicators List
-
⭐️
The Big List of Hacked Malware Web Sites
-
⭐️
uBlock filters - Badware risks
-
⭐️
Malicious URL Blocklist (URLHaus)
Custom lists
I would additionally recommend adding the following lists:
-
⭐️ Admiral:
https://v.firebog.net/hosts/Admiral.txt
-
⭐️ Ad Wars:
https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts
-
⭐️ anudeepND's Blacklist:
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
-
⭐️ My BadBlock:
https://badblock.celenity.dev/abp/badblock.txt
-
⭐️ CAMELEON:
https://sysctl.org/cameleon/hosts
-
⭐️ CoinBlocker:
https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
-
⭐️ DeveloperDan Ads & Tracking:
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
-
⭐️ Digital Side Threat Intel:
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
-
⭐️ Divested Combined Blocklist:
https://divested.dev/hosts-domains-wildcards
-
⭐️ EasyList:
https://v.firebog.net/hosts/Easylist.txt
-
⭐️ EasyPrivacy:
https://v.firebog.net/hosts/Easyprivacy.txt
-
⭐️ Feudo Tracker Abuse:
https://feodotracker.abuse.ch/downloads/ipblocklist.txt
-
⭐️ FMHY Unsafe sites filterlist - Plus:
https://raw.githubusercontent.com/fmhy/FMHYFilterlist/main/filterlist.txt
-
⭐️ FrogEye First Party Trackers:
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
-
⭐️ HaGeZi's Encrypted DNS Servers:
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/doh.txt
-
⭐️ HaGeZi/xRuffKez's Newly Registered Domains (14 days):
https://raw.githubusercontent.com/xRuffKez/NRD/main/lists/14-day/adblock/nrd-14day_adblock.txt
-
⭐️ HaGeZi's Threat Intelligence Feeds - IPs:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif-ips.txt
-
⭐️ hBlock:
https://hblock.molinero.dev/hosts_adblock.txt
-
⭐️ hostsVN:
https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
-
⭐️ KADhosts:
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
-
⭐️ Maltrail Malware Domains:
https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
-
⭐️ Prigent-Ads:
https://v.firebog.net/hosts/Prigent-Ads.txt
-
⭐️ Prigent-Crypto
https://v.firebog.net/hosts/Prigent-Crypto.txt
-
⭐️ Prigent-Malware:
https://v.firebog.net/hosts/Prigent-Malware.txt
-
⭐️ Quidsup NoTrack Malware Blocklist:
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
-
⭐️ Quidsup NoTrack Tracker Blocklist:
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
-
⭐️ RPiList-Malware:
https://v.firebog.net/hosts/RPiList-Malware.txt
-
⭐️ RPiList-Phishing:
https://v.firebog.net/hosts/RPiList-Phishing.txt
-
⭐️ Spam404:
https://raw.githubusercontent.com/Spam404/lists/master/adblock-list.txt
-
⭐️ Ut1 Cryptojacking Domains:
https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/cryptojacking/domains
-
⭐️ Ut1 Malware Domains:
https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/malware/domains
-
⭐️ Ut1 Phishing Domains:
https://raw.githubusercontent.com/olbat/ut1-blacklists/master/blacklists/phishing/domains
-
⭐️ WaLLy3K's Personal Blocklist:
https://v.firebog.net/hosts/static/w3kbl.txt
Additionally, if you're fine with a little breakage, I would highly recommend:
-
1Hosts (Pro):
https://o0.pages.dev/Pro/adblock.txt
-
My BadBlock + instead of BadBlock:
https://badblock.celenity.dev/abp/badblock_plus.txt
-
HaGeZi's Encrypted DNS Servers - IPs:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-ips.txt
It might seem like a lot, but these are carefully picked high quality lists with strong coverage, and it doesn't really hurt to use multiple like this.
You could also consider, depending on your preference:
-
DeveloperDan's AMP Blocklist:
https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
- Blocks AMP websites -
BadBlock - DRM:
https://badblock.celenity.dev/abp/drm.txt
- Blocks websites associated with DRM technology/its provisioning
I would recommending adding the following here:
-
⭐️ BadBlock Whitelist:
https://badblock.celenity.dev/abp/whitelist.txt
-
⭐️ HaGeZi's URL Shorteners:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt
You should use this feature to your advantage and block any services that you don't use or care about. This can dramatically improve your privacy by preventing connections to them from even being made. If you use a service, don't block it, just block what you're comfortable with and works best for you.
I usually block the following:
-
Facebook
-
Instagram (Facebook)
-
LinkedIn
-
QQ
-
Rakuten Viki
-
Snapchat
-
Spotify
-
TikTok
-
Viber (Rakuten)
-
VK.com
-
WeChat
-
WhatsApp (Facebook)
Then select Apply.
While being nice from a usability perspective, HaGeZi's Referral Allowlist and the AdGuard DNS filter list do allow some questionable ad/tracking domains we don't want unblocked. I would recommend adding the following to your filtering rules:
||adservice.google.*^$important
||adsterra.com^$important
||amplitude.com^$important
||analytics.edgekey.net^$important
||analytics.twitter.com^$important
||app.adjust.*^$important
||app.*.adjust.com^$important
||app.appsflyer.com^$important
||doubleclick.net^$important
||googleadservices.com^$important
||guce.advertising.com^$important
||metric.gstatic.com^$important
||mmstat.com^$important
||statcounter.com^$important
Now select Apply.
-
Use a privacy-respecting browser like Firefox with my Phoenix.
-
Use a content blocking browser extension like uBlock Origin. (See recommended settings here)
-
Enable Safe Browsing in your browser if possible and if it's not done in a privacy-invasive way. (You should use i.e. Google Safe Browsing on "Standard" Mode, Firefox's Safe Browsing, Brave's Safe Browsing, & Safari's Fraudulent Website Warning, you should avoid most other options i.e. Google Safe Browsing on "Enhanced" Mode, Microsoft SmartScreen, & Opera Sitecheck).
-
Use a (reputable) anti-virus if possible. On Windows, you can use the built-in Microsoft Defender Antivirus, on macOS, you can stick to the built-in XProtect, on Android, you can use Hypatia, and on Linux, you can use ClamAV. NOTE: You should install Hypatia through the DivestOS Official Repo instead of F-Droid's main repo, as it will allow you to receive quicker updates directly from the developer. It's also recommended to use F-Droid Basic as your F-Droid client of choice.
-
Use a (reputable) VPN. I would generally recommend either Mullvad, IVPN, or ProtonVPN.