Configure Personal DNS Manager

Configure Personal DNS Manager

CompactHost ·

Running your own DNS manager changes how you think about network control. Instead of relying on your ISP's resolvers or Google's public DNS, you get granular control over every domain lookup on your network—whether you want to block tracking domains, redirect internal hostnames, or simply understand what your devices are asking for.

Why Run Your Own DNS Manager?

I've been using a personal DNS manager for three years, and the freedom it gives me is worth every minute of setup. When a device on my network tries to connect to an ad server, my DNS manager intercepts it before the connection even happens. When I need to access my Nextcloud instance by hostname instead of IP, it's already there. And when my wife asks why her fitness tracker is talking to 40 different domains, I can show her the logs.

A personal DNS manager also acts as a caching layer—repeated requests are answered locally, faster and without hitting your ISP's nameservers. Over time, you'll notice slightly snappier browsing. More importantly, you own your DNS data. No third party logs your queries or sells that information.

The most popular open-source option is AdGuard Home, though some prefer the simpler Pi-hole if you're running it on Raspberry Pi. I prefer AdGuard Home because it's written in Go, smaller memory footprint than Pi-hole, and the web interface feels more polished. That said, I'll show you both approaches.

Installing AdGuard Home via Docker

I assume you have Docker installed and a server (VPS, old laptop, Raspberry Pi, whatever) running Linux. This approach takes five minutes and doesn't pollute your system with dependencies.

First, create a persistent directory for your configuration:

mkdir -p ~/adguard-home/work ~/adguard-home/conf

Now, the Docker Compose file. I use Compose because it's cleaner than memorizing long docker run commands:

version: '3.8'
services:
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard-home
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000/tcp"
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
    environment:
      - TZ=UTC
    restart: unless-stopped
    networks:
      - dns-net

networks:
  dns-net:
    driver: bridge

Save that to docker-compose.yml in your ~/adguard-home directory, then start it:

cd ~/adguard-home
docker-compose up -d

AdGuard Home will bind to port 53 (DNS) and port 3000 (web interface). Open your browser to http://your-server-ip:3000 and you'll see the setup wizard. Follow it through: choose a username and password, select your network interface, and let it configure itself.

Tip: If port 53 is already in use by systemd-resolved on your server, you'll see a bind error. On Ubuntu/Debian, disable it with sudo systemctl disable systemd-resolved and sudo systemctl stop systemd-resolved. Then remove the line nameserver 127.0.0.53 from /etc/resolv.conf and add your own (e.g., nameserver 8.8.8.8).

Pointing Your Network to Your DNS Manager

Once AdGuard Home is running, you need your devices to use it. There are a few approaches depending on your network setup.

Router-level (best for home networks): Log into your router (usually 192.168.1.1 or 192.168.0.1) and change the DHCP DNS settings to point to your AdGuard Home server's IP. Every device that gets a DHCP lease will automatically use your DNS manager. No individual device configuration needed.

Device-level (for mobile or remote devices): On iPhone, go to Settings → Wi-Fi → your network → Configure DNS, and set it to Manual. Add your AdGuard Home IP. Android is similar: Settings → Wi-Fi → long-press your network → Modify → DNS 1. This is essential if you're running AdGuard on a VPS and want remote devices to use it—you'll need to expose it securely (more on that below).

Hybrid (Tailscale + AdGuard): If you're using Tailscale for remote access, you can set AdGuard as your local DNS and Tailscale will advertise it to all connected nodes. This is my preferred setup for remote networks.

Configuring Blocklists and Filters

Out of the box, AdGuard Home doesn't block anything. You need to add blocklists. In the AdGuard Home web interface, go to Filters → DNS blocklists. Here are some trusted lists I use:

Add each one, save, and they'll download and apply. After 30 minutes, you'll start seeing DNS requests blocked in the Query Log. Check the dashboard—you should see a percentage of blocked requests climbing as traffic flows through.

Watch out: If you add too many blocklists, you risk blocking legitimate traffic. I've seen people add 15+ lists and then wonder why their email won't load. Start with one or two reputable ones, monitor for breakage, and add more gradually. You can whitelist specific domains in the Allowlist if needed.

Creating Custom DNS Records

One reason I prefer AdGuard Home over Pi-hole is the custom DNS records feature. Go to Filters → Custom DNS, and add entries for your internal services. For example:

Now, any device on your network can reach these services by hostname instead of IP. This is crucial for internal TLS certificates and convenience. If you move a service to a different IP, you change it here once instead of on every device.

Securing Remote Access with Tailscale

If you're running AdGuard Home on a home server and want to use it while away from home, exposing port 53 to the internet is dangerous. I use Tailscale instead. Install Tailscale on your server and your devices, and they'll securely tunnel back to your DNS manager over WireGuard.

In your Tailscale network settings, use your server's Tailscale IP as the DNS server on your mobile devices or laptop. No port forwarding, no DDNS, no exposed DNS resolver. Just encrypted peer-to-peer tunnels.

Alternatively, if you're using AdGuard Home on a cheap VPS (like those from RackNerd), you can expose it with a reverse proxy and mTLS authentication, but that's more complex and Tailscale is simpler for personal use.

Monitoring and Logging

The real power of AdGuard Home appears in the Query Log. You'll see every single DNS request your devices make. It's eye-opening: you'll notice which apps phone home the most, which services are redundant, and which domains are trying to track you.

Set a retention policy in Settings → General settings → Log retention period. I keep 7 days of logs. You can search the logs by domain, response type, and result status. This is invaluable for debugging network issues and understanding your network's behavior.

Performance Tuning

AdGuard Home is lightweight—it runs comfortably on a Raspberry Pi or with 512MB RAM on a VPS. But a few settings help:

Integrating with Home Lab Services

Once your DNS manager is running, other self-hosted services become easier to manage. Nextcloud, Jellyfin, Gitea, and other services can be accessed by memorable hostnames instead of IPs and ports. With a reverse proxy like Caddy or Traefik in front of them, you can even use HTTPS on internal hostnames—AdGuard plays nicely with that workflow.

For example: nextcloud.home.lab resolves via AdGuard to your internal Caddy instance, Caddy routes it to your Nextcloud container, and everything is encrypted. Your DNS manager is the foundation of a professional-feeling home lab.

What's Next?

Your personal DNS manager is now running. Spend a week monitoring the Query Log and getting comfortable with what your devices are doing. Add a couple of trusted blocklists and notice the improvement in ad blocking. If you're running a larger home lab, consider pairing this with a reverse proxy like Caddy to handle HTTPS and routing for your internal services.

If you want to expand further—perhaps running multiple services on a reliable VPS—RackNerd offers affordable KVM VPS and hybrid dedicated servers perfect for DNS managers, caching layers, and other infrastructure roles. Or keep it local on an old laptop or Raspberry Pi. The beauty of self-hosting is the choice.

```