Network-Wide Ad Blocking with Tailscale and AdGuard Home
One of the frustrations with traditional network-wide ad blocking is that it only works when you’re at home. The moment you leave your network, you’re back to seeing ads and trackers on every device. But if you’re already running Tailscale, there’s a simple fix: run AdGuard Home on a device in your tailnet and point all your devices at it. The result? Every device on your Tailscale network gets full ad blocking and secure DNS resolution, whether you’re at home, in a coffee shop, or on the other side of the world.

I’ve been taking digital privacy more seriously in recent years. I prefer encrypted email via PGP, block ads and trackers wherever possible, and generally try to minimise the data I leak online. I’ve been running Pi-hole for years, but it always felt like a half-measure. It worked great at home, but my phone and laptop were unprotected the moment I stepped outside. I could have set up a VPN back to my home network, but that felt clunky.

With Tailscale, the solution is elegant. Every device is already connected to my tailnet, so all I need is a DNS server that’s accessible from anywhere on that network. AdGuard Home fits the bill perfectly. It’s lighter than Pi-hole, has a cleaner interface, and supports DNS-over-HTTPS out of the box for upstream queries.

The other benefit is that this setup preserves Tailscale’s MagicDNS. I can still access my tailnet devices by name (like ), while all other DNS queries go through AdGuard for secure resolution and ad blocking.

You’ll need:

- A device on your Tailscale network that’s always on (a small home server, Raspberry Pi, or even an old laptop)
- AdGuard Home installed on that device
- Access to your Tailscale admin console

SSH into your always-on device and run the official installer:

This installs AdGuard Home to and sets it up as a systemd service. Once installed, open the setup wizard in your browser at . During setup:

- Set the DNS listen address to your device’s Tailscale IP (e.g., )
- Set the admin interface to the same Tailscale IP on port 3000
- Create an admin username and password

The key here is binding to your Tailscale IP rather than . This ensures AdGuard only listens on your tailnet, not on your local network or the public internet.

By default, AdGuard will use your system’s DNS servers for upstream queries. That’s not ideal. We want encrypted DNS all the way through.

In AdGuard Home, go to Settings → DNS settings → Upstream DNS servers and replace the defaults with:

These are Quad9’s DNS-over-HTTPS and DNS-over-TLS endpoints. Quad9 is a privacy-focused resolver that also blocks known malicious domains. For the Bootstrap DNS servers (used to resolve the upstream hostnames), add:

I’d also recommend enabling DNSSEC validation and Optimistic caching in the same settings page for better security and performance.

Now the easy part. Open your Tailscale admin console and:

- Add your device’s Tailscale IP as a Global nameserver
- Enable Override local DNS

That’s it. Every device on your tailnet will now use your AdGuard instance for DNS resolution.

This setup gives you:

- Ad and tracker blocking everywhere, not just at home
- Encrypted DNS queries, so your ISP can’t see what domains you’re resolving
- Malware protection via Quad9, which blocks known malicious domains at the DNS level
- A single dashboard to view query logs and statistics for all your devices in one place
- No client configuration since Tailscale pushes the DNS settings automatically

But there’s a trade-off here. By default, AdGuard Home logs every DNS query from every device. That’s useful for debugging, but it felt uncomfortable to me. The majority of my family use my tailnet, and I have no interest in knowing what sites they’re visiting. I also don’t need my own traffic logged if it isn’t necessary. I’ve turned off query logging entirely in Settings > General settings > Query log configuration, and disabled statistics as well. Ad blocking still works without any of this data being stored. If you do keep logging enabled, the query logs can be useful for identifying apps that are phoning home or misbehaving.

Since all your devices depend on this DNS server, you’ll want to make sure it’s reliable. If the device running AdGuard goes offline, DNS resolution will fail for your entire tailnet. A few options to mitigate this:

- Run AdGuard on a device that’s always on (a dedicated home server or cloud VPS)
- Add a fallback DNS server in Tailscale (though this bypasses AdGuard when your server is down)
- Run a second AdGuard instance on another device and add both as nameservers

For my setup, I’m running it on a small Intel NUC that’s always on anyway. It’s been rock solid so far.

This is one of those setups that takes ten minutes and then quietly improves your life. Every device on my tailnet now gets ad blocking and secure DNS without any per-device configuration. The combination of Tailscale’s networking and AdGuard’s filtering is genuinely elegant. If you’re already running Tailscale, this is worth the effort.
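The bind-address step in the setup section (listen on the Tailscale IP, never on every interface) is the one worth verifying on the host after the wizard finishes. This added audit script is not from the original post or from the AdGuard Home or Tailscale projects; it parses `ss -H -lntup` output and flags any port 53 or 3000 listener not bound to the Tailscale IP. TS_IP and the two sample tables are constructed, and the live run assumes iproute2 `ss` is installed.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the original post, AdGuard Home or Tailscale).
# Checks that the DNS (53) and admin (3000) listeners on the AdGuard host are
# bound only to the Tailscale IP, never to a wildcard like 0.0.0.0 or [::].
# TS_IP and the SAMPLE_* tables are constructed; live run assumes iproute2 ss.
set -eu

TS_IP="100.64.0.5"   # constructed Tailscale IP; replace with `tailscale ip -4`

# check_bind_scope TABLE PORT TS_IP
# TABLE is `ss -H -lntup` output. Returns 0 if every listener on PORT is
# bound to TS_IP, 1 if any is bound to a wildcard or another address.
check_bind_scope() {
  local table=$1 port=$2 ts_ip=$3 bad=0 proto state rq sq local_addr rest addr
  while read -r proto state rq sq local_addr rest; do
    [ -n "$local_addr" ] || continue
    [ "${local_addr##*:}" = "$port" ] || continue   # only the port we audit
    addr=${local_addr%:*}                            # drop the :port suffix
    if [ "$addr" != "$ts_ip" ]; then
      printf 'WARN: %s port %s bound to %s (expected %s)\n' \
        "$proto" "$port" "$addr" "$ts_ip" >&2
      bad=1
    fi
  done <<EOF
$table
EOF
  return "$bad"
}

# Constructed sample: AdGuard bound to the Tailscale IP only (the intended state).
SAMPLE_GOOD='udp UNCONN 0 0 100.64.0.5:53 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=9))
tcp LISTEN 0 4096 100.64.0.5:53 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=10))
tcp LISTEN 0 4096 100.64.0.5:3000 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=11))'
# Constructed sample: the weak setting, DNS answering on every interface
# (your LAN and, if the host is reachable from the internet, anyone at all).
SAMPLE_BAD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=9))
tcp LISTEN 0 4096 [::]:53 [::]:* users:(("AdGuardHome",pid=1234,fd=10))
tcp LISTEN 0 4096 100.64.0.5:3000 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=11))'

# audit_host TABLE TS_IP: run both port checks; returns 0 only if both pass.
audit_host() {
  local ok=0
  check_bind_scope "$1" 53 "$2" || ok=1
  check_bind_scope "$1" 3000 "$2" || ok=1
  return "$ok"
}

# Live run on the AdGuard host when invoked with the Tailscale IP as argument.
if [ $# -gt 0 ] && command -v ss >/dev/null 2>&1; then
  audit_host "$(ss -H -lntup)" "$1" && echo "OK: listeners scoped to $1"
fi
```

Run it on the AdGuard host as `./audit.sh "$(tailscale ip -4)"`; a WARN line on port 53 means the resolver is reachable beyond the tailnet and the listen address in the wizard should be corrected.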