# AdGuard Home

AdGuard Home provides network-wide DNS filtering and ad blocking. It runs in an ephemeral NixOS container on the host network.

Source: `server/containers/adguard.nix`

## Network
| Property | Value |
|---|---|
| Private network | No (host network) |
| Web UI | 127.0.0.1:8080 |
| DNS | Port 53 (TCP + UDP, all interfaces) |
| Subdomain | adguard.nemnix.site (behind Authelia) |
| Ephemeral | Yes (state is rebuilt on restart) |
## Why Ephemeral?

```nix
containers.adguard = {
  ephemeral = true;
  # ...
};
```

AdGuard Home is configured with `mutableSettings = false`, meaning all settings are declared in Nix. There is no runtime state that needs to persist, so the container is rebuilt from scratch on every restart.
## DNS Configuration

### Upstream Resolvers

```nix
upstream_dns = [
  "tls://dns.quad9.net"         # DNS-over-TLS
  "quic://dns.adguard-dns.com"  # DNS-over-QUIC
];
```

Both upstreams use encrypted transport. Queries are sent in parallel (`upstream_mode = "parallel"`): every query goes to both upstreams at once and the first answer to arrive is used.
### Bootstrap DNS

```nix
bootstrap_dns = [
  "94.140.14.14"    # AdGuard
  "94.140.15.15"
  "9.9.9.9"         # Quad9
  "149.112.112.112"
];
```

Bootstrap DNS servers are used to resolve the hostnames of the upstream DNS servers themselves (`dns.quad9.net`, `dns.adguard-dns.com`), since those names cannot be looked up over the encrypted upstreams before their addresses are known. These bootstrap lookups are plain DNS; only the upstream hostnames are resolved this way, not client queries.
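To show concretely what the `tls://dns.quad9.net` upstream and the `bootstrap_dns` entries above mean on the wire, here is an added Python probe (not part of this page's configuration or of AdGuard Home): it connects to a bootstrap address, validates the server certificate against the upstream hostname, and exchanges one length-prefixed DNS message. For the demo, 9.9.9.9 is used directly as the connect address, standing in for the answer a bootstrap lookup of `dns.quad9.net` would return (an assumption); `example.com` is a constructed test input, and the `__main__` lookup needs network access.

```python
import os, socket, ssl, struct

def build_query(name, qtype=1):
    """Return (transaction id, wire-format DNS query); qtype 1 = A record."""
    txid = struct.unpack("!H", os.urandom(2))[0]               # random id: spoofing guard
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(data, txid):
    """Return IPv4 answers; reject id mismatches and error rcodes."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError("bad reply: id %d rcode %d" % (rid, flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                        # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                          # A record
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def query_dot(name, server_ip, server_name):
    """One DNS-over-TLS query (RFC 7858, TCP 853): connect by IP, validate the
    certificate for server_name, exchange length-prefixed DNS messages."""
    txid, query = build_query(name)
    ctx = ssl.create_default_context()                         # checks chain and hostname
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            stream = tls.makefile("rb")
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_a_records(stream.read(length), txid)

if __name__ == "__main__":
    # 9.9.9.9 is a bootstrap IP from the page's config; dns.quad9.net is the upstream name
    print(query_dot("example.com", "9.9.9.9", "dns.quad9.net"))
```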
### DNS Features
| Feature | Value |
|---|---|
| DNSSEC | Enabled |
| HTTP/3 upstreams | Enabled |
| Cache size | 256 MB |
| Optimistic caching | Enabled |
| Rate limiting | Disabled (0) |
Optimistic caching returns expired cache entries immediately while refreshing them in the background, reducing perceived latency.
### DNS Rewrites

```nix
filtering.rewrites = [{
  domain = "*.nemnix.site";
  answer = "192.168.1.20";
}];
```

All `*.nemnix.site` subdomains resolve to the server's local IP. This enables split-horizon DNS: internal clients reach services directly without going through Cloudflare Tunnel.
## Blocklists
All blocklists are from the Hagezi project:
| List | Purpose |
|---|---|
| tif.txt | Threat Intelligence Feeds (malware, phishing, C2) |
| ultimate.txt | Ultimate ad/tracker blocking |
| spam-tlds.txt | Spam top-level domains |
| dns-rebind-protection.txt | DNS rebinding attack protection |

```nix
filters = map (url: { enabled = true; inherit url; }) [
  "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt"
  "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/ultimate.txt"
  "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adguard/dns-rebind-protection.txt"
];
```

## Monitoring
Query logs and statistics are retained for 7 days:
```nix
querylog = { enabled = true; interval = "168h"; };
statistics = { enabled = true; interval = "168h"; };
```

## Traefik Route
The web interface is accessible via `adguard.nemnix.site`, protected by Authelia:

```nix
routers.adguard = {
  rule = "Host(`adguard.nemnix.site`)";
  service = "adguard";
  entrypoints = [ "websecure" ];
  middlewares = [ "authelia" ];
};
```

Since AdGuard Home has no native authentication in this setup (when `mutableSettings = false`), Authelia provides the authentication layer.