Network-wide ad blocking with encrypted upstream DNS via Quad9 on Raspberry Pi 3B+
Devices on network
↓ DoT/DoH (encrypted)
AdGuard Home (ad & tracker blocking) — port 53 / 853
↓
Quad9 DNS (encrypted upstream resolver — 9.9.9.9)
On your router, set a static IP for the Pi using a DHCP reservation.
This setup uses a static IP configured on the Pi instead of on the router, since my router does not support reservations.
Set a static IP on the Pi
↓
Open a terminal on the Pi, either over SSH or with a keyboard, monitor and HDMI cable.
↓
In the terminal, run sudo nano /etc/dhcpcd.conf
Add at the bottom of the config:
interface eth0
static ip_address=192.168.0.1/24 (use the static IP you chose for the Pi)
static routers=192.168.0.1 (use your router's IP; it must be a different address from the Pi's)
static domain_name_servers=9.9.9.9
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/
Access the setup UI at:
http://192.168.0.1:3000 (Using the static IP you setup with port 3000)
In the AdGuard Home web UI:
- Go to Settings → DNS Settings
- Under Upstream DNS servers, remove everything and add:
tls://dns.quad9.net
- Under Bootstrap DNS servers, add:
9.9.9.9
149.112.112.112
The tls:// prefix makes AdGuard Home query Quad9 over DNS-over-TLS (port 853). The bootstrap servers are plain-DNS resolvers used only to look up the hostname dns.quad9.net before the encrypted connection can be made.
In your router's DHCP settings, set the Primary DNS to:
192.168.0.1 (Your static IP)
This pushes AdGuard Home as the DNS server to every device on the network automatically.
Generate a Self-Signed Certificate
Generate the private key:
sudo openssl genrsa -out /etc/ssl/server.key 4096
Generate the certificate (valid for 365 days, matching the renewal interval below; the subjectAltName entry puts the Pi's address in the certificate so DoT/DoH clients can match it against the address they connect to; use your static IP):
sudo openssl req -new -x509 -key /etc/ssl/server.key -out /etc/ssl/server.crt -days 365 -subj "/CN=192.168.0.1" -addext "subjectAltName=IP:192.168.0.1"
Set permissions so AdGuard Home can read the files. The private key should stay readable by root only (AdGuard Home's service runs as root by default, so it can still read it); only the certificate is public:
sudo chmod 600 /etc/ssl/server.key
sudo chmod 644 /etc/ssl/server.crt
Verify both files exist:
ls -la /etc/ssl/server.key /etc/ssl/server.crt
Configure Encryption in AdGuard Home
Go to Settings → Encryption Settings and fill in:
- Enable Encryption = ON
- Enable plain DNS = ON (until tested, then disable)
- Server Name = 192.168.0.1 (Static IP)
- HTTPS port = 443
- DNS-over-TLS port = 853
- DNS-over-QUIC port = 853
- Certificate path = /etc/ssl/server.crt
- Private key path = /etc/ssl/server.key
Then hit Save.
↓
Verify encryption is working
↓
Access AdGuard Home over HTTPS:
↓
https://192.168.0.1 (Static IP)
Your browser will show "Not secure" - this is expected for self-signed certificates. The encryption is still active.
Installing the certificate as trusted on each device removes the browser "Not secure" warning permanently.
Windows:
- Go to https://192.168.0.1 (Static IP)
- Click "Not secure" → Certificate → Details → Copy to File
- Save the .crt file
- Double-click it → Install Certificate → Trusted Root Certification Authorities
Android:
Settings → Security → Install certificate → CA certificate
iOS:
Settings → General → VPN & Device Management → Install Profile
Configuring Devices for Encrypted DNS
Android (Private DNS):
Settings → Network → Private DNS → enter: 192.168.0.1 (Static IP)
Windows (DoH):
Settings → Network → DNS → Add DNS over HTTPS server URL: https://192.168.0.1/dns-query (Static IP)
Linux (systemd-resolved):
sudo nano /etc/systemd/resolved.conf
Add under the [Resolve] section (the keys are ignored outside it):
[Resolve]
DNS=192.168.0.1
DNSOverTLS=yes
Then apply the change:
sudo systemctl restart systemd-resolved
Certificate Renewal
The self-signed certificate expires after 365 days. Renew it by running the same commands again (use your static IP in place of 192.168.0.1):
sudo openssl genrsa -out /etc/ssl/server.key 4096
sudo openssl req -new -x509 -key /etc/ssl/server.key -out /etc/ssl/server.crt -days 365 -subj "/CN=192.168.0.1" -addext "subjectAltName=IP:192.168.0.1"
sudo chmod 600 /etc/ssl/server.key
sudo chmod 644 /etc/ssl/server.crt
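The certificate steps above (generation and renewal) as one added helper script, not part of the original guide: it generates the self-signed key and certificate with the Pi's address as a Subject Alternative Name and the key locked to the owner, then checks the SAN, the key permissions and how soon the certificate expires, so the renewal date can be checked from a cron job. It assumes OpenSSL 1.1.1 or newer (for -addext); the output directory, IP and validity are parameters, with 192.168.0.1 and 365 days mirroring the guide's values.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes openssl >= 1.1.1.
set -u

# make_cert OUTDIR IP DAYS: writes OUTDIR/server.key and OUTDIR/server.crt,
# key readable by owner only, certificate world-readable, IP in the SAN.
make_cert() {
  dir=$1; ip=$2; days=$3
  mkdir -p "$dir" || return 1
  openssl genrsa -out "$dir/server.key" 4096 2>/dev/null || return 1
  openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
    -days "$days" -subj "/CN=$ip" \
    -addext "subjectAltName=IP:$ip" 2>/dev/null || return 1
  chmod 600 "$dir/server.key" && chmod 644 "$dir/server.crt"
}

# cert_has_ip_san CRT IP: exit 0 if the certificate lists exactly IP as a SAN
# (the "(,|$)" guard stops 192.168.0.1 from matching 192.168.0.10).
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:$2(,|\$)"
}

# cert_expires_within CRT DAYS: exit 0 if the certificate expires within DAYS
# days. openssl -checkend exits 0 when the cert is still valid then, so invert.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# key_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback)
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone use: regenerate into /etc/ssl when fewer than 30 days remain.
if [ "${1:-}" = "--renew-if-needed" ]; then
  if cert_expires_within /etc/ssl/server.crt 30; then
    make_cert /etc/ssl 192.168.0.1 365 && echo "certificate renewed"
  else
    echo "certificate still valid for more than 30 days"
  fi
fi
```

Run it as root with --renew-if-needed from a daily cron entry, then restart AdGuardHome when it reports a renewal so the new certificate is loaded.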
DNS not resolving after setup? Check the service status:
sudo systemctl status AdGuardHome
Test that AdGuard Home is blocking ads (in the default blocking mode a blocked domain answers with 0.0.0.0):
dig doubleclick.net @127.0.0.1
Test Quad9 upstream is reachable:
dig google.com @9.9.9.9
Check Pi RAM usage:
free -h
Restart AdGuard Home:
sudo systemctl restart AdGuardHome