A few days ago, I discussed how my homelab depended on Cloudflare and mentioned I was experimenting with several alternatives to reduce my dependency on it. I have already reduced one of those dependencies by replacing Cloudflare Tunnel with Pangolin. The next service on the list was removing Cloudflare from the DNS chain. Not because my existing setup was broken, but because the stack had grown over time. Pi-hole handled DNS filtering, whereas dnscrypt-proxy encrypted the queries once they were outside my network.

AdGuard Home was already in homelab discussions, Reddit threads, and YouTube videos. I decided to run it alongside my existing Pi-hole stack and see what everyone was talking about. While experimenting with AdGuard, I found something I didn’t expect. One AdGuard Home feature made my entire two-container DNS stack unnecessary and ultimately replaced it.

Why I ended up running two services just to handle DNS

One problem at a time

As a publisher myself, I am against blocking ads, but these days, websites and apps have more ads than the actual content. When my mother uses her Android device, she never properly navigates the apps without accidentally clicking the ads, and some of them are intrusive. That was when I decided to implement network-wide adblocking. I had just set up my home lab server. So while setting up Pi-hole, I only had one thing in mind: network-wide ad-blocking to get as clean a browsing experience as possible across all my family's devices. And Pi-hole solved the problem I had at that time.

Later, while I was learning more about networking, I realized that Pi-hole was only handling filtering. It was filtering the requests and clearing out the clean ones. Pi-hole was working as a watchman and was only gatekeeping the DNS queries within my network. Once outside the network, those queries traveled in plaintext containing all my network metadata. This wasn’t a Pi-hole limitation; it was working as it was supposed to. That was when I decided to add another layer to the stack: DoH encryption. My first choice was Cloudflare DoH, but it was already deprecated, so I went ahead and self-hosted dnscrypt-proxy.

Once I configured dnscrypt-proxy as Pi-hole’s dependency and added it as a custom upstream DNS server, all upstream queries were now encrypted. When everything was working fine, why did I even think of replacing the Pi-hole setup? As a homelab enthusiast, I already knew self-hosting gives us freedom and ownership, but it also comes with maintenance tradeoffs. Since I implemented Pi-hole network-wide, DNS resolution for every device depended on it. If anything went wrong, I had to troubleshoot two containers and two configurations. With time, that became a friction point, and two containers solving one problem started to feel like unnecessary overhead.

The part of AdGuard Home I wasn't expecting

I didn't install it for this

I wasn’t even looking to replace dnscrypt-proxy or Pi-hole particularly. With time, I had been hearing about AdGuard Home (AGH) and wanted to test it side by side with Pi-hole and see what the fuss was about. I installed it on my home Debian server while Pi-hole was already running.

The installation took a couple of minutes; I dropped the Docker Compose file in the Portainer stack, and it was deployed in a few seconds. Once deployed, I opened http://local-server-ip:3333 in my browser to start the one-time setup wizard. It was a basic five-step setup, and I was done in a couple of minutes. Then it redirected me to the login page at the set port, http://local-server-ip:8085, and logged in with my credentials.

My first impression was that everything felt familiar, just that the UI was a little different, but the content was similar. Quickly navigated to DNS blocklists and added the ones I was using in Pi-hole — OISD big list and Steven Black unified hosts list. Since my server's IP address was already set as a DNS server in my dual-WAN gateway, I just had to stop Pi-hole and dnscrypt-proxy, and AGH was in full action within a couple of seconds. The dashboard started populating with numbers and stats.

While going through AGH’s settings, I noticed something under DNS settings I wasn't expecting: native support for encrypted DNS-over-HTTPS (DoH). And I had a moment of realization that this is literally what dnscrypt-proxy was doing for me. Then I started comparing configurations and pointed AGH at the same encrypted upstream provider (Quad9). I verified it with AGH’s test functionality, and it was working fine.

Originally, I was comparing AdGuard Home against Pi-hole. After I configured encrypted DoH on AGH, I compared it against Pi-hole and dnscrypt-proxy combined. In my current setup, one was handling filtering, and another encrypted upstream DNS. But AdGuard was handling both of them alone. The moment everything was working, I realized one of the containers in my stack no longer had a purpose.

Running one container instead of two is a bigger upgrade than it sounds

Less to manage, less to break

The biggest benefit wasn’t speed. It wasn’t blocking more ads or having better privacy. It was the simplicity that won me over. After moving from Pi-hole and dnscrypt-proxy to AdGuard Home, I had one dashboard, one backup, one update cycle, and one log source.

One dashboard for filtering, clients, query logs, and upstream DNS settings. One backup: no separate config folders, no remembering which services store what. One update cycle: one container to update, one service to maintain. And finally, one place to troubleshoot — instead of checking the Pi-hole dashboard, dnscrypt-proxy logs, and upstream settings — I now needed to open AdGuard Home only.

The AdGuard Home dashboard was so similar to Pi-hole that I didn’t need to change my muscle memory. The dashboard showed actual clients, blocking stats, upstream encryption status, and the peace of mind that everything works properly.

Pi-hole is excellent. dnscrypt-proxy is powerful. Neither failed. Neither became bad software overnight. Nothing was wrong with my old setup, but I was at a point in my homelab where maintaining two services no longer made sense when one could do it.

One container was all it ever needed

When I first started with the AdGuard experiment, my intention was not to replace either Pi-hole or dnscrypt-proxy. Both of them were good in what they did. But by the end, I had replaced both with AdGuard Home. The switch wasn't about performance, and nothing failed. One container was now doing what two used to do. And one container meant the same filtering, the same encrypted upstream DNS but fewer moving parts and less maintenance overhead.

Sometimes the best homelab improvement isn't adding another new tool — it's realizing you no longer need an old one.