Wong Edan's
Cover
Coding & Algorithms

Kill the Ads, Save Your Soul: The Homelab Manifesto

March 06, 2026 • By Azzar Budiyanto

The Digital Wild West and Why You Need a Sheriff

Listen, my fellow digital hoarders, packet-sniffing addicts, and command-line wizards. We live in an era where the internet feels less like a grand library of human knowledge and more like a neon-lit back alley where every billboard is actively trying to pick your pocket. If you are browsing the web without network-wide ad blocking, you are basically walking through a digital rainstorm without an umbrella, wondering why your socks are soaking wet. This is where the Wong Edan philosophy comes in. Sane people just install a browser extension and call it a day. We? We build a fortress. We build a DNS-sinkhole that makes trackers weep and advertisers question their life choices.

Why go through all this trouble? Because “Wong Edan” (the crazy one) knows that a browser extension only protects the browser. What about your smart TV that’s reporting your viewing habits back to a server in a different hemisphere? What about your mobile apps that are bloated with telemetry? What about that “smart” fridge that probably has more trackers than a bounty hunter? Network-wide ad blocking is the ultimate power move. It’s about taking back control of every single bit and byte that crosses your threshold. Today, we are diving deep—and I mean void-of-the-abyss deep—into setting up a network-wide ad blocker in your homelab.

The Core Concept: What is a DNS Sinkhole?

Before we start spinning up containers, let’s understand the magic trick. DNS (Domain Name System) is essentially the phonebook of the internet. When you type google.com, your computer asks a DNS server, “Hey, what’s the IP address for this?” The server responds with something like 142.250.190.46. Your computer then goes to that address.

A DNS sinkhole like Pi-hole or AdGuard Home acts as a middleman. When an ad tries to load from super-annoying-tracker.doubleclick.net, your device asks your homelab DNS server for the IP. Your server looks at its “blacklist,” realizes that domain is a piece of hot garbage, and instead of giving the real IP, it returns 0.0.0.0 (a dead end). The ad never loads because your computer literally can’t find it. The beauty? The client device (your phone, your TV, your toaster) doesn’t even know it happened. It just thinks the ad server is down. Efficiency, thy name is DNS blocking.

Choosing Your Weapon: Pi-hole vs. AdGuard Home

In the r/selfhosted community, this is the equivalent of the “Coke vs. Pepsi” war, except with more bash scripts and fewer sugary drinks. Both are phenomenal, but they have different vibes.

1. Pi-hole: The Battle-Hardened Veteran

Pi-hole is the OG. It’s what started the revolution. It is lightweight, written in C and PHP, and can run on a potato. If you have an old Raspberry Pi 1 B+ gathering dust, Pi-hole will run on it like a champ.

  • Pros: Massive community support, huge library of third-party “gravity” lists, and a very stable API.
  • Cons: The interface is starting to look a bit dated, and it doesn’t support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) out of the box without installing additional software like cloudflared or unbound.

2. AdGuard Home: The Modern Powerhouse

AdGuard Home is the sleek, modern alternative written in Go. It’s a single binary that handles everything. It’s my personal favorite for a “Wong Edan” setup because it packs everything into one package.

  • Pros: Built-in support for DoH, DoT, and DNS-over-QUIC. It has a beautiful, responsive UI and allows for easy client-level filtering (give the kids a strict filter and yourself the “Wild West” filter).
  • Cons: Slightly more resource-intensive than Pi-hole (though we are talking 100MB of RAM vs 50MB, so who cares?). It is also developed by a commercial company, though the Home version is fully open-source.

Hardware: Where Does the Beast Live?

You don’t need a rack-mounted server to do this, though if you have one, more power to you. You can host your DNS server on:

  • A Raspberry Pi: The classic choice. A Pi 3 or 4 is overkill, but a Pi Zero 2 W is the “Goldilocks” zone.
  • A Proxmox VM or Container: If you are already running a homelab, spinning up a Debian-based LXC container is the most efficient way. It takes seconds and uses negligible resources.
  • Docker: The “Wong Edan” way. Put it in a docker-compose.yml file so you can migrate it to any machine in seconds.
  • An Old Laptop: That laptop with the broken screen? Perfect headless server. Just disable the “suspend on lid close” setting.

The ‘Wong Edan’ Setup Guide: AdGuard Home on Docker

Let’s get our hands dirty. We are going to use Docker because we aren’t savages living in 2010. Docker ensures that our configuration is portable and isolated. Here is a sample docker-compose.yml to get you started:


version: '3'
services:
adguardhome:
image: adguard/adguardhome
container_name: adguardhome
restart: unless-stopped
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
ports:
- "53:53/tcp"
- "53:53/udp"
- "80:80/tcp"
- "443:443/tcp"
- "853:853/tcp"
- "3000:3000/tcp"

Once you run docker-compose up -d, you head over to http://[YOUR-IP]:3000 and follow the setup wizard. But wait! There is a trap. If you are running this on Ubuntu, port 53 is likely already taken by systemd-resolved. You’ll need to disable it or bind AdGuard to a specific IP address. This is where most people quit. But not you. You are Wong Edan. You wrestle with the config files until they submit.

Advanced Strategy: The Unbound Integration

Standard DNS blocking still relies on “Upstream DNS” (like Google 8.8.8.8 or Cloudflare 1.1.1.1). This means Google still knows every site you visit. If you want true privacy, you need Unbound. Unbound is a recursive DNS resolver. Instead of asking Google for the address, it goes straight to the “Root Servers.”

“I don’t trust anyone with my data, not even the people providing the service.” – Every r/selfhosted user ever.

By pairing AdGuard Home with Unbound, you become your own DNS authority. AdGuard filters the ads, and then asks your local Unbound instance to find the IP. No third party sees your requests. It’s beautiful. It’s private. It’s peak homelab performance.

The ‘Secret Sauce’ Filter Lists

A sinkhole is only as good as its blacklist. If you just use the default lists, you’re missing out. You need the “Edan” collection. Look for lists like:

  • OISD (Big): The holy grail. It’s curated to ensure it doesn’t “break” the internet for your non-technical family members.
  • Steven Black’s Unified Hosts: A massive compilation of ads, trackers, and malware domains.
  • Developer Dan’s Lists: Specifically targeted at tracking and telemetry.

Pro-tip: Don’t go overboard. If you add 50 lists and block 2 million domains, you will eventually find that your banking app or your favorite streaming service stops working. This leads to the dreaded “Wife Approval Factor” (WAF) drop, which can result in your homelab being physically unplugged.

Ad-Blocking on the Go: The WireGuard Tunnel

One of the findings from r/selfhosted mentioned: “I have ad blocking even when I am not inside my home network, this feels way too powerful.” This is the pinnacle of the craft. By setting up a WireGuard VPN on your homelab, you can “tunnel” your mobile phone’s traffic back to your home DNS server while you are on 5G or public Wi-Fi.

Imagine sitting in a coffee shop, using their sketchy Wi-Fi, but your phone is seeing zero ads because it’s secretly talking to the Raspberry Pi in your basement 50 miles away. You can use Tailscale for an even easier setup. It has an “Exit Node” and “Global Nameserver” feature that makes this process as easy as clicking a toggle. Suddenly, that 500MB data cap on your roaming plan lasts twice as long because you aren’t downloading 250MB of video ads.

Local DNS: The “I’m a Professional” Touch

Tired of typing 192.168.1.50:8080 to access your server? With your own DNS server, you can create “Local DNS Records.” You can map nas.home to your NAS IP, or stats.home to your dashboard. It makes your home network feel like a corporate enterprise, which is exactly the kind of overkill we strive for. When your friends come over and see you typing plex.home into a browser, they will think you’re a god. Don’t tell them it’s just a simple A-record entry in AdGuard.

The Great Cat-and-Mouse Game: YouTube Ads

We must address the elephant in the room: YouTube ads. Since YouTube serves ads from the same domains as the actual video content, DNS blocking (Pi-hole/AdGuard) generally cannot block YouTube ads on smart TVs or mobile apps. If you block the ad domain, you block the video.

To defeat this, you need a multi-layered approach. For browsers, use uBlock Origin. For Android, use YouTube Revanced. For TVs, look into SmartTubeNext. A true “Wong Edan” setup recognizes that DNS blocking is a powerful shield, but sometimes you need a surgical scalpel for the specific annoyances.

Maintenance and Troubleshooting (The “Why is the Internet Down?” Talk)

At some point, your server will crash. Maybe a power outage, maybe a corrupted SD card, or maybe you played with the settings too much at 2 AM. When this happens, your entire house loses internet. Not because the ISP is down, but because your devices can’t “find” anything.

Redundancy is key. Run two instances of your DNS server. One on a Pi, one in a VM. Set your router to hand out both IPs as Primary and Secondary DNS. If one dies, the other takes over. If you don’t do this, be prepared for the wrath of a family that can’t access TikTok or Netflix. You’ve been warned.

Conclusion: The Ultimate Power

Setting up network-wide ad blocking is more than just a technical project; it’s a rite of passage for any self-hosted enthusiast. It’s the moment you stop being a passive consumer of the internet and start being an active gatekeeper. You’ll notice the speed increase immediately—pages load faster because they aren’t waiting for a dozen tracking scripts to handshaking with servers in Russia or China.

You’ll see your “Blocked Queries” percentage climb to 15%, 25%, maybe even 40%. Every one of those blocked queries is a little victory. It’s a “No” to a data broker. It’s a “No” to a flashy banner. It’s the quiet satisfaction of a clean, minimalist web. So, go forth, install that sinkhole, and join the ranks of the Wong Edan. Your homelab is waiting, and the advertisers are already sweating.

Stay crazy, stay curious, and keep those packets flowing—on your own terms.