Skip to main content

Low Level Settings guide

How to reach the Low-level settings

Changing Low-level settings can cause problems with the performance of AdGuard, may break the Internet connection or compromise your security and privacy. You should only open this section if you are sure of what you are doing or our support-team has asked you about it.

To go to Low-level settings, open the main menu, tap Settings, choose Advanced and find Low-Level Settings at the bottom of the screen.

Low-level settings


Here you can set AdGuard’s startup delay after device boot-up (in seconds). This setting is only relevant if AdGuard autostart is enabled (Settings → General → AdGuard autostart).


Here you can select the way AdGuard will respond to blocked DNS queries:

0 — means block requests with Refused response code for Network filtering rules and with Unspecified IP for Host rules. 1 — means block requests with NXDomain for all kinds of filtering rules. 2 — means block requests with Unspecified IP for all kinds of filtering rules. 3 — means block requests with Unspecified IP for all kinds of filtering rules. 4 — means block requests with Refused response code for all kinds of filtering rules.

1 is used by default if the entered value is not valid.


Bootstrap DNS for DoH, DoT, and DoQ servers. The System DNS server is used by default.

If enabled AdGuard detects search domains and automatically forwards them to the fallback upstreams if they exist.


Here you can specify a fallback DNS resolver that will be used when the configured server is not available. If not specified, the system default DNS is used as a fallback. A string "none" means no fallback at all.

Here you can list domains that will be directly forwarded to the fallback upstreams (if they exist).


Here you can specify a timeout in milliseconds to be used for each DNS request. Please note that if you are using multiple upstreams, the fallback DNS resolver will only be used after all the timeouts of each upstream.


Here are already listed package names of apps for which AdGuard enforces HTTPS filtering. You can add this list with any app even if it targets Android 7+. But before check if the application trusts the AdGuard’s HTTPS certificate, which is located in the User storage, or the developers have not provided such an option.


Enforce notification about paused protection even when the notification icon is set to Disabled (for Android below Oreo).


Here you can list the packages and UIDs you want to exclude from filtering.


Here you can list the ports connections to which will be filtered.


Here you can enable HAR file capture. Use it only for debugging purposes! If the setting is enabled, AdGuard will create a directory named "har" inside the app cache directory. It contains information about all filtered HTTP requests in HAR 1.2 format and can be analyzed with the Fiddler program.


For the domains and package names listed here, notifications that they do not trust AdGuard's HTTPS certificate will be disabled.


If enabled, AdGuard will bypass the traffic of any app that does not trust our certificate. It is enabled by default.


Here you can find the list of IPv4 ranges excluded from filtering. For instance, we don’t filter connections to the private IP ranges. You can add this list if required.


Here you can list the IPv6 ranges which you want to exclude from filtering.

If enabled, AdGuard shows you a notification if any app doesn’t trust our HTTPS certificate.


If enabled, AdGuard blocks all Internet connections through IPv6 when working in "Proxy with automatic setup" mode.


Here you can disable AdGuard automatic root proxy reconfiguration when network connectivity changes.


Here you can list packages for which AdGuard will bypass QUIC traffic.


If enabled, AdGuard shows information about blocked HTML elements in the filtering log.

If enabled, AdGuard clears YouTube app data on booting to block YouTube ads. Root access is required.


If enabled, AdGuard sets the minimum oom_score_adj for its own process to stay alive all the time. Requires root access.


If enabled, AdGuard pauses protection when you open the Samsung Pay app. Requires usage access.


If enabled, AdGuard applies a workaround solution that mitigates the soft reboots issue caused by an Android 10 bug.


If enabled, AdGuard will create the special file name "tun.pcap". It contains all network packets transferred through the VPN. This file is located in the app cache directory and can be analyzed with the Wireshark program.


This feature disables automatic VPN pause in case of network absence, tethering, or power-saving mode.


This feature disables VPN automatic reconfiguration in case of network absence, tethering, or power-saving mode.


TUN interface IPv4 address.


If enabled, VPN will be configured to bypass all the IPv4 traffic. In this case, IPv4 will work, but it will not be filtered.


If enabled, VPN will bypass the LAN when possible. However, for complex networks, the LAN is not excluded and connections will be filtered, including local ones.


This feature disables the routes we use to exclude LAN from filtering.


TUN interface IPv6 address.


If enabled, VPN will be configured to bypass all the IPv6 traffic. In this case, IPv6 will work, but it will not be filtered.


This feature forcibly disables filtering for IPv6 networks. In this case, IPv6 will not work at all.


This feature forcibly enables filtering for IPv6 networks. The app doesn’t filter IPv6 on Lollipop and some cell carriers by default.


Here you can set the maximum transmission unit (MTU) of the VPN interface. The recommended interval for the experiments is from 1500 to 9000.


You always can reset Low-level settings to default.