WOMBATS Shield
Threat model

What Shield protects, and where it deliberately stops.

A network appliance is only as trustworthy as the boundaries it's honest about. Here's where Shield is designed to be effective, and the cases we deliberately don't pretend to cover.

What Shield protects against

Ads & ad networks

Network-wide blocking of known ad and ad-network domains across every device on your network.

Trackers & profiling domains

Reduces unwanted cross-site tracking before the connection is made, including from devices that have no built-in blocker.

Phishing & malware domains

Blocks known harmful domains at the DNS layer before traffic ever leaves the network.

Adult & unsafe content

Optional category-based blocking with SafeSearch enforcement on Google, Bing, YouTube, DuckDuckGo and the other supported search engines.

App & service blocking

Catalog-based blocking for supported apps and services, useful for parental and household controls.

DNS bypass paths

Local nftables enforcement resists common encrypted-DNS bypass tricks and Apple Private Relay traffic.

Where Shield deliberately stops, and why

Shield is a network-level appliance. It is honest about what a network-level appliance can and can't do, so you know when to reach for something else.

Devices outside your network

A phone on mobile data, a laptop on a café Wi-Fi, an IoT device on a separate network: none of those are on your Shield, so its policy doesn't apply. We don't pretend otherwise. Shield Vault's travel Wi-Fi mode is one calm answer for when you're away from home.

VPNs and encrypted DNS on managed devices

A VPN tunnels traffic past local DNS. So does encrypted DNS on a determined device. Shield blocks common bypass paths and Apple Private Relay, but a determined user on a managed device can still tunnel out. What we give you is visibility, not coercion.

Universal app inspection

Shield filters at the DNS layer and at the network layer. It does not deep-packet-inspect every app or break TLS to read inside encrypted connections. We think that's the right boundary for a calm home appliance, but it means some app behaviour is opaque to Shield by design.

Hostile WAN exposure

Shield is designed to sit behind your modem on a normal home or office network. It is not hardened for being directly exposed on the public internet. If your network setup is unusual, talk to us before deploying it.

Endpoint security on the device itself

Shield protects the network. It is not anti-malware on your laptop, your phone, or your Mac. The two layers complement each other, but Shield is not a substitute for keeping endpoints up to date.

What stays local

Filtering decisions, which happen on Shield
Per-device policy and pause controls
The local web management UI
Internet pause and category exclusions
Encrypted local storage (Vault)
Time Machine backup target (Vault)
Vault Wi-Fi access point clients (Vault)

What we don't store

Shield does not maintain a browsing-history report, a behavioural-profiling dashboard, or a query-log feed back to us. Several AdGuard Home defaults that would have produced these by accident have been disabled or restricted in our build. That work is part of what makes Shield an appliance and not a hobby image.

What may use external sources

Local-first does not mean sealed off from the internet. Some functions reach out so the system stays useful and current. We list them so you know exactly what does and doesn't leave your network.

Architecture in one paragraph

The shape of Shield, from the outside in.

Shield is built on Raspberry Pi 5 silicon (2 GB on Core and Edge, 4 GB on Vault) with a Debian 12 base. AdGuard Home provides the DNS-layer filtering engine, with restricted defaults to match our privacy goals. nftables enforces network policy on the device. Software updates land as complete, signed bundles that are verified before they're applied. Shield's encrypted partitions are unlocked at boot through a hardware-assisted key path on a real ATECC secure element, bound to the device. On Shield Vault, the encrypted storage SSD is separate from the system partition and can be unlocked three independent ways: an ATECC-bound auto-unlock key used at boot, a user passphrase, and a recovery key.

For the disclosure policy and the deeper security story, see /security. If you believe you've found a security issue, write to security@wombatss.com.