diff --git a/03frontends.cfg b/03frontends.cfg
index 8b379f6..e773458 100644
--- a/03frontends.cfg
+++ b/03frontends.cfg
@@ -298,6 +298,7 @@ frontend frontend_default
 acl letsencrypt path_beg /.well-known/acme-challenge/
+ acl adguard hdr(host) -i adguard.benoit.jp.net
 acl archive hdr(host) -i blog.benpro.fr.archive.benoit.jp.net
 acl archive hdr(host) -i lekernelpanique.fr.archive.benoit.jp.net
 acl archive hdr(host) -i sysadmin-bookmarks.archive.benoit.jp.net
@@ -305,8 +306,10 @@ frontend frontend_default
 acl laminar hdr(host) -i laminar.benoit.jp.net
 acl linkding hdr(host) -i linkding.benoit.jp.net
 acl mastodon hdr(host) -i mastodon.benoit.jp.net
- #http-request deny if dns !JP !SG !letsencrypt
+ http-request deny if adguard !JP !letsencrypt
+
+ use_backend adguard if adguard
 use_backend archive if archive
 use_backend forgejo if forgejo
 use_backend laminar if laminar
diff --git a/04listen.cfg b/04listen.cfg
index c6a24ec..5d3ee73 100644
--- a/04listen.cfg
+++ b/04listen.cfg
@@ -1,10 +1,13 @@
 # Listens (frontend and backend combined)
- listen ssh
- bind :22
- bind :::22 v6only
- mode tcp
- option tcplog
- server git-ssh forgejo.incus:10022 send-proxy check
+# Forgejo
+listen ssh
+ bind :22
+ bind :::22 v6only
+ mode tcp
+ option tcplog
+ server git-ssh forgejo.incus:10022 send-proxy check
+
+# Mailcow
 # listen smtp
 # bind :25
 # bind :::25 v6only
@@ -29,9 +32,11 @@
 # mode tcp
 # option tcplog
 # server mail 10.78.127.231:14190 send-proxy
-# listen adguard-dot
-# bind :853
-# bind :::853 v6only
-# mode tcp
-# option tcplog
-# server adguard 10.78.127.201:10853 send-proxy
+
+# Adguard
+listen adguard-dot
+ bind :853
+ bind :::853 v6only
+ mode tcp
+ option tcplog
+ server adguard adguard.incus:10853 send-proxy
diff --git a/05backends.cfg b/05backends.cfg
index 8b68b35..091a223 100644
--- a/05backends.cfg
+++ b/05backends.cfg
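Review bot: The `!letsencrypt` term in `http-request deny if adguard !JP !letsencrypt` exempts `/.well-known/acme-challenge/` on adguard.benoit.jp.net from the country restriction, and the only routing rule for that host visible here is `use_backend adguard if adguard`. Unless a `use_backend` rule keyed on `letsencrypt` appears earlier in frontend_default (the frontend starts and ends outside this hunk), requests under that path from any address are passed to the AdGuard web UI rather than to an ACME responder. HAProxy takes the first matching `use_backend`, so the ordering is worth confirming and recording next to the rule, e.g. `# adguard UI is JP-only; ACME challenge path stays open for certificate renewal`. The `JP` ACL is also defined outside the hunk; if it matches on `src`, it presumably relies on HAProxy seeing client addresses directly.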
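Review bot: The re-enabled `listen adguard-dot` section accepts connections on :853 from any address, although the same commit restricts the AdGuard web UI to the `JP` ACL in 03frontends.cfg. ACLs are scoped to the section that declares them, so that restriction does not carry over; if the resolver is meant to be private, this section needs its own source ACL together with `tcp-request connection reject if !JP`. `send-proxy` also means the listener at adguard.incus:10853 must expect a PROXY header and should accept it only from this HAProxy host, which cannot be confirmed from the diff. Unlike `server git-ssh`, the `server adguard` line has no `check`, so an unreachable target is never marked down.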
@@ -54,3 +54,13 @@ backend archive
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
 server archive archive.incus:80 check
+
+backend adguard
+ # set HSTS for one year after all responses
+ http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ # add some Security headers
+ http-response set-header X-Frame-Options "SAMEORIGIN"
+ http-response set-header X-Content-Type-Options "nosniff"
+ http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+ http-response set-header Cross-Origin-Resource-Policy "same-origin"
+ server adguard adguard.incus:3000 check
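Review bot: The `Strict-Transport-Security` header in `backend adguard` carries `includeSubDomains; preload`, yet the ACL added in 03frontends.cfg routes only adguard.benoit.jp.net here, so `preload` has no effect from this host and `includeSubDomains` covers only names beneath it; `"max-age=31536000"` alone states what the host commits to. The comment `# set HSTS for one year after all responses` reads more clearly as `# send HSTS (one year) on every response`. Port 3000 in `server adguard adguard.incus:3000 check` is the port AdGuard Home uses by default for its first-run setup wizard, so it is worth confirming that setup has been completed and that the UI requires a login, since the frontend's country rule appears to be the only other control in front of it.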