diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9289f722..7e816d56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,13 @@ See also the [v0.107.50 GitHub milestone][ms-v0.107.50].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Fixed
+
+- Broken private reverse DNS upstream servers validation causing update failures
+  ([#7013]).
+
+[#7013]: https://github.com/AdguardTeam/AdGuardHome/issues/7013
+
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->
diff --git a/internal/dnsforward/http.go b/internal/dnsforward/http.go
index 76f88edc..ad438a23 100644
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -333,6 +333,13 @@ func (req *jsonDNSConfig) checkBootstrap() (err error) {
 	return nil
 }
 
+// containsPrivateRDNS returns true if req contains private RDNS settings and
+// should be validated.
+func (req *jsonDNSConfig) containsPrivateRDNS() (ok bool) {
+	return (req.UsePrivateRDNS != nil && *req.UsePrivateRDNS) ||
+		(req.LocalPTRUpstreams != nil && len(*req.LocalPTRUpstreams) > 0)
+}
+
 // checkPrivateRDNS returns an error if the configuration of the private RDNS is
 // not valid.
 func (req *jsonDNSConfig) checkPrivateRDNS(
@@ -340,7 +347,7 @@ func (req *jsonDNSConfig) checkPrivateRDNS(
 	sysResolvers SystemResolvers,
 	privateNets netutil.SubnetSet,
 ) (err error) {
-	if (req.UsePrivateRDNS == nil || !*req.UsePrivateRDNS) && req.LocalPTRUpstreams == nil {
+	if !req.containsPrivateRDNS() {
 		return nil
 	}
 
diff --git a/internal/dnsforward/upstreams.go b/internal/dnsforward/upstreams.go
index 0754daae..6fbe0638 100644
--- a/internal/dnsforward/upstreams.go
+++ b/internal/dnsforward/upstreams.go
@@ -103,20 +103,18 @@ func newPrivateConfig(
 		}
 	}
 
-	log.Debug("dnsforward: upstreams to resolve ptr for local addresses: %v", addrs)
+	log.Debug("dnsforward: private-use upstreams: %v", addrs)
 
 	uc, err = proxy.ParseUpstreamsConfig(addrs, opts)
 	if err != nil {
 		return uc, fmt.Errorf("preparing private upstreams: %w", err)
 	}
 
-	if !confNeedsFiltering {
-		return uc, nil
-	}
-
-	err = filterOutAddrs(uc, unwanted)
-	if err != nil {
-		return uc, fmt.Errorf("filtering private upstreams: %w", err)
+	if confNeedsFiltering {
+		err = filterOutAddrs(uc, unwanted)
+		if err != nil {
+			return uc, fmt.Errorf("filtering private upstreams: %w", err)
+		}
 	}
 
 	// Prevalidate the config to catch the exact error before creating proxy.
diff --git a/internal/home/dns.go b/internal/home/dns.go
index d64effd5..53ea5247 100644
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -156,7 +156,7 @@ func initDNSServer(
 	}
 
 	// Try to prepare the server with disabled private RDNS resolution if it
-	// failed to prepare as is.  See TODO on [ErrBadPrivateRDNSUpstreams].
+	// failed to prepare as is.  See TODO on [dnsforward.PrivateRDNSError].
 	err = Context.dnsServer.Prepare(dnsConf)
 	if privRDNSErr := (&dnsforward.PrivateRDNSError{}); errors.As(err, &privRDNSErr) {
 		log.Info("WARNING: %s; trying to disable private RDNS resolution", err)