Most home networks leak DNS data: every website you visit, every app you use, every device connecting—your ISP (internet service provider) sees it all. Pi-hole is a DNS filter that runs on your home network, blocking ads and tracking at the network level while encrypting DNS queries to hide your browsing from your ISP.
This guide walks through installing Pi-hole on a Raspberry Pi (or any Linux server) and configuring it to protect your entire home network.
Understanding DNS and Privacy
DNS (Domain Name System) is the internet’s phone book. When you visit google.com, your device asks: “What IP address is google.com?” Your ISP’s DNS server logs this request, creating a record of everywhere you browse.
Current flow (no privacy):
You → ISP DNS Server → "What is example.com?"
← ISP logs this query
← Returns IP address
← ISP sells this data to advertisers
With Pi-hole + encrypted DNS:
You → Pi-hole on home network → Encrypted to Cloudflare (1.1.1.1)
← Pi-hole filters ads/tracking
← Returns safe IP
← ISP sees only encrypted traffic to Cloudflare (doesn't know what you visited)
Pi-hole blocks requests to known ad and tracking domains before they even reach the internet. Requests to ad servers are blocked entirely, and DNS queries are encrypted to prevent ISP monitoring.
Hardware Requirements
Minimal Setup (Recommended)
Raspberry Pi 4 Model B:
- $55-75 depending on RAM
- 4GB RAM minimum, 8GB better
- MicroSD card 32GB+ (class 10 speed)
- Power supply (USB-C, 5V/3A)
- Optional: Ethernet cable (better than WiFi)
Total cost: ~$100-120 including all components
Installation: Straightforward, takes 30 minutes
Alternative Options
Use existing equipment:
- Old laptop (plug in, leave on)
- Spare desktop computer
- NAS device running Linux
- Virtual machine (if you have a home server)
Any Linux system works. Raspberry Pi is popular because:
- Low power consumption (4W vs 100W+ for laptop)
- Small form factor
- Reliable (no moving parts, designed for 24/7 operation)
- Cheap
Cloud-based (not recommended): Pi-hole can run on a cloud VPS, but your ISP still sees traffic to VPS, defeating the purpose. Stick with hardware at home.
Installation Steps
Step 1: Prepare Raspberry Pi
Hardware assembly:
1. Insert SD card into SD card reader
2. Download Raspberry Pi Imager (raspberrypi.com/software)
3. Select "Raspberry Pi OS Lite" (smaller, no desktop)
4. Select MicroSD card
5. Click Write
6. Wait 2-3 minutes for image to write
7. Eject SD card safely
First boot:
1. Insert SD card into Raspberry Pi
2. Connect ethernet cable (better than WiFi)
3. Plug in power
4. Wait 1-2 minutes for first boot
5. SSH into the Pi:
ssh pi@raspberrypi.local
(default password: raspberry)
Step 2: Initial Configuration
# Update system
sudo apt update && sudo apt upgrade -y
# Set static IP (so Pi doesn't change IP, breaking DNS resolution)
sudo nano /etc/dhcpcd.conf
# Add these lines:
interface eth0
static ip_address=192.168.1.50/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
# Save and exit (Ctrl+X, Y, Enter)
sudo reboot
Step 3: Install Pi-hole
# Download and run installer
curl -sSL https://install.pi-hole.net | bash
# Follow the installer:
# 1. Choose network interface (eth0 if ethernet connected)
# 2. Confirm IP address (192.168.1.50)
# 3. Select upstream DNS provider
# 4. Choose blocklistss (default is fine)
# 5. Install FTL (lightweight resolver)
# 6. Install web interface (yes)
# After installation completes:
# - Write down the admin password (or it's shown on screen)
# - Note the web interface URL (usually http://192.168.1.50/admin)
Step 4: Access Pi-hole Dashboard
1. From any computer on network, visit: http://192.168.1.50/admin
2. Click "Login" in top right
3. Enter password from installation
4. Dashboard shows:
- Queries blocked (ads, trackers)
- Top domains being blocked
- Clients on network
- Recent blocked domains
Configuration
Configure Router to Use Pi-hole
Most important step: Tell your router to use Pi-hole for DNS
Router login (usually 192.168.1.1):
1. Visit 192.168.1.1 in browser
2. Login with router admin credentials
3. Go to Settings → DNS
4. Change DNS servers to:
- Primary DNS: 192.168.1.50 (Pi-hole IP)
- Secondary DNS: 8.8.8.8 (Google backup)
5. Save and apply
Now all devices on network automatically use Pi-hole
(no device configuration needed)
Configure Encrypted DNS Upstream
Pi-hole dashboard → Settings → DNS:
Upstream DNS Servers:
Choose one:
- Quad9 (privacy-first): 9.9.9.9 and 149.112.112.112
- Cloudflare (DNS over HTTPS): 1.1.1.2 and 1.0.0.2
- NextDNS (privacy-first): nextdns.io
- Mullvad (privacy-focused): 194.242.2.2
I recommend Quad9:
1. Check "Enable DNS over HTTPS (DoH)"
2. Enter: https://[resolver]/dns-query
3. For Quad9: https://doh.quad9.net/dns-query
4. Save and commit
This encrypts your DNS queries so ISP can't see where you browse
Select Blocklists
Settings → Adlists tab
Recommended blocklists (free):
- StevenBlack's hosts (ad servers)
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- HaGeZi multi NORMAL (blocks ads + tracking)
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/multi.txt
- Easylist (ad filtering)
https://easylist.to/easylist/easylist.txt
Start with 2-3 blocklists. More = slower (Pi-hole must check against all).
Monitor blocking rates and adjust if needed.
Using Pi-hole
Dashboard Monitoring
Home dashboard shows:
- "Gravity" = total blocked domains in all lists
- "Queries blocked" = queries stopped today
- "% blocked" = percentage of total DNS queries blocked
- Top blocked domains = which tracking/ad domains hit most
- Top domains = actual sites you visited (most traffic)
- Top clients = which devices making requests
Common questions:
- "Why is it blocking Google?"
→ Check if Google Analytics being blocked (it is, intentionally)
- "Can I whitelist this domain?"
→ Yes: Whitelist → Domain whitelist → Add domain name
- "How do I block a specific domain?"
→ Adlists → Add custom blocklist or use web interface filters
Creating Custom Rules
Query Log tab:
- Shows recent DNS requests
- Click domain to see full details
- "Add to Blacklist" blocks that domain
- "Add to Whitelist" exempts it from blocking
Example:
If you notice ads still getting through:
1. Find the ad domain in Query Log
2. Click "Add to Blacklist"
3. Query will block going forward
If something you use is blocked:
1. Find domain in Query Log
2. Click "Add to Whitelist"
3. It will work normally
Group Management
For families with children:
Settings → Group Management:
1. Create group "Kids"
2. Create whitelist for "Kids" group (safe domains only)
3. Create strict blocklist for "Kids" group
4. Assign kids' devices to group
Different blocking rules per device/user:
- Adults: Minimal blocking, only ads/trackers
- Kids: Strict blocking, also blocks porn sites, gaming, YouTube
Advanced Configuration
DNS over HTTPS on Devices
For maximum privacy, configure each device to use encrypted DNS:
iPhone/iPad:
Settings → Wi-Fi → [Your Network] → DNS Configuration
Set DNS to 1.1.1.2 (Cloudflare) or 9.9.9.9 (Quad9)
Mac:
System Preferences → Network → Advanced → DNS
Add DNS server
Windows:
Settings → Network & Internet → Change adapter options
Right-click → Properties → DNS settings
Android:
Settings → Wi-Fi → [Network] → Advanced → DNS
Manual or use private DNS setting
This adds extra encryption layer even within home network
Conditional Forwarding
If you have devices on network using local hostnames:
Settings → DNS → Conditional Forwarding
Enable:
- Conditional Forwarding: ON
- Local network: 192.168.1.0/24 (match your network)
- Local domain name: home.local
- Router IP: 192.168.1.1
Now you can ping local devices by name instead of IP:
- ping pi-hole.home.local (instead of 192.168.1.50)
- ping printer.home.local
VPN Setup (Advanced)
For privacy outside home network:
Option 1: Pi-hole + home VPN
- Install WireGuard on Pi-hole
- Connect phone to home VPN when traveling
- Uses home network DNS (Pi-hole filtering)
- Works anywhere, ISP can't track you
Option 2: Pi-hole → VPN to external DNS
- Pi-hole queries external DNS over encrypted VPN
- Extra privacy (even against home network monitor)
- More complex, slower
Troubleshooting
Some ads still getting through
Causes:
1. Not all blocklists enabled
2. Domain uses HTTPS + SNI (blocking at DNS level fails)
3. App has hardcoded DNS (ignores network DNS)
Solutions:
1. Add more blocklists (but watch performance)
2. Use HTTPS filtering (requires man-in-the-middle, complex)
3. Block at firewall level (advanced)
Note: Pi-hole can't block 100% (some apps ignore DNS)
Expect 70-85% of ad/tracker blocking
Websites broken after Pi-hole
Cause: Overly aggressive blocklist blocking legitimate services
Solution:
1. Find broken domain in Query Log
2. Check which blocklist blocked it
3. Disable that blocklist or add domain to whitelist
4. Test
Common false-positives:
- Google Analytics (intentionally blocked, safe to block)
- Apple services (sometimes blocked, usually safe)
- Content delivery networks (block carefully)
Network slower after Pi-hole
Cause: Pi-hole processing every DNS query takes CPU
Solutions:
1. Upgrade Raspberry Pi (4GB RAM minimum, 8GB better)
2. Use fewer blocklists (quality over quantity)
3. Add caching DNS server (recursive = faster queries)
4. Enable DNS caching in Pi-hole settings
Typical impact: <1ms added latency (imperceptible to users)
Privacy Impact
What Pi-hole protects against:
✓ ISP DNS monitoring: Encrypted to external DNS
✓ Ad networks tracking you: Blocked at network level
✓ Device malware contacting C&C servers: Blocked if domain known
✓ Family browsing history: Only Pi-hole admin sees logs
What Pi-hole can't protect against:
✗ Traffic to websites (ISP sees HTTPS traffic volume)
✗ Metadata (ISP sees you visited site, not which pages)
✗ ISP itself selling data (Pi-hole doesn't prevent this)
✗ Apps with hardcoded DNS (they bypass Pi-hole)
✗ VPN providers (if using VPN, ISP sees VPN traffic, not sites)
Maintenance
Monthly:
- Check dashboard for new blocking trends
- Review whitelist/blacklist rules
- Update blocklists (usually automatic)
Quarterly:
- Review Pi-hole version and update if newer
- Check for unusual traffic patterns
- Consider adding new blocklists based on trends
Yearly:
- Review entire configuration
- Audit which devices using Pi-hole
- Evaluate if blocking rules still relevant
Monitoring Impact
Metrics to watch:
- % of queries blocked (30-50% is typical)
- Gravity (total domains blocked) increasing?
- Performance impact on network
- Any network issues/devices not working
If blocking too aggressive:
- Disable some blocklists
- Add domains to whitelist
- Switch to lighter blocklists
Cost Analysis
Equipment (one-time):
- Raspberry Pi 4 8GB: $75
- Power supply: $10
- SD card: $15
- Ethernet cable: $5
Total: ~$105
Monthly savings:
- No ads (removes annoyance)
- Bandwidth saved from not downloading ads: ~2-5%
- Privacy value: Incalculable
Pi-hole pays for itself in peace of mind within a month
Comparison: Pi-hole vs Alternatives
| Feature | Pi-hole | NextDNS | Control D |
|---|---|---|---|
| Cost | $100 setup | Free-$20/mo | Free-$30/mo |
| Privacy | Excellent | Good | Good |
| Setup | Medium | Easy (cloud) | Easy (cloud) |
| Network-wide | Yes | Yes | Yes |
| Customization | Advanced | Basic | Medium |
| Performance | Fast | Cloud latency | Cloud latency |
Pi-hole is best if you want maximum privacy and control. DNS services are best for simplicity.
Next Steps
After Pi-hole is running:
1. Monitor dashboard for 1 week
2. Check if any sites broken (whitelist if needed)
3. Review top blocked domains
4. Add more blocklists if desired
5. Configure VPN (if privacy outside home matters)
6. Tell friends/family about setup
Pi-hole is the highest leverage privacy tool for home networks.
One setup protects all devices automatically.
Pi-hole transforms your home network from a data collection pipe into a privacy fortress. It’s an one-time investment that protects every device automatically—phones, tablets, smart TVs, even that sketchy IoT device your family insisted on buying.
Hardening Pi-hole Against Bypass
Pi-hole only protects devices that use it as their DNS resolver. Devices with hardcoded DNS addresses—some smart TVs, gaming consoles, and misconfigured IoT devices—bypass Pi-hole entirely. Plug this gap at the router level by intercepting all outbound DNS traffic and redirecting it to Pi-hole.
Most consumer routers running DD-WRT, OpenWrt, or Tomato firmware support this. On OpenWrt:
# Redirect all DNS traffic to Pi-hole regardless of device setting
# Edit /etc/config/firewall on your OpenWrt router
config rule
option name 'Redirect DNS'
option src 'lan'
option dest_port '53'
option target 'DNAT'
option family 'ipv4'
option dest_ip '192.168.1.50' # Pi-hole IP
# Apply changes
/etc/init.d/firewall restart
With this rule active, a device that hardcodes 8.8.8.8 as its DNS server still has those queries intercepted and redirected to Pi-hole. The device never knows its queries were rerouted.
For DoH (DNS-over-HTTPS) bypass—where apps or browsers encrypt DNS and send it directly to Cloudflare or Google over port 443—blocking is harder since port 443 carries all HTTPS traffic. You can block the specific IP ranges used by major DoH providers, though this is an ongoing maintenance task as providers change their infrastructure:
# Block known DoH provider IPs at router level
# Cloudflare DoH
iptables -A FORWARD -d 1.1.1.1 -j DROP
iptables -A FORWARD -d 1.0.0.1 -j DROP
# Google DoH
iptables -A FORWARD -d 8.8.8.8 -j DROP
iptables -A FORWARD -d 8.8.4.4 -j DROP
Firefox, which has DoH enabled by default in the US, respects the CANARY domain use-application-dns.net as a signal to disable DoH. Pi-hole can serve this domain:
# In Pi-hole admin: add to custom DNS
# Settings → DNS → Custom DNS
# Add: use-application-dns.net → 0.0.0.0
This tells Firefox running on any device in your network to use the system resolver (Pi-hole) instead of its built-in DoH configuration.
Integrating Pi-hole with Unbound for Recursive DNS
The default Pi-hole setup forwards DNS queries to an upstream provider like Cloudflare or Quad9. Even encrypted, those providers see your complete query history. For maximum privacy, run Unbound as a recursive resolver: your queries go directly to authoritative DNS servers for each domain, with no intermediary seeing your complete browsing history.
Install and configure Unbound alongside Pi-hole:
# Install Unbound
sudo apt install unbound
# Create Unbound configuration for Pi-hole integration
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Add this configuration:
server:
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
# Privacy hardening
hide-identity: yes
hide-version: yes
qname-minimisation: yes
# Performance
prefetch: yes
num-threads: 1
so-rcvbuf: 1m
# Root hints (updated periodically)
root-hints: "/var/lib/unbound/root.hints"
# Aggressive NSEC for DNSSEC validation
aggressive-nsec: yes
# Hardened DNSSEC
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: no
Configure Pi-hole to use Unbound as its upstream resolver by pointing it to 127.0.0.1#5335 in the DNS settings. The result: your home network’s DNS queries never leave to an upstream provider in readable form. Each query resolves directly from authoritative root servers.
The privacy improvement is significant. Cloudflare and Quad9 promise privacy, but with Unbound, no provider receives your complete query history because no provider is in the path. The tradeoff is slightly higher latency for the first query to each domain (subsequent queries hit Unbound’s cache). For typical home network usage, this difference is imperceptible.
Long-Term Blocklist Management
Blocklist quality degrades over time. Ad networks register new domains, trackers migrate to new hostnames, and legitimate services occasionally appear on blocklists through false-positive errors. Active blocklist management keeps your Pi-hole effective without breaking legitimate services.
Evaluate your blocking rate monthly. A healthy Pi-hole typically blocks 15–40% of DNS queries depending on household browsing patterns. If your blocking rate drops suddenly, check whether blocklists have been updated and whether devices have been added that bypass Pi-hole.
Maintain a local exceptions file for services that get incorrectly blocked on your network. Store this separately from Pi-hole’s built-in whitelist so it survives updates:
# Create a local whitelist file
sudo nano /etc/pihole/whitelist.txt
# Common false positives (add as needed):
# spotify.com
# s.youtube.com (breaks YouTube if blocked)
# fonts.googleapis.com (breaks many websites)
# Apply whitelist
pihole -w $(cat /etc/pihole/whitelist.txt | tr '
' ' ')
Schedule automated blocklist updates through Pi-hole’s built-in gravity update mechanism:
# Add to crontab for weekly gravity updates at 3 AM Sunday
(crontab -l 2>/dev/null; echo "0 3 * * 0 pihole -g") | crontab -
When evaluating new blocklists, test in a staging configuration before enabling network-wide. Import the list, monitor the query log for 24 hours, and review which domains it blocks. Good blocklists block ad servers and trackers without touching CDNs, analytics that users have consented to, or first-party service domains.
Related Articles
- How to Set Up a Privacy Focused Home Network
- Create Separate Network Segment for Smart Home Isolating
- Set Up VLAN Isolation for IoT Devices on Home Network 2026
- Is Someone Monitoring My Home WiFi Network? How to Check
- Vpn For Remote Access To Home Network While Traveling
Built by theluckystrike — More at zovo.one