Why Run a Private DNS Server at Home
Your ISP logs every domain you visit. Google DNS logs it. Cloudflare DNS (1.1.1.1) claims privacy but still collects data. Your router’s DNS leaks queries even when you use a VPN.
Running your own DNS server means:
- No ISP logging of your web activity
- No commercial DNS provider tracking your browsing
- Ad-blocking at the network level (blocks ads before they load)
- Custom filtering (block social media, dating sites, gambling)
- Faster local resolution (cached queries)
- Complete DNS query control
This guide walks through setting up a private DNS server on hardware you control (Raspberry Pi, old laptop, or NUC) using Unbound, Pi-hole, or AdGuard Home.
Hardware Options
Raspberry Pi 4 (Recommended, $65)
Why:
- Low power consumption (5W)
- Quiet, 24/7 uptime without noise
- Small, can hide behind router
- Strong community (lots of tutorials)
- Sufficient for 50+ device households
Specs needed:
- Raspberry Pi 4 (2GB RAM minimum, 4GB better)
- SD card (32GB, fast)
- Power adapter (USB-C, 3A)
- Network cable (Ethernet strongly preferred over WiFi)
- Optional: case with heatsink ($10)
Setup time: 30 minutes
Old Laptop / Desktop
Why:
- Reuse hardware you already own
- Faster than Raspberry Pi
- Can handle higher query volumes
Cons:
- Higher power consumption (30-60W)
- Louder (fans)
- Takes up desk space
Good for: Households with 10+ devices or if running additional services (DHCP, media server).
NUC (Intel Mini PC, $200-400)
Why:
- Best performance/watt ratio
- Fan-less models available
- Professional appearance
- Handles 200+ devices
Good for: Large households, advanced configurations, or if you plan to run multiple services.
Option 1: Pi-hole (Easiest)
Pi-hole is the easiest entry point. It’s purpose-built for ad-blocking and DNS filtering at the network level.
Installation (30 minutes)
Step 1: Prepare Raspberry Pi
Download Raspberry Pi Imager (official):
1. Go to https://www.raspberrypi.com/software/
2. Download Raspberry Pi Imager for your OS
3. Insert SD card into computer
4. Open Imager
└─ Choose OS → Raspberry Pi OS Lite (headless, 64-bit)
└─ Choose Storage → Your SD card
└─ Advanced Options (gear icon):
├─ Set hostname: "pihole"
├─ Enable SSH (checked)
├─ Set username/password: pi / [strong password]
└─ Configure WiFi (if Ethernet not available)
5. Write (this erases the card)
6. Eject and insert into Raspberry Pi
7. Power on
Wait 2 minutes for first boot.
Step 2: Connect to Pi
From your computer:
# Find the Pi's IP address (check router admin panel for "pihole" or use this):
ping pihole.local
# SSH into it:
ssh pi@pihole.local
# Password: [the password you set]
Step 3: Install Pi-hole
curl -sSL https://install.pi-hole.net | bash
This will:
- Download Pi-hole code
- Ask configuration questions (defaults are fine)
- Install lighttpd web server for admin panel
- Configure DNS service
- Finish in 5-10 minutes
Step 4: Configure Your Router
Your router must tell all devices to use the Pi for DNS:
- Open browser:
192.168.1.1(or whatever your router IP is) - Log in (usually admin/admin or check router)
- Find DHCP or DNS settings (varies by router)
- Set Primary DNS to:
[Pi's IP address](find viaip addron Pi) - Set Secondary DNS to:
8.8.8.8(fallback) - Save and reboot router
Now all connected devices will use your Pi for DNS.
Step 5: Access Pi-hole Admin Panel
From any browser:
http://pihole.local/admin
(or http://[Pi's IP]/admin)
Default login:
- Username: admin
- Password: [set during install]
Change the admin password:
- Admin panel → Settings → Admin
- Change password
- Save
Configure Pi-hole
Enable DNSSEC (encrypts queries):
- Settings → DNS → DNSSEC (check “Enable DNSSEC”)
- Upstream DNS servers: Use Quad9 (9.9.9.9) for privacy
Add Blocklists (adblock lists):
Default blocklists are good, but add more:
Adlists:
├─ https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
│ └─ Blocks ads, malware, social media
├─ https://blocklistproject.github.io/Lists/ads.txt
│ └─ Aggressive ad blocking
├─ https://blocklistproject.github.io/Lists/tracking.txt
│ └─ Blocks trackers
└─ https://blocklistproject.github.io/Lists/facebook.txt
└─ Blocks Meta services (optional)
To add:
- Admin panel → Adlists
- Paste URL in box
- Click Add
- Gravity → Update Gravity (rebuilds blocklists)
- Takes 1-2 minutes
Monitor Pi-hole
Dashboard shows:
- Queries processed
- Ads blocked (% of total)
- Top domains blocked
- Top domains queried
Example output:
Queries processed (24h): 48,000
Ads blocked: 12,400 (25.8%)
Cache hit rate: 30%
Unique clients: 6
Option 2: Unbound (Technically Advanced, Max Privacy)
Unbound is a recursive DNS resolver. Unlike Pi-hole (which forwards queries to upstream DNS), Unbound asks root nameservers directly. No upstream provider sees your queries.
Installation (45 minutes, requires terminal comfort)
Step 1: Prepare Pi (same as Pi-hole)
ssh pi@pihole.local
Step 2: Install Unbound
sudo apt update && sudo apt install -y unbound
Step 3: Configure Unbound
Create configuration file:
sudo nano /etc/unbound/unbound.conf.d/custom.conf
Paste this config:
server:
verbosity: 0
num-threads: 2
port: 5335
interface: 127.0.0.1
interface: ::1
# Performance
so-rcvbuf: 4m
so-sndbuf: 4m
# Security
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes
# Privacy
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
minimal-responses: yes
# DNS security
trust-anchor-file: "/etc/unbound/root.key"
# Root hints (where to ask for queries)
root-hints: "/etc/unbound/root.hints"
remote-control:
control-enable: no
Save: Ctrl+X, Y, Enter
Step 4: Get Root Hints
sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
Step 5: Start Unbound
sudo systemctl start unbound
sudo systemctl enable unbound
Test it:
dig google.com @127.0.0.1 -p 5335
You should see DNS response.
Step 6: Install Pi-hole (for web UI)
Even though you’re using Unbound, Pi-hole provides a nice interface:
curl -sSL https://install.pi-hole.net | bash
During setup, when asked about upstream DNS:
- Set upstream DNS to:
127.0.0.1#5335(your local Unbound)
Now Pi-hole queries Unbound, which queries root nameservers directly. Zero tracking.
Option 3: AdGuard Home (User-Friendly, Advanced Features)
AdGuard Home is a middle ground: easier than Unbound, more powerful than Pi-hole.
Installation (30 minutes)
Step 1: Download AdGuard Home
ssh pi@pihole.local
# Get latest version
wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.107.46/AdGuardHome_linux_arm64.tar.gz
# Extract
tar xzf AdGuardHome_linux_arm64.tar.gz
# Install
cd AdGuardHome
sudo ./AdGuardHome -s install
Step 2: Access AdGuard Panel
From browser:
http://pihole.local:3000
(or http://[Pi’s IP]:3000)
Complete setup wizard:
- Admin login credentials
- Upstream DNS (use Quad9: 9.9.9.9 or Cloudflare: 1.1.1.1 for privacy)
- DHCP server (optional)
Step 3: Configure Router
Same as Pi-hole: set router’s DHCP DNS to Pi’s IP.
Configure AdGuard Home
Enable DNSSEC:
- Settings → DNS Settings → DNSSEC (checked)
Add Filtering Rules:
AdGuard supports regex filtering:
Default Filters:
├─ AdGuard Base filter (ads)
├─ Social Media filter (Facebook, TikTok, etc.)
├─ Privacy filter (tracking)
├─ Malware & Phishing filter
└─ Custom filter (you write rules)
Example custom rules:
! Block all .tk domains (cheap/spam)
*.tk
! Block specific domain
facebook.com
meta.com
! Allow subdomains of trusted.com
||trusted.com^
! Except app.trusted.com
@@||app.trusted.com^
Parental Controls (for families):
- Parental Controls tab
- Safe Search (force Google SafeSearch on all devices)
- Age Restriction (block adult content by keyword)
Comparison Table
| Feature | Pi-hole | Unbound | AdGuard Home |
|---|---|---|---|
| Ease of Setup | Very Easy | Hard | Easy |
| Query Privacy | Good (with Quad9 upstream) | Excellent (recursive) | Good (with Quad9 upstream) |
| Ad Blocking | Excellent | No (need Pi-hole on top) | Excellent |
| Filtering Rules | Basic | N/A | Advanced (regex) |
| Parental Controls | No | No | Yes |
| Web UI | Good | Optional | Excellent |
| Learning Curve | 30 min | 2 hours | 45 min |
| Memory Usage | ~50MB | ~30MB | ~80MB |
| Best For | Most users | Privacy purists | Families + privacy |
Advanced Configuration
DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT)
These encrypt DNS queries from your devices to your Pi. Requires certificates.
Simple approach: Use Pi-hole + Unbound upstream (Pi → Unbound queries are local and safe).
Complex approach: Install WireGuard on Pi, then clients connect via encrypted tunnel. Overkill unless you access DNS remotely.
Dynamic DNS (if you want to access from outside home)
If you travel and want to use your home DNS:
- Buy domain (NameCheap, $2-3)
- Install DDNS client on Pi:
sudo apt install ddclient - Configure for your domain registrar
- Now you can use
pihole.yourdomain.comfrom anywhere
Access admin panel: https://pihole.yourdomain.com/admin
Backup & Recovery
Backup Pi-hole config:
# Admin panel → Teleporter → Download
# This exports all settings as JSON
Restore on new Pi:
# Reinstall Pi-hole
# Admin panel → Teleporter → Upload backup
Troubleshooting
Q: Some devices still using ISP DNS
A: Check router DHCP settings. Sometimes devices have hard-coded DNS (8.8.8.8). Set device-specific DHCP entries:
- Router admin panel → DHCP → Static leases
- Assign fixed IP to device
- Set DNS in device settings to Pi’s IP
Q: Queries are slow
A: Check upstream DNS. Switch to:
- Quad9: 9.9.9.9 (privacy-focused)
- Cloudflare: 1.1.1.1 (fast)
- Avoid Google 8.8.8.8 (privacy concern)
Or use Unbound (queries root nameservers, no upstream).
Q: Too many ads still getting through
A: Add more blocklists. Start with:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://blocklistproject.github.io/Lists/ads.txt
Q: Pi keeps disconnecting
A: Power supply might be weak. Use official 3A Raspberry Pi PSU. Or Ethernet cable (WiFi is flaky).
Security Considerations
1. Firewall Your Pi
Restrict DNS access to your local network only:
# Don't expose to internet (critical!)
sudo ufw default deny incoming
sudo ufw allow from 192.168.1.0/24 to any port 53
sudo ufw enable
Never expose your DNS to the public internet. Attackers will use it to amplify DDoS attacks.
2. Update Regularly
sudo apt update && sudo apt upgrade -y
Run monthly to patch security vulnerabilities.
3. Use Strong Admin Passwords
Pi-hole/AdGuard admin panel should have strong password (20+ chars, random).
4. Monitor Blocklist Quality
Some blocklists are overly aggressive (block legitimate sites). Monitor:
- Pi-hole dashboard → Top Blocked Domains
- If you see sites you need (work email, banking), whitelist them
FAQ
Q: Will this slow down my internet?
A: No. DNS queries are 1-2% of traffic. Local caching actually speeds things up.
Q: What about gaming / work VPNs?
A: Work VPNs often use corporate DNS. Your Pi becomes fallback. Should be fine. Test before rolling out.
Q: Can I use this at an office?
A: Legally/technically yes, but check your IT policy first. May violate company security.
Q: Will this break any websites?
A: Potentially. Some aggressive blocklists block legitimate domains. Start conservative, add blocklists gradually.
Q: How many devices can one Pi handle?
A: 50-100 devices comfortably. Raspberry Pi 4 with Unbound can handle 200+.
Q: Should I still use a VPN?
A: Yes. Your Pi blocks ads/trackers and hides DNS from ISP. VPN hides all traffic from ISP. Use both.
Related Articles
- How to Protect Privacy When Selling Old Phone
- Best VPN Tools for Privacy and Security
- How to Encrypt Your Home Network
- How to Block Tracking on Your Devices
Built by theluckystrike — More at zovo.one