Pi-Hole [Link] is a DNS server with a blacklist that is automatically updated from the internet.
The blacklist blocks addresses (domains) known for advertisements, spam, and phishing.
Pi-Hole requires minimal CPU, RAM, or storage and can be installed on any Raspberry Pi, even the Zero, alongside many other applications without affecting performance.
It offers a web interface where you can add domains to a blacklist or whitelist. If no HTTP/HTTPS server is running, it can install Lighttpd automatically.
There are two main installation methods: on the host OS or in a Docker container. This guide covers the host installation.
su
After entering the root account, choose one of the methods below:
sudo su curl -sSL https://install.pi-hole.net | bash OR git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole cd "Pi-hole/automated install/" sudo bash basic-install.sh
Follow the installation prompts. Once complete, exit the root account.
At the end, the installer will display the web GUI address and a randomly generated password. Change it immediately:
sudo pihole admin -p
Access the web interface in your browser at https://pi-hole-ip-address/admin
You can also use the command line to manage and monitor Pi-Hole:
Reconfigure:
sudo pihole reconfigure
Update the gravity (blocklist):
sudo pihole updateGravity
View resolved and blocked queries in real time:
sudo pihole tail
Listen on all interfaces:
sudo pihole -a -i all
Update Pi-Hole:
sudo pihole updatePihole
BONUS
Consider enabling filesystem overlay on your Raspberry Pi to protect the MicroSD card from corruption or failure over time.
sudo raspi-config
Navigate to Performance Options > Overlay File System > Yes > Yes to enable write-protection on both partitions.
Note: With this enabled, the SD card is read only once on boot and no data is retained across reboots. You will need to disable filesystem overlay before applying updates or making configuration changes, then re-enable it afterward.
Which upstream DNS resolver should I use?
When a DNS query comes in for the first time or its TTL has expired, Pi-Hole forwards it to the next hop in the DNS chain of trust.
Consider one of the following public DNS servers:
- Unfiltered
- Google (8.8.8.8 and 8.8.4.4)
- OpenDNS (208.67.222.222 and 208.67.220.220)
- OpenNIC (216.87.84.211 and 23.90.4.6)
- Malicious Domain Filtering
- Quad9 (9.9.9.9 and 149.112.112.112)
- Cloudflare (1.1.1.1 and 1.0.0.1, or for stricter filtering: 1.1.1.2)
- dns0.eu (193.110.81.0, or for stricter filtering: 193.110.81.9)
- CleanBrowsing Security Filter (185.228.168.9)
- Comodo Secure DNS (8.26.56.26 and 8.20.247.20)
What about DNSSEC?
DNSSEC addresses trust issues within the DNS infrastructure, including data integrity, authentication, cache poisoning, and man-in-the-middle attacks. It does not encrypt DNS traffic, so it offers no privacy benefit over plain DNS.
It can be tedious to configure manually, but Pi-Hole has it built in and ready to enable with a single click. It is definitely worth trying!