The Pi-Hole [Link] is nothing but a DNS server with Blacklist that is automatically updated from the internet.

The blacklist will not resolve the addresses (domains) that are known for being a source of advertisement, spam, and phishing.

Pi-Hole does not require much CPU, RAM, or storage and can be installed in any raspberry pi, even the Zero in parallel with many other applications, and will not affect the performance at all.

It offers a web interface where you can add domains do a blacklist or a whitelist. If there is no HTTP/HTTPS server running it can install the Lighttpd.

There are two main installation methods. On the host OS or in a Docker container. We will install it on the host.


After entering on the root account chose one of the methods below:

sudo su
curl -sSL | bash


git clone --depth 1 Pi-hole
cd "Pi-hole/automated install/"
sudo bash

Follow the installation instructions, there is no mystery. End get out of the root account.

At the end will be presented the address to the web GUI and a randomly generated password. Better change it immediately:

sudo pihole admin -p

Access on the browser https://pi-hole-ip-address/admin

Or use the command line to manage and monitor as below.

If you need to reconfigure:

sudo pihole reconfigure

Updating the gravity list issue:

sudo pihole updateGravity

See the log of the resolved and blocked in realtime with:

sudo pihole tail

Make it listen on all interfaces:

sudo pihole -a -i all

Updating the Pi-Hole:

sudo pihole updatePihole


Consider enabling file system overlay on your raspberry pi to protect the MicroSD card from get corrupted or fail over time.

sudo raspi-config

Navigate Performance Options > Overlay File System > Yes > Yes to enable the write-protect ob both partitions.

Note: it will read the SD card only once on boot and will not retain any data through reboots. It will require disabling the file system overlay before updates or configuration changes then re-enable after manually.

What recursion DNS resolve should I use?

When a DNS queries comes for the very first time or has already expired its TTL, it forwards to the next hop on the DNS chain of trust.

Consider on of the following public DNS servers:

  • Unfiltered
    • Google ( and
    • OpenDNS ( and
    • OpenNIC ( and
  • Malicious Domain Filter
    • Quad9 ( and
    • CloudFlare ( and, or for extra-strength
    • (, or for extra-strength
    • CleanBrowsing Security Filter (
    • Comodo Secure DNS ( and

What about DNSSEC?

DNSSEC promises to solve issues related to the trust hierarchy within the DNS infrastructure (data integrity, data authentication, cache poisoning, man-in-the-middle attacks) but it does not encrypts the data (there is no privacy enhancement compared to plain DNS).

It is a hustle to set up manually but Pi-Hole has already it implemented and ready to with a simple click. It is definitely worthy to try!