A working Pi-hole DNS server blocking ads on every device on your network, with a web dashboard showing blocked query statistics in real time.
What is Pi-hole and how does it work?
Pi-hole is a DNS-based ad blocker. When a device on your network wants to load a webpage, it first asks a DNS server to translate the domain name (like ads.google.com) into an IP address. Normally, this request goes to your ISP's DNS server or a public one like Google's 8.8.8.8.
When Pi-hole is your DNS server, it checks every domain lookup against a massive list of known ad and tracker domains. If the domain is on the list, Pi-hole returns a fake "no such address" response, and the ad never loads. If the domain is legitimate, Pi-hole forwards the request to an upstream DNS server and returns the real answer.
The result: no ads, no trackers, no DNS leaks to third parties - for every single device that uses your home network. You don't need to install anything on your phone, laptop, or TV. Change one setting in your router, and everything is covered.
This means it won't block ads loaded from the same domain as the content (like YouTube pre-roll ads), since blocking those domains would also break the video. For YouTube specifically, consider browser extensions like uBlock Origin as a complement.
Requirements
Before you start, make sure you have the following:
- Raspberry Pi 3B+, 4, or 5 - any of these work well. Pi-hole is lightweight enough to run on a Pi Zero 2W in a pinch.
- Raspberry Pi OS Lite (64-bit) - the headless version is ideal since Pi-hole is managed through a web browser, not a desktop.
- microSD card or USB SSD - 8GB minimum. SSD is preferred for longevity.
- Wired Ethernet connection - your Pi should be on ethernet, not Wi-Fi, for reliability as a DNS server.
- Router admin access - you'll need to change the DNS setting in your router. Most home routers allow this.
Step 1 - Set a static IP address
Your Pi-hole's IP address must not change. If it does, every device on your network will lose DNS resolution and appear to have no internet. Before installing Pi-hole, assign a static IP.
The simplest approach is to reserve an IP in your router's DHCP settings. Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1), find the DHCP reservation or static assignment section, and bind your Pi's MAC address to a fixed IP like 192.168.1.100.
Alternatively, set a static IP directly on the Pi by editing its network configuration:
sudo nano /etc/dhcpcd.confAdd the following lines at the bottom, adjusting for your network:
interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 8.8.8.8Save with Ctrl+X, then Y, then Enter. Reboot to apply:
sudo rebootThe static routers value must match your actual router's IP. Run ip route before editing and note the "default via" address - that's your gateway.
Step 2 - Run the Pi-hole installer
Pi-hole provides a one-command interactive installer. SSH into your Pi and run:
curl -sSL https://install.pi-hole.net | bashDownload and inspect it before running: curl -sSL https://install.pi-hole.net -o pihole-installer.sh && less pihole-installer.sh. Running scripts from the internet directly is a habit worth questioning.
The installer is a guided TUI (text-based UI) that walks you through:
- Network interface selection - choose
eth0for wired - Upstream DNS provider - the DNS Pi-hole forwards non-blocked requests to. Cloudflare (1.1.1.1) and Google (8.8.8.8) are common choices. You can change this later.
- Default blocklist - the installer adds StevenBlack's unified hosts list by default. You'll add more in Step 5.
- Admin web interface - select Yes to install it. This is how you'll manage Pi-hole.
- Logging - enabling query logging gives you statistics but stores more data. Your choice.
The installation takes about 5-10 minutes. At the end, the installer shows your admin panel URL and the randomly generated admin password. Write down the password.
Step 3 - Access the admin dashboard
Open a browser on any device and navigate to:
http://192.168.1.100/admin(Replace the IP with your Pi's actual static IP.)
Log in with the password from the installer. You'll see the Pi-hole dashboard showing DNS query statistics. It won't show much yet - you haven't pointed your router to it yet.
To change the admin password at any time, SSH into your Pi and run:
pihole -a -pStep 4 - Point your router to Pi-hole
This is the key step. You need to tell your router to use Pi-hole (192.168.1.100) as the DNS server for all devices on the network.
Log into your router admin panel and look for the DNS settings. This is often found under:
- DHCP settings or LAN settings
- The "Primary DNS" or "DNS Server" field
Set the primary DNS to your Pi-hole's IP address (192.168.1.100). Set the secondary DNS to a public server like 1.1.1.1 as a fallback for when your Pi is down.
Save and reboot your router. Within a few minutes, every device reconnecting to your network will start using Pi-hole for DNS. Watch the dashboard - you'll start seeing query counts rise almost immediately.
This is intentional for uptime. But it means Pi-hole's blocking is not guaranteed 100% of the time. If you want guaranteed blocking, set only the Pi-hole IP as DNS - but be aware that if your Pi goes down, all devices lose internet access.
Step 5 - Add more blocklists
The default install adds one blocklist with around 50,000 domains. You can dramatically increase coverage by adding community-maintained lists. In the Pi-hole admin panel, go to Adlists and add URLs from the Firebog curated list collection.
Some recommended additions:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
https://raw.githubusercontent.com/Zelo72/rbl/main/pihole/blocks/phishing.txtAfter adding lists, go to Tools → Update Gravity (or run pihole -g from SSH) to download and apply the new lists. Your block count should jump significantly.
Troubleshooting
Devices still seeing ads
First, verify that your device is actually using Pi-hole as its DNS server. On any device, look up the DNS config in network settings. It should show your Pi's IP. If it shows something else (like your ISP's DNS), the router change didn't apply - try rebooting the device or manually setting DNS in the device's Wi-Fi settings.
Pi-hole is blocking something it shouldn't
Go to the admin panel's Query Log, find the blocked domain, and click Whitelist. Alternatively, run from SSH:
pihole -w domain.comPi-hole dashboard not loading
The Pi-hole web interface is served by Lighttpd. Check its status:
sudo systemctl status lighttpdIf it's failed, restart it:
sudo systemctl restart lighttpdPi-hole is running but not blocking anything
Check that Pi-hole's DNS service is active:
pihole statusAnd verify port 53 is listening:
sudo ss -tulnp | grep :53Next steps
Once Pi-hole is running well, here's where to take it further:
- Add Unbound - replace your upstream DNS with a recursive resolver that doesn't send your queries to Google or Cloudflare.
- Add WireGuard - use Pi-hole's DNS filtering even when you're on mobile data away from home, by tunneling through your own VPN.
- Harden the Pi - if you set a secondary DNS, consider removing it and setting up a second Pi-hole instance as the secondary for true redundancy.
Marcus has been building homelab setups since 2015, with a focus on self-hosting, network security, and low-power server hardware. His Pi-hole setup has been running uninterrupted for over three years. He tests every guide on physical hardware before publishing.