Pi-hole Review and set up guide

Pi-hole is DNS filtering software that blocks DNS requests to online advertisers and tracking companies. It is typically used to provide ad-blocker and anti-tracking protection to all devices connected to a home network. 

Pi-hole will happily run on almost any Linux system, but as its name suggests, it is very resource-light and works well on low-end devices such as the Raspberry Pi (any model). Indeed, it will even work on the ultra-lightweight Raspberry Pi Zero W!

 

How does Pi-hole work?

The Domain Name System (DNS) is basically just an internet-wide telephone book that maps URL web addresses to the IP addresses, which computers use to identify websites. Pi-hole sits between your network and its DNS server, filtering out DNS queries for IP addresses known to belong to advertisers and analytics companies.

A Pi-hole, therefore, reduces the number of ads seen, helps prevent tracking your browsing habits for advertisement purposes, and can improve page load times since it blocks all those data-hungry apps from loading in web pages you visit. 

If you have ever used an adblocker such as uBlock Origin or Adblock Plus, then you know the deal. The benefit of Pi-hole, however, is seamless protection across all devices connected to your network without the need to install any additional software.
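The filtering decision described above, as an added example (a simplified model written for this guide, not Pi-hole's own code). It assumes blocklist entries are domain names in hosts-file format and that blocked queries are answered with 0.0.0.0; the sample domains, the upstream address 192.0.2.53 and all function names are constructed for illustration.

```python
NULL_ANSWER = "0.0.0.0"  # assumed sinkhole answer for a blocked A query

# Constructed sample blocklist (hosts-file format, example domains only).
SAMPLE_BLOCKLIST = """\
# ads and trackers (constructed sample)
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
127.0.0.1 metrics.example.org
ads2.example.com
"""

def normalize(name):
    """Lower-case a domain and drop the trailing root dot so lookups compare equal."""
    return name.strip().rstrip(".").lower()

def parse_blocklist(text):
    """Return the set of domains in a hosts-format or one-domain-per-line list."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()           # strip comments
        names = fields[1:] if len(fields) > 1 else fields  # skip the leading IP
        blocked.update(normalize(n) for n in names)
    return blocked

def decide(qname, blocked, allowed=frozenset(), upstream="192.0.2.53"):
    """Return ("block", sinkhole answer) or ("forward", upstream resolver).

    The model matches whole names only, so a subdomain of a listed domain is
    forwarded unless it is listed itself; an allow-list entry overrides a block.
    """
    name = normalize(qname)
    if name in blocked and name not in allowed:
        return ("block", NULL_ANSWER)
    return ("forward", upstream)

if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for q in ("ads.example.com.", "TRACKER.example.net",
              "www.example.com", "cdn.ads.example.com"):
        print(q, decide(q, blocked))
    print(decide("metrics.example.org", blocked, allowed={"metrics.example.org"}))
```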

Pricing

The Pi-hole software is 100% free and open source. It doesn’t cost a penny.

You are, however, encouraged to donate towards the project in order to cover expenses and reward the work of the volunteers who develop and maintain Pi-hole. Donations can be made via PayPal or a selection of cryptocurrencies. A number of alternative ways to support the project are also suggested. 

If you are purchasing new hardware for the project, then a base Raspberry Pi costs $35 USD, to which you will also need (at minimum) to add an SD card to install the OS onto, and either a WiFi dongle or ethernet cable to provide an internet connection.

If you don't have a spare display, keyboard, and mouse, you can SSH into your Raspberry Pi from almost any other internet-connected device (which is something we plan to cover in a tutorial soon). 

The Raspberry Pi Zero W comes in at the stupidly low price of $10, but is out of stock at the time of writing this article. If you plan on running a combined Pi-hole and PiVPN, then you may want a beefier machine, anyway. We haven’t put it through its tests, but the 4GB version of the new Raspberry Pi 4 Model B is reported to provide impressive bang-for-buck.

For just Pi-hole, though, an old Gen 1 Raspberry Pi you might have lying around gathering dust will do the job just fine. And if you are the kind of person who has old PC hardware lying about, you should be able to knock together a headless Linux box with minimal financial outlay.

Features

Privacy and security

Jurisdiction

Pi-hole is free and open source software that you run on your own machine, so jurisdiction is not really an issue. 

It is important to understand, though (and contrary to some rather confusing descriptions we have read on the internet), that Pi-hole does not act as a full DNS server. Its sole purpose is to filter out selected DNS queries, not to resolve DNS queries itself; resolution is still handled by a third-party DNS service. It is, therefore, important to choose a DNS service that values your privacy.


Note that it is possible to run your own DNS server, which is beyond the scope of this guide, but it is something we may show you how to set up in the future.

Technical security

By default, Pi-hole offers no technical security. Access to the Pi-hole should not be a major issue since it can only be used by devices connected to your local network (which itself should be secure).

A bigger problem is that DNS queries sent from the Pi-hole to the DNS resolver are not encrypted, and can be seen by your internet provider (ISP). It is possible, however, to set up the Pi-hole to use DNS-over-HTTPS in order to address this issue. That is beyond the scope of this guide, but more information is available here.

For additional security, plus the ability to access the DNS filtering abilities of your Pi-hole from anywhere on the internet, you can VPN into it. But, once again, such is beyond the scope of this review and guide.

Support

Extensive documentation, including a good FAQ, is available on the Pi-hole’s Discourse page. The Discourse page also hosts a lively community forum where you can ask for help. Alternatively, there is a Pi-hole subreddit and an official Twitter feed.

How to set up a Pi-hole on a Raspberry Pi

You can install Pi-hole using Docker, but we opted to use the one-step automated installer.

  1. Fire up your Raspberry Pi and open Terminal (or SSH into it) and enter:

        curl -sSL https://install.pi-hole.net | bash

    This will run the Pi-hole automated installer. From here on, installing Pi-hole is really just a matter of following the wizard. Given the amount of information that's thrown at you, we are not going to show every screen displayed during the process (of which there are many), but will instead concentrate on any important decisions you need to make.

  2. In order to access your Pi-hole server from the internet, it will need a static IP address. In this step, decide which network interface you will use to connect to your Pi.

    Above we see options for our Pi’s Ethernet, WiFi, and OpenVPN interfaces. The actual static IP used is decided later in the setup process (see Step 6).
  3. By default, Pi-hole filters DNS requests but does not resolve them itself. For this, you will need to use a third-party DNS service. Please check out our list of privacy-focused DNS services for recommended resolvers.

  4. Pi-hole filters content using blocklists - lists of IP addresses that it will block. You can add and delete blocklists after setup (in addition to whitelisting and blacklisting individual domains), but to get you started, Pi-hole suggests some popular and respected public-domain blocklists during installation.

    We’re happy to use all of them!
  5. We think the next screen is a bit of a no-brainer since we can think of no reason why you would want to block IPv4 and not IPv6 (or vice versa). So, if in doubt, stick with the default setting of blocking both kinds of IPs.
    Even if your connection and/or device doesn’t support IPv6 (very likely), there is no harm in blocking malicious IPv6 domains, anyway!

  6. In Step 2, you selected which network interface the Pi-hole will use. It's now time to decide on a static IP. You are free to pick your own, but it’s simplest to just use your existing IP address. We are going to assume you want to install the web interface and web server. If you do, keep skipping through menus until you hit...
  7. Privacy modes. Do you want to log queries? And select a privacy mode for FTL (Faster Than Light - the open source daemon used to serve statistics to the web console)?

    If you plan to use your Pi-hole just for yourself, then you might as well log everything. Doing so may help you to resolve problems and provide interesting insights into your own online behavior and the domains that would track you.

    If others are going to use the Pi-hole, though (for example your family, staff/fellow workers, or customers), then you need to think carefully about the ethics of knowing their browsing habits and how much data you should retain. Or, indeed, that you even want to know!

    See here for the full list of what each privacy level hides from the Pi-hole administrator (i.e. you). Even if you are using the Pi-hole to help protect children from unsuitable material on the internet, we strongly advise caution about actually monitoring what they get up to online.
  8. And that’s it! Your Pi-hole is now set up and will run automatically whenever your Raspberry Pi (or other configured device) is turned on. Make a note of your Admin web page address and password. You can now disconnect any screens, keyboards, and the like, and store the device somewhere out of the way where it will quietly do its job of keeping you free from ads as you surf the internet!

Using the Pi-hole

  1. The simplest way to use the Pi-hole is to set up your router so that all devices which connect to it take advantage of its DNS filtering capabilities. Most modern routers allow you to specify the DNS server they use in their DHCP/DNS settings.

    Just be sure to only set a single DNS entry (that of your Pi-hole, as configured above), and change the LAN settings, not the WAN settings.

    If your router doesn’t support changing DNS server, then Pi-hole has a built-in DHCP server you can use instead. This can be enabled in the web console by going to Settings -> DHCP tab -> DHCP Settings -> “DHCP server enabled.”



    As the warning says, for this to work it is essential to disable your router's DHCP server in its Admin page. If you have a fancy router, such as one running OpenWRT, DD-WRT, or Tomato firmware, then some advanced features are available with a little extra setup.
  2. You can configure each device individually to use the Pi-hole as a DNS server. Check out A Complete Guide to Changing your DNS Settings for a full low-down on doing this. Just use the DNS settings you specified during setup above.
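A way to check that a device's DNS queries really are being filtered, as an added example (not part of the original guide or the Pi-hole project). It builds a DNS query by hand and tests whether the reply is a sinkhole answer, assuming blocked A queries are answered with 0.0.0.0; the function names and the constructed sample reply are illustrative.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at `pos`."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def is_sinkholed(msg):
    """True when the reply has A answers and every one is 0.0.0.0 (assumed block answer)."""
    return set(a_records(msg)) == {"0.0.0.0"}

def ask(server, name, timeout=3.0):
    """Send one UDP query to `server` (the Pi-hole's IP) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return sock.recvfrom(512)[0]

def sample_response(name, ip):
    """Constructed reply for offline use: the question plus one A answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query(name)[12:] + answer
```

Against a live setup, `is_sinkholed(ask(pihole_ip, domain))` with your Pi-hole's address and a domain taken from one of your blocklists should be true; the same domain asked of any other resolver should give false.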

Manage your Pi-hole using the web interface 

It is possible to manage your Pi-hole via the command-line. But when it comes with a gorgeous GUI web interface, why would you?

Basic statistics can be viewed by anyone connected to your LAN network, but the full statistics glory, plus admin control, are only available once you enter the correct password. 

A ridiculous number of statistics are available, including how many DNS queries have been made, how many of those were blocked, which type of query they were, how they were answered, top domains that were allowed, top domains that were blocked, and more.

The web console provides a beautiful GUI interface for accessing a variety of logs (depending on the privacy levels you set when setting up the Pi-hole), whitelisting and blacklisting domains, monitoring your LAN network, adjusting Pi-hole settings, and more.

Final thoughts

Free and open source software that runs on $35 hardware (or less) and will provide highly effective, transparent, and fully customizable adblocker, tracker, and (limited) malware protection for all devices connected to your network? Yes, please!

As long as the idea of pasting a single command line into Terminal doesn't faze you, setting up a Pi-hole is very easy - just follow the prompts and go with the defaults! And once set up, the web console makes management a joy.

There is literally nothing we don’t like about this amazing software.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

2 Comments

Blu Skies
on January 25, 2020
Love the article. But shouldn't it be, "SSH into your pi"? Just wondering... Thanks again.
Douglas Crawford replied to Blu Skies
on January 28, 2020
Hi Blu. Oops. I obviously had a brain-burp when typing that! Thanks for spotting. Yes, it should be SSH, and you might like to know that we now have a guide on How to SSH into a Raspberry Pi!
