Pi-hole: Block Every Ad on Your Entire Network with Raspberry Pi

I noticed a banner ad on my smart fridge's UI last summer. A grocery delivery ad. On a fridge. That was the moment I gave up and finally set up Pi-hole on the Raspberry Pi 4 I'd been using as a glorified Pi-hole-shaped paperweight.

48 hours later, the network was quiet. Phone faster. TV home screen empty of garbage. ~14,000 blocked queries on day one.

You're about to do the same setup in under an hour. By the end of this guide, you'll have Pi-hole running on a $35 box, you'll know exactly which blocklists to add (and which to skip), and you'll have the fix in hand for when something inevitably breaks.

What Pi-hole Actually Does (And What It Won't)

Pi-hole is a DNS sinkhole. In plain English: every time a device on your network asks "what's the IP for ads.tracking-co.com?", Pi-hole intercepts the question and lies. "No such domain." The ad never loads. The tracker never fires. The shady redirect never resolves.

Because it works at the DNS layer, it covers your phone, your laptop, your smart TV, your console, your printer that phones home twice a day, the LED strip you bought drunk on a Tuesday — every single thing that joins your Wi-Fi. uBlock saves the browser. Pi-hole saves everything else.

I run mine on a Pi 4 that draws about 3 watts. It's been up 287 days uninterrupted. You don't need much.

What it absolutely won't do — set expectations before you start:

Block YouTube ads (same domain as the videos — physically impossible at the DNS layer, no matter what some Reddit thread tells you)
Fix Spotify Free
Replace your firewall
Help with apps that hardcode their own DNS or use DoH internally (Disney+, some mobile games, anything paranoid)

Everything else is fair game.

What You Need Before You Start

Four things. That's it.

Something that stays on 24/7. A Raspberry Pi works. So does an old laptop with the lid closed. So does a Docker container on the NAS you already own. So does a $5/mo VPS if you want to be fancy with Tailscale.
Wired ethernet on the Pi-hole box if at all possible. I learned this at 2am during a Wi-Fi hiccup — when Pi-hole drops, your whole house loses DNS. Don't put it on flaky Wi-Fi.
A static IP. Easiest path is a DHCP reservation on your router. Five clicks, done forever.
Router admin access. The password is printed on the bottom of the router 90% of the time. Check before you start digging through old emails.

RAM-wise Pi-hole is featherweight. Mine sits at ~80 MB under normal load. You've got headroom on basically anything you'd plug in.

The Install: Three Paths, Pick One

Path 1 — Official installer (the standard move)

Best if you've got a Raspberry Pi or a clean Debian/Ubuntu box:

curl -sSL https://install.pi-hole.net | bash

Yes, you're piping curl into bash. That's how the maintainers ship it. If that makes you twitch, save the script first and read it — the source is on GitHub, it's not malware.

The installer asks you a bunch of questions. Here's what you pick, no thinking required:

QuestionYour answerUpstream DNS providerCloudflare (1.1.1.1) or Quad9 (9.9.9.9). Not Google.BlocklistsAccept default — you'll tune this laterWeb admin interfaceYesWeb server (lighttpd)YesLog queriesYesPrivacy mode"Show everything" — it's your own network

At the very end it prints an admin password. Screenshot it before you close the terminal. I lost mine once and had to SSH back in to reset with pihole setpassword. Save yourself that minor pain.

Path 2 — Docker (if you already have a host)

You know who you are. Drop this into a docker-compose.yml:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'Asia/Kolkata'
      FTLCONF_webserver_api_password: 'pick-something-not-this'
      FTLCONF_dns_listeningMode: 'all'
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped

Then:

docker compose up -d

Heads up — if your host already has something on port 53 (systemd-resolved on Ubuntu does this by default), you'll burn 20 minutes wondering why port 53 is "already in use." I did exactly that. Skip the pain — kill systemd-resolved first:

sudo systemctl disable --now systemd-resolved
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf

Path 3 — Fresh Raspberry Pi from scratch

Full starter pack, start to finish:

Flash Raspberry Pi OS Lite (64-bit) with Raspberry Pi Imager. Hit the gear icon in the imager — set hostname, enable SSH, configure Wi-Fi if you absolutely have to.
Boot it. SSH in: ssh [email protected]
sudo apt update && sudo apt full-upgrade -y — go make coffee
Pin a static IP via DHCP reservation on the router. Editing dhcpcd.conf works too but the router-side approach is one place to manage all your IPs.
Run the installer from Path 1.

Total wall-clock time: about 25 minutes if your apt mirror isn't trash.

Wire Your Network to Use Pi-hole

Pi-hole does literally nothing until your devices ask it for DNS. Two ways to flip that switch.

The right way: change DNS on your router

Log into the router admin page. Find DNS settings — usually under LAN, DHCP, or Internet. Set the primary DNS to your Pi-hole's IP.

Now the part most guides skip and you must not: delete any secondary DNS. No 8.8.8.8 backup. No 1.1.1.1 fallback. None. If you leave a backup, your devices will use it whenever Pi-hole is even slightly slow, and your blocking will be wildly inconsistent. You'll think Pi-hole is broken when really it's just getting bypassed half the time.

Save. Either reboot a device or run ipconfig /release && ipconfig /renew on Windows. On phones, toggle Wi-Fi off and back on. The DNS change kicks in on the next DHCP lease renewal — usually within seconds.

When your ISP-locked router won't let you change DNS

This happens constantly with ISP-supplied gear. Two moves:

Turn Pi-hole into your DHCP server. Disable DHCP on the router, enable it in Pi-hole under Settings → DHCP. Pi-hole now hands out itself as the DNS to every device on the network.
Buy a real router. A used Mikrotik hAP or a flashed OpenWrt box is $40 and changes your life. I should've done it years before I actually did.

Confirm it's working in 10 seconds

Visit http://pi.hole/admin and watch the query log light up. Or from any device on the network:

nslookup doubleclick.net <pi-hole-ip>

You should get 0.0.0.0 back. That's the sound of an ad domain dying in real time.

Read the Dashboard Like You Own the Place

Open http://pi.hole/admin, log in. The dashboard greets you with totals — queries today, percentage blocked, top blocked domains, top clients on your network.

Four pages you'll actually use:

Query Log — every single DNS query on your network, live. The most useful page in the entire UI. When something breaks, you come here first.
Adlists — the blocklists you've subscribed to.
Domain Management — manual allow/deny rules with regex support.
Local DNS — give your devices friendly hostnames. printer.home beats memorizing 192.168.1.50.

Bookmark the query log. You'll live there.

Curated Blocklists (Don't Be the Person With 47 Lists)

Real talk: the default StevenBlack list handles about 90% of normal ads and trackers. That's roughly 150,000 domains. Every extra list after that gives diminishing returns and exponentially increases the odds of breaking something random.

Here's the trap I see every week on r/pihole: someone posts "BEST 47 PIHOLE BLOCKLISTS 2026." Someone else adds all of them. Their banking app stops working. Their kid's homework site fails. They blame Pi-hole and turn it off.

Don't be that person. Use a small, curated set:

ListURLWhat it catchesStevenBlack unifiedhttps://raw.githubusercontent.com/StevenBlack/hosts/master/hostsAds, malware, generalOISD Bighttps://big.oisd.nl/Curated, low false positivesHagezi Multi Prohttps://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txtAds, tracking, maliciousAdGuard DNS filterhttps://v.firebog.net/hosts/AdguardDNS.txtMobile-focused

Add them under Adlists → paste URL → Add. Then rebuild gravity:

pihole -g

That command consolidates everything into the active blocking database. It also auto-runs every Sunday morning, so this is a one-and-done after the initial add.

Four lists. Not 47. Trust me.

When Stuff Breaks, Fix It in 30 Seconds

Most people who quit Pi-hole quit because something broke and they couldn't figure out why. Don't be them. The fix is almost always the same: open the query log.

Your move when something on your network stops working:

Try to use the broken thing. Let it fail naturally.
Open the query log. Filter by your device's IP.
Look at recently blocked domains. The culprit is almost always obvious from context.
Click the green "allow" button next to anything essential.

Done. 30 seconds once you've done it twice.

Repeat offenders I've personally had to whitelist over the years:

Random Microsoft Teams telemetry domains (varies by tenant — every org is slightly different)
spclient.wg.spotify.com on some Spotify setups
Apple push notification servers (rare but happens — usually on aggressive lists)
Smart TV firmware update endpoints when the TV gets stuck on a check
Some IoT cloud sync endpoints (Sonos has done this to me at least twice)
Mobile banking app analytics, which usually also serve real auth checks

When you need a sanity-check reference, github.com/anudeepND/whitelist is the community-maintained "known good" list. Don't apply all of it — use it as a lookup when you're not sure if a domain is critical.

Commands You'll Burn Into Muscle Memory

These nine cover ~95% of what you'll ever do at the CLI:

pihole -up              # update Pi-hole itself
pihole -g               # rebuild blocklists
pihole -c               # live stats in terminal — leave it open
pihole disable 5m       # pause blocking for 5 minutes
pihole enable           # resume
pihole -q doubleclick   # which lists is this domain on?
pihole tail             # watch DNS queries fly past live
pihole restartdns       # restart the resolver
pihole setpassword      # reset admin password

pihole -c is the homelab equivalent of a campfire. Open a terminal, leave it running, watch the queries scroll past. Genuinely satisfying.

Go Full Privacy with Unbound (5 Minutes, Worth It)

Default Pi-hole forwards your queries upstream to Cloudflare or whoever. They claim no logging. Maybe true. Maybe not. You're still trusting a third party.

Unbound removes the middleman entirely. It's a recursive resolver — instead of asking Cloudflare, it walks the DNS tree from the root servers down. No third party ever sees your aggregated query history.

I added Unbound about six months in and noticed two things: first lookups for fresh domains got slightly slower (a few hundred ms — barely perceptible), and my paranoid friend stopped giving me grief about Cloudflare.

Setup takes five real minutes:

sudo apt install unbound
sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root

Create /etc/unbound/unbound.conf.d/pi-hole.conf using the config from the official Pi-hole Unbound guide — about 30 lines, copy-paste.

Then in Pi-hole admin → Settings → DNS, uncheck every upstream provider and add 127.0.0.1#5335 as a custom DNS server. Save. You're now resolving DNS yourself like it's 1997.

Keep It Alive (5 Minutes a Month, Tops)

Pi-hole is the most low-maintenance self-hosted thing I run. Once a month, do this:

pihole -up to update Pi-hole
sudo apt update && sudo apt full-upgrade for the OS
Glance at the dashboard if anything's felt weird this week
Hit Settings → Teleporter → Backup. Save the tar file somewhere safe.

The Teleporter backup is gold. It bundles your blocklists, allow rules, local DNS, and settings into a single file. When my SD card died last year, I had a fresh install identically configured in 12 minutes. Take the backup. Future you will thank current you.

Do It This Weekend, Not "Someday"

Don't bookmark this. Don't slot it into "projects I'll get to eventually." Pi-hole takes one evening to install and pays back the time forever.

Tonight: grab a Raspberry Pi (or fire up that Docker container you've been meaning to spin up), run the curl command, change your router's DNS, walk away. Tomorrow your phone will load pages noticeably faster. Within a week you'll notice your smart TV's home screen has gone quiet. After a month you'll start looking at every "free" app on your devices and wondering exactly what it's been sending home.

I've had Pi-hole running for years. The only thing I regret is not setting it up the day I first heard about it. Your move.