Blog
·5 min read

Pi-hole: Network-wide Ad Blocking via DNS

How Pi-hole acts as a DNS sinkhole to block ads and trackers for every device on your network — no browser extension required.

NetworkingDNSHomelabSelf-hosted

Browser ad blockers are great, but they only cover one device and one browser. Pi-hole solves this at the network level by acting as your LAN's DNS resolver. Any device that uses your router for DNS — phones, smart TVs, IoT sensors, game consoles — gets ad blocking without installing anything.

How DNS-based blocking works

When a device wants to load ads.doubleclick.net, it first asks DNS: 'What's the IP for that domain?' Pi-hole intercepts that query. If the domain is on a blocklist, Pi-hole returns 0.0.0.0 instead of the real IP — the request goes nowhere. If it's not blocked, Pi-hole forwards the query upstream (to Cloudflare, Google, or your own recursive resolver).

  • No man-in-the-middle TLS inspection needed — just DNS
  • Works for all protocols, not just HTTP/HTTPS
  • Blocks trackers in native apps, not just browsers
  • Query logs give you a real picture of what your devices 'phone home' to

Setting it as your network DNS

The cleanest setup is to point your router's DHCP DNS field to the Pi-hole IP. Every device that gets an IP via DHCP automatically uses Pi-hole. Alternatively, set it per-device in network settings.

bash
# Point upstream DNS to Cloudflare + Quad9
# Pi-hole admin → Settings → DNS
Primary:   1.1.1.1
Secondary: 9.9.9.9

# Check what's being blocked
pihole -c          # chronometer
pihole -t          # live tail of query log
pihole -q domain   # check if a domain is blocked

Blocklists that actually work

The default StevenBlack list is a solid start (~130k domains). I also add the HaGeZi multi-pro list and Oisd for broader coverage. Too aggressive blocklists break legitimate services, so I keep a local whitelist for domains I've had to unblock.

Tip:Run Pi-hole in Docker alongside Unbound as a recursive resolver. Unbound handles root-level DNS resolution so no single upstream provider sees all your queries.

What surprised me after running it

  • A smart TV was making 800+ DNS queries per hour to ad/analytics endpoints
  • 20–30% of DNS queries on a typical home network are blocked
  • Pages actually load faster without ad content fetching in parallel
  • The query log is genuinely useful for debugging app connectivity issues
All postsPortfolio

More Posts

Nginx Proxy Manager: Reverse Proxy + SSL in Minutes

April 22, 2025

Immich: Self-Hosted Google Photos That Actually Works

March 15, 2025

Temporal.io: Workflow Orchestration That Survives Restarts

February 28, 2025