Objective
Deploy Pi-hole, a DNS server with network-level ad and tracker filtering. It protects every device on the network without per-device configuration.
Prerequisites
- Debian 11 / Ubuntu server or Raspberry Pi
- Static IP address recommended
- Minimum 512 MB RAM
- Root or sudo access
- Internet connection
Full Procedure
Step 1: Static IP configuration (recommended)
nano /etc/network/interfaces
Example configuration:
auto eth0
iface eth0 inet static
    address 192.168.1.200
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 1.1.1.1 8.8.8.8
Restart networking:
systemctl restart networking
Step 2: Automated Pi-hole installation
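curl -sSL https://install.pi-hole.net | bash
This pipes a remote script directly into a shell with root privileges. To review it first, download it to a file, read it, then run that file with bash.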
Step 3: Configuration during installation
Network interface selection
- Select the primary interface (e.g. eth0, ens33)
Upstream DNS provider selection
- Google: 8.8.8.8 / 8.8.4.4
- Cloudflare: 1.1.1.1 / 1.0.0.1 (recommended for privacy)
- Quad9: 9.9.9.9
- OpenDNS: 208.67.222.222 / 208.67.220.220
Blocklists
- Leave the default lists checked (StevenBlack, MalwareDomains)
Protocols
- IPv4: Yes
- IPv6: Yes (if your network supports IPv6)
Static IP address
- Confirm the displayed IP address
- Confirm the gateway
Administration web interface
- Install web interface: Yes
- Install lighttpd web server: Yes
Query logs
- Enable logs: Yes
- Privacy level: Show everything (or desired level)
Step 4: Access the web interface
Access via browser:
http://192.168.1.200/admin
Log in with the password provided at the end of installation
Step 5: Change admin password
pihole -a -p
Enter the new password twice
Step 6: Configure network clients
Option A: Router DHCP configuration (recommended)
Change the router's primary DNS server to point to Pi-hole:
- Primary DNS: 192.168.1.200 (Pi-hole IP)
- Secondary DNS: 1.1.1.1 (optional, fallback; queries answered by it are not filtered)
All network devices will automatically use Pi-hole
Option B: Manual configuration per workstation
Windows:
- Control Panel → Network → Adapter Properties
- IPv4 → Properties → Preferred DNS: 192.168.1.200
Linux:
nano /etc/resolv.conf
nameserver 192.168.1.200
nameserver 1.1.1.1
Verification
DNS resolution test
nslookup google.com 192.168.1.200
Should return Google's IP address
Blocking test
Test with a known advertising domain:
nslookup ads.google.com 192.168.1.200
Should return 0.0.0.0 or Pi-hole's IP (blocked domain)
Browser test
Access a site with ads → ads should be blocked
Check in the Pi-hole dashboard that queries appear
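The resolution and blocking tests above, combined into one repeatable check. This is an added example, not part of the original guide or of the Pi-hole project. It assumes dig is installed (it ships in the same Debian/Ubuntu package as nslookup); the script name pihole-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: post-install check of a Pi-hole resolver (not Pi-hole project code).
# PIHOLE_IP defaults to the address used in this guide; override via environment.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.200}"

# classify_answer <first A record, may be empty> <pihole_ip>
# Prints one of: blocked | resolved | no-answer
classify_answer() {
    case "$1" in
        "")            echo "no-answer" ;;  # timeout or empty reply: resolver down or unreachable
        0.0.0.0|"$2")  echo "blocked" ;;    # sinkholed: null address or the Pi-hole's own IP
        *)             echo "resolved" ;;   # forwarded upstream and answered normally
    esac
}

# query_a <domain> <server>: first IPv4 answer from that server, empty on failure.
# The grep drops CNAME lines and dig's ";; connection timed out" message.
query_a() {
    dig +short +time=2 +tries=1 "@$2" "$1" A 2>/dev/null |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# check_domain <domain> <expected state>: returns 0 when the state matches.
check_domain() {
    answer=$(query_a "$1" "$PIHOLE_IP")
    state=$(classify_answer "$answer" "$PIHOLE_IP")
    printf '%-16s expected=%-9s got=%-9s %s\n' "$1" "$2" "$state" "$answer"
    [ "$state" = "$2" ]
}

# run_checks: the two tests from this section; non-zero status if either fails.
run_checks() {
    rc=0
    check_domain google.com resolved    || rc=1
    check_domain ads.google.com blocked || rc=1
    return "$rc"
}

# Only query the network when asked to: sh pihole-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A no-answer result for both domains means the Pi-hole itself is unreachable, which is the single-point-of-failure case listed under Limitations.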
Advanced configuration
Adding extra blocklists
Web interface → Group Management → Adlists
Recommended lists:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://v.firebog.net/hosts/Easylist.txt
https://v.firebog.net/hosts/AdguardDNS.txt
Update the lists:
pihole -g
Whitelist (unblock a domain)
Web interface → Whitelist → Add
Or from the command line:
pihole -w example.com
Blacklist (block a specific domain)
pihole -b badsite.com
Enable Pi-hole DHCP server
Settings → DHCP → DHCP Server enabled
- Disable the router's DHCP first!
- Define the address range (e.g. 192.168.1.50 to 192.168.1.250)
- Gateway: 192.168.1.1 (router)
Useful commands
# Update Pi-hole
pihole -up
# Update blocklists
pihole -g
# Statistics
pihole -c
# Service status
pihole status
# Restart Pi-hole
pihole restartdns
# Real-time logs
pihole -t
# Flush DNS cache
pihole restartdns reload
Security and Limitations
Advantages
- Network-level ad blocking (all devices)
- Protection against trackers and malware
- Improved network performance
- Bandwidth savings
- Detailed statistics dashboard
- No per-device configuration required
Limitations
- SPOF (Single Point of Failure): if Pi-hole goes down, no DNS
- Does not block YouTube ads (embedded in videos)
- May break some sites (false positives) → use whitelist
- Not an antivirus (blocks only via DNS)
- Devices can bypass with manual DNS (8.8.8.8)
Recommendations
- Configure a secondary DNS (fallback if Pi-hole is offline)
- Regular configuration backups:
pihole -a -t
- Monitoring with Uptime Kuma, Zabbix, etc.
- High availability: deploy 2 Pi-hole instances
Key Points for the BTS Oral
- Pi-hole: DNS server with filtering of malicious/advertising domains
- DNS sinkhole: blocking technique by resolving DNS to 0.0.0.0
- Advantages: full network protection, no per-device config
- Architecture: dnsmasq + lighttpd + PHP interface
- Blocklists: databases of malicious domains (StevenBlack, Firebog)
- Limitation: does not protect against malware that is already present
- Alternative: AdGuard Home, NextDNS