The Complete PiHole Setup Guide.
Welcome to the Ultimate Ad Blocking setup tutorial. This tutorial will provide you with the information and commands to set up Pi-Hole for whole-network ad blocking. Some of the security concerns that ads bring will also be discussed.
Table Of Contents
- Supported Systems
- The Reasons to Block Ads and Tracking
- 0. Gather Information
- 1. Install Dependencies
- 2. Install Optional Components
- 3. Configure UFW (Uncomplicated Firewall)
- 4. Install Pi-Hole
- 5. Install Options
- 6. Configure Your Router/Computer
- 7. Additional Block Lists
- 8. Items to Whitelist
- 9. Setting up DNS Crypt/DNS over TLS
- 10. Locking Down Your Router
- Additional Resource Links
The following is required to have been set up before you continue with this guide.
- Either a system with Ubuntu 20.04 or a Raspberry Pi with the latest Raspberry Pi OS
- UFW installed and disabled
- A non-root user with sudo
- SSH or direct access to the system being used
- System is set up with a static IP
Supported Systems
- x86 Ubuntu 20.04 LTS
- Raspberry Pi – newest Raspberry Pi OS
The Reasons to Block Ads and Tracking
As many of you may have seen in the news and on social media, malicious ads and companies tracking your internet activity are becoming a major issue. Not only are these ads distracting, but in many cases they are used to track your activity and can even contain malware.
Another reason to block ads and tracking links is email spam. Most spammers use tiny invisible images inside emails to track not only that you received the email but also that you opened it. On top of this they can get many details about your computer, and with some exploits can even get access to it.
With all this in mind, it makes sense to set up a system like Pi-Hole to help protect your computer, your network, and your privacy.
0. Gather Information
Please find the following information about the system you are installing Pi-Hole onto and save it for use in this tutorial.
- The system's IP – On Ubuntu use
ip addr show
On Raspberry Pi OS use
- Check free space –
df -h
and ensure that you have at least 5GB free
1. Install Dependencies
In this step, we will update the package lists and upgrade the system so that the Pi-Hole installer has current packages to work with.
sudo apt update && sudo apt -y dist-upgrade
2. Install Optional Components
Below are optional tools that can be very helpful when troubleshooting issues with your system but are not required to have a working Pi-Hole setup.
sudo apt update && sudo apt -y install vnstat glances bmon
This command will install the following components:
- Vnstat – A tool for seeing historical bandwidth usage
- Glances – A tool for seeing system resource usage
- Bmon – a tool for monitoring live network statistics
3. Configure UFW (Uncomplicated Firewall)
Next, we will want to configure UFW to allow access to DNS and to the web interface.
yes | sudo ufw enable
sudo ufw allow 5300
sudo ufw allow 53
sudo ufw allow ssh
sudo ufw allow 80
sudo ufw allow 443
sudo ufw status
sudo ufw reload
These commands enable UFW and allow access to the listed ports from any IP on your local network. Port 53 is DNS, 80 and 443 are the web interface, and ssh keeps your remote access working. Port 5300 is the port DNSCrypt-Proxy will listen on in step 9; since that listener is bound to 127.0.0.1 only, the UFW rule for it is not strictly needed, but it is harmless.
4. Install Pi-Hole
*** Warning *** Never run untrusted scripts from the internet.
The script below is from the official Pi-Hole GitHub. If you would like to look at the script before running it, please visit their GitHub at https://github.com/Pi-Hole/Pi-Hole, or download it to a file and read it before running it.
The following command will download the official Pi-Hole install script and run it.
curl -sSL https://install.Pi-Hole.net | bash
5. Install Options
Now the Pi-Hole install script will ask you the following questions to set the basic configuration of Pi-Hole. If you are not interested in descriptions of the following options, it is safe to select the default for all of them. Most of the options will be changed later.
- Upstream DNS server – This option allows you to select your primary DNS server. This is the DNS server Pi-Hole will use for DNS queries.
- Blocklists – These are the basic blocklists. Both are very safe and tend not to have issues, but they are missing some DNS names we will block later.
- IPv4/IPv6 – This allows you to select whether you want to use both IPv4 and IPv6.
- Static IP – This screen shows your current server IP address and your router's/DHCP server's address. Make sure they are correct and write down the IP for later use.
- Admin web interface – This is a little misleading. Without the admin interface, Pi-Hole is very hard to configure and maintain. It is required for this tutorial to install the admin interface.
- Web server – This is required by the admin interface.
- Query logging – If you want to see where and what things are looking for, this needs to be on.
- Privacy mode – If your Pi-Hole is on a private network and not accessible from the internet, option 0 is what you will want to choose.
After the installer finishes, you will want to set your password for the Pi-Hole web interface. This password should be secure and should meet the following guidelines.
- 8 or more characters
- Contain Uppercase and Lowercase Letters
- Special Characters
- Should NOT contain Names, Words, Dates, etc.
The following command will ask you to enter a password for the Pi-Hole web interface:
sudo pihole -a -p
6. Configure Your Router/Computer
Now to start using your new DNS server you will need to change your router’s DHCP settings to point to your Pi-Hole Server. Due to the sheer number of routers on the market, this change will not be explained fully here.
If you only want to have your desktop or laptop use Pi-Hole then change its DNS settings to point at your new Pi-Hole server. Please remember that you will need to reboot your computer for the changes to fully take effect.
At this point, you have a working basic Pi-Hole setup and if you are not interested in a more advanced setup you can stop here.
*** Note *** To access the Admin web interface; enter the IP of your Pi-Hole server in your browser.
7. Additional Block Lists
Next, we will begin to add the blocklists that I have found to be the best available.
*** Note *** These blocklists are maintained by community members and I am not responsible for any issues that are caused by using these lists. Also, some of these lists are very aggressive and will require steps to allow certain services to work after enabling these lists.
These are the lists I prefer to use and have had great success with. These are in addition to the official lists.
Log Into the Pi-Hole Admin Web Interface with the password you created earlier.
This will then load the main admin dashboard and show you statistics on your Pi-Hole.
Next, you will want to click on the Group Management menu item and then click on Adlists. At this point, you can paste the link for the list you want to add in the address box and then click add. Once it is added you can add a comment so that you know what list it is or why you added it.
Finally, you will need to update the blocklists. To do this you will need to click on the Tools menu item and then Update Gravity. Once on this page click update and once it is done the lists you added will be active. Pi-Hole will do a list update automatically after this point but it is always best practice to update the block list after adding new lists.
8. Items to Whitelist
With many of the lists out there, some of the services you use may be blocked. This is where whitelisting comes in. In my experience, this only happens when either you are using a list that is poorly maintained or over-aggressive, or the service you are using is doing something it shouldn't and stops working because it silently requires the bad actions it's taking to run.
Two good examples of this are CBS All Access and Google Chrome Sync. Personally I spent hours tracking down why these were not working. Both would fail without any visible error and simply didn’t work. Below are the items I have found to be necessary for these and other services to work.
- googleapis.l.google.com – Needed for Google Chrome Sync
- githubusercontent.com – Needed for GitHub User Content
- cbsinteractive.hb.omtrdc.net – Needed for CBS All Access
- pubads.g.doubleclick.net – Needed for CBS All Access
There is a great list on the Pi-Hole forums at https://discourse.Pi-Hole.net/t/commonly-whitelisted-domains/212. To add these to the white list follow the steps below.
Click on the Whitelist menu item. Then you will paste the domain into the domain field and click add to whitelist.
After doing this you can add comments to the whitelist items to make it easier to know what they are for in the future. Also on this page, you can enable and disable any whitelist items.
9. Setting up DNS Crypt/DNS over TLS
Now that you have a fairly secure Pi-Hole setup, let's take the next step and encrypt and protect our DNS queries from your ISP and from DNS man-in-the-middle attacks. This is done by sending your DNS queries over HTTPS/TLS instead of in plain text.
If you would like to see whether your ISP is intercepting your DNS queries, the DNS leak test sites listed under Additional Resource Links can give you some information about that.
The above tests are not perfect, but they do give you a good idea of your level of exposure. Plus, in this day and age of continuous exploits, it is just a good idea to secure your DNS queries from prying eyes.
To achieve the aforementioned goal we will be using a project called DNSCrypt-Proxy. It can be found at https://github.com/DNSCrypt/dnscrypt-proxy. Their installation documentation as of writing this is somewhat confusing and out of date. For these reasons, I will be guiding you through the process of installing and setting it up.
- First, you will need to SSH into your Pi-Hole server.
- Next, move to the opt directory.
- Now download the version of DNSCrypt-Proxy that supports the operating system and hardware you are using. Since I am using Ubuntu 20.04 on x86, I will download the following file: dnscrypt-proxy-linux_x86_64-2.0.44.tar.gz. Do this with this command
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_x86_64-2.0.44.tar.gz
- Next, Extract the program and make sure to change the file name to match the one you downloaded.
sudo tar xzvf dnscrypt-proxy-linux_x86_64-2.*.tar.gz
- Now we need to change the folder name of the extracted files.
sudo mv linux-x86_64 dnscrypt-proxy
- Then remove the compressed archive since we don’t need it anymore. Again make sure to change the file name to match the one you downloaded.
sudo rm dnscrypt-proxy-linux_x86_64-2.*.tar.gz
- Now we need to move into the newly created directory so that we can edit the configuration file.
- Make a copy of the example configuration file so that configuration is easier.
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
- Now we need to edit the configuration file.
sudo nano dnscrypt-proxy.toml
- In most cases, it is better to have more than one upstream DNS provider: if one goes down you can still use the internet, whereas with only one upstream provider you will not be able to use the internet until they are back online. For this reason, we will configure it to use Google and Cloudflare. I have found them to be the best for this setup. You will need to find the line starting with # server_names = [.
- Now edit that line to match the following
server_names = ['google', 'cloudflare']
- Next, find the line
listen_addresses = ['127.0.0.1:53']
and change it to read
listen_addresses = ['127.0.0.1:5300']
- Finally, find the line that reads
require_dnssec = false
and change it to true.
- Now exit and save by pressing Control and X on your keyboard and answer Yes to saving the file.
- We need to create a service for DNS-Crypt Proxy and that can be done with this command
sudo ./dnscrypt-proxy -service install
- Then we need to start the service with
sudo ./dnscrypt-proxy -service start
- Because the service runs as root, the following command needs to be run for the install to work. It grants the dnscrypt-proxy binary the cap_net_bind_service capability, which is what allows a process to bind ports below 1024.
sudo setcap cap_net_bind_service=+pe dnscrypt-proxy
- The last step is to change the upstream DNS server settings in the Pi-Hole Admin interface.
- You will want to make sure your settings match the above image: the upstream DNS server is the DNSCrypt-Proxy listener on the same machine, 127.0.0.1#5300 (Pi-Hole writes the port after a #). Then click Save.
- After this is completed I recommend that you reboot your Pi-Hole server with
Now you can test again with the tools listed earlier to see if you are still leaking DNS queries.
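The configuration edits in step 9 are easy to get subtly wrong in an editor (a stray leading #, or a listener left on 0.0.0.0 instead of 127.0.0.1). The script below is an added example, not part of this guide or of the DNSCrypt-Proxy project: it applies the three changes to a copy of the example file with sed and then checks the result. It assumes the layout of example-dnscrypt-proxy.toml as shipped in the 2.0.x releases (keys at the start of the line, server_names commented out with a single #); the short TOML excerpt embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the guide or the dnscrypt-proxy project): apply the
# three step-9 edits to dnscrypt-proxy.toml non-interactively and verify them.

# configure_dnscrypt_toml SRC DST
#   Copies SRC (normally example-dnscrypt-proxy.toml) to DST and rewrites:
#     server_names     -> ['google', 'cloudflare']  (two upstreams for redundancy)
#     listen_addresses -> ['127.0.0.1:5300']         (loopback only; Pi-hole forwards here)
#     require_dnssec   -> true
configure_dnscrypt_toml() {
  src="$1"; dst="$2"
  sed \
    -e "s|^# *server_names *=.*|server_names = ['google', 'cloudflare']|" \
    -e "s|^server_names *=.*|server_names = ['google', 'cloudflare']|" \
    -e "s|^listen_addresses *=.*|listen_addresses = ['127.0.0.1:5300']|" \
    -e "s|^require_dnssec *=.*|require_dnssec = true|" \
    "$src" > "$dst"
}

# check_dnscrypt_toml FILE
#   Returns 0 only when all three settings are present exactly as intended and
#   the listener is not exposed on every interface.
check_dnscrypt_toml() {
  f="$1"
  grep -qx "server_names = \['google', 'cloudflare'\]" "$f" &&
  grep -qx "listen_addresses = \['127.0.0.1:5300'\]" "$f" &&
  grep -qx "require_dnssec = true" "$f" &&
  ! grep -q "^listen_addresses = \['0.0.0.0" "$f"
}

# write_sample_toml FILE
#   Constructed excerpt of example-dnscrypt-proxy.toml: only the lines the
#   edit touches, plus neighbours that must be left untouched.
write_sample_toml() {
  cat > "$1" <<'EOF'
## List of servers to use
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
listen_addresses = ['127.0.0.1:53']
max_clients = 250
require_dnssec = false
require_nolog = true
EOF
}

# Demonstration on the constructed excerpt. Real use (as root, in
# /opt/dnscrypt-proxy):
#   configure_dnscrypt_toml example-dnscrypt-proxy.toml dnscrypt-proxy.toml
tmpdir=$(mktemp -d)
write_sample_toml "$tmpdir/example-dnscrypt-proxy.toml"
configure_dnscrypt_toml "$tmpdir/example-dnscrypt-proxy.toml" "$tmpdir/dnscrypt-proxy.toml"
if check_dnscrypt_toml "$tmpdir/dnscrypt-proxy.toml"; then
  echo "dnscrypt-proxy.toml: all three settings applied"
else
  echo "dnscrypt-proxy.toml: unexpected content, review it by hand" >&2
fi
```

After writing the real file, `sudo ./dnscrypt-proxy -check` parses the configuration and reports errors without starting the service, and once the service is running, `dig @127.0.0.1 -p 5300 example.com` from the Pi-Hole host confirms the listener answers before you point Pi-Hole at it.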
10. Locking Down Your Router
Now that you have completed securing your DNS queries with DNSCrypt-Proxy, you may notice that some devices are either still seeing ads or are not using your Pi-Hole server. This is because many devices, like the Amazon Fire Stick and Roku, and some software have baked-in DNS servers. This allows them to circumvent your Pi-Hole server. To stop this we need to make changes to your router.
*** Note *** The following changes can break your network and may not work on all routers, especially ISP-provided routers. Proceed at your own risk.
Luckily the changes needed are fairly simple. We will need to instruct your router to block ALL requests on port 53, both outbound and inbound, other than the traffic between your LAN clients and the Pi-Hole itself. The Pi-Hole no longer needs port 53 to the outside, because DNSCrypt-Proxy talks to its upstreams over an encrypted channel. Again, due to the sheer number of routers out there, you will need to look up instructions for your specific router on how to block traffic on specific ports. Keep in mind that this only catches plain DNS on port 53; a device that uses DNS over HTTPS on port 443 is not affected by this rule.
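For a router that runs Linux with nftables, the following is an added example (not from this guide) of what "block port 53 except to the Pi-Hole" looks like, together with a small report that reads the resulting firewall log lines to show which devices were trying to bypass the Pi-Hole. The Pi-Hole address, the interface names and the log lines are assumptions constructed for the example; replace the first three with your own values.

```shell
#!/bin/sh
# Added example (not part of the original guide): nftables rules for a
# Linux-based router that log and reject DNS on port 53 unless it goes to the
# Pi-hole, plus a summary of which LAN clients were caught bypassing it.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"   # assumed Pi-hole address
LAN_IF="${LAN_IF:-br-lan}"              # assumed LAN bridge on the router
WAN_IF="${WAN_IF:-eth0}"                # assumed WAN interface

# dns_egress_ruleset: prints an nftables table that
#   - in the forward path, lets LAN clients reach the Pi-hole on 53 (needed
#     when the Pi-hole sits on a routed segment such as another VLAN) and logs
#     and rejects every other forwarded packet to port 53, in either direction;
#   - in the input path, drops unsolicited DNS arriving from the WAN.
# Port 443 is untouched, so DNSCrypt-Proxy's encrypted upstream traffic keeps working.
dns_egress_ruleset() {
  cat <<EOF
table inet dns_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$LAN_IF" ip daddr $PIHOLE_IP udp dport 53 accept
    iifname "$LAN_IF" ip daddr $PIHOLE_IP tcp dport 53 accept
    udp dport 53 log prefix "DNS-BYPASS: " reject
    tcp dport 53 log prefix "DNS-BYPASS: " reject with tcp reset
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$WAN_IF" udp dport 53 drop
    iifname "$WAN_IF" tcp dport 53 drop
  }
}
EOF
}

# report_dns_bypass: reads kernel log lines on stdin and prints one line
# "client -> dns_server count" per LAN host hit by the DNS-BYPASS rule.
report_dns_bypass() {
  grep 'DNS-BYPASS:' | awk '
    {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (src != "" && dst != "") n[src " -> " dst]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Constructed log lines in the kernel LOG-target format; the last one is a
# different rule's log entry and must be ignored by the report.
SAMPLE_LOG='Jan  1 12:00:01 router kernel: DNS-BYPASS: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan  1 12:00:02 router kernel: DNS-BYPASS: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan  1 12:00:03 router kernel: DNS-BYPASS: IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40001 DPT=53
Jan  1 12:00:04 router kernel: ACCEPT-SSH: IN=br-lan OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP DPT=22'

# Demonstration. On the router itself the ruleset would be loaded with:
#   dns_egress_ruleset | nft -f -
# and the report would read the real log, e.g.:  journalctl -k | report_dns_bypass
echo "--- ruleset ---"
dns_egress_ruleset
echo "--- clients bypassing the Pi-hole (sample log) ---"
printf '%s\n' "$SAMPLE_LOG" | report_dns_bypass
```

On the sample log the report lists 192.168.1.50 talking to 8.8.8.8 twice and 192.168.1.77 talking to 1.1.1.1 once, which is exactly the list of devices whose DNS settings you then need to change, or which you can leave rejected if they offer no such setting.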
Now that you have completed this tutorial, you have a secure network-wide tracking and ad blocking DNS server setup. If you would like even more anonymity, combining this tutorial with Tor and/or a VPN is a good final step, and tutorials for these will be posted below.
Additional Resource Links
Below are links to the sources used in this tutorial and to additional information about the topics covered.
- Pi-Hole Project – https://Pi-Hole.net/
- DNSCrypt-Proxy Project – https://github.com/DNSCrypt/dnscrypt-proxy
- UFW Commands – https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
- Pi-Hole Forum Block Lists – https://discourse.Pi-Hole.net/t/update-the-best-blocking-lists-for-the-Pi-Hole-alternative-dns-servers-2019/13620
- Firebog Mirrored Block Lists – https://v.firebog.net/hosts/
- Pi-Hole Forum Commonly Whitelisted Domains List – https://discourse.Pi-Hole.net/t/commonly-whitelisted-domains/212
- GRC.com DNS Leak Test – https://www.grc.com/dns/dns.htm
- ExpressVPN DNS Leak Test – https://www.expressvpn.com/dns-leak-test
- Jeremy Campbell’s DNS Leak Test – https://www.dnsleaktest.com/
- IPLeak.net DNS Leak Test – https://ipleak.net/
- CloudFlare DNS Encryption Explained – https://blog.cloudflare.com/dns-encryption-explained/
- Brian Krebs Blog – https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/