Pi-Hole stores dnsmasq configuration in /etc/dnsmasq.d. Each one has it’s own DNS and DHCP services, so in order to have things resolve correctly I add the config to Pi-Hole. In particular, I have three networks: home, work, and lab. I do this mostly because my network is uncommonly complex. Last, but not least, I am adding some extra config options to Pi-Hole’s FTL (a.k.a. I have used all three of these, and they all work well, however at the moment I’m using NextDNS. Simply follow the guide here to deploy UnBound with Pi-Hole. If you don’t want to use anyone else’s DNS service, you can also configure your own resolver on your Pi-Hole instance. NextDNS also offers an excellent service (which I prefer!) and their client can be configured the same way as the CloudFlare client with Pi-Hole. If you want to adopt DoH/DoT for your outbound DNS traffic, I would recommend following this guide from Pi-Hole, which configures the cloudflared client on your Pi-Hole. I prefer DoT over DoH, so I take measures to actively block DoH on my firewall by blocking all traffic to the most common DoH servers, such as Google and CloudFlare. I’m a big fan of privacy and encourage you to use whatever secure DNS method you like, either DNS over HTTPS (DoH) or DNS over TLS (DoT). It will resolve host names for DHCP addresses it gives out, but any other result is forwarded. Pi-Hole uses dnsmasq (technically a fork, but the functionality we care about is identical), which means that it’s only a DNS forwarder.
To quickly get the list of sites to populate Pi-Hole’s list of lists, simply download from here. The latter meaning that there is some potential to break popular and/or desirable sites. I’ve trained my family to let me know when a site they visit is broken or misfunctioning, so I don’t mind using the “non-crossed lists”, meaning the ones with a check or > next to them. I find that the owner, WaLL圓K does a great job identifying new and cleaning up old lists, as well as the metadata about how prone the list is to breaking things other than ads. Specifically, I use the list of lists found at. To block all the things I want blocked I use a number of additional lists.
I’ll also assume that you’re capable of updating your network and/or clients to use the Pi-Hole.
I use a virtual machine (running CentOS 7.7) to host my instance, but you can use a RaspberryPi, almost any old hardware, even a container on an existing Linux machine if you’d like. I’m going to assume you are able to follow the Pi-Hole deployment instructions and get everything up and running in the default configuration. Additionally, I use Pi-Hole for DHCP on my network, having made the change when I moved from a pfSense router to a USG. I’m a bit over zealous, so I like to block ads, trackers, malware, and many other things. The default configuration is very good, particularly if you want to simply block the majority of ads. Anyway, it’s one of my favorite projects and I highly encourage anyone and everyone to check it out! Even if you don’t want to use the ad-blocking feature, the reporting and logging I find to be very helpful. Pi-Hole has been a staple of my homelab for several years now.