What is Pi-hole?

Pi-hole is a DNS sinkhole: a network-wide, DNS-level ad and malware blocker that enforces domain blocklists. The idea is simple: you point it to blocklists that are available on the internet (it comes with one pre-enabled), and it takes care of preventing any of your devices from reaching those domains. Common examples are activity-tracking websites and malware domains that should never be contacted.

How does it work?

For Pi-hole to work, it needs to be the default DNS resolver for all the devices on the network. But how do we achieve that, since most of them configure themselves dynamically using DHCP? We make this happen by modifying the DHCP settings on the router/DHCP server to hand out the Pi-hole's IP as the DNS server rather than the default. For the strict security admins out there, you can also add redirection rules that send any outbound traffic on port 53 from a source IP other than Pi-hole itself to Pi-hole, so that no device can bypass it. A good point to remember is that usually two DNS servers are listed, and devices can use either of them. If Pi-hole is one of them and the other is a normal DNS server, you will not get complete protection, as devices are still free to use the other entry for DNS. You can either have only one entry or run multiple instances of Pi-hole for redundancy, since DNS is a core component for accessing the internet. I talk more about it in the next article. Once the devices talk to Pi-hole for their DNS needs, it can look up a list of configured bad domains and refuse to return the IP addresses for such requests.

Where/How can I install it?

Pi-hole can be installed on a wide variety of platforms. The most common ones are a $35 Raspberry Pi (or a $10 Raspberry Pi Zero too!) or an Ubuntu machine running as a virtual machine or on bare metal. Installation is as simple as running the single command shown below in the terminal, regardless of whether you want it installed as a Docker container or on the host itself, and you are off to the races. The automated installer is very simple: confirm that a static IP is set on the host, set the upstream resolvers, accept the default web server for administration, and that's it. You can then navigate to http://<IP>/admin to configure your freshly baked installation of Pi-hole. For further instructions on supported operating systems and advanced configuration options, head over to Pi-hole for more information.

curl -sSL https://install.pi-hole.net | bash

What to block?

Pi-hole comes with a pre-installed blocklist with 98996 entries (as of writing this) located here. A blocklist is a simple list of IP-address-to-domain mappings, separated by a space, with one entry per line, as you would see in an /etc/hosts file. To add more, head over to the Pi-hole UI > Group Management > Adlists, and enter the URL of another list.

A good collection of such lists for various categories can be found at blocklistproject/Lists.
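
The hosts-style blocklist format described above can be parsed and checked before it is added as an adlist. The following is an added example, not code from Pi-hole or the original article; the sample list, the function names and the exact-match lookup are assumptions made for illustration.

```python
# Added example: parse a hosts-format blocklist and make a sinkhole decision.
# SAMPLE_LIST is constructed for illustration; it is not taken from a real list.
import re

SAMPLE_LIST = """\
# Title: constructed sample
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
127.0.0.1 malware.example.org
not-a-valid-line
0.0.0.0 bad_host!.example.com
"""

# Names that hosts-format lists carry for the local machine, never for blocking.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_valid_domain(name):
    """Accept only multi-label names made of well-formed DNS labels."""
    return (len(name) <= 253 and "." in name
            and all(LABEL.match(label) for label in name.split(".")))


def parse_hosts_blocklist(text):
    """Return the set of domains listed in hosts-format text."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed
        for name in map(normalize, fields[1:]):   # a hosts line may carry several names
            if name not in LOCAL_NAMES and is_valid_domain(name):
                domains.add(name)
    return domains


def is_blocked(qname, blocklist):
    """Exact-match lookup (an assumption of this example): subdomains are not implied."""
    return normalize(qname) in blocklist


BLOCKED = parse_hosts_blocklist(SAMPLE_LIST)
```

Rejecting malformed lines and local names up front keeps a third-party list from silently adding junk entries or sinkholing `localhost`.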