How to Set Up Pi-hole on Your Home Network: Block Ads, Trackers, and Telemetry at the DNS Level

How to Set Up Pi-hole on Your Home Network: Block Ads, Trackers, and Telemetry at the DNS Level

Last updated: March 2026

Key Takeaways:

• Pi-hole is a free, open-source DNS sinkhole that blocks advertisements, tracking scripts, and telemetry across every device on your network — phones, laptops, smart TVs, IoT devices, and anything else that connects — without installing software on each device individually.
• The entire setup costs nothing beyond the hardware. A Raspberry Pi Zero 2 W ($15) or a Raspberry Pi 5 ($60-80) is all you need. Pi-hole itself is completely free, and this guide uses only free software at every step.
• Once configured as your network's DNS server, Pi-hole gives you visibility into every DNS query every device on your network makes — revealing which smart home devices phone home, which apps track you, and how much of your bandwidth goes to advertising infrastructure you never asked for.
• Pi-hole also serves as a critical security layer for home AI deployments. If you run local AI agents like OpenClaw, Ollama, or MCP servers on your network, Pi-hole blocks known malicious domains and telemetry endpoints at the DNS level before they ever reach your AI stack.

What Pi-hole Does and Why It Matters

Every time a device on your network tries to load a web page, open an app, or phone home to a server, it starts by making a DNS query — translating a domain name (like ads.doubleclick.net) into an IP address. Normally, these queries go to your ISP's DNS server or a public resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1), and they resolve every domain without question.

Pi-hole intercepts this process. It sits between your devices and the upstream DNS resolver, checking every query against a list of known advertising, tracking, and malicious domains. If a device tries to reach an ad server, a telemetry endpoint, or a known malware domain, Pi-hole returns a blank response instead of the real IP address. The request is silently dropped. The ad never loads. The tracker never fires. The malware never connects.

This happens at the network level, which means it works on devices where you cannot install a traditional ad blocker — smart TVs, gaming consoles, IoT sensors, smart speakers, baby monitors, and security cameras. If it connects to your Wi-Fi and makes DNS queries, Pi-hole can filter it.

The average household network makes thousands of DNS queries per hour. In typical deployments, Pi-hole blocks 15-30% of them. That is not a marginal improvement. It is a fundamental shift in how much of your network traffic is actually serving you versus serving advertisers and data brokers.

What Pi-hole Costs

Pi-hole is free and open-source software. There are no subscriptions, no premium tiers, and no per-device fees. The only cost is the hardware to run it on, and even that is minimal.

Lowest cost option: Raspberry Pi Zero 2 W ($15) — Enough to run Pi-hole for a small to medium home network (up to about 30 devices). Low power consumption (under 1 watt at idle). Requires a microSD card, a micro-USB power supply, and a micro-USB to Ethernet adapter if you want a wired connection (Wi-Fi works but wired is more reliable for a DNS server). Total cost with accessories: roughly $30-40. [Raspberry Pi Zero 2 W on Amazon — affiliate link]

Recommended option: Raspberry Pi 5 (4GB or 8GB) — More headroom for larger networks (50+ devices), faster query resolution, and the ability to run additional services alongside Pi-hole (such as Unbound for recursive DNS, or other lightweight network tools). A complete kit with case, power supply, and microSD card typically runs $80-120. [Raspberry Pi 5 Starter Kit on Amazon — affiliate link]

No-purchase option: If you already have a Linux machine running on your network — a home server, a mini-PC, an old laptop — you can install Pi-hole on it directly. Pi-hole consumes minimal resources (roughly 50MB of RAM and negligible CPU). It runs comfortably alongside other services. [Mini-PC on Amazon — affiliate link]

Ongoing costs: zero. Pi-hole uses no paid APIs, no cloud services, and no subscriptions. Electricity for a Raspberry Pi running 24/7 is roughly $3-5 per year at average U.S. residential rates.

What You Will Need

Before you begin, gather the following:

• A Raspberry Pi (any model from Pi Zero 2 W onward) or any Linux machine that will stay powered on
• A microSD card (16GB or larger) if using a Raspberry Pi — [microSD card on Amazon — affiliate link]
• A power supply appropriate for your Pi model — [Raspberry Pi power supply on Amazon — affiliate link]
• An Ethernet cable (recommended for reliability; Wi-Fi works but adds a point of failure for your DNS) — [Ethernet cable on Amazon — affiliate link]
• Access to your router's admin interface (to change DNS settings)
• A computer on the same network to access Pi-hole's web interface

Everything else is free software that you will download during setup.

Step 1: Prepare the Raspberry Pi

If you are installing Pi-hole on an existing Linux machine, skip to Step 2.

1. Download the Raspberry Pi Imager from the official Raspberry Pi website (raspberrypi.com/software) and install it on your computer.

2. Insert your microSD card into your computer.

3. Open the Raspberry Pi Imager. Select your Pi model. For the operating system, choose Raspberry Pi OS Lite (64-bit). This is a minimal installation without a desktop environment, which is all Pi-hole needs and leaves more resources available for DNS processing.

4. Before writing the image, click the gear icon (or "Edit Settings") to configure:

• Set a hostname (something like "pihole" so you can find it on your network)
• Enable SSH (under the Services tab) so you can manage the Pi remotely without plugging in a monitor
• Set a username and strong password
• If using Wi-Fi, enter your network credentials (though Ethernet is preferred for a DNS server)

5. Write the image to the microSD card. This takes a few minutes.

6. Insert the microSD card into the Raspberry Pi, connect the Ethernet cable to your router, and connect the power supply. The Pi will boot automatically.

7. Wait 2-3 minutes for the Pi to boot, then find its IP address. You can check your router's admin interface for connected devices, or try:

ping pihole.local

from another device on your network. Note this IP address — you will need it throughout the setup.

8. SSH into the Pi from your computer:

ssh your-username@pihole.local

Enter the password you set in step 4.

9. Update the system before installing anything:

sudo apt update && sudo apt upgrade -y

Step 2: Assign a Static IP Address

Your Pi-hole server needs a static IP address. If its address changes (which happens with DHCP), every device on your network will lose DNS resolution until you reconfigure your router.

The simplest approach is to set a DHCP reservation in your router rather than configuring a static IP on the Pi itself. This way the Pi still uses DHCP, but your router always assigns it the same address.

1. Log into your router's admin interface (typically 192.168.1.1 or 192.168.0.1 in a web browser).

2. Find the DHCP or LAN settings section. Look for "DHCP Reservation," "Static Lease," or "Address Reservation."

3. Add a reservation for your Pi's MAC address, assigning it a fixed IP address. Choose an address outside your router's normal DHCP range if possible, or simply reserve the address the Pi is currently using.

4. Save the settings. Some routers require a reboot for DHCP reservations to take effect.

If your router does not support DHCP reservations (some ISP-provided gateways lack this feature), you can set a static IP directly on the Pi by editing the network configuration. The Pi-hole installer will offer to do this for you in the next step.

Step 3: Install Pi-hole

Pi-hole's installation is a single command that launches an interactive installer.

1. SSH into your Pi (if you are not already connected) and run:

curl -sSL https://install.pi-hole.net | bash

2. The installer will walk you through several configuration screens. Here are the recommended choices:

Upstream DNS provider: Choose Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). Both are privacy-respecting resolvers that do not log your queries in personally identifiable form. Avoid using your ISP's DNS server — that defeats part of the privacy purpose. If you want maximum privacy, you can later configure Unbound for fully recursive DNS resolution (covered in the Advanced section below).

Blocklists: Accept the default Steven Black list. You can add more lists after installation.

Admin web interface: Yes, install it. The web interface is how you will monitor, configure, and troubleshoot Pi-hole.

Web server (lighttpd): Yes, install it. Required for the admin interface.

Log queries: Yes. Query logging is essential for understanding what your devices are doing. You can adjust the retention period later.

Privacy mode: Choose "Show everything" for initial setup so you can see exactly what Pi-hole is blocking. You can restrict this later if multiple people access the admin interface.

3. When the installation completes, it will display your admin interface URL and a randomly generated admin password. Write both down. The URL is typically http://your-pi-ip/admin and the password is shown on screen.

4. Change the admin password to something you choose:

pihole -a -p

Enter your new password when prompted. Use a strong, unique password — this interface shows every DNS query on your network.

5. Open the admin interface in your browser to confirm it is working: http://your-pi-ip/admin. Log in with your new password. You should see the Pi-hole dashboard, which will show minimal data until you point your network's DNS at it.

Step 4: Point Your Network at Pi-hole

Pi-hole does nothing useful until your devices actually send their DNS queries to it. You have two options for this, and the right choice depends on your router.

Option A: Change DNS on your router (recommended)

This is the preferred approach because it automatically covers every device that connects to your network, including devices where you cannot change DNS settings manually (smart TVs, IoT devices, game consoles).

1. Log into your router's admin interface.

2. Find the DNS settings. This is typically under WAN settings, Internet settings, DHCP settings, or LAN settings depending on your router manufacturer. Look for fields labeled "Primary DNS" and "Secondary DNS."

3. Set the Primary DNS to your Pi-hole's IP address.

4. For the Secondary DNS, you have a choice. Setting it to a public resolver (like 1.1.1.1) means your network will still resolve DNS if Pi-hole goes down, but some devices will randomly use the secondary server and bypass Pi-hole's filtering. Setting it blank (or to the same Pi-hole IP) means all DNS goes through Pi-hole, but a Pi-hole outage will take down DNS resolution for your entire network. For most home users, setting a public secondary DNS is the safer choice. You can always remove it later once you trust Pi-hole's stability.

5. Save and apply the settings. Some routers require a reboot.

6. On each device, you may need to renew the DHCP lease to pick up the new DNS settings. The fastest way is to disconnect and reconnect from Wi-Fi, or restart the device. Alternatively, wait — leases renew automatically, typically within a few hours.

Option B: Change DNS on individual devices

If your router does not allow DNS customization (common with some ISP-provided gateways), you can point individual devices at Pi-hole manually through their network settings. This works but requires configuration on every device and does not cover devices where DNS settings are not accessible (most IoT devices).

On each device, change the DNS server to your Pi-hole's IP address in the Wi-Fi or Ethernet settings. The exact path varies by operating system but is typically found under Wi-Fi settings, then the specific network, then advanced or IP settings.

If your ISP gateway forces its own DNS and does not allow changes, consider replacing it with your own modem and router. Using your own equipment gives you full control over DNS, firewall rules, and network configuration. It also eliminates the monthly rental fee most ISPs charge for their gateways.

Step 5: Verify Pi-hole Is Working

After pointing your DNS at Pi-hole, verify that it is actually intercepting and filtering queries.

1. Open the Pi-hole admin dashboard (http://your-pi-ip/admin). Within a few minutes of changing your DNS settings, you should see the query count rising and the "Queries Blocked" percentage increasing. A typical home network blocks 15-30% of queries.

2. Test ad blocking by visiting a website that normally shows ads. If the ads are gone or replaced with blank spaces, Pi-hole is working.

3. Test from a specific device by running a DNS lookup for a known ad domain:

nslookup ads.doubleclick.net

If Pi-hole is working, this should return 0.0.0.0 instead of a real IP address.

4. Check the Pi-hole dashboard's "Query Log" to see individual queries from your devices. You will likely be surprised by how many queries your smart TV, phone, and IoT devices make to advertising and telemetry domains even when you are not actively using them.

Step 6: Harden Your Pi-hole Installation

Pi-hole is now functional, but a few additional steps improve its security and reliability.

6.1 Secure the Admin Interface

The Pi-hole admin interface runs on HTTP by default (no encryption). On your local network this is generally acceptable, but if you want to access it remotely or if you share your network with untrusted devices, consider placing it behind an SSH tunnel:

ssh -L 8080:localhost:80 your-username@pihole.local

Then access the interface at http://localhost:8080/admin on your computer.

6.2 Enable the Host Firewall

Lock down the Pi to accept only the traffic it needs:

sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Port 22 is SSH. Port 53 is DNS (both TCP and UDP). Ports 80 and 443 are for the admin web interface. Everything else is blocked.

6.3 Keep Pi-hole Updated

Pi-hole updates regularly to fix bugs, improve performance, and update the block engine. Update with:

pihole -up

Also keep the underlying operating system updated:

sudo apt update && sudo apt upgrade -y

Run both commands at least monthly.

6.4 Set Up Automatic Gravity Updates

Pi-hole's blocklists (called "gravity") update weekly by default. You can trigger a manual update at any time:

pihole -g

Check the admin interface under Tools, then Update Gravity, to see when the last update ran.

Advanced: Unbound for Recursive DNS (Maximum Privacy)

By default, Pi-hole forwards your DNS queries to an upstream resolver like Cloudflare or Quad9. This means that resolver can see every domain you visit. For most users, these privacy-respecting resolvers are adequate. But if you want to eliminate the third-party resolver entirely, you can run Unbound alongside Pi-hole.

Unbound is a recursive DNS resolver. Instead of asking Cloudflare "what is the IP for example.com?", Unbound traces the query through the DNS hierarchy itself — asking the root servers, then the TLD servers, then the authoritative servers directly. No single third party sees your complete query history.

1. Install Unbound:

sudo apt install -y unbound

2. Download the root hints file (the addresses of the DNS root servers):

sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

3. Create the Unbound configuration file for Pi-hole integration:

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Add the following configuration:

server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

4. Restart Unbound:

sudo systemctl restart unbound

5. Test that Unbound resolves correctly:

dig example.com @127.0.0.1 -p 5335

You should get a valid response with an IP address for example.com.

6. In the Pi-hole admin interface, go to Settings, then DNS. Remove all upstream DNS servers (uncheck Cloudflare, Google, etc.). In the Custom DNS field, enter 127.0.0.1#5335 and save.

Pi-hole will now send all queries to your local Unbound instance, which resolves them directly against the authoritative DNS servers. No third-party resolver sees your traffic.

Adding Pi-hole to Your AI Infrastructure Stack

If you are running local AI services on your home network — such as OpenClaw with Home Assistant, a zero-cost Ollama + n8n + AnythingLLM stack, or MCP servers for AI tool integration — Pi-hole adds a valuable security layer.

Local AI tools download models, install plugins, and make API calls. Some of these connections reach telemetry endpoints, analytics services, or unknown third-party domains that you did not explicitly authorize. Pi-hole blocks these at the DNS level before they reach your AI stack, without requiring any configuration on the AI tools themselves.

More importantly, Pi-hole's query log gives you complete visibility into what your AI infrastructure is doing on the network. If an OpenClaw skill starts making unexpected DNS queries to unfamiliar domains, you will see it in the Pi-hole dashboard immediately. This is passive monitoring that costs nothing and catches supply chain compromises that would otherwise be invisible.

For best results, place your AI server and your Pi-hole on the same isolated network segment and configure the AI server to use Pi-hole as its sole DNS resolver. Our network security guide for local AI deployments covers the full isolation architecture in detail.

Troubleshooting Common Issues

Some websites break after enabling Pi-hole

Certain websites and services rely on domains that appear on blocklists — particularly login systems, CDNs, and payment processors. If a site stops working, check the Pi-hole query log for recently blocked domains (they appear in red). You can whitelist a specific domain through the admin interface under Whitelist. Only whitelist the specific domain that was blocked, not the entire site.

Smart TV apps stop working

Streaming apps on smart TVs often use their own ad domains that are also on blocklists. The fix is the same: check the query log, identify the blocked domain, and whitelist it if it is required for the app to function. Some smart TV manufacturers (notably Samsung and LG) hardcode DNS servers, bypassing Pi-hole entirely. If your smart TV ignores your network's DNS settings, you can create a firewall rule on your router that redirects all outbound DNS traffic (port 53) to your Pi-hole's IP address.

DNS resolution stops completely

If you lose all DNS resolution, the Pi-hole server has likely gone offline or become unreachable. Check that the Pi is powered on and connected to the network. If you set a secondary DNS in your router settings (Step 4), your network should fall back to the public resolver automatically. If not, temporarily change your DNS back to a public resolver (1.1.1.1 or 8.8.8.8) in your router settings while you troubleshoot the Pi.

High query volume from a single device

If you see one device generating thousands of queries per hour, it may be a sign of malware, aggressive telemetry, or a misconfigured app. Use the Pi-hole dashboard's "Top Clients" view to identify the device, then investigate what is running on it. This is one of Pi-hole's most valuable features — it makes otherwise invisible network behavior visible.

Ongoing Maintenance

Weekly: Check the Pi-hole dashboard briefly for anomalies — sudden spikes in queries or blocked percentage, unfamiliar domains in the top queries list, or devices making unusual numbers of requests.

Monthly: Run pihole -up to update Pi-hole. Run sudo apt update && sudo apt upgrade -y to update the OS. Review your whitelist and remove any entries you added for testing but no longer need.

Quarterly: Review your blocklists and consider adding community-maintained lists for specific categories (malware, telemetry, social media tracking) through the admin interface under Adlists. Update the Unbound root hints file if you are running recursive DNS.

Frequently Asked Questions

Does Pi-hole slow down my internet?

No. In most cases, Pi-hole makes your browsing faster. DNS resolution on a local Raspberry Pi typically takes 1-5 milliseconds, compared to 10-50 milliseconds for a query to a remote DNS server. Blocked queries return instantly (0 milliseconds) since Pi-hole does not need to reach any external server. Additionally, by blocking ads and trackers, Pi-hole reduces the total amount of data your browser downloads, which makes pages load faster on the content you actually want to see.

Can Pi-hole block YouTube ads?

Pi-hole has limited effectiveness against YouTube ads specifically. YouTube serves ads from the same domains as regular video content (googlevideo.com), so blocking the ad domain would also block the videos. This is a well-known limitation of DNS-level blocking. Browser-based ad blockers (like uBlock Origin) are more effective for YouTube because they can filter at the page content level rather than the DNS level. Pi-hole and browser ad blockers complement each other — use both.

What happens if my Raspberry Pi loses power?

If the Pi-hole server goes offline, DNS queries from your devices will either fail (if Pi-hole is your only DNS server) or fall back to your secondary DNS server (if you configured one in Step 4). Your internet connection itself is not affected — only DNS resolution. The fix is simple: restore power to the Pi. All settings and blocklists are stored on the SD card and survive a power cycle. For critical setups, consider a small UPS (uninterruptible power supply) for the Pi.

Can I run Pi-hole on the same device as my other home server software?

Yes. Pi-hole uses minimal resources — roughly 50MB of RAM and negligible CPU during normal operation. It runs comfortably alongside Home Assistant, Ollama, n8n, or any other service on a shared mini-PC or Raspberry Pi 5. The only potential conflict is port 80 (the web interface). If another service already uses port 80, you can change Pi-hole's web interface port during installation or afterward in the lighttpd configuration.

Is Pi-hole legal?

Yes. Pi-hole filters DNS queries on your own private network. You are not modifying anyone else's traffic or bypassing any access controls. It is functionally identical to choosing not to load content in your browser, which you are always free to do. Some websites may detect that ads are blocked and ask you to disable your ad blocker — Pi-hole cannot be "disabled" on a per-site basis the way a browser extension can, but you can whitelist specific domains if needed.

How is Pi-hole different from a browser ad blocker like uBlock Origin?

A browser ad blocker only works inside that specific browser on that specific device. Pi-hole works at the network level, covering every device and every application — including mobile apps, smart TVs, IoT devices, and games that a browser extension cannot reach. The tradeoff is that Pi-hole cannot filter content within a page (like YouTube ads served from the same domain as videos), while browser extensions can. The best setup is both: Pi-hole for network-wide DNS filtering, plus uBlock Origin in your browsers for page-level content filtering.

Can my ISP see that I am using Pi-hole?

Your ISP can see that your DNS queries go to a non-ISP resolver (if you use Cloudflare or Quad9 as your upstream), but they cannot see the content of those queries if you enable DNS-over-HTTPS or DNS-over-TLS. If you run Unbound for recursive DNS (covered in the Advanced section above), your ISP can see the individual queries to authoritative servers but not the full browsing pattern that a single upstream resolver would see. For maximum ISP privacy, combine Pi-hole with a VPN on your router — this encrypts all traffic, not just DNS.