Pi-hole: Network-Wide Ad Blocking and DNS Management

Date: 2025-11-24
Tags: Networking, Privacy, DNS, Self-Hosting
Author: Wissam Ztaoui


Introduction

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. By acting as your network’s Domain Name System (DNS) server, it blocks requests to known tracking and advertising domains at the network level. This guide covers deploying Pi-hole via Docker and configuring it for maximum privacy using Unbound.


1. Deployment via Docker Compose

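Running Pi-hole in Docker keeps it isolated from the host and makes updates easy. Below is a docker-compose.yml configuration; replace the placeholder password and host IP with your own values before starting it.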

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'Europe/Paris'
      WEBPASSWORD: 'securepassword123' # Change this
      FTLCONF_LOCAL_IPV4: '192.168.1.10' # Your Host IP
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN # Required for DHCP features
    restart: unless-stopped

Installation Steps

  1. Create a directory for Pi-hole.
  2. Save the above YAML to docker-compose.yml.
  3. Run the container:
    docker-compose up -d

2. Configuration

Accessing the Admin Interface

Navigate to http://<YOUR_SERVER_IP>/admin and log in with the password defined in your compose file.

Updating Blocklists

Pi-hole comes with a default blocklist. To enhance protection, add reputable lists (e.g., from Firebog) under Group Management > Adlists.

Regex Blocking

For advanced filtering, use Regular Expressions.
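
A dry run for candidate regex filters, added here as an example (it is not from the original post or from the Pi-hole project): it checks a pattern against domains it should catch and domains it must leave alone, showing how an unanchored pattern over-blocks. The sample domains, the two patterns and the function names are constructed for illustration, and it assumes grep -E is close enough to Pi-hole's extended-regex matching for a first check.

```shell
#!/bin/sh
# Dry-run candidate Pi-hole regex filters against sample domains before adding them.
# grep -E is POSIX ERE, which is close to (not identical with) Pi-hole's regex engine.

# Constructed sample data: one domain per line, reserved example.* names only.
BLOCK_SAMPLE=$(mktemp)   # domains the filter is meant to catch
ALLOW_SAMPLE=$(mktemp)   # domains that must keep resolving
trap 'rm -f "$BLOCK_SAMPLE" "$ALLOW_SAMPLE"' EXIT
cat > "$BLOCK_SAMPLE" <<'EOF'
ads.example.com
ads2.example.net
cdn.ads.example.org
EOF
cat > "$ALLOW_SAMPLE" <<'EOF'
downloads.example.com
uploads.example.net
roads.example.org
EOF

# Lines of FILE ($2) that PATTERN ($1) matches, i.e. domains it would block.
blocked_by() { grep -E -- "$1" "$2" || true; }

# Lines of FILE ($2) that PATTERN ($1) does not match, i.e. domains it lets through.
missed_by() { grep -Ev -- "$1" "$2" || true; }

# Number of non-empty lines in the string $1.
count_lines() { printf '%s\n' "$1" | grep -c . || true; }

# Print a verdict for PATTERN ($1): SAFE only if nothing is over-blocked or missed.
verdict() {
    over=$(blocked_by "$1" "$ALLOW_SAMPLE")
    miss=$(missed_by "$1" "$BLOCK_SAMPLE")
    if [ -z "$over" ] && [ -z "$miss" ]; then
        echo "SAFE"
    else
        echo "REVIEW overblocked=$(count_lines "$over") missed=$(count_lines "$miss")"
    fi
}

LOOSE='ads'                      # unanchored: matches "ads" anywhere in the name
ANCHORED='(^|\.)ads[0-9]*\.'     # "ads" or "adsN" only as a whole DNS label

echo "loose:    $(verdict "$LOOSE")"
echo "anchored: $(verdict "$ANCHORED")"
blocked_by "$LOOSE" "$ALLOW_SAMPLE" | sed 's/^/  over-blocked by loose: /'
```

Replace the two sample lists with domains from your own query log before trusting a verdict.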


3. Recursive DNS with Unbound

By default, Pi-hole forwards allowed DNS requests to an upstream provider (such as Google or Cloudflare). For true privacy, you can run your own recursive DNS resolver using Unbound. Unbound contacts the root servers directly, bypassing third-party logging.

Adding Unbound to Docker Compose

  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    ports:
      - "5335:53/udp"
      - "5335:53/tcp"
    restart: unless-stopped

Configuring Pi-hole

In the Pi-hole Admin Interface, go to Settings > DNS.

  1. Uncheck all upstream DNS providers.
  2. Check Custom 1 (IPv4) and enter: 172.20.0.X#5335 (Use the internal Docker IP of the Unbound container or map it correctly).

4. DHCP Server

If your router does not allow changing DNS settings, you can use Pi-hole as your DHCP server.

  1. Disable DHCP on your router.
  2. Enable DHCP in Pi-hole (Settings > DHCP).
  3. Restart your devices to renew their leases.

Conclusion

Pi-hole is a critical component of a privacy-focused home lab. It reduces bandwidth usage, improves page load times, and protects user privacy across the entire network infrastructure.

