How to Block Ads and Trackers at the Network Level With Pi-hole
Learn how to block ads and trackers at the network level with Pi-hole — a powerful DNS sinkhole that protects every device on your home network.
If you are tired of ads following you around the internet, popups hijacking your browser, and invisible trackers logging your every click, you are not alone. Most people reach for a browser extension like uBlock Origin and call it a day. That works fine for one device, one browser. But what about your smart TV, your phone, your kids' tablets, your smart fridge? Browser extensions cannot help you there.
That is where Pi-hole comes in.
Pi-hole is a DNS-based ad blocker that works at the network level, meaning it filters ads and trackers for every single device on your home network — without installing anything on those devices. It sits between your router and the internet, intercepts DNS queries, and silently drops the ones pointing to known ad servers and trackers before they ever reach your screen.
It runs on a Raspberry Pi (hence the name), a spare laptop, a virtual machine, or even a Docker container. It is free, open-source, and once you set it up, it runs quietly in the background doing its job around the clock.
This guide walks you through exactly how Pi-hole works, how to install it, how to configure it properly, and how to squeeze the most out of it for both privacy protection and performance. No fluff — just a clear, step-by-step path from zero to a fully functional network-wide ad blocker.
What Is Pi-hole and How Does It Work?
Pi-hole is a DNS sinkhole. To understand why that matters, you need to understand what DNS does.
Every time you visit a website, your device does not actually know where that site lives on the internet. It asks a DNS server to translate the domain name (like ads.doubleclick.net) into an IP address. Normally, your router sends those queries upstream to your ISP's DNS server, which dutifully looks everything up.
Pi-hole intercepts those DNS queries first. It compares each requested domain against a blocklist of known ad servers, tracking domains, and malware hosts. If the domain is on the list, Pi-hole returns a dummy response (basically saying "that address does not exist") and the ad or tracker never loads. If the domain is clean, the query passes through normally.
The result is network-level ad blocking that works passively across your entire network. Your devices do not know anything is happening. The ads simply never show up.
What Pi-hole Blocks
- Display ads from ad networks like Google Ads, DoubleClick, and others
- Tracking pixels and analytics scripts (Google Analytics, Facebook Pixel, etc.)
- Telemetry and data collection from apps and operating systems
- Malware and phishing domains
- Cryptocurrency mining scripts
What Pi-hole Cannot Block
Pi-hole is not magic. It cannot block first-party ads — ads served from the same domain as the content you are actually visiting. YouTube ads, for example, are served from Google's own servers and will not be blocked by Pi-hole alone. For those, you still need a browser extension.
What You Need to Get Started
Before you install Pi-hole, you need a device to run it on. Here are your main options:
1. Raspberry Pi — The classic setup. A Raspberry Pi 4 or even a Pi Zero 2W works perfectly. This is the most popular option because it is cheap, low-power, and runs 24/7 without complaint.
2. An old PC or laptop — Any old machine running Linux will do. Ubuntu, Debian, and Fedora are all supported.
3. A Virtual Machine — If you run a home server with Proxmox, VirtualBox, or VMware, you can spin up a lightweight Debian VM just for Pi-hole.
4. Docker — Pi-hole has an official Docker image that makes deployment extremely straightforward if you already use Docker.
For this guide, we will focus on the Raspberry Pi setup, which is the most common, but the Pi-hole installation steps are nearly identical across all platforms.
Hardware and Software Requirements
- Raspberry Pi (any model, but Pi 3 or 4 recommended)
- A microSD card (8GB minimum)
- Raspberry Pi OS Lite installed (headless setup works great)
- Your home network's router credentials
- A static IP address for the Pi
Step 1: Set Up Your Raspberry Pi
Download Raspberry Pi Imager from the official Raspberry Pi website and flash Raspberry Pi OS Lite to your microSD card. During setup, enable SSH so you can connect remotely without needing a monitor or keyboard.
Once your Pi boots up, SSH into it:
ssh pi@192.168.x.x
Before installing anything, update your system:
sudo apt update && sudo apt upgrade -y
Now assign your Raspberry Pi a static IP address. This is important. If Pi-hole's IP changes, your whole network loses DNS and you will be scrambling to fix it.
You can set a static IP either in the Pi's network configuration or, more reliably, in your router's DHCP settings by reserving an IP for the Pi's MAC address. The router method is cleaner.
Step 2: Install Pi-hole
Pi-hole has a one-line installer. Run this in your terminal:
curl -sSL https://install.pi-hole.net | bash
The installer walks you through a text-based setup wizard. Here is what to pay attention to:
Choosing an Upstream DNS Provider
Pi-hole needs an upstream DNS server to forward legitimate queries to. During installation, it will ask you to choose one. Your options include:
- Cloudflare (1.1.1.1) — Fast and privacy-focused
- Google (8.8.8.8) — Very fast, but Google logs your queries
- Quad9 (9.9.9.9) — Blocks malicious domains, good privacy policy
- OpenDNS — Good for families, offers content filtering
For most people, Cloudflare or Quad9 is the best choice for privacy and speed. You can also run Unbound as a local recursive DNS resolver, which we will cover later — this is the most private option.
Default Blocklists
The installer will ask if you want to install default blocklists. Say yes. These default lists block millions of known ad and tracking domains out of the box.
Admin Web Interface
Pi-hole includes a web dashboard. You will be given an admin password at the end of installation. Write it down. You can access the dashboard at http://pi.hole/admin or http://[your-pi's-IP]/admin.
Step 3: Configure Your Router to Use Pi-hole
Installing Pi-hole is only half the job. You need to tell your network to actually use it.
Method 1: Change DNS in Your Router (Recommended)
Log into your router's admin panel. Find the DNS settings — usually under LAN settings or DHCP server settings. Replace the primary DNS with your Pi's static IP address. Clear the secondary DNS, or set it to the same IP. This pushes Pi-hole as the DNS server to every device on your network automatically.
Method 2: Set DNS Per Device
If you cannot or do not want to change your router settings, you can manually set the DNS server on individual devices to point to Pi-hole. This works but is tedious and does not cover smart home devices.
A Note on DoH (DNS over HTTPS)
Some browsers and apps use DNS over HTTPS (DoH) to bypass your network's DNS settings entirely. Firefox does this by default. If you want Pi-hole to catch everything, you should disable DoH in your browsers. In Firefox, go to Settings > Privacy & Security > DNS over HTTPS and turn it off, or set it to "Default Protection" so it uses your system DNS.
Step 4: Add Blocklists to Pi-hole
The default blocklists are solid, but you can dramatically improve your ad and tracker blocking by adding more. Pi-hole uses Adlists — URLs that point to community-maintained lists of bad domains.
To add a blocklist:
- Go to your Pi-hole admin dashboard
- Click Adlists in the left menu
- Paste the URL of a blocklist and click Add
Some well-respected blocklists to add:
- Steven Black's Hosts — A comprehensive combined list that includes ads, trackers, fake news, gambling, porn, and more (you can use just the base list)
- oisd.nl — One of the most curated, low-false-positive lists available
- EasyList and EasyPrivacy — Standard browser extension lists, also available in hosts format
After adding lists, go to Tools > Update Gravity in the dashboard to rebuild Pi-hole's database. This is the step that actually loads all the new domains into the blocking engine.
Step 5: Use the Pi-hole Dashboard to Monitor and Tune
The Pi-hole web interface gives you a real-time view of everything happening on your network. This is where the real power becomes obvious.
What You Can See
- Total queries in the last 24 hours
- Percentage of queries blocked
- Top blocked domains — tells you which ad networks are most aggressive on your network
- Top clients — shows which devices are making the most DNS requests
- Query log — a detailed, real-time log of every DNS query
Whitelisting Domains
Sometimes Pi-hole blocks something it should not — a legitimate service that happens to share infrastructure with an ad network. This is called a false positive. When something breaks on your network, check the query log and look for blocked domains related to the problem.
To whitelist a domain, go to Whitelist and add it there. Pi-hole will stop blocking it immediately.
Blacklisting Specific Domains
You can also manually blacklist domains that are not on any public list. Go to Blacklist and add whatever you want blocked. This is useful for blocking specific services, social media, or anything you want gone from your network.
Step 6 (Optional): Run Unbound for Full DNS Privacy
If you want to go even further with privacy protection, consider setting up Unbound as a local recursive DNS resolver alongside Pi-hole.
Here is the problem with upstream DNS providers: even if you trust Cloudflare or Quad9, you are still sending all your DNS queries to a third-party server. That server can see every domain you visit, build a profile, and in some jurisdictions be compelled to share that data.
Unbound eliminates this by resolving DNS queries directly — starting at the root DNS servers and working down the chain without ever sending your queries to a third-party resolver.
To set it up:
sudo apt install unbound -y
Then configure Pi-hole to use 127.0.0.1#5335 as its upstream DNS (the local Unbound instance). This keeps every single DNS query on your own hardware, under your control. It is the gold standard for home network privacy.
Maintaining Pi-hole Long-Term
Pi-hole is low-maintenance, but a few habits will keep it running well:
- Update gravity regularly — Once a week is plenty. Your blocklists get stale otherwise.
- Keep Pi-hole updated — Run
pihole -upfrom the command line to update to the latest version. - Monitor false positives — The first few weeks after setup, occasionally check if anything on your network is broken. Nine times out of ten, a broken app or website is caused by an overly aggressive blocklist entry.
- Back up your configuration — Use Teleporter in the Pi-hole dashboard (Settings > Teleporter) to export your settings. If your SD card dies, you will want that backup.
Pi-hole vs. Other Ad Blocking Methods
| Method | Coverage | Devices Covered | Setup Difficulty |
|---|---|---|---|
| Browser Extension | Browser only | One browser | Very easy |
| VPN with ad blocking | All traffic | One device | Easy |
| Pi-hole (network-level) | DNS queries | All devices | Moderate |
| pfSense + pfBlockerNG | All traffic | All devices | Hard |
Pi-hole hits the sweet spot between coverage and complexity. It is not as granular as a browser extension for cosmetic filtering, but it covers your entire home network — every phone, tablet, TV, game console, and IoT device — without any software on those devices.
Common Issues and How to Fix Them
DNS is not resolving: Check that your router is actually using Pi-hole's IP as the DNS server. Run nslookup google.com [pi-hole-ip] from any device to test.
Everything is being blocked: You may have an overly aggressive blocklist. Temporarily disable Pi-hole (there is a Disable button in the dashboard) to test, then identify the culprit list.
Pi-hole dashboard shows no queries: Your devices are not using Pi-hole as DNS. Go back and check your router settings.
Pi-hole keeps going offline: Check your SD card health. Pi-holes running 24/7 on cheap SD cards can develop card corruption over time. Consider running Pi-hole on an SSD or USB drive instead.
Conclusion
Pi-hole is one of the most practical tools you can add to your home network. By acting as a DNS sinkhole, it silently blocks ads, trackers, telemetry, and malicious domains for every device in your home — without any software installed on those devices. Setting it up takes a couple of hours, and once it is running, it largely takes care of itself. From choosing the right hardware and upstream DNS provider to fine-tuning your blocklists, customizing your whitelist, and optionally going fully private with Unbound, Pi-hole gives you real, meaningful control over what your network communicates with — and what it does not.
