Pi-hole Setup Guide on Raspberry Pi

Introduction

This comprehensive guide will take you step-by-step through the process of setting up Pi-hole on a Raspberry Pi, turning it into a network-wide ad blocker and DNS server. By using Raspberry Pi OS (64-bit), configuring a static IP address, and incorporating tools like Unbound and additional adlists, you’ll enhance the privacy and ad-blocking capabilities of your home network. In addition to improving your online privacy, Pi-hole can also potentially boost network speed by reducing DNS query time and blocking unwanted ad traffic. Whether you’re new to Raspberry Pi or familiar with network setups, this guide will provide you with the knowledge and steps needed to successfully deploy Pi-hole in your environment.

Prerequisites

• Raspberry Pi (most models will work)
• Raspberry Pi OS (we’ll be using 64-bit)
• SD Card (OS will be installed on it)
• SSH or Raspberry Pi Connect (optional but recommended)
• Network access and basic networking knowledge

---

Step 1: Prepare the Raspberry Pi OS

1. Download and install Raspberry Pi Imager
   • Choose Raspberry Pi OS (64-bit) as the operating system.
2. In Raspberry Pi Imager options, configure the following:
   • Set a hostname for your Raspberry Pi.
   • Enable SSH and set a username and password.
   • Set your locale settings (timezone, language, etc.).
3. Write the image to the SD card, then insert it into your Raspberry Pi.
4. Power on the Raspberry Pi:
   • Log in via SSH or use Raspberry Pi Connect (official software) to access the console.

---

Step 2: Update and Upgrade the Raspberry Pi

After logging into the Pi’s console, run the following commands to update the package list and upgrade the system:

sudoapt update && sudo apt upgrade -y

---

Step 3: Configure a Static IP Address

For Pi-hole to work properly as a DNS server, the Raspberry Pi must have a static IP address.

3.1 Find Your Network Information

Before configuring a static IP, you’ll need to gather some information about your network:

• Gateway IP (Router’s IP): This is typically your router’s IP address, such as 192.168.1.1.
  • On Windows, open Command Prompt and run ipconfig. Look for the Default Gateway.
  • On macOS/Linux, run ifconfig or ip route | grep default in the terminal.
• Subnet: The subnet mask is usually 255.255.255.0 or /24.

3.2 Edit the dhcpcd.conf File

Now that you have your network details, configure the static IP address.

1. Open the dhcpcd.conf file for editing: sudo nano /etc/dhcpcd.conf
2. Scroll to the # Example static IP configuration section.
3. Add or modify it as follows, using your network information:
   • interface eth0 static ip_address=192.168.1.144/24
     • Replace with your desired static IP.
   • static routers=192.168.1.1
     • Replace with your router’s IP (gateway).
   • static domain_name_servers=192.168.1.1 1.1.1.1
     • First, your router’s IP; second, a public DNS server like 1.1.1.1.
4. Save the file (CTRL+X, Y, Enter).

3.3 Reboot the Raspberry Pi

To apply the new network settings, reboot the Raspberry Pi:

sudo reboot

Once rebooted, ensure that the Raspberry Pi only has one static IPv4 address by running:

ip addr

You should only see the static IP (192.168.1.144 in this case) under the eth0 interface.

---

Troubleshooting: If Static IP Keeps Changing to Dynamic

If your Raspberry Pi keeps receiving a dynamic IP instead of holding the static IP:

1. Double-check the static IP configuration in /etc/dhcpcd.conf and ensure that the configuration for the eth0 interface is correct.
2. If the static IP still doesn’t hold:
   • Try adding the following line at the top of your dhcpcd.conf file to explicitly deny dynamic IP assignment on the Ethernet interface:
     • denyinterfaces eth0
3. If these steps don’t work, or if your Raspberry Pi keeps getting reassigned a dynamic IP from the router, set up a DHCP reservation on your router.

Set Up a DHCP Reservation on Your Router (Alternative to dhcpcd.conf static IP):

1. Log into your router’s web interface (usually found at 192.168.1.1 or 192.168.0.1).
2. Navigate to the DHCP Reservation or LAN Setup section.
3. Find the Raspberry Pi in the list of connected devices.
4. Set a DHCP reservation (also called static lease) for the Raspberry Pi’s MAC address, assigning it the desired IP (e.g., 192.168.1.144).
5. Save the changes and reboot your router and Raspberry Pi.

---

Important Note About VPNs and Pi-hole DNS

If you use a VPN on any of your devices, understand that the Pi-hole DNS may be overridden by the VPN provider’s DNS settings. When a device is connected to a VPN, the DNS queries may be routed through the VPN’s DNS server rather than the Pi-hole. This means Pi-hole’s functionality will not apply to that device while it’s connected to a VPN with that configuration.

If you want Pi-hole to work while connected to a VPN, you’ll need to configure your VPN to use Pi-hole as the DNS server, or disable the VPN DNS override.

---

Step 4: Install Pi-hole

Now that your Raspberry Pi is using the static IP address (whether configured via dhcpcd.conf or via DHCP reservation), install Pi-hole by running the following command:

curl -sSL https://install.pi-hole.net | bash

During the installation process, you’ll be prompted to make the following configuration choices in this order:

1. Choose the upstream DNS provider: Select Cloudflare.
2. Blocklist: When prompted, accept StevenBlack’s Unified Hosts List as your blocklist.
3. Install the admin web interface: Choose Yes when asked to install the admin web interface for easy management.
4. Install the web server for the admin interface: Choose Yes to install the web server that will host the Pi-hole web interface.
5. Enable query logging: Select Yes to enable query logging, which will allow you to view all DNS queries handled by Pi-hole.
6. Select a privacy mode for FTL (Pi-hole’s internal resolver): Choose “Show everything”.

---

Step 5: Finish Pi-hole Installation and Note Credentials

At the end of the installation process, Pi-hole will provide a summary, including:

• The IP address where Pi-hole is installed (your static IP).
• The login credentials for the Pi-hole web interface (default password).

It is highly recommended that you change the default admin password for the Pi-hole dashboard. You can change it by running this command:

sudo pihole -a -p

You will be prompted to enter a new password or leave it blank to remove the password entirely.

---

Step 6: Configure Your Router to Use Pi-hole

To make Pi-hole your network’s primary DNS server, you need to configure your router’s DNS settings. Here’s how:

1. Log into your router’s web interface (usually found at 192.168.1.1 or 192.168.0.1).
2. Navigate to the DNS settings section (usually under LAN or DHCP settings).
3. Set your Primary DNS to the IP address of your Pi-hole (e.g., 192.168.1.144).
4. Set a Secondary DNS server in case Pi-hole goes offline. You can use a reliable public DNS server as your secondary:
   • Cloudflare DNS: 1.1.1.1
   • Google DNS: 8.8.8.8
   • OpenDNS: 208.67.222.222
5. Save the settings and reboot your router if necessary.

By setting the Primary DNS to your Pi-hole and the Secondary DNS to a public DNS server, you ensure that your network will fall back to the public DNS server if Pi-hole goes offline.

---

Step 7: Access the Pi-hole Dashboard

You can now access the Pi-hole web interface by navigating to:

http://192.168.1.144/admin

Log in with the admin password that was provided at the end of the installation or the password you set if you’ve changed it.

---

Step 8: Add Adlists from Firebog.net

To avoid blocking too many websites, you should limit the number of additional blocklists you use.

1. In the Pi-hole dashboard, navigate to Group Management > Adlists.
2. Visit Firebog.net’s list of recommended adlists.
3. Scroll through the lists and select no more than two adlists per category. Make sure to only pick URLs highlighted in green text (those are safe and reliable lists).
4. Copy the URLs of the selected adlists and add them one by one into the Adlists section in your Pi-hole dashboard.
5. Click Add after each URL and then click Update to save the adlists.

---

Step 9: Update Pi-hole Gravity

After adding the new adlists, you need to update Pi-hole’s Gravity, which fetches and compiles the blocklists:

1. Go back to the Dashboard of the Pi-hole admin interface.
2. Navigate to Tools.
3. Click on Update Gravity.

This will pull in the latest blocklists, ensuring that the Pi-hole is up to date and can block the unwanted domains listed in the new adlists.

---

Step 10: Set Pi-hole to Respond Only on Interface eth0

After updating Gravity:

1. In the Pi-hole dashboard, click on Settings.
2. Go to the DNS tab.
3. Scroll down to the Interface settings section.
4. Select Respond only on interface eth0.
   • This ensures Pi-hole will only respond to DNS queries on the Ethernet connection (eth0) and not on any other interfaces (such as Wi-Fi).
5. Click Save to apply the changes.

---

Step 11: Verify Queries in the Pi-hole Dashboard

As long as you’ve properly set up the DNS settings in your router, you should start seeing DNS queries going through your Pi-hole in the Dashboard section of the Pi-hole admin interface.

If you don’t see queries right away, or things aren’t working as expected, you may need to:

1. Reboot your router.
2. Reboot your Raspberry Pi.

This will ensure that all devices on your network are directed to the Pi-hole for DNS queries.

---

Manually Override DNS for Windows PC

Windows is known to hold onto old DNS configurations as well as bugs prioritizing secondary servers, it’s just safer and more consistent to hardcode your preferred DNS server into your network settings. You can do this through your network IPv4 properties. Use the IP address of your Raspberry Pi as the primary DNS and set your secondary DNS to whichever public one you would like just as a backup.

---

Step 12: Install Unbound

Unbound is a recursive DNS resolver that will work alongside Pi-hole to handle DNS queries locally rather than relying on third-party upstream DNS providers. To install Unbound, follow these steps:

1. Install Unbound by running the following command:bashCopy codesudo apt install unbound -y
2. Create a new Unbound configuration file: You’ll need to edit a configuration file to set up Unbound properly for use with Pi-hole. Run: sudo nano -w /etc/unbound/unbound.conf.d/pi-hole.conf
3. Copy the following configuration into the file you just opened:
   • server: # If no logfile is specified, syslog is used
   • # logfile: "/var/log/unbound/unbound.log"
   • verbosity: 0
   • interface: 127.0.0.1 port: 5335 do-ip4: yes do-udp: yes do-tcp: yes
   • # May be set to yes if you have IPv6 connectivity
   • do-ip6: no
   • prefer-ip6: no
   • harden-glue: yes
   • harden-dnssec-stripped: yes
   • use-caps-for-id: no
   • edns-buffer-size: 1232
   • prefetch: yes
   • num-threads: 1
   • so-rcvbuf: 1m
   • private-address: 192.168.0.0/16
   • private-address: 169.254.0.0/16
   • private-address: 172.16.0.0/12
   • private-address: 10.0.0.0/8
   • private-address: fd00::/8
   • private-address: fe80::/10
4. Restart the Unbound service: Once you’ve saved the configuration, restart the Unbound service to apply the changes: sudo service unbound restart
5. Save and exit:
   • After pasting the text, press CTRL+X to exit.
   • Press Y to confirm saving the changes.
   • Press ENTER to confirm the file name and save.
6. Check Unbound status: To verify that Unbound is running properly, check its status with:
   • sudo service unbound status

---

Step 13: Using Unbound with Pi-hole

Now that Unbound is installed and running, you need to configure Pi-hole to use Unbound as its DNS resolver instead of the public DNS provider (like Cloudflare) that you set during the installation process.

Follow these steps:

1. Log into the Pi-hole Admin Interface:
   • Open your web browser and navigate to the Pi-hole admin page: http://192.168.1.144/admin
   • Log in with your Pi-hole admin password.
2. Navigate to Settings > DNS:
   • Once logged in, go to the Settings page, then click on the DNS tab.
3. Uncheck existing DNS providers:
   • In the Upstream DNS Servers section, uncheck the boxes next to Cloudflare, or whichever DNS provider you selected during the initial Pi-hole setup.
4. Add Unbound as a custom DNS resolver:
   • Scroll down to the Custom 1 (IPv4) field under Custom DNS.
   • Enter the following value: 127.0.0.1#5335 This tells Pi-hole to forward DNS queries to Unbound, which is running on the same device (localhost) on port 5335.
5. Save your changes:
   • Scroll down and click Save to apply the new DNS configuration.

---

Conclusion

You’ve successfully installed and configured Pi-hole on your Raspberry Pi, creating a powerful network-wide ad-blocking and DNS filtering system. Along with improved privacy and ad-blocking, your network may also experience faster load times and reduced bandwidth usage, thanks to Pi-hole’s ability to block ad traffic and optimize DNS resolution. By integrating Unbound as a local recursive DNS resolver and adding customizable adlists, your network is now more efficient and streamlined. Remember to keep Pi-hole updated and consider adjustments for VPN compatibility if needed to maintain optimal performance. Enjoy both your ad-free browsing experience and the potential network speed benefits!