Pi-hole: Network-Wide Ad Blocking for Your Entire Home
Block ads and trackers on every device in your home with Pi-hole. Complete Docker setup guide with blocklists, whitelisting, and performance optimization.
Posted by
Related reading
Private Cloud vs Public Cloud: When to Self-Host and When Not To
Understand when self-hosting makes sense and when public cloud is better. A practical guide to choosing between private cloud homelab and AWS/GCP/Azure services.
Homelab Documentation: Wiki.js vs BookStack for Self-Hosted Wikis
Document your homelab setup with self-hosted wikis. Compare Wiki.js and BookStack for creating searchable documentation of your infrastructure and procedures.
Docker Security Scanning: Trivy and Dockle for Safe Containers
Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.

Ads Are Everywhere - Until They're Not
Browser ad blockers are great, but they only work in browsers. What about your smart TV, phone apps, or IoT devices? Pi-hole blocks ads and trackers at the network level, protecting every device in your home without installing anything on them.
The result? Faster page loads, reduced bandwidth usage, and a significant privacy boost for your entire household.
How Pi-hole Works
Pi-hole acts as a DNS server for your network. When a device tries to load an ad or tracker, it asks Pi-hole for the domain's IP address. Pi-hole checks its blocklists and returns a null response for blocked domains, preventing the content from ever loading.
- Works on all devices - phones, tablets, smart TVs, IoT devices
- No client software needed
- Blocks ads in apps, not just browsers
- Reduces bandwidth and speeds up browsing
- Detailed statistics on what's being blocked
Docker Compose Setup
Here's a complete docker-compose.yml for Pi-hole:
version: "3.8"
services:
pihole:
image: pihole/pihole:latest
container_name: pihole
ports:
- "53:53/tcp"
- "53:53/udp"
- "80:80/tcp"
environment:
TZ: 'America/New_York'
WEBPASSWORD: '${PIHOLE_PASSWORD}'
PIHOLE_DNS_: '1.1.1.1;1.0.0.1'
DNSSEC: 'true'
QUERY_LOGGING: 'true'
volumes:
- ./etc-pihole:/etc/pihole
- ./etc-dnsmasq.d:/etc/dnsmasq.d
cap_add:
- NET_ADMIN
restart: unless-stoppedCreate a .env file with your password:
PIHOLE_PASSWORD=your_secure_password
Resolving Port 53 Conflicts
On many Linux systems, systemd-resolved occupies port 53. You'll need to disable it:
# Check if port 53 is in use sudo lsof -i :53 # If systemd-resolved is using it: sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved # Update resolv.conf sudo rm /etc/resolv.conf echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
Configure Your Router
For Pi-hole to protect all devices, configure your router to use Pi-hole as the DNS server:
- Log into your router's admin panel
- Find DHCP or DNS settings
- Set the primary DNS to your Pi-hole server's IP address
- Remove or set secondary DNS to Pi-hole as well
- Save and restart the router
Devices will pick up the new DNS settings when they renew their DHCP lease, or you can restart them manually.
Recommended Blocklists
Pi-hole comes with a default blocklist, but you can add more for better coverage:
# Popular blocklist sources (add via Admin > Group Management > Adlists) # Steven Black's Unified Hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts # Firebog Ticked Lists (safe, no false positives) https://v.firebog.net/hosts/lists.php?type=tick # OISD Full (comprehensive, well-maintained) https://big.oisd.nl/ # Developer Dan's Ads & Tracking https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
After adding lists, run pihole -g or use the web interface to update gravity.
Whitelisting Essential Domains
Some blocklists are aggressive and might break legitimate services. Common domains to whitelist:
# Access via Admin > Whitelist # Common false positives: # Microsoft login.live.com outlook.office365.com # Apple captive.apple.com gsp-ssl.ls.apple.com # Spotify spclient.wg.spotify.com # General www.googleadservices.com # (if you need Google Shopping)
Adding Unbound for Complete Privacy
For maximum privacy, add Unbound as a recursive DNS resolver. This means your DNS queries never go to external providers:
services:
pihole:
# ... previous config ...
environment:
PIHOLE_DNS_: '172.20.0.2#5335'
networks:
pihole_net:
ipv4_address: 172.20.0.3
unbound:
image: mvance/unbound:latest
container_name: unbound
volumes:
- ./unbound:/opt/unbound/etc/unbound
networks:
pihole_net:
ipv4_address: 172.20.0.2
restart: unless-stopped
networks:
pihole_net:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/24Monitoring Your Network
Pi-hole's dashboard shows fascinating statistics about your network:
- Total queries and percentage blocked
- Top permitted and blocked domains
- Top clients (devices) by query count
- Query log with detailed information
- Long-term statistics and trends
Most users find that 20-40% of their network's DNS queries are blocked. That's a lot of ads and trackers that never reach your devices!
Your Ad-Free Network
With Pi-hole running, every device on your network enjoys an ad-free, tracker-free experience. Smart TVs stop phoning home, apps load faster without ad networks, and your family's privacy improves dramatically.
Pi-hole is one of the highest-impact services you can run in a homelab - low resource usage, high benefit for everyone in your home.
