There are roughly thirty Pi-hole tutorials on the first page of Google for “set up pi-hole.” Most of them are accurate but incomplete. They tell you how to install Pi-hole. They do not tell you how to set it up so that it actually works for your household, survives a router reboot, recovers from your kid unplugging the power cable, and does not leak your DNS to your ISP when something fails.
This guide is the version that includes the parts the other tutorials skip. It is targeted at the Raspberry Pi 5 because that is the current model, but everything except a few specifics applies to a Pi 4, Pi Zero 2 W, or any small Linux SBC.
By the end you will have a Pi-hole running, blocking ads at the network level for every device on your home wifi, with sensible defaults that do not break common sites, with a backup of your config, and with monitoring that warns you if it goes down.
What you need
A Raspberry Pi 5 (4 GB or 8 GB model, either works for Pi-hole alone). About $60 to $80 depending on the variant.
A microSD card, at least 32 GB. SanDisk Extreme or Samsung Pro Endurance are reliable choices, around $15.
A USB-C power supply rated for the Pi 5. The official Raspberry Pi 5 power supply (5 V, 5 A, 27 W) is what the Pi 5 actually wants. Cheaper power supplies work but can cause stability issues under load. About $12.
An ethernet cable. Pi-hole works over wifi but ethernet is more reliable, and you want this device to be reliable.
Optional but recommended: a small heatsink case for the Pi 5. The Pi 5 runs warmer than older models and benefits from passive cooling. About $15.
Total hardware cost: roughly $100 to $120.
You also need: a free static or static-ish IP available on your home network for the Pi to live at, and admin access to your home router so you can change DNS settings.
Step 1, prepare the SD card
Download Raspberry Pi Imager from raspberrypi.com/software. Install on your laptop.
Insert the microSD card via a USB SD card reader. In Raspberry Pi Imager:
- Choose Device: Raspberry Pi 5
- Choose OS: Raspberry Pi OS Lite (64-bit). Avoid the desktop version for a server use case.
- Choose Storage: your SD card.
Click the gear icon for advanced settings before flashing:
- Set hostname: pi-hole.local (or whatever you prefer)
- Enable SSH: yes, with public key authentication
- Set username and password
- Configure wifi: leave blank if using ethernet (recommended)
- Set locale: your timezone and keyboard layout
Click Save, then Write. Wait 5 to 10 minutes for the flash and verify steps to complete.
Step 2, first boot
Eject the SD card from your laptop, insert into the Pi, plug in the ethernet cable, plug in the power. The green LED should blink for a minute or two as the Pi boots.
Find the Pi’s IP address. The easiest method: log into your router’s admin panel, find the DHCP leases list, look for the device with hostname pi-hole.local. It will have an IP like 192.168.1.42.
SSH from your laptop:
ssh [email protected]
If using public key auth as recommended, this should work immediately. If you set a password, you will be prompted for it.
Update the system before doing anything else:
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove -y
sudo reboot
Wait a minute, then SSH back in.
Step 3, set a static IP
This is critical. Pi-hole’s whole job is being the DNS server for your network. If its IP changes (because of DHCP renewal), every device on your network suddenly has no DNS and the internet appears to be broken.
Two ways to do this. Easier method: in your router’s admin panel, find the Pi’s DHCP entry, and convert it to a “DHCP reservation” or “static lease.” This binds the Pi’s MAC address to its current IP forever, while still using DHCP for the negotiation. The exact menu varies by router, but every modern router supports this.
Harder but more independent method: configure the Pi itself with a static IP via /etc/dhcpcd.conf or NetworkManager. Skip this unless your router does not support DHCP reservations.
After the change, reboot the Pi and SSH back in to confirm the IP did not change.
Step 4, install Pi-hole
The official install script:
curl -sSL https://install.pi-hole.net | bash
This launches an interactive installer. Notes on the prompts:
- Network interface: select eth0 if using ethernet (recommended).
- Upstream DNS provider: choose Quad9 (filtered) or Cloudflare. Avoid Google. The Custom option lets you specify NextDNS, ControlD, or your own. For now, use Quad9 to get going; you can change later.
- Block lists: install the default StevenBlack list. You can add more later.
- Web admin interface: install yes.
- Web server (lighttpd): install yes.
- Log queries: yes (you can disable later if you want maximum privacy).
- Privacy mode for FTL: 0 = Show everything (start here, adjust if needed).
The installer takes 5 to 10 minutes. At the end it prints the admin URL and the random admin password. Note both.
Step 5, point your network at Pi-hole
This is the moment when Pi-hole becomes the DNS server for your network.
Log into your router admin panel. Find the DNS settings (usually under “WAN,” “Internet,” or “DHCP” depending on router). Set:
- Primary DNS: 192.168.1.42 (your Pi’s IP)
- Secondary DNS: leave blank, or set to 1.1.1.1 (Cloudflare) as a fallback
Critical detail about secondary DNS: if you set a non-Pi-hole secondary DNS, your devices may use it instead of Pi-hole when the network is loaded, defeating the ad blocking. Best practice is to leave secondary DNS blank, accepting that if Pi-hole goes down, internet appears broken until you fix it. The alternative (running two Pi-holes for redundancy) is overkill for most households.
Save router settings. The change usually takes effect on existing devices within minutes (when their current DNS lease expires) or you can manually disconnect and reconnect.
Step 6, verify it is working
On any device connected to your network:
nslookup doubleclick.net
You should see Pi-hole’s IP returned (because doubleclick.net is on the default ad blocklist). If you see a real IP, Pi-hole is not in the path.
Or visit pi.hole/admin in a browser. The dashboard should show recent queries from your devices.
Browse a few websites that you know have ads (a major news site, a free game site). The ads should be visibly absent or, in some cases, the spaces where ads used to be will show empty boxes.
Step 7, the parts other tutorials skip
A working Pi-hole is the easy part. Making it survive real life requires a few more steps.
Block list management. The default StevenBlack list is good. The Pi-hole community maintains a curated list at firebog.net. Add a few more lists from there:
- StevenBlack (already installed)
- Adaway
- Disconnect.me trackers
- OISD basic
Avoid the temptation to install every list. False positives compound. Four well-curated lists are better than fifty aggressive lists that break your banking site.
In the admin web interface: Adlists, paste the URL, Add, then Tools, Update Gravity to refresh.
Conditional forwarding. By default, Pi-hole’s logs show your devices by IP only. To see device names, enable conditional forwarding (Settings, DNS, Advanced DNS settings). This sends local hostname queries back to your router for resolution.
Backup. Pi-hole has a built-in teleporter feature for backing up your config (Settings, Teleporter, Backup). Download the backup file to a safe location every few months. Without this, if your SD card dies, you will rebuild from scratch.
External monitoring. Set up an UptimeRobot account (free), add a check that pings your Pi’s IP every 5 minutes. If Pi-hole goes down (SD card failure, power loss, anything), you get an email within 5 minutes instead of finding out an hour later when nothing on your network resolves DNS.
UPS, optional but recommended. Pi-holes typically die during power outages and bring your network down with them. A small UPS for the Pi (around $40) keeps it running through brief outages.
DNSSEC. Enable DNSSEC validation in Settings, DNS. This adds cryptographic verification of DNS responses, blocking some attack vectors. Default off; turn it on.
Step 8, troubleshooting common problems
Some devices ignore the router’s DNS setting. Apple devices, some IoT devices, and some smart TVs hard-code DNS to Google (8.8.8.8) or Cloudflare (1.1.1.1) and bypass your local DNS configuration. To fix this, you can either configure DNS at the per-device level on those devices (annoying), or add a firewall rule on your router to block outbound DNS to anything except your Pi-hole (more reliable but harder to set up).
Some sites break with Pi-hole enabled. The CDN or analytics service powering the site is on a blocklist. Use the Query Log to find the blocked domain, then add it to your allowlist (Domains, Whitelist).
Pi-hole web interface unreachable. SSH to the Pi and run sudo systemctl status pihole-FTL and sudo systemctl status lighttpd. Restart whichever is failing.
Network slow or inconsistent. Check the Pi’s CPU usage in the admin dashboard. If it is consistently above 50 percent, you might be on too many block lists with too many devices. Reduce list count.
Step 9, advanced setup, optional
Pi-hole as VPN exit. Combined with Wireguard or Tailscale, your Pi can act as a privacy DNS for your phone when you are away from home, blocking ads on cellular too. The PiVPN project automates this; it adds about 30 minutes of setup on top of Pi-hole.
Multiple Pi-holes for redundancy. For households where DNS uptime is critical, running two Pi-holes and using a tool like Gravity Sync or Orbital Sync to keep them in sync is the answer. This is more complex than most households need.
Local hostname resolution. Pi-hole can act as your local DNS for internal devices (homeassistant.local, plex.local, etc.). Configure under Local DNS Records.
What this stack gives you
Network-level ad and tracker blocking for every device on your home network, including smart TVs and IoT devices that have no other way to block ads. Approximate impact: 15 to 30 percent fewer requests to ad networks, faster page loads, less data going to tracking services.
A small Linux server you can SSH into and use for other things. Pi-holes typically use less than 5 percent of the Pi’s CPU. Adding Tailscale, a small Adguard Home setup, a personal RSS reader, or other lightweight services on the same Pi works fine.
A useful diagnostic tool. The query log shows what your devices are actually doing on the network. Most users learn surprising things about their household traffic in the first month.
What this stack does not give you
Encryption of your DNS queries to your upstream provider. Pi-hole sends queries to whatever upstream you configured, in plaintext by default. To add encryption, configure the upstream as DoH or DoT via Cloudflared as a sidecar, or run Unbound on the same Pi as a recursive resolver. We will write a separate guide for this configuration.
Protection when you are off your home network. Pi-hole only works for devices on your home wifi. Phone on cellular: not protected. Laptop at a coffee shop: not protected. For mobile protection, you need either a VPN that points DNS at your Pi-hole (via Tailscale), or NextDNS / similar hosted DNS configured per-device.
Anti-malware protection. Pi-hole blocks ads and trackers, not active malware delivery. Layer with other tools (browser-level uBlock Origin, OS-level antivirus if you use Windows) for full coverage.
A working setup that stays working without occasional attention. Pi-hole needs maintenance: monthly block list updates, occasional troubleshooting, the rare power cycle. Plan for 30 minutes per quarter of operational time after initial setup.
Pi-hole official site | Raspberry Pi Imager
Related: Encrypted DNS friendly guide, 13 things I wish someone had told me before self-hosting, VPS specs guide