The Pi-hole admin dashboard doesn’t just show you what’s being blocked; it reveals the hidden conversations your devices are having with the internet.
Let’s say you have a smart TV, a couple of phones, a laptop, and a smart speaker. Without Pi-hole, they all talk to your router, which talks to your ISP’s DNS server, which then resolves domain names. With Pi-hole, they talk to Pi-hole, which talks to your chosen upstream DNS server (like Cloudflare or Google) and decides whether to block or allow the request.
Here’s what it looks like in action. Imagine you’ve just set up Pi-hole and are looking at the dashboard’s "Query Log."
You see a flurry of requests for connectivitycheck.gstatic.com. Your Android phone is checking if it can reach Google’s servers. Then, apple.com and icloud.com requests pop up – your iPhone is doing its thing. A few netflix.com requests indicate your smart TV is waking up.
The real power comes from understanding why these requests happen and how Pi-hole intercepts them.
The Pi-hole is a DNS sinkhole. When a device on your network asks for www.example.com, that request first hits the Pi-hole. Pi-hole checks its blocklists. If www.example.com is on a blocklist (because it’s a known ad server or a malicious domain), Pi-hole simply replies, "I don’t know what that is" (by returning a blank or non-routable IP address). The ad or malicious content never loads. If it’s not on a blocklist, Pi-hole forwards the request to an upstream DNS server (like 1.1.1.1) and returns the real IP address to your device.
The dashboard visualizes this. The "Total queries" number climbs rapidly. The "Queries Blocked" percentage shows your ad-blocking effectiveness. The "Top Clients" section tells you which device is making all those requests. You might be surprised to see your smart TV or a seemingly idle tablet is a huge chatterbox.
The "Query Log" is your forensic tool. Each entry shows the timestamp, the client’s IP address, the domain requested, and whether it was blocked or forwarded. This is how you discover new domains to block or identify devices that are sending an unusual amount of traffic.
To get to this point, you typically configure your router’s DHCP settings to hand out your Pi-hole’s IP address as the only DNS server. Alternatively, you can manually configure DNS settings on each individual device, but that’s a maintenance nightmare.
The "Settings" page is where you control the core behavior. The "DNS" tab lets you choose your upstream providers. You can select from pre-configured options like Cloudflare, Google, OpenDNS, or enter custom ones. You can also enable "Conditional Forwarding," which tells Pi-hole to ask your router for local hostnames (like my-printer.local) so they appear by name in the logs instead of just an IP.
The "Blocklists" tab is your arsenal. Pi-hole comes with some default lists, but you can add more from sources like firebog.net. These lists are just text files containing domain names. Pi-hole downloads and merges them. Updating these lists is crucial for staying effective. You can force an update from the command line with pihole -g.
Most users don’t realize that Pi-hole doesn’t just block based on domain name. It can also block based on IP address. If a malicious IP is known to host multiple harmful domains, adding that IP to the blocklist can prevent access to any domain originating from it. This is handled by the gravity.sh script, which compiles all your lists into an efficient format for blocking.
The "Network" tab is a newer addition that offers a visual representation of your network and which devices are communicating with the Pi-hole, providing a different perspective than the query log.
You can also set up "Whitelisting" for specific domains you want to allow, even if they are on a blocklist. This is common for legitimate services that might be flagged by overly aggressive lists.
The "Teleporter" feature is your backup and migration tool. It allows you to export your entire configuration – blocklists, whitelists, blacklists, settings – into a single file, which you can then import to restore your Pi-hole or set up a new one.
The next rabbit hole you’ll likely fall down is understanding how to leverage Pi-hole’s DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) capabilities to encrypt your DNS queries between the Pi-hole and your upstream provider.