Pi-hole, when installed, doesn’t just block ads; it fundamentally changes how your network resolves domain names, acting as a local DNS resolver that forwards requests to upstream servers.

Here’s Pi-hole in action, serving DNS requests for a typical home network. Imagine a device on your network (like a laptop) wants to visit example.com.

  1. The laptop sends a DNS query for example.com to its configured DNS server, which you’ve set to your Pi-hole’s IP address (e.g., 192.168.1.5).
  2. Pi-hole receives the query. It first checks its local ad-blocking lists. If example.com (or a subdomain like ads.example.com) is on a blocklist, Pi-hole immediately returns a null IP address (0.0.0.0) to the laptop, and the ad never loads.
  3. If example.com is not blocked, Pi-hole checks its DNS cache. If it’s already resolved this domain recently, it returns the cached IP address to the laptop.
  4. If it’s not blocked and not cached, Pi-hole forwards the query to one of its configured upstream DNS servers (e.g., Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8).
  5. The upstream server resolves example.com and returns the IP address to Pi-hole.
  6. Pi-hole adds this IP address to its cache and then returns it to the laptop.
  7. The laptop then uses this IP address to fetch the content of example.com directly from the web server.

This process happens for every device on your network that is configured to use Pi-hole for DNS.

The Problem Pi-hole Solves

At its core, Pi-hole solves two primary problems: ad-blocking at the network level and providing network-wide DNS insights.

  • Network-Wide Ad Blocking: Instead of installing ad-blocking software on every single device (which is impossible for smart TVs, game consoles, or IoT devices), Pi-hole acts as a central ad-blocker. By changing your router’s DHCP settings to hand out Pi-hole’s IP as the DNS server, all devices on your network automatically use it.
  • DNS Insights & Control: Pi-hole provides a web interface that shows you exactly which domains are being queried by your devices. This is invaluable for understanding network traffic, identifying potential malware communication, or even just seeing which apps are phoning home the most. You can also create custom blocklists or allowlists for fine-grained control.

Internal Mechanics: The Core Components

  1. dnsmasq (or unbound): This is the workhorse. Pi-hole typically uses a modified version of dnsmasq (though unbound is an increasingly popular alternative for enhanced privacy and recursive resolution). It handles DNS queries, caching, and forwarding.
  2. Blocklists: These are plain text files containing domain names that Pi-hole should block. Pi-hole downloads and merges many community-maintained lists.
  3. Gravity Sync (pihole -g): This command downloads the latest versions of all your blocklists, merges them into a single database that dnsmasq can use, and updates the dnsmasq configuration.
  4. Web Interface (lighttpd): This provides the dashboard for monitoring, configuring, and managing your Pi-hole instance.
  5. Conditional Forwarding: A key feature where Pi-hole can forward queries for your local network domains (e.g., myrouter.local) to your router, ensuring local hostnames resolve correctly.

Configuration Levers

  • Upstream DNS Servers: You choose where Pi-hole forwards non-blocked queries. Options range from public DNS providers like Cloudflare (1.1.1.1, 1.0.0.1) and Google (8.8.8.8, 8.8.4.4) to privacy-focused ones like Quad9 (9.9.9.9) or even your own recursive resolver if you set one up (like unbound). You can select multiple and Pi-hole will use them in a round-robin fashion.
  • Blocklists: You can add or remove URL sources for blocklists. More lists mean more blocking but can slightly increase the time it takes for Gravity to update.
  • Whitelisting/Blacklisting: Manually add specific domains to always allow or always block, overriding the downloaded lists.
  • DHCP Server: Pi-hole can act as your network’s DHCP server, automatically assigning IP addresses and telling devices to use Pi-hole for DNS. This is the easiest way to get all devices on your network using Pi-hole.
  • Conditional Forwarding: Configure Pi-hole to forward queries for your local domain (e.g., lan, local) to your router’s IP address (e.g., 192.168.1.1).
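To make the seven-step flow and the configuration levers concrete, here is a small Python model of the decision a Pi-hole-style resolver makes for each query: conditional forwarding for the local domain, then the block decision (a manual allow entry overriding the blacklist and the merged blocklists), then the cache, then a round-robin pick of an upstream. It is an added example written for this article, not Pi-hole's own code; the `ToyPihole` class, `make_fake_upstream`, and the `SAMPLE_ZONES` table are constructed for the demonstration, and the documentation-range addresses in it are made-up answers, not real DNS data.

```python
import time
from collections import deque

NULL_ANSWER = "0.0.0.0"  # the "null" reply Pi-hole hands back for a blocked name


class ToyPihole:
    """A toy Pi-hole-style forwarder: local domain, then block, then cache, then forward."""

    def __init__(self, upstreams, gravity, whitelist=(), blacklist=(),
                 local_domains=None, cache_ttl=60, clock=time.monotonic):
        self.upstreams = deque(upstreams)        # rotated round-robin per forwarded query
        self.gravity = set(gravity)              # the merged blocklists that `pihole -g` builds
        self.whitelist = set(whitelist)          # manual allow entries override the lists
        self.blacklist = set(blacklist)          # manual block entries
        self.local_domains = dict(local_domains or {})  # suffix -> router IP
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.cache = {}                          # name -> (answer, expiry time)
        self.stats = {"blocked": 0, "cached": 0, "forwarded": 0, "local": 0}

    def resolve(self, name, send_upstream):
        """Answer one query; send_upstream(server_ip, name) does the network round trip."""
        name = name.lower().rstrip(".")
        # Conditional forwarding: names under the local domain go straight to the router.
        for suffix, router in self.local_domains.items():
            if name == suffix or name.endswith("." + suffix):
                self.stats["local"] += 1
                return send_upstream(router, name)
        # Block decision: an allowlisted name is never blocked, whichever list it is on.
        if name not in self.whitelist and (name in self.blacklist or name in self.gravity):
            self.stats["blocked"] += 1
            return NULL_ANSWER
        # Cache lookup, honouring expiry.
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            self.stats["cached"] += 1
            return hit[0]
        # Forward to the next upstream in rotation, cache the answer, return it.
        upstream = self.upstreams[0]
        self.upstreams.rotate(-1)
        answer = send_upstream(upstream, name)
        self.cache[name] = (answer, now + self.cache_ttl)
        self.stats["forwarded"] += 1
        return answer


def make_fake_upstream(zones):
    """Stand-in for the network: answers from a constructed table and records every send."""
    sent = []

    def send(server, name):
        sent.append((server, name))
        return zones.get(name, "NXDOMAIN")

    return send, sent


# Constructed sample data (documentation-range addresses, not real DNS answers).
SAMPLE_ZONES = {
    "example.com": "203.0.113.10",
    "cdn.example.net": "203.0.113.20",
    "tracker.example.net": "203.0.113.30",
    "myrouter.lan": "192.168.1.1",
}


def demo():
    """Walk the flow for a handful of queries and return answers, stats and upstream traffic."""
    pihole = ToyPihole(
        upstreams=["1.1.1.1", "8.8.8.8"],
        gravity={"ads.example.com", "tracker.example.net"},
        whitelist={"tracker.example.net"},     # allowlisted despite being on a blocklist
        local_domains={"lan": "192.168.1.1"},  # conditional forwarding to the router
    )
    send, sent = make_fake_upstream(SAMPLE_ZONES)
    names = ["ads.example.com", "example.com", "example.com",
             "tracker.example.net", "myrouter.lan", "cdn.example.net"]
    answers = [pihole.resolve(n, send) for n in names]
    return answers, dict(pihole.stats), sent


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the second `example.com` query never leaves the box (it is served from cache), `tracker.example.net` is forwarded even though a blocklist contains it, and the two upstreams alternate across the forwarded queries. The `clock` parameter exists so cache expiry can be exercised without waiting.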

When you configure Pi-hole to use upstream DNS servers that support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), such as Cloudflare or Google, the DNS queries from your Pi-hole to those upstream servers are encrypted. This means your ISP cannot see the domain names you are requesting, only that you are communicating with the IP address of the DoH/DoT provider. This is distinct from the encryption (or lack thereof) of the actual web traffic (HTTP vs. HTTPS) between your device and the destination website.

The next thing you’ll likely encounter is managing query logging and understanding the "Top Clients" and "Top Blocked" sections of the dashboard, which are crucial for network troubleshooting and optimization.
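The "Top Clients" and "Top Blocked" views are just aggregations over the query log, and reproducing them yourself is a good way to understand what the dashboard is counting. The following Python is an added example, not part of the article or of Pi-hole; the `SAMPLE_LOG` lines are constructed to resemble the dnsmasq-style query log Pi-hole writes (a `query[...] ... from <client>` line followed by a `gravity blocked ... is 0.0.0.0` line when a name is blocked), and the `summarize` and `noisy_clients` helpers are assumptions made for the demonstration, not dashboard code.

```python
import re
from collections import Counter

# Constructed sample log in a dnsmasq-style format; these lines are made up for
# this example and are not a capture from a real network.
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar 10 12:00:01 dnsmasq[1234]: forwarded example.com to 1.1.1.1
Mar 10 12:00:01 dnsmasq[1234]: reply example.com is 203.0.113.10
Mar 10 12:00:02 dnsmasq[1234]: query[A] ads.example.com from 192.168.1.20
Mar 10 12:00:02 dnsmasq[1234]: gravity blocked ads.example.com is 0.0.0.0
Mar 10 12:00:03 dnsmasq[1234]: query[A] tracker.example.net from 192.168.1.42
Mar 10 12:00:03 dnsmasq[1234]: gravity blocked tracker.example.net is 0.0.0.0
Mar 10 12:00:04 dnsmasq[1234]: query[AAAA] tracker.example.net from 192.168.1.42
Mar 10 12:00:04 dnsmasq[1234]: gravity blocked tracker.example.net is ::
Mar 10 12:00:05 dnsmasq[1234]: query[A] example.com from 192.168.1.42
Mar 10 12:00:05 dnsmasq[1234]: cached example.com is 203.0.113.10
Mar 10 12:00:06 dnsmasq[1234]: query[A] ads.example.com from 192.168.1.42
Mar 10 12:00:06 dnsmasq[1234]: gravity blocked ads.example.com is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is (\S+)$")


def summarize(log_text):
    """Return Top Clients, Top Blocked and each client's blocked share from a query log."""
    queries = Counter()          # queries per client
    blocked_domains = Counter()  # block events per domain
    blocked_by_client = Counter()
    last_client_for = {}         # the block line follows its query line, so remember who asked
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _qtype, domain, client = m.groups()
            queries[client] += 1
            last_client_for[domain] = client
            continue
        m = BLOCK_RE.search(line)
        if m:
            domain = m.group(1)
            blocked_domains[domain] += 1
            blocked_by_client[last_client_for.get(domain, "unknown")] += 1
    blocked_share = {c: round(blocked_by_client[c] / n, 2) for c, n in queries.items()}
    return {
        "top_clients": queries.most_common(),
        "top_blocked": blocked_domains.most_common(),
        "blocked_share": blocked_share,
    }


def noisy_clients(summary, min_queries=3, min_share=0.5):
    """Clients with an unusually high blocked share: a starting point for a closer look."""
    return sorted(c for c, n in summary["top_clients"]
                  if n >= min_queries and summary["blocked_share"][c] >= min_share)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Top Clients:", report["top_clients"])
    print("Top Blocked:", report["top_blocked"])
    print("Worth a look:", noisy_clients(report))
```

The blocked-share figure is the useful extra over the two dashboard lists: a device whose queries are mostly blocked, or that keeps asking for the same blocked name, is exactly the "phoning home" pattern the article mentions, and this is where you would start when deciding whether a client needs a closer look.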
