Pi-hole’s wildcard DNS feature lets you block entire subdomains using patterns, not just individual entries.

Here’s Pi-hole blocking ads.example.com and sub.ads.example.com with a single wildcard rule.

```bash
# On your Pi-hole host, run this to add a wildcard for all subdomains of example.com
sudo pihole --wildcard add example.com
```

This creates a 0.0.0.0 (or NXDOMAIN if configured) record for *.example.com in Pi-hole’s gravity database. When a DNS query for sub.ads.example.com arrives, Pi-hole checks its gravity list. It finds a match for *.example.com and immediately returns the blocked IP address without forwarding the query to upstream DNS servers. This is incredibly efficient for blocking entire domains that frequently use subdomains for tracking or advertising.

The core problem Pi-hole’s wildcards solve is the sheer volume of unique subdomains used by advertisers and trackers. Manually blocking each one is an endless, frustrating game of whack-a-mole. Wildcards provide a scalable, pattern-based solution. Instead of adding a.ads.example.com, b.ads.example.com, c.ads.example.com, you add a single wildcard *.ads.example.com.

Internally, Pi-hole stores these wildcards in its gravity database, which is essentially a large, optimized list of domain-to-IP mappings. When a DNS query comes in, Pi-hole performs a lookup against this database. For wildcards, it checks for patterns that match the requested domain. The * in *.example.com acts as a true wildcard, matching any sequence of characters, including empty strings, before the . in the domain name. So, mail.example.com, www.example.com, and even example.com itself (if *.example.com is the only entry for example.com in gravity) can be matched by *.example.com.
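To make the matching rule above concrete, here is an added example (not Pi-hole's own code) that models a wildcard lookup in Python: each wildcard is turned into an anchored pattern of the form (\.|^)example\.com$, which is the shape Pi-hole's wildcard option expands to, so a rule matches the apex and every subdomain but never a look-alike such as notexample.com. The rule list, the blocked address and the upstream resolver are constructed for this example.

```python
import re

def wildcard_to_regex(domain: str) -> re.Pattern:
    """Turn "*.example.com" or "example.com" into an anchored pattern.

    "(\\.|^)" forces the match to start at a label boundary and "$" pins it to
    the end of the name, so "notexample.com" and "example.com.evil.test" are
    NOT matched by a rule for example.com, while the apex and all subdomains are.
    """
    base = domain.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return re.compile(r"(\.|^)" + re.escape(base) + r"$")

class WildcardBlocklist:
    """Minimal stand-in for a gravity lookup: a query is blocked when any
    wildcard rule matches; otherwise it is handed to the upstream resolver."""

    def __init__(self, rules, blocked_ip="0.0.0.0"):
        self.rules = [(r, wildcard_to_regex(r)) for r in rules]
        self.blocked_ip = blocked_ip

    def match(self, qname: str):
        """Return the wildcard rule that blocks qname, or None."""
        name = qname.lower().rstrip(".")
        for rule, pattern in self.rules:
            if pattern.search(name):
                return rule
        return None

    def resolve(self, qname: str, upstream):
        """Answer locally with the blocked address on a match; forward otherwise."""
        rule = self.match(qname)
        if rule is not None:
            return ("blocked", self.blocked_ip, rule)
        return ("forwarded", upstream(qname), None)

def naive_match(qname: str, rule: str) -> bool:
    """The substring check people reach for first; shown only to contrast its
    over-blocking (it treats notexample.com as a hit for example.com)."""
    return rule.lower() in qname.lower()

# Constructed sample data: two wildcard rules and a fake upstream resolver.
RULES = ["example.com", "*.doubleclick.net"]

def fake_upstream(qname: str) -> str:
    return "198.51.100.10"  # constructed placeholder answer

def demo():
    bl = WildcardBlocklist(RULES)
    queries = ["ads.example.com", "sub.ads.example.com", "notexample.com", "example.org"]
    return {q: bl.resolve(q, fake_upstream) for q in queries}
```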

The primary lever you control is the pattern itself. You can add very specific wildcards like *.doubleclick.net or more general ones like *.tracker.com. Pi-hole’s pihole --wildcard add command is your primary tool. To remove them, use pihole --wildcard remove example.com. The gravity command (pihole -g) is essential after adding or removing wildcards to update the internal database Pi-hole uses for lookups.

The most surprising thing about Pi-hole wildcards is how they interact with the standard DNS resolution process. When a wildcard match occurs, Pi-hole does not perform a reverse lookup or query upstream DNS servers. The resolution stops dead at the Pi-hole device itself, returning the configured blocked IP (typically 0.0.0.0 or NXDOMAIN). This means that even if a domain technically resolves to a valid IP address on the internet, Pi-hole can still block it by simply returning a non-routable or non-existent address, effectively making the domain unreachable from your network.

This behavior is distinct from simply blocking a known IP address, which might change or be shared by legitimate services. Wildcards target the domain name itself, providing a more robust blocking mechanism against domains that rely on dynamic or numerous subdomains.

The next step after mastering wildcards is understanding how to leverage Pi-hole’s regex blocking for more complex pattern matching scenarios that go beyond simple subdomain wildcards.
