This project is suitable for:
and has been
This project documents my Setup for Pi-hole
- at home
- and in the cloud to be used with WireGuard
for me and the whole family and gives some food for thought.
You would rightly be disappointed if I wouldn't show you my hacks and tweaks with an explanation of why I did this and which goals I wanted to achieve and whether I did a good or a bad job.
Now have a look at my Pi-hole(s):

- Prerequisites
- Why Pi-hole?
- Why WireGuard?
- Setup and Installation
- Some words regarding choosing a DNS upstream resolver
- Blocklists and consolidation / deduplication
- General Infos regarding your Pi-hole and network setup
- Some tools for Pi-hole
- Tweaks
- Usage at home
- Usage in foreign networks ("free" WiFi / Hotspots and mobile data (4G/5G))
- Maintenance
You should have at least some basic knowledge about Linux and Docker. Which linux distro you are using is not relevant. Use a linux distro of your choice! I'm using Ubuntu and openSUSE, which are basically totally different regarding package management: Ubuntu is Debian-based, openSUSE is RPM-based.
- It started that I wanted no or at least less advertisments, because it's annoying and because it disrupts the flow of reading, it uses not a little bandwidth but more than you think (for what you don't want or what is of no interest to you when surfing on a website, for example news pages) and it slows down the loading of much websites due to loading lots of ads and images and videos. If you don't download all this unneccessary stuff, you save on your mobile plan and profit from faster page loading 👍
- Then I wanted more Privacy, which means no or at least less Tracking, which means no or at least less Surveillance!
- I'm a dad of three kids and I don't want them consuming too much Social Media or sometimes no Social Media at all! With Pi-hole it's totally easy to block Facebook or Instagram for example.
- Because my family runs all their computers with Windows they really needed more and additional Security than only an anti-virus scanner or defender and no Malware by adding another level of protection. 🦠 Did you know that it pays off more for attackers to inject advertising networks than a single or some website by Malvertising? Because they maximize their reach by hacking only one single advertising network instead of many, many websites.
- And finally when they get older: Youth protection becomes a big issue! 🔞
🥅 The MAIN GOAL for me is to block ads, tracker, malware, ... (everything that harms PRIVACY or DATA INTEGRITY or is just ANNOYING us)
🥅 And the SECONDARY GOAL is to block stuff, that is USED WAY TOO MUCH BY THE KIDS... or what is NOT SUITABLE for this age group.
💡 Conclusion: Pi-hole can save you from "too curious" corporates (Facebook, Google, Amazon, Apple, Microsoft - just to name some) and can save young people from adult content. 💡
WireGuard **tunnels all traffic from my mobile device(s) when leaving my home** to use my Pi-hole that isn't exposed on the internet because I **don't want to run a public DNS resolver** by forwarding ports from WAN interface to my computer where Pi-hole is running.
💡 Conclusion: WireGuard can save you from "too curious" ISPs at home, mobile providers or (free) VPN providers - but now you still have to trust your cloudserver provider! This is still not 100 percent safe from state authorities or from intelligence services! 💡
This german Howto about "Avoiding Internet-censorship and stay anonym" gives some interesting details and thoughts.
Finally the combination of Pi-hole and WireGuard (also known as WireHole - but I like both projects being separated for reasons of nicer and easier updates which I will explain later) gives you the ability to access your private Pi-hole on all your devices at any place/network any time 👍
ℹ️ More Information (in german only) can be found here.
My motivation to run everything for this project in Docker containers has been the following:
- I didn't want to install some additional packages on my openSUSE desktop at home which already runs 24x7 (because it's a fan- and noiseless and power-saving manufactured desktop computer from Cirrus7 - end of my kind of personal "advertising" 😉.
- It would have been no matter to "bloat" an Ubuntu LTS server that I've intended for this project. But why should I run two different setups?
- Last but not least: I had already some experience with Docker containers due to some other projects already running on my Ubuntu LTS server…
💡 I can really recommend Docker, because it's so super easy! 💡
So I used and followed the "Quick Start" to install and start Pi-hole on my machines (at home and on my cloudserver).
To get the advantages and the same "surf and shelter experience" when not being at home/in my home WiFi I thought about a VPN to my Pi-hole. Because I already had an Ubuntu LTS server running at Hetzner with an 1 Gbit/s connection instead of 50 Mbit/s Upload at home, I installed and followed the "Usage" to install and start my personal WireGuard VPN server 😄 There's a 20 TByte volume for outgoing traffic free of charge, which really should be enough for many WireGuard users and covering all current existing mobile plans (usually some GByte).
BTW: I use docker-compose
and not native docker
because I use it already for other projects (Nextcloud).
Keep in mind to set Permit all origins in Web-GUI ("Settings" > "DNS") for your Pi-hole at home so that all clients can use it!
Keep in mind to set Allow only local requests for your Pi-hole on your cloudserver if you won't become a public DNS resolver! 💣
Remember why we choose running a local DNS resolver:
- to gain more privacy!
- and potentielly or hopefully to get DNS queries answered faster than with the provider's DNS resolver (Vodafone's DNS resolver is very lousy) or some privacy-disrespecting DNS resolvers like the ones from Google ( and
Go to "Settings" > "DNS" in Pi-hole's Web-GUI:
- unmark all without "DNSSEC"
- forget Google, Cloudflare - they disrespect your privacy!
- forget Quad9 - they have severe performance issues and latency can be up to 1 sec (if there is a response at all)
- only DNS.WATCH remains - but they don't support ECS which "allows better use of DNS-based load balancing to select a service address near the client" which speeds up many service for you by getting connected to a nearer target to you! And they also have a much more severe performance issues than Quad9 (if there is a response at all)!
- So, for me's DNS resolvers are working best regarding latency (20ms for and 40ms for and (IPv4)
2a07:a8c0::75:86b2 and 2a07:a8c1::75:86b2 (IPv6)
- But also AdGuard is doing a great job with their pre-filtering DNS resolvers. Since monitoring "filtering" and "non-filtering" DNS resolvers and adding the "filtering" ones them to my Pi-hole's
they beat from scratch/within a week in a head-to-head race: 20ms for and 20ms for and (IPv4)
2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff (IPv6)
If you're wondering why raw performance on differ so much from my results and are "much better":
"All DNS providers are tested every minute from 200+ locations around the world"
- which means under optimal conditions
- which means "datacenters" with high-speed-connectivity and low latency.
My project is measuring very close to an end user via WiFi and via Vodafone ISP (coax/cable). So these results are what you also can expect on your home internet connection regardless which ISP (Telekom, Vodafone, 1-und-1, …) and which technology (DSL, Coax/Cable, Fiber or even mobile (4G/5G)).
💡 You can check this out before installing Pi-hole with my little project dnspingtest_rrd. You may have want to have a look at real data from my home. For one-time-checks you could also use:
docker run --rm --name=dnstrace redsift/dnstrace --color -n 10 -c 10 --server --recurse
There's already at least one single blocklist shipped with Pi-hole: But that didn't fit my needings (see "goals" above). So I constantly and repeatedly check and add/remove blocklists on an irregular base.
Currently I'm using these blocklist (Web-GUI: "Group management" > "Adlist" - you may want to assign a group to some blocklists to be able to block some domains only for some devices) in column "address" (this is an extract from real output from pihole_adlist_tool
which I will introduce later). These list sum up to more than 4 mio domains/hosts. For better reading I rearranged the rows by groups:
id enabled total_domains domains_covered hits_covered unique_domains_covered address
-- ------- ------------- --------------- ------------ ---------------------- --------------------------------------------------------------------------------------------------------
# default
1 1 189924 1253 125255 105
# additional blocklists:
11 0 11395 262 46693
13 1 2196
19 1 23782 102 19612 1
20 1 26562 1 1 1
21 1 196085 6 64 4
23 1 190229 5 70 5
27 1 2499 3 23 1
28 1 2134 6 70 6
33 1 4185 3 90 3
34 1 476667 11 3502 4
35 1 283757
37 1 441936
43 1 91462 70 1209 5
59 1 347 13 868
60 1 347 13 868
62 1 1679
63 1 431080 1516 142449 451
64 1 171731 86 15259 53
67 1 539365 41 14947 13
74 1 2571 2 13
82 0 201416
84 1 916 47 4657 20
86 0 2325
87 1 3757 263 14157 6;hostformat=hosts
89 1 291106
# adult and NSFW:
42 1 414048 790 57435 211
71 1 23
72 1 19670 36 429 8
73 1 369
77 1 30786 52 473 13
80 1 56711 23 240 6
81 1 5629 3 8 1
88 1 341009
# tracking on mobiles:
30 1 767 173 66383 12
68 1 80 32 40481
83 1 234 66 223348 55
# smart TVs:
5 0 209
32 1 20 5 264 4
# tracking in minecraft:
69 1 6
# tracking on tiktok:
85 1 184 6 13029 2
Some infos about
Contrary to it's name, FULL does NOT include NSFW The NSFW list can be used as stand-alone, or alongside basic or full
What is the difference between the full and basic list? -->
The Basic list is a smaller, less comprehensive variant of the full list, which focussus mainly on Ads, (Mobile) App Ads
The Full list blocks: Ads, (Mobile) App Ads, Phishing, Malvertising, Malware, Spyware, Ransomware, CryptoJacking, Scam ... Telemetry/Analytics/Tracking (Where not needed for proper functionality)
I'm using only static IP adresses in my home-network because this is essential for the "Client group management" (Web-GUI: "Group management" > "Clients"). It's essential to turn off "private wifi address" on iOS and the pendant on android. Otherwise you won't be able to identify your clients and you won't be able to use static IP addresses! (IP addresses are easier to manage and to "remember" than MAC addresses. As Apple writes on their support site "private Wi-Fi addresses (can) … improve privacy …". For "network administrator" Apple continues to write "use an MDM-defined network profile to turn off Private Address for enrolled devices that join their Wi-Fi network".
After you have once identified your "known clients" by IP address or MAC addres you are now able to assign groups of blocklists to your clients. Assume you have an Adlist group "social" and don't want your kids to consume social media, then you might assign group "social" additional to "default" to your kids device(s).
If you are experiencing false positives for some domains,
- you can open an issue at the blocklist owner's repository on GitHub/GitLab/…
- and you can (temporarilly) whitelist it in "Group Management" > "Domains". There you can also blocklist some domains or even top-level-domains with an regular expression.
I'm blocklisting(\.cn$|\.ru$|\.su$|\.vn$|\.top$)
because currently I don't know a reason why to surf to these top-level-domains (despite I can't read mandarin, russian or vietnamese 😉).
I'm also blocking:
which blocks all punycode domains because they're often/mostly used for
for tracking by Facebook on non-facebook sites (none of my many blocklist does block this!
is already blocked by some blocklists. Check this out bydocker exec -it pihole pihole -q
). Some more details can be found here in the german "Kuketz-Forum".(\.casino$|\.bet$|\.poker$)
because I don't like online-gambling(^|.+\.|.+)app-measurement\.com(.+|$)
is one of my absolute "top blocked domains". This domain is already in many blocklists, but due to some developer's error there are also many invalid queries for '' which I want to block with this reg-ex. This domain is widely used by many, many smartphone apps because they use a shitty SDK and would be absolutely tracking-free by the developers of the app if they wouldn't use this SDK 😞
PADD provides in-depth information about your Pi-hole.
I can also be used as a systemd-service on tty11 in addition to pihole-live-output.service
on tty10 that can easily be implemented:
My cloudserver:
📝 Just add these lines in your /etc/systemd/system/pihole-padd.service
and do a systemctl daemon-reload
and a systemctl start pihole-padd.service
# PADD - A more advanced version of the chronometer provided with Pihole.
Description=PADD - A more advanced version of the chronometer provided with Pihole.
After=docker.service dhcpd.service pihole.service
ExecStart=/usr/bin/sh -c "/usr/bin/docker exec --tty pihole /etc/pihole/ > /dev/tty11 < /dev/tty11"
ExecStop=/usr/bin/sh -c "/usr/bin/clear > /dev/tty11 < /dev/tty11"
📝 Do the same procedure for /etc/systemd/system/pihole-live-output.service
# Pi-hole: View the live output of the Pi-hole log
Description=View the live output of the Pi-hole log.
After=docker.service dhcpd.service pihole.service
ExecStart=/usr/bin/sh -c "/usr/bin/docker exec -it pihole pihole -t > /dev/tty10 < /dev/tty10"
ExecStop=/usr/bin/sh -c "/usr/bin/clear > /dev/tty10 < /dev/tty10"
Now you can switch to your tty10 and tty11 console to view Pi-hole's query log or to displays stats about your piHole 👍
🚧 Here I documented how to run
with your docker container. 🚧
A tool to analyse how your pihole adlists cover you browsing behavior.
Monitoring of average response times of DNS resolvers in RRD databases and simple HTML pages with PNG graphs.
Use this if you want to find out which DNS resolver will be the fastest and most reliable for you. I run it closest to a user experience via WiFi because most devices today are connected via WiFi and not via LAN. Think of smartphones and tablets! After some time (a day, a week; what you expect as "reliable") there's some data on a 5 minute base available and by interpreting the generated charts you should have more than just a clue which DNS resolvers from the ones you monitored are the fastest and most reliable for your internet connection at home 👍
You might be also interested in my DNS-Ping Monitoring with real data from my home or my cloudservers at Hetzner: Nuremberg, Germany, Falkenstein, Germany and Helsinki, Finnland.
If you find your "top" lists on the dashboard of the Web-GUI not suitable for the information you really need, you might exclude some top domains / top adverters and/or top clients in "Settings" > "API / Web Interface". For example I exclude these domains because they are much to generic or are queried very, very often by my linux machine's cronjobs and therefore useless to know:
And pi.hole
itself does a lot of DNS queries as a client with types DS and DNSKEY which are technically absolutely neccessary for DNSSEC; but this information (how much queries) is absolutely worthless for me 😜
I've added these lines in my etc-pihole/pihole-FTL.conf
. Read the comments/links to understand:
# ---
# ---
# Should Pi-hole always replies with NXDOMAIN to A and AAAA queries
# of to disable Firefox automatic DNS-over-HTTP?
# This is following the recommendation on
# ---
# ---
# Should Pi-hole always replies with NXDOMAIN to A and AAAA queries of
# and to disable Apple's iCloud Private Relay
# to prevent Apple devices from bypassing Pi-hole?
# This is following the recommendation on
# due to
# Control FTL's query rate-limiting. Rate-limited queries are answered with a REFUSED reply and not further processed by FTL.
# …
# Rate-limiting may be disabled altogether by setting RATE_LIMIT=0/0
# this results in the same behavior as before FTL v5.7.
# FTL's internal TTL to be handed out for blocked queries.
# This settings allows users to select a value different from the dnsmasq config option local-ttl.
# This seems useful in context of locally used hostnames that are known to stay constant over long times
# Note that large values may render whitelisting ineffective due to client-side caching of blocked queries.
# This option is deprecated and may be removed in future versions, please use BLOCK_IPV4 and LOCAL_IPV4 instead.
# LOCAL_IPV4= (unset by default, PR #1293)
# BLOCK_IPV4= (unset by default, PR #1293)
You may also raise min-cache-ttl
in your etc-dnsmasq.d/05-pihole-custom-ttl.conf
so that all your devices don't need to query your Pi-hole quite often (every minute), but only every hour:
In conjunction with BLOCK_TTL=300
(blocked domains will be cached on client side for 5 minutes instead of 2 seconds!) this drasically reduces the amount of queries and of the blocked-domain-ratio!
In my case this reduced daily queries from around usually 80.000/100.000 to 40.000/50.000 and block-ratio dropped from 30-40% down to 15-20%
I'm running a daily cronjob to gather these stats with
59 23 * * * echo -e $(date +\%Y-\%m-\%d) $(docker exec --tty pihole /etc/pihole/ -j) >> ~/logs/pihole-padd.log
With these tweaks I'm usually getting a cache hit ratio of 50% (see screenshot on top of this page: "Upstream servers", the blue cake slice is "cached")) and more with a very low latency for most DNS queries with an average of slightly below 20ms (on a weekly basis and if there are no internet outages).
"This method leverages SafeSearch VIP to force all users on your network to use SafeSearch on Google Search while still allowing a secure connection via HTTPS. The VIP in SafeSearch VIP refers to a Virtual IP, which is an IP address that can be routed internally to multiple Google servers. We will serve SafeSearch results for all requests that we receive on this VIP, which includes Google search, image search, and video search.
It works for all browsers on your device and only users who are administrators on the device can undo this change."
Map google domains to
Just add these hostnames/domains to your "Local DNS" / "DNS Records":
Other search engines use "moderate search" by default, but "safe search" can be turned off at any time). I didn't find any offer like this for Bing, DuckDuckGo and others.
Just change DNS resolver in DHCP options of your router so that all devices in your home network use your Pi-hole. For example:
💣 If you're a Vodafone Customer and if you're only using the provided Vodafone Station you will not be able to do this! VF Station has no option to change DNS resolvers, so go and buy a router that you own and that you can configure as you want and build up a router cascade. 💣
Go and download WireGuard app for your device:
- Windows Installer
- Android play store
- F-Droid
- iOS
- For MacOS or Linux installation see download link
After you've set up your WireGuard server with one or the desired amount of peers you can show your WireGuard tunnel config as QR-code:
docker exec -it wireguard /app/show-peer <peer-name>
On your mobile device you can simply scan this QR-code and you're finished. Edit your config to enable "on-demand tunneling" for "mobile data" and all WiFi except your WiFi at home which is already protected by your Pi-hole at home.
On your computer you have to copy and paste the following output from your WireGuard server into your WireGuard app:
docker exec -it wireguard cat /config/peer_<peer-name>/peer_<peer_name>.conf
I use some scripts for regular and automated updates:
cd ~/dev/docker-pi-hole && {
git stash; git pull; git stash pop -q
docker-compose pull --no-parallel 2>&1 | grep "is up to date" || \
{ docker-compose stop && docker-compose up -d; }
docker pull | grep "is up to date" || \
docker stop wireguard
docker rm wireguard
# peer names are only supported alphanumeric:
# -e ALLOWEDIPS=, `#optional` \
docker run -d \
--name=wireguard \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Berlin \
-e SERVERPORT=12345 \
-e PEERS=1 `#optional` \
-e PEERDNS=auto `#optional` \
-e INTERNAL_SUBNET= `#optional` \
-p 12345:12345/udp \
-v ~/temp/etc-wireguard:/config \
-v /lib/modules:/lib/modules \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
With these cronjobs for daily WireGuard updates and weekly Pi-hole updates:
10 5 * * * ~/bin/ &> ~/logs/
15 7 * * 1 ~/bin/ &> ~/logs/
Have fun and stay safe! 💚