Nerdsense

Pihole - Advanced Use Cases

Greg Heffner Sept 2nd, 2025
Pi-Hole

In previous blogs I explained how Pi-hole is a network-wide ad blocker and how I use it at home with Cloudflare as my upstream DNS server to complement my network traffic/security: Pi-Hole July 2024. I highly recommend reading that article first if this is your first encounter with Pi-hole.

In this blog I'm going to expand on that and talk through how I updated some "advanced" DNS features and why I feel they are important for you as well.

When someone gets on the internet and loads a webpage, a few things happen that most people are unaware of before they even see paint on the screen. When a URL is typed into a browser, the computer has to take the host name in that URL and convert it to an IP address, because that is how traffic travels across the internet. To do that conversion, your Domain Name System (DNS) resolver either uses a cached entry already saved on the device or queries external DNS servers to get the IP address and sends it back to your device so it can find and load the page.

Why should you care? Whenever a device asks for an IP address, for example, that request is stored in a log, and that log can be saved and is sometimes sold to other people. What's of value here? If someone has a list of all the sites you go to, when you browse them, and how often you go, would that be of value to, say, retail stores? Think of the value of knowing when you shop, when you pay bills, or the geographic locations of retail stores you may be visiting. Someone could force you to see ads for companies they prefer or could manipulate the pages you visit to send you to competitors.

FTC Staff Report Finds Many Internet Service Providers Collect Troves of Personal Data, Users Have Few Options to Restrict Use

Unbound

Unbound, when used with Pi-hole, is a piece of software that resolves DNS queries by directly contacting the root, TLD, and authoritative name servers, rather than relying on third-party DNS services like ISP name servers. How does this work, you say? Well, directly from the Pi-hole documentation, it works like this:

  1. Your client asks the Pi-hole `Who is pi-hole.net`?
  2. Your Pi-hole will check its cache and reply if the answer is already known.
  3. Your Pi-hole will check the blocking lists and reply if the domain is blocked.
  4. Since neither 2. nor 3. is true in our example, the Pi-hole delegates the request to the (local)
  5. Your recursive server will send a query to the DNS root servers: "Who is handling `.net`?"
  6. The root server answers with a referral to the TLD servers for `.net`.
  7. Your recursive server will send a query to one of the TLD DNS servers for `.net`: "Who is handling `pi-hole.net`?"
  8. The TLD server answers with a referral to the authoritative name servers for `pi-hole.net`.
  9. Your recursive server will send a query to the authoritative name servers: "What is the IP of `pi-hole.net`?"
  10. The authoritative server will answer with the IP address of the domain `pi-hole.net`.
  11. Your recursive server will send the reply to your Pi-hole which will, in turn, reply to your client and tell it the answer to its request.
  12. Lastly, your Pi-hole will save the answer in its cache to be able to respond faster if _any_ of your clients queries the same domain again.

So how does this help? Well, first, none of the above steps include asking your ISP or some other company for the address of a place you want to visit. Secondly, once you figure out the IP, you save it for future use. Third, neither the initial nor any of the subsequent requests are logged or stored on 3rd-party devices to be sold or traded. Unbound, to say it another way, will go out and query the internet from the root and TLD (Top Level Domain) servers stationed around the world, all the way down to the local cache on your device, until it finds an IP address. You are in control of your data and your requests.
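To make the twelve steps above concrete, here is an added toy model of the Pi-hole + Unbound decision flow (cache, then blocklist, then root, TLD and authoritative referrals, then cache the answer). It is example code written for this article, not Pi-hole's or Unbound's own code; the server names, zone records and IP addresses are constructed and nothing is sent over the network.

```python
# Added illustration of the cache -> blocklist -> root -> TLD -> authoritative
# flow described above. The server names, zone data and IP addresses are
# constructed for this example; nothing is sent over the network.

# Constructed referral data: each "server" knows a few records.
# ("NS", name) is a referral to another server; ("A", ip) is a final answer.
SERVERS = {
    "root":        {"net.": ("NS", "tld-net")},
    "tld-net":     {"pi-hole.net.": ("NS", "auth-pihole")},
    "auth-pihole": {"pi-hole.net.": ("A", "203.0.113.10"),        # TEST-NET-3
                    "docs.pi-hole.net.": ("A", "203.0.113.11")},   # addresses
}
BLOCK_ANSWER = "0.0.0.0"   # Pi-hole's default (NULL) blocking reply

def _lookup(server, name):
    """Return the record for the closest enclosing name this server knows."""
    records = SERVERS[server]
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in records:
            return records[suffix]
    return None

class PiholeWithUnbound:
    def __init__(self, blocklist):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.cache = {}
        self.trace = []    # who was consulted, in order, across queries

    def resolve(self, qname):
        name = qname.lower().rstrip(".") + "."
        if name in self.cache:                  # step 2: cached answer
            self.trace.append("cache")
            return self.cache[name]
        if name.rstrip(".") in self.blocklist:  # step 3: blocked, never leaves
            self.trace.append("blocklist")
            return BLOCK_ANSWER
        server = "root"                         # steps 5-10: follow referrals
        while True:
            self.trace.append(server)
            rec = _lookup(server, name)
            if rec is None:
                return None                     # no such name (NXDOMAIN)
            rtype, value = rec
            if rtype == "A":
                self.cache[name] = value        # step 12: remember for all clients
                return value
            server = value
```

The `trace` list shows which party answered each query, so you can see the second lookup of the same name never leaves the Pi-hole.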

There have to be negatives, right? Yeah, there are. Some of them include slower response times when resolving IP addresses. This is because you aren't hitting major servers that have huge caches and logs. Another negative is that if the Unbound service stops running, you could stop resolving IP addresses if you had no other upstream servers configured. One way to keep yourself safe from DNS-related outages is to have a secondary DNS server configured, but remember to choose one you trust if you're not hosting it yourself with Unbound or a secondary DNS server hosted at home. Check here for some DNS servers I would recommend: Introducing 1.1.1.1 for Families.

If you would like more information about Unbound, check out this YouTube video: Unbound DNS Explained

Blocklists

Allowing unrestricted internet access can be a problem if someone does not know the difference between clicking a good link and a bad link. Shoot, even professionals in the tech industry get tricked into clicking things they shouldn't. Pi-hole has the ability to import lists of addresses that are either untrusted or known to host ads, and then whenever a device asks the Pi-hole to convert a URL to an IP, if the domain is in one of those lists, it can block it for us. People all around the world have contributed to some of these lists, and I'll go over some of the most popular repos.

  • Steven Black host list
    • Combines multiple reputable sources into one list.
    • Blocks ads, trackers, malware, and fake news domains.
    • Frequently updated and widely trusted.
  • Hagezi DNS Blocklists
    • Comprehensive, targeting ads, tracking, and malicious domains.
    • Maintained for use with DNS-based blockers like Pi-hole.
    • Offers granular control and regular updates.
  • someonewhocares.org hosts file
    • Focuses on blocking known ad servers, trackers, and malicious sites.
    • Simple, effective, and easy to integrate.
    • Maintained by a privacy advocate and used by many for years.

What does this do for you? Well, depending on your setup and the lists you subscribe to, you can block ads from webpages while browsing the internet, and you can also proactively block untrusted webpages. Could there be problems? Yes. A webpage you visit may be listed in one of these host lists. If it is, it won't load. This is the #1 issue people have. Depending on the list you subscribe to, it could be very restrictive. If you find yourself unable to load a page, you can add it to the allowlist, which overrides the blocks and allows you to load it. Be careful with this. If you're having to allow pages more often than not, you may have subscribed to a blocklist that's too intrusive for what you're doing.
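The lists above are published in the hosts-file format (an address followed by a domain). As an added example, not Pi-hole's gravity code, here is how such a list is parsed into a block set, how an allowlist entry overrides it, and how keeping track of which list each domain came from helps you spot the over-blocking list the paragraph above warns about. The list contents, domains and allowlist are constructed for the example.

```python
import re

# Added example of how a hosts-format blocklist (the format the lists above
# publish) is turned into a block set, and how an allowlist entry overrides
# it. The list contents and domains below are constructed, not real entries.
SAMPLE_LISTS = {
    "broad-list": """# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
""",
    "strict-list": """0.0.0.0 ads.example.com
0.0.0.0 shop.example.org
""",
}
# Constructed allowlist: a site we need that one of the lists over-blocks.
ALLOWLIST = {"shop.example.org"}

HOSTS_LINE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+([A-Za-z0-9.-]+)")

def parse_hosts_list(text):
    """Domains a hosts-format list would block (comments and localhost skipped)."""
    domains = set()
    for line in text.splitlines():
        m = HOSTS_LINE.match(line.split("#", 1)[0])
        if m and m.group(1).lower() != "localhost":
            domains.add(m.group(1).lower().rstrip("."))
    return domains

def build_gravity(lists):
    """Map each blocked domain to the list(s) it came from, so an
    over-blocking list can be identified when allowlisting gets frequent."""
    gravity = {}
    for list_name, text in lists.items():
        for domain in parse_hosts_list(text):
            gravity.setdefault(domain, set()).add(list_name)
    return gravity

def decide(domain, gravity, allowlist=ALLOWLIST):
    """Allowlist wins over every blocklist; otherwise block if listed."""
    d = domain.lower().rstrip(".")
    sources = sorted(gravity.get(d, ()))
    if d in allowlist:
        return ("allowed", sources)
    if sources:
        return ("blocked", sources)
    return ("pass", sources)
```

If most of your allowlist entries trace back to the same list in the second element of `decide`'s result, that is the list to drop.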

With these two updates to your Pi-hole you can be a little safer with your internet traffic and habits. Don't forget to point all your devices to your Pi-hole for DNS if you haven't already!

If you would like more info about blocklists, check out this video: Block EVERY Online Ad with THIS - Pi-Hole on Raspberry Pi.

From Copilot -

Pi-hole is like a smart gatekeeper for your internet, blocking ads and bad websites before they even reach your screen. When paired with Unbound, it finds website addresses on its own without asking big companies—keeping your browsing private and secure. By using blocklists, it also helps protect you from sneaky or dangerous sites, making your internet experience cleaner and safer.

About Me

I served in the U.S. Army, specializing in Network Switching Systems, and was attached to a Patriot Missile System Battalion. After my deployment and Honorable discharge, I went to college in Jacksonville, FL for Computer Science. I have two beautiful and very intelligent daughters. I have more than 20 years of professional IT experience. This page is made to learn and have fun. If it's messed up, let me know. I'm still learning :)
