Most privacy minded people do a decent job locking down their computers, phones, and other devices. I hope you’re reading this article on a secure browser (like Firefox with UBlockOrigin) over an encrypted VPN connection. If you are, congrats on being a reasonably savvy internet user! But what about the other people on your network? Are your family members and guests as privacy-minded? It’s rare to find a household where every single person shares the same level of dedication to staying safe online. Wouldn’t it be nice if you could extend some level of protection to the people sharing your home network, without being intrusive about how their phones and laptops are set up? Let’s talk about Pi-Hole.
Pi-Hole is a free and open-source application that blocks ads and internet trackers. It is maintained by volunteer developers who maintain and update the code in their spare time, and rely largely on donations to pay the bills. But they have apparently started accepting corporate sponsorship, based on my most recent visit to pi-hole.net. I haven’t seen anything that spells out what [if anything] sponsorship gets companies beyond a banner on the website, but I will update this article if it seems like sponsorship compromises security or privacy.) Pi-Hole can run on any Linux-based operating system. Using a Raspberry Pi is the classic approach, but you can use any physical or virtual device running Ubuntu, Debian, Fedora, etc. I’ve been a Pi-Hole user for four years, and have found it to offer (mostly) stress-free protection for my home network.
Pi-Hole is different from run-of-the-mill ad blockers in two key ways. The first is that Pi-Hole operates at the network level, rather than running on individual devices. This means every device connected to the network benefits–including devices like smart TVs that might otherwise be hard to install ad blockers on. The second is that Pi-Hole “sinkholes” attempts to connect to ad or tracking sites via the Domain Name System, rather than blocking the connection like a firewall.
A quick primer on the Domain Name System (commonly referred to as DNS). The internet relies on IP addresses (ie 123.45.678.999) as the official address for each website and internet-connected device. But people can’t be expected to remember all those numbers, so we use Uniform Resource Locators (like https://www.survivalblog.com) instead. When you type a URL into your browser, your computer sends a request for the associated IP address. Your router passes the request on to a DNS name server. The name server is like a phone book that tells your computer the IP address associated with a URL. Your computer then sends an HTTP request to that IP address, and the website loads.
While loading the website, your computer will receive instructions to reach out to additional resources to fill the page. Often this is to load ads. Sometimes it’s to reach “services” like Google Analytics. Pi-Hole maintains a library of bad requests like those, and if your network requests one, that request will be “sinkholed” by routing it to a non-resolveable IP like 0.0.0.0. You can manually add or remove IPs from the blacklist. (For example, I’ve exempted SurvivalBlog.com from ad sinkholing because I want JWR to get the revenue from my visits.) Since setting Pi-Hole up, I’ve noticed my web pages load faster and with blank spaces where ads would normally appear. Pi-Hole also has a snazzy dashboard with trends and stats, including the top blocked connections.
Setting up Pi-Hole is pretty simple. I’ll briefly walk you through the setup process. For this example, let’s assume you’re setting up Pi-Hole on a Raspberry Pi that’s connected to your home network. Entering the command “curl -sSL https://install.pi-hole.net | bash” will start the automated installation process. Follow the prompts until the install on your device is complete. Your Pi will receive a static (permanent) IP in the process. Write it down; you’ll need it later.
During the setup process, you’ll be asked to pick an upstream DNS provider. The Pi-Hole is not a true DNS name server–it merely compares DNS requests to a list of bad requests. The bad requests are sent to an unresolveable IP address, while the requests that aren’t on the alert list are forwarded out of your network to a DNS name server to be resolved. You’ll be provided a list of DNS providers to choose from during the setup process. OpenDNS is a decent option. More advanced users like to set up their Pi-Holes to use Unbound DNS (long story short, this makes you your own DNS provider). There are further privacy-enhancing advantages to doing this. There are many YouTube videos showing how to configure your Pi-Hole to use Unbound DNS, if you’d like to go down that route.
Next comes the most technically demanding step of the setup–getting your router to use Pi-Hole as your network’s Domain Name Service. You’ll need to log into your router (usually typing an IP like 192.168.1.1 into your browser will take you to the router logon page) and navigate to the DNS settings. This is often found as part of the Dynamic Host Configuration Protocol (DHCP) settings. Most routers have settings for primary and alternate DNS. You may be able to get your router to accept your Pi-Hole’s IP address for both, although this means if your Pi-Hole goes down you won’t be able to use the internet. Some users have two Pi-Holes, one as primary DNS and one as a backup (for if the primary is updating or otherwise unavailable). A riskier but simpler solution is to use your Pi-Hole as the primary DNS and whatever the router’s default is as alternate. This will cause most (but not all) of your network’s DNS requests to be serviced by the Pi-Hole.
That’s it for setting up the Pi-Hole.. It is pretty simple if you’re already familiar with Raspberry Pi. You can verify it’s working by entering your Pi-Hole’s IP into a browser and logging into the dashboard to see what’s being sinkholed. I’m more of a visual learner–if you prefer images to words, there are many detailed YouTube videos you can reference to help get started with Pi-Hole.
There are a few limitations to Pi-Hole. It requires manual updates, which are pretty simple (log in and give the update command). Several users have devised scripts that will cause Pi-Hole to automatically update. These are easily found in Pi-Hole online communities (like pi-hole.net forums) if you’d like to try them. There are different schools of thought on automatic updates in the IT security world. Many people are adamantly against them. I generally think the added protection against emerging threats (especially if you don’t want to be “hands-on” the Pi-Hole all the time) makes automatic updates worthwhile.
One drawback of the DNS sinkhole approach is that a guest to your network may have DNS information cached in his device (computers and smartphones can temporarily save DNS information for recently visited sites, for faster loading). In this case, a network user who recently visited a website while off your network could bypass the Pi-Hole when his device refers to its local DNS cache rather than asking the Pi-Hole where to go.
By far the most commonly cited issue with Pi-Hole is “the mad wife.” I’ve experienced this a few times over the years. No blocking or sinkhole application is perfect, and you may find that Pi-Hole unexpectedly interferes with loading some websites. This will–of course–occur while you are at work or running errands. There are ways to modify your Pi-Hole so you can remotely administer it while you’re away from home, but from a security perspective I don’t recommend doing that. Also, as mentioned, if the Pi-Hole goes down without a backup option, you won’t have a way for your network devices to pass DNS requests. After a recent trip, we discovered we could access our router, but the router couldn’t access the internet. It took me a few minutes to remember that I turned off the power strip that my primary and backup Pi-Holes are attached to before we left. That was an easy fix, and I now keep them on separate circuits for better redundancy.
Overall, I’ve found the Pi-Hole to be an effective and frugal way of providing network-level ad blocking and enhanced privacy. I’ve learned a lot about how companies eavesdrop on internet users by watching my Pi-Hole dashboard’s logs of blackholed connections. I’ve discovered the names of companies I had never heard of, but who are major players in the online ad and tracking world. The internet can seem like a scary place once you start pulling back the curtain a bit, but like everything else in the prepper world, knowledge is better than ignorance.
Hopefully, this review was helpful and not too deep into the tech weeds. If you have any questions, there are many helpful people on the Pi-Hole forums and on YouTube. I’m also willing to write a follow-up if there is enough interest in this topic, or in internet security in general. If you install your own Pi-Hole, I hope you experience the same sense of satisfaction I get watching thousands of requests to connect to Google Analytics be cast into a virtual abyss. Stay safe online, friends.