Some notes on a privacy-minded Pi-Hole deployment

But why?

There is already a thousand how-to’s on the Web about deploying Pi-Hole as a DNS resolver, and I don’t feel like writing yet one more that will be deprecated for some reason in a few months because some parameter has changed somewhere.

Rather, this article gives pointer to either other posts I’ve found interesting while setting mine up.

Finding Ad lists

When deploying Pi-Hole 5.2.1, I found out one of the built-in lists did not exist anymore.

In his article, Olivier Butterbach gives a link to, which is exactly what I needed. From the list, I selected:

That may seem very few granted the insane amount of lists referred, but it turned out any form of ad disappeared from my machines after enabling just these, even with uBlock turned off. I’ll revise this if persistent ads show up.

Be warned that only lists where the Pi-Hole logo appears will be compatible with, well, Pi-Hole (duh).

Auto-refresh of the lists

Don’t forget to add a cron job for the pihole -g command to keep your ad lists up to date.

Use a local unbound instead of public resolvers

This howto makes a very valid point about why you should directly query the DNS root servers with DNSSEC instead of using the public resolvers like Google or Quad9, even with DNS-over-TLS.

If you’re worried about privacy, I do recommend to follow the proposed step (and did myself). That may sound strange since I also have a tutorial about using DNS-over-TLS with OpenDNS and Google, but I use this in another context (A VPS that runs some public service and for which privacy is not a concern).

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.