Install Tailscale for remote access and connect devices.
Enable DNS through TailScale; permit origins in Pi-hole.
Verify ads are blocked locally and remotely (including a mobile test).
Takeaways
Keep the Pi-hole device with a static IP to stay reachable.
Customize block lists to tailor ad-blocking for your needs.
Tailscale enables seamless remote ad-blocking across devices.
Do not expose Pi-hole directly to the internet; use a secure, private setup.
Always test across networks (home, hotspot) to confirm effective blocking.
SUMMARY
This tutorial shows how to set up network-wide ad blocking with Pi-hole on a Raspberry Pi Zero 2 W, then extend it to work away from home using Tailscale. The main problem it solves is blocking ads (and tracking domains) on all devices without relying on browser extensions, even on mobile data. The primary tools are Pi-hole (DNS sinkhole/ad blocker) and Tailscale (encrypted mesh VPN + tailnet-wide DNS override). (docs.pi-hole.net)
DETAILED STEP-BY-STEP BREAKDOWN
Prerequisites (hardware/software)
Hardware
Raspberry Pi Zero 2 W
microSD card
micro-USB power cable / power supply
Software
Raspberry Pi Imager (official imaging tool) (Raspberry Pi)
Raspberry Pi OS Lite (64-bit) — transcript recommends “legacy 64-bit light / Bookworm”
Ability to SSH from your computer to the Pi (Terminal/Command Prompt)
Step 1 — Flash Raspberry Pi OS to the microSD (Raspberry Pi Imager)
Download and install Raspberry Pi Imager. (Raspberry Pi)
In Imager:
Choose device: Pi Zero 2 W
Choose OS: Raspberry Pi OS Lite (64-bit) (as recommended in video)
Choose storage: your microSD card
Edit settings:
Set hostname (example: pihole)
Set username/password
Configure Wi-Fi SSID/password
Set Wireless LAN country (important for Wi-Fi)
Set time zone
Enable SSH
Click Write and wait until it finishes.
Common mistakes
Forgetting to enable SSH → you’ll need a monitor/keyboard to recover.
Wrong Wi-Fi country → Wi-Fi may not work reliably.
Step 2 — Boot the Pi and connect via SSH
Insert the microSD into the Pi and power it on.
Wait a few minutes for first boot.
SSH in:
ssh <username>@<hostname>.local
Common mistakes
hostname.local depends on mDNS; if it fails, SSH to the Pi’s LAN IP instead.
Step 3 — Install Pi-hole
Open Pi-hole documentation and run the official one-step installer: (docs.pi-hole.net)
curl -sSL https://install.pi-hole.net | bash
Follow installer prompts.
Common mistakes
No curl installed on some minimal images (install it if needed).
Running the installer without reviewing what you’re executing (“pipe to bash” is convenient but you should understand the risk). (docs.pi-hole.net)
Step 4 — Set a static IP (DHCP reservation on your router)
Pi-hole needs a stable LAN address so all clients can reliably use it as DNS.
In your router/app admin UI:
Find DHCP reservation / IP reservation
Reserve a fixed IP for the Pi (example shown: 192.168.1.37)
Continue the Pi-hole installer after reservation is set.
Common mistakes
Letting the Pi keep a dynamic DHCP address → DNS breaks later when the IP changes.
Step 5 — Complete Pi-hole setup options
During install:
Choose an upstream DNS provider (video picks Cloudflare)
Enable default blocklist
Enable query logging (helps verify ad blocking + troubleshooting)
Step 6 — Make Pi-hole the DNS server for your home network
In router/app settings, locate DNS server / nameserver fields (often in DHCP settings).
Set DNS server to the Pi’s static IP (e.g., 192.168.1.37).
Save/apply changes.
Common mistakes
Setting DNS on only one device instead of the router (then other devices won’t benefit).
Forgetting to renew DHCP leases on clients (some devices keep old DNS until reconnect/reboot).
Step 7 — Access Pi-hole Admin UI and optionally add more blocklists
Open:
http://<pi-ip>/admin
Log in using the temporary password shown at the end of install.
Add extra blocklists (video: paste URL into blocklist section and add).
Common mistakes
Visiting http://<pi-ip> and forgetting /admin.
Step 8 — Install Tailscale on the Pi and join your tailnet
Install Tailscale using the official Linux/Raspberry Pi method (video copies a command from Tailscale downloads page).
Bring it up:
sudo tailscale up
Authenticate using the provided URL and confirm the Pi appears in the admin console.
Step 9 — Configure tailnet-wide DNS in Tailscale to force Pi-hole usage
In Tailscale Admin Console:
Copy the Pi’s Tailscale IP from the Machines page.
Go to DNS settings:
Add nameserver → Custom
Paste the Pi’s Tailscale IP
Save
Enable Override DNS servers (forces tailnet devices to use your Pi-hole as DNS). (Tailscale)
Common mistakes
Using the Pi’s LAN IP instead of its Tailscale IP for tailnet DNS.
Not enabling Override DNS servers → some devices continue using their existing DNS.
Step 10 — Allow Pi-hole to answer DNS queries arriving via Tailscale
In Pi-hole Admin:
Go to Settings → DNS
Change interface listening to Permit all origins
Save/apply
Important warning
“Permit all origins” can create an open resolver if your DNS port is reachable from the public internet. Pi-hole docs explicitly warn this is dangerous unless properly firewalled. (docs.pi-hole.net)
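One way to keep port 53 private once Permit all origins is enabled, as an added example that is not from the video or from the Pi-hole or Tailscale documentation. It assumes nftables is installed, that the Tailscale interface is named tailscale0 and that the LAN is 192.168.1.0/24; the table name pihole_dns is made up for this example.

```shell
#!/bin/sh
# Added example (not from the video or the Pi-hole/Tailscale docs).
# Assumptions: nftables is installed, the Tailscale interface is tailscale0,
# and the LAN is 192.168.1.0/24. The table name pihole_dns is made up here.

# Print an nftables ruleset that accepts DNS (TCP/UDP 53) only from loopback,
# the Tailscale interface and the given IPv4 LAN CIDR, and drops the rest.
render_dns_rules() {
    lan_cidr=$1
    # Accept only digits, dots and one slash, and refuse 0.0.0.0/N, so a typo
    # or pasted junk cannot become an over-broad or malformed rule.
    case $lan_cidr in
        ''|0.0.0.0/*|*[!0-9./]*|*/*/*) echo "bad LAN CIDR: $lan_cidr" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "bad LAN CIDR: $lan_cidr" >&2; return 1 ;;
    esac
    cat <<EOF
add table inet pihole_dns
delete table inet pihole_dns
table inet pihole_dns {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" meta l4proto { tcp, udp } th dport 53 accept
        iifname "tailscale0" meta l4proto { tcp, udp } th dport 53 accept
        ip saddr $lan_cidr meta l4proto { tcp, udp } th dport 53 accept
        # Everything else, including IPv6 that is not on tailscale0, is dropped.
        meta l4proto { tcp, udp } th dport 53 drop
    }
}
EOF
}

# Print the ruleset for review; to load it:
#   render_dns_rules 192.168.1.0/24 | sudo nft -f -
render_dns_rules "${1:-192.168.1.0/24}"
```

Rules loaded this way do not survive a reboot; on Debian-based systems the usual place to persist them is /etc/nftables.conf.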
Step 11 — Install Tailscale on your devices and test away from home
Install Tailscale client on your laptop/phone.
Sign in to the same tailnet and connect.
Test:
Visit an ad-heavy site (video uses speedtest.net)
Switch to a phone hotspot (to simulate “away from home”)
Confirm ads are blocked and Pi-hole query logs show requests.
Tailscale DNS override behavior is documented in Tailscale knowledge base pages discussing “Override DNS servers”. (Tailscale)
PRO TIPS
Use DHCP reservation on the router rather than manual static config on the Pi; it’s simpler and consistent.
After changing router DNS, force clients to renew leases (toggle Wi-Fi, reconnect, or reboot) to pick up new DNS quickly.
Keep Override DNS servers enabled in Tailscale so roaming devices don’t silently fall back to public DNS. (Tailscale)
If you must enable Permit all origins, ensure DNS (UDP/TCP 53) is not exposed publicly; treat it as private-only. (docs.pi-hole.net)
Watch Pi-hole’s Query Log while testing—if ads still appear, check whether the client is actually using Pi-hole DNS.
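A check that goes with the two tips above, as an added example that is not from the video or the Pi-hole project: it reads Pi-hole's dnsmasq-format query log and lists any client that is neither on the LAN nor on the tailnet, which is what an exposed resolver would show. It assumes the LAN is 192.168.1.0/24 and that tailnet addresses come from 100.64.0.0/10 (IPv4) or fd7a:115c:a1e0::/48 (IPv6); the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: list DNS clients in a Pi-hole (dnsmasq-format) query log that
# are neither on the LAN nor on the tailnet.
# Assumptions: LAN is 192.168.1.0/24; tailnet is 100.64.0.0/10 or fd7a:115c:a1e0::/48.

# Reads log lines on stdin; prints "count source" for each unexpected client.
# Other IPv6 sources (for example LAN link-local) are listed for manual review.
unexpected_dns_clients() {
    awk '
    function ip2int(s,   o) {
        if (split(s, o, ".") != 4) return -1      # not IPv4
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, base, bits) {              # CIDR membership test
        return int(ip / 2 ^ (32 - bits)) == int(ip2int(base) / 2 ^ (32 - bits))
    }
    / query\[/ && $(NF - 1) == "from" {
        src = $NF; ip = ip2int(src)
        if (ip >= 0 && (in_net(ip, "127.0.0.0", 8) ||
                        in_net(ip, "192.168.1.0", 24) ||
                        in_net(ip, "100.64.0.0", 10))) next
        if (src == "::1" || src ~ /^fd7a:115c:a1e0:/) next
        seen[src]++
    }
    END { for (s in seen) print seen[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines, not real traffic. On the Pi, feed the real log
# instead, e.g. /var/log/pihole/pihole.log (path assumed; it varies by version).
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 dnsmasq[812]: query[A] speedtest.net from 192.168.1.20
Jan  5 10:00:01 dnsmasq[812]: forwarded speedtest.net to 1.1.1.1
Jan  5 10:00:02 dnsmasq[812]: query[A] ads.example.com from 100.101.102.103
Jan  5 10:00:03 dnsmasq[812]: query[ANY] example.org from 203.0.113.50
Jan  5 10:00:03 dnsmasq[812]: query[ANY] example.org from 203.0.113.50
Jan  5 10:00:04 dnsmasq[812]: query[AAAA] example.net from 198.51.100.7
Jan  5 10:00:05 dnsmasq[812]: query[PTR] 1.0.0.127.in-addr.arpa from 127.0.0.1
EOF
}

sample_log | unexpected_dns_clients
```

An empty result means every logged query came from the LAN, the tailnet or the Pi itself.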
POTENTIAL LIMITATIONS / WARNINGS
Security risk (major): Permit all origins can turn Pi-hole into an open resolver if reachable from the internet; Pi-hole explicitly warns against this unless properly protected. (docs.pi-hole.net)
Network differences: Router UIs vary widely; DNS setting location and DHCP reservation steps differ by ISP hardware.
Some ads won’t be blocked: DNS blocking won’t remove ads served from the same domain as content (common with YouTube and some in-app ads).
DNS rebinding / internal service quirks: Overriding DNS can interact with certain setups; Tailscale documents DNS rebinding considerations and workarounds. (Tailscale)
mDNS reliance: hostname.local may not resolve on all networks; keep the Pi’s IP handy.
Tailscale DNS + Override DNS servers guidance (official): (Tailscale)
If you want a hardened version of this setup, the next practical step is: keep Pi-hole listening more narrowly (when possible) and enforce access via Tailscale ACLs, so only your devices can query it.