The Tech Pulse

December 4, 2025 · 7 min read
Tags
  • Pi-Hole
  • Unbound
  • Quad9
  • Ad-Blocker
  • Ad-Blocking
  • Raspberrypi
  • Cloudflare

Stop the spying! Fix It with a Raspberry Pi + Pi-hole + Unbound (Complete Guide)

1. Summary

This tutorial demonstrates how to build a network-wide DNS filtering system using a Raspberry Pi 3 Model B (or newer) and Pi-hole, optionally enhanced with Unbound for fully local recursive DNS resolution.

Core Purpose

To:

  • Block ads, trackers, and telemetry across the entire home network.
  • Prevent DNS data exposure to ISPs or public DNS providers.
  • Avoid subscriptions or cloud DNS logging services.
  • Implement a self-hosted, privacy-focused DNS infrastructure.

Primary Technologies

  • Raspberry Pi
  • Raspberry Pi OS (64-bit)
  • Pi-hole
  • Unbound
  • Router DHCP configuration
  • SSH-based Linux administration

This guide provides a complete, reproducible deployment path from hardware flashing to recursive DNS resolution.


2. Detailed Step-by-Step Breakdown

Phase 0: Hardware Requirements

Required:

  • Raspberry Pi 3B or newer
  • 8GB+ microSD card
  • Ethernet cable (recommended over Wi-Fi)
  • Computer (Windows/macOS/Linux) for flashing
  • Admin access to router

Phase 1: Flash Raspberry Pi OS

1. Install Raspberry Pi Imager

Download from: raspberrypi.com

Install and launch.

2. Configure Image

Inside Imager:

  • Device → Select your Raspberry Pi model
  • OS → Select Raspberry Pi OS (64-bit)
  • Storage → Select microSD card

3. OS Customization Settings

Click Customize:

  • Hostname: pihole1
  • Timezone: your region
  • Keyboard layout
  • Username: e.g., netserve
  • Password: (record this)

Wi-Fi: Skip (using Ethernet)

Remote Access:

  • Enable SSH
  • Password authentication

Raspberry Pi Connect: Disable

Click Write → wait for write + verify (~10 minutes total)


Phase 2: First Boot + SSH Access

Insert SD card → Connect Ethernet → Power on.

Wait 2 minutes.

Find Pi’s IP Address

  • Check router client list

  • OR ping hostname:

    ping pihole1
    

Record IP (e.g., 192.168.1.50)


Phase 3: SSH Into Pi

On Windows:

Win + R
cmd

Connect:

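ssh <username>@<pi-ip-address>

Use the username set in the Imager and the IP recorded in Phase 2 (with the example values above: netserve and 192.168.1.50).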

Enter password.


Phase 4: Update System

Run:

sudo apt update
sudo apt upgrade -y

Phase 5: Set Static IP (CRITICAL)

Preferred Method: Router DHCP Reservation

  • Log into router
  • Locate DHCP settings
  • Convert Pi’s lease into reservation OR
  • Create new reservation mapping MAC → current IP

Why: If the Pi's IP changes, clients keep querying the old address and DNS fails.

Alternative: Edit /etc/dhcpcd.conf (not covered in tutorial)


Phase 6: Install Pi-hole

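Run the official installer. Piping it straight into bash executes the script unreviewed; to inspect it first, download it to a file, read it, then run that file.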

curl -sSL https://install.pi-hole.net | bash

Installer selections:

  • Static IP warning → Confirm

  • Upstream DNS → Select:

    • Quad9 (Filtered, DNSSEC) (recommended)
    • OR Google (if using Unbound later)
  • Blocklist → Enable Steven Black’s unified host list

  • Logging → No

  • Privacy mode → Level 0 (Show everything)


Set Admin Password

sudo pihole -a -p

On Pi-hole v6 and later the -a options were removed; use this instead:

sudo pihole setpassword

Set password manually.


Test DNS from Pi

dig @192.168.1.50 www.google.com

If successful → DNS operational.

Reboot:

sudo shutdown -r now

Phase 7: Configure Router to Use Pi-hole

In router settings:

  1. Go to LAN / DHCP settings
  2. Set Primary DNS → Pi-hole IP
  3. Leave Secondary DNS empty
  4. Save + Apply

⚠ Important: If secondary DNS is set, clients may bypass filtering.

Renew DHCP on one client or reboot device.


Verify from Client

nslookup amazon.com

Check Pi-hole web UI:

http://192.168.1.50/admin

Look at Query Log.

If queries appear → Filtering active network-wide.


Optional Phase 8: Install Unbound (Full Local Recursive DNS)

This removes dependency on third-party DNS providers.


Step 1: Install Unbound

sudo apt update
sudo apt install -y unbound

Step 2: Download Root Hints

sudo curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root

Step 3: Create Unbound Config

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Paste configuration from worksheet (standard Pi-hole recommended config).

Save:

CTRL + X, then Y, then Enter

Step 4: Enable + Start

sudo systemctl enable unbound
sudo systemctl restart unbound
sudo systemctl status unbound --no-pager

Step 5: Test Unbound

dig @127.0.0.1 -p 5335 cloudflare.com +dnssec +multi

Should resolve successfully.


Step 6: Point Pi-hole to Unbound

In Pi-hole Web UI:

Settings → DNS

  • Uncheck public upstream providers

  • Custom IPv4:

    127.0.0.1#5335

Save.


Test from Client

nslookup example.com

Verify in Query Log that upstream = 127.0.0.1
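
The worksheet that Step 3 refers to is not reproduced on this page. The script below is an added example, not the author's worksheet: it writes an Unbound configuration modelled on the one published in the Pi-hole documentation (loopback listener on port 5335, using the root hints from Step 2) and checks that the resolver is not exposed beyond loopback. The function names are hypothetical.

```sh
# Added example: write an Unbound config for use behind Pi-hole, then check it.
# Usage on the Pi (as root):
#   write_unbound_conf /etc/unbound/unbound.conf.d/pi-hole.conf
write_unbound_conf() {
    cat > "$1" <<'EOF'
server:
    verbosity: 0
    # Loopback only: Pi-hole forwards to 127.0.0.1#5335, nothing else may query
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Set to yes only if the Pi has working IPv6 connectivity
    do-ip6: no
    # Root hints file downloaded in Step 2
    root-hints: "/var/lib/unbound/root.hints"
    # Spoofing and DNSSEC-stripping hardening
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    # Avoid fragmented UDP replies
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    # Refuse answers that map public names to private ranges (DNS rebinding)
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
EOF
}

# Return 0 only if the file listens on loopback alone, on the port Pi-hole expects.
check_unbound_conf() {
    grep -Eq '^[[:space:]]*interface:[[:space:]]*127\.0\.0\.1$' "$1" || return 1
    grep -Eq '^[[:space:]]*port:[[:space:]]*5335$' "$1" || return 1
    # Any interface line other than loopback means the resolver is exposed.
    if grep -E '^[[:space:]]*interface:' "$1" | grep -Evq '127\.0\.0\.1|::1'; then
        return 1
    fi
    return 0
}
```

After writing the file on the Pi, running sudo unbound-checkconf validates the syntax before the restart in Step 4.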


3. Key Technical Details

Network Flow (Final Architecture)

Client → Router → Pi-hole → Unbound → Root Servers

Ports Used

  • Pi-hole DNS: 53
  • Unbound recursive listener: 5335
  • Admin UI: 80

Critical Files

  • /etc/unbound/unbound.conf.d/pi-hole.conf
  • /var/lib/unbound/root.hints

Critical Commands

  • sudo apt update
  • sudo apt upgrade -y
  • sudo pihole -a -p
  • sudo systemctl enable unbound
  • dig
  • nslookup

4. Pro Tips

  • Use wired Ethernet for reliability.

  • Never configure secondary DNS unless it’s a second Pi-hole.

  • Back up configuration regularly via:

    • Pi-hole → Teleporter → Export Settings
  • Run updates monthly:

    sudo apt update && sudo apt upgrade -y
    pihole -up
  • For redundancy:

    • Deploy a second Pi-hole.
    • Sync using Gravity Sync.
  • Monitor logs periodically for unusual DNS activity.


5. Potential Limitations / Warnings

1. Single Point of Failure

If Pi goes offline → no DNS resolution.

Solution: Deploy dual Pi-hole setup.


2. Router Behavior

Routers do NOT failover sequentially. They query all DNS servers simultaneously.


3. Encrypted DNS Bypass

Some devices use:

  • DoH (DNS over HTTPS)
  • DoT (DNS over TLS)

These can bypass Pi-hole.

Mitigation:

  • Block known DoH endpoints.
  • Use firewall rules.
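
One way to act on both the "monitor logs" tip and the DoH/DoT warning, as an added example that is not part of the original guide: many devices look up their encrypted-DNS resolver by name through Pi-hole before switching to it, so those lookups identify which clients are about to bypass filtering. The host list is a short illustrative sample, the log lines are constructed, and the function names are hypothetical; it assumes query logging is enabled and the log uses the dnsmasq line format.

```sh
# Added example: list clients that asked Pi-hole to resolve well-known
# DoH/DoT resolver hostnames. DOH_HOSTS is illustrative, not a full blocklist.
DOH_HOSTS="dns.google cloudflare-dns.com mozilla.cloudflare-dns.com dns.quad9.net"

# Prints "<client> <hostname> <count>" for each matching pair, sorted.
doh_lookups() {
    awk -v hosts="$DOH_HOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        # dnsmasq query line: "... dnsmasq[pid]: query[A] <name> from <client>"
        {
            for (i = 1; i <= NF - 3; i++) {
                if ($i ~ /^query\[/ && $(i + 2) == "from") {
                    name = tolower($(i + 1)); client = $(i + 3)
                    if (name in want) seen[client " " name]++
                }
            }
        }
        END { for (k in seen) print k, seen[k] }
    ' "$1" | sort
}

# Constructed sample in Pi-hole/dnsmasq log format (not real traffic).
sample_log() {
    cat <<'EOF'
Dec  4 10:15:01 dnsmasq[812]: query[A] example.com from 192.168.1.23
Dec  4 10:15:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5335
Dec  4 10:15:02 dnsmasq[812]: query[A] dns.google from 192.168.1.77
Dec  4 10:15:03 dnsmasq[812]: query[AAAA] dns.google from 192.168.1.77
Dec  4 10:15:09 dnsmasq[812]: query[A] Cloudflare-DNS.com from 192.168.1.23
Dec  4 10:15:10 dnsmasq[812]: reply dns.google is 8.8.8.8
EOF
}
```

Run doh_lookups against the Pi-hole query log on the Pi; the clients it lists are the ones to cover with blocklist entries or firewall rules.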

4. Maintenance Required

  • Update OS
  • Update Pi-hole
  • Refresh root hints

5. IoT Hardcoded DNS

Some IoT devices hardcode DNS servers. You may need firewall redirection rules.
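
A sketch of such redirection rules, as an added example that is not from the original guide: it assumes a Linux-based router running nftables, and the function name, table name and interface name are hypothetical. The function prints a ruleset that rewrites plain DNS from LAN clients to Pi-hole, masquerades the redirected traffic so replies return through the router, and rejects DoT on TCP 853.

```sh
# Added example: print an nftables ruleset that forces LAN DNS through Pi-hole.
# Arguments: <pihole-ipv4> <lan-interface>, e.g. 192.168.1.50 br-lan
dns_redirect_rules() {
    pihole_ip="$1"
    lan_if="$2"
    # Refuse anything that is not a plain IPv4 literal / interface name.
    case "$pihole_ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$lan_if" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    cat <<EOF
table ip dns_enforce {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS aimed anywhere but Pi-hole is rewritten to Pi-hole.
        iifname "$lan_if" ip saddr != $pihole_ip ip daddr != $pihole_ip udp dport 53 dnat to $pihole_ip
        iifname "$lan_if" ip saddr != $pihole_ip ip daddr != $pihole_ip tcp dport 53 dnat to $pihole_ip
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin: replies must come back via the router or clients drop them.
        oifname "$lan_if" ip daddr $pihole_ip udp dport 53 masquerade
        oifname "$lan_if" ip daddr $pihole_ip tcp dport 53 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DoT uses TCP 853; refuse it for everything except Pi-hole itself.
        iifname "$lan_if" ip saddr != $pihole_ip tcp dport 853 reject
    }
}
EOF
}
```

Redirected queries appear in the Pi-hole Query Log under the router's address rather than the device's. DoH rides on TCP 443 and is not caught by these rules, so it still needs the endpoint blocking listed above.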


6. Recommended Follow-Up Resources

  • Official Pi-hole Documentation
  • Official Unbound Documentation
  • Router manufacturer admin guides
  • Gravity Sync GitHub repository
  • DNSSEC technical references (IETF)

7. Suggested Books (5)

1. DNS and BIND — Cricket Liu & Paul Albitz

A deep technical reference for DNS architecture, recursive resolution, caching behavior, and DNSSEC. Essential for understanding what Unbound is doing under the hood and how DNS resolution chains function.

2. How Linux Works (3rd Edition) — Brian Ward

Provides a strong foundation in Linux process management, networking, systemd services, and configuration files—critical for managing Raspberry Pi OS, SSH, and system services like Unbound.

3. Linux Command Line and Shell Scripting Bible — Richard Blum & Christine Bresnahan

Covers command-line operations, package management, service control, networking tools (dig, nslookup), and automation—directly relevant to maintaining Pi-hole infrastructure.

4. Practical Packet Analysis — Chris Sanders

Teaches how DNS traffic flows across networks and how to analyze it with tools like Wireshark. Extremely useful for debugging DNS failures or verifying Pi-hole filtering behavior.

5. The Practice of System and Network Administration — Thomas A. Limoncelli et al.

Explains reliability, redundancy, backups, monitoring, and high-availability patterns—valuable when expanding to dual Pi-hole deployments and production-style network services.


You now have a fully self-hosted DNS filtering and recursive resolution system. This is not just ad blocking — it’s a foundational network service deployment.
