Pi-hole was created in 2014 by Jacob Salmela and a handful of contributors as a Raspberry Pi side project that intercepted DNS queries and refused to resolve ad domains. Twelve years and several million installations later, it remains the most widely used self-hosted ad blocker, runs on hardware that costs less than 50 USD, and produces meaningful, measurable reductions in ad traffic and analytics calls across every device on a home network. The 2026 version is a polished, mature piece of software with a clean web dashboard, strong API support, and a sensible default configuration. Setting one up takes about 30 minutes, and once it is running it tends to keep running for years. This guide walks through hardware choice, setup, the configuration habits that prevent the common failure modes, and what daily and monthly maintenance look like.
What Pi-hole actually does
Every time a device on your network wants to load a webpage, watch a video, or open an app, it first asks a DNS server for the IP address of each domain it needs. A typical news article triggers DNS lookups for 30 to 100 domains: the main site, three or four ad networks, half a dozen analytics services, social-media widgets, video players, font CDNs, and so on.
Pi-hole sits between the devices and the upstream DNS server. When a device asks for the IP of doubleclick.net, googleanalytics.com, or any of the roughly 100,000 to 1 million domains on the active blocklists, Pi-hole returns no address. The device cannot connect, the ad never loads, and the bandwidth is saved.
The blocking is invisible to the user. Pages just load faster and with less clutter. Trackers do not get to record visits. Smart TVs and IoT devices that phone home to analytics endpoints simply cannot reach them.
Hardware: pick something that runs unattended
The single rule for Pi-hole hardware is that it must run reliably and 24/7. The whole network depends on it: if Pi-hole goes down, DNS goes down, and the entire house notices within seconds.
Practical options in 2026, ranked by typical pick:
| Hardware | Price | Strengths | Weaknesses |
|---|---|---|---|
| Raspberry Pi 4 (2 GB) + SSD case | $70-90 | Cheap, low power, plenty fast | Needs SSD adapter for reliability |
| Raspberry Pi 5 (4 GB) | $80-100 | Faster, native PCIe SSD support | Slightly higher idle power |
| Mini PC (Beelink, Minisforum, GMKtec) | $150-250 | Fast, runs other services too | Higher power draw (8-15W) |
| Docker container on existing NAS | $0 (existing hardware) | No new device, easy backup | Tied to NAS lifecycle |
| Proxmox LXC container | $0 (existing hardware) | Lightweight, snapshottable | Requires Proxmox host |
The most common 2026 setup is a Raspberry Pi 5 with a USB SSD case or a small fanless mini PC. SD cards on a Pi can work but they tend to wear out within 12 to 36 months under Pi-hole’s continuous query logging, which is the single most common cause of a dead Pi-hole.
The 30-minute install
The setup process for a Raspberry Pi:
- Flash Raspberry Pi OS Lite (64-bit) to an SSD using Raspberry Pi Imager
- In the imager’s advanced settings, pre-configure the hostname, SSH key, and WiFi (or plan to use Ethernet)
- Boot the Pi, SSH in
- Set a static IP on the Pi (essential, the router needs a known address to point DNS at)
- Run the Pi-hole install:
curl -sSL https://install.pi-hole.net | bash - Accept defaults except for the upstream DNS provider (Cloudflare 1.1.1.1 and Quad9 are reasonable picks)
- Note the admin password it prints at the end
- Open the web UI at http://pi-hole.local/admin
Then point the router at the Pi:
- Log into the router admin
- Find DNS settings (usually under WAN or LAN)
- Set primary DNS to the Pi’s static IP, leave secondary blank or set to another Pi-hole if you have a backup
- Save and renew DHCP leases
After 5 to 10 minutes, every device on the network will pick up the new DNS server. The web dashboard immediately starts showing queries and blocks.
Blocklist choices that matter
Pi-hole ships with one default blocklist that is decent but not aggressive. The standard upgrade path in 2026 is to add the OISD (https://oisd.nl) full list, which is curated, well-maintained, and avoids the common breakage that overly aggressive lists cause.
A reasonable starting set:
- Pi-hole default (Steven Black hosts file)
- OISD Full
- HaGeZi Pro mini (smaller, focused on the worst offenders)
Avoid stacking five or six lists. More lists do not block more ads; they mostly add overlap and make troubleshooting harder. Three carefully chosen lists cover 99 percent of what any home network needs.
The DoH problem and how to handle it
The single most common reason Pi-hole appears to not work in 2026 is DNS-over-HTTPS bypassing it. Firefox, Chrome, and Edge all default to DoH, which routes DNS queries directly to Cloudflare or another provider, ignoring whatever the router says.
Fixes:
- Disable DoH in each browser (Settings, search for “DNS over HTTPS”)
- Add the DoH blocklist on the Pi-hole side (OISD includes most known DoH endpoints, blocking them forces browsers to fall back to the system resolver)
- Some routers (OpenWrt, OPNsense, Unifi) can block known DoH server IPs at the firewall
After this fix, browser queries flow through Pi-hole again, and the block rate visibly jumps.
Maintenance: less than you think
After the first week of tuning, Pi-hole maintenance is light.
Weekly: glance at the dashboard for unusual query counts. A device that suddenly makes 100,000 queries an hour is broken or compromised.
Monthly: check for Pi-hole updates (pihole -up). Updates are usually small and safe.
Quarterly: review the allowlist for anything no longer needed. Review the top blocked domains for surprises.
Annually: back up the configuration through the web UI. If using an SD card on a Pi, plan to replace it every 24 to 36 months.
The most common failure modes are an SD card wearing out, a power outage corrupting the file system on a Pi, and DNS update propagation issues. All three are mitigated by running Pi-hole on a fanless mini PC with an SSD, putting the device on a small UPS, and configuring a secondary DNS server (a second Pi-hole or a public resolver like 1.1.1.1) so the network stays usable while Pi-hole is being fixed.
What this pairs with
Pi-hole gets most of its value when every device on the network is forced through it. That includes IoT devices, which is much easier with a properly segmented network. See our home network segmentation guide. For a broader view of DNS-level blocking options beyond Pi-hole, the DNS-level ad blockers overview compares Pi-hole, AdGuard Home, and NextDNS side by side.
Pi-hole is one of the rare pieces of software that genuinely does what it promises, costs nothing once the hardware is bought, and improves with age as community blocklists get smarter. It is not the right answer for every household, but for anyone willing to spend a Saturday morning setting it up, it is the highest-leverage privacy and ad-suppression change available in 2026.
Frequently asked questions
What hardware do I need to run Pi-hole?+
A Raspberry Pi 4 with 2 GB of RAM is the canonical answer at around 50 USD. Anything that runs Linux works: an old laptop, a mini PC, a Synology NAS via Docker, a Proxmox container on existing hardware. Pi-hole is light enough to run on hardware that would be discarded otherwise. For 24/7 reliability, prefer a device with no moving parts (fanless mini PC or Pi) and an SSD or eMMC rather than an SD card, since SD cards wear out faster under continuous logging.
Will Pi-hole break my smart home or streaming devices?+
Occasionally, yes. Some smart TVs, Roku and Fire TV devices, and a handful of streaming apps depend on tracking and analytics domains for normal function. Disney+ has historically been sensitive to ad blocking, as has Hulu's ad-supported tier. The fix is allowlisting specific domains as they come up. Plan on spending an hour over the first week tuning the allowlist, then maybe 5 minutes a month after that. Pi-hole logs every blocked query, so finding the culprit is usually obvious.
How is Pi-hole different from a browser ad blocker?+
A browser ad blocker (uBlock Origin, AdGuard) works only inside the browser, and it can block both ad domains and ad elements within the page. Pi-hole works at the network level, blocking ad and tracker domains for every device on the network, including phones, smart TVs, game consoles, and IoT gear that has no extension support. The two are complementary. Pi-hole stops the ad request before it leaves the network. uBlock cleans up anything Pi-hole could not block (mostly first-party ads on the same domain as content).
Why is Pi-hole not blocking anything for me?+
The most common reason in 2026 is DNS-over-HTTPS (DoH) in the browser. Modern Firefox, Chrome, and Edge default to DoH, which sends DNS queries directly to Cloudflare or another resolver, bypassing Pi-hole entirely. The fix is to disable DoH in each browser, or to block known DoH endpoints at the router. Pi-hole also has to be set as the DNS server in the router (not on individual devices), or devices that join the network will still use the ISP's DNS. Double-check both.
Is Pi-hole still worth it compared to NextDNS or AdGuard Home?+
Yes, if you want full local control and no third party seeing your DNS queries. NextDNS is easier (no hardware) and offers mobile coverage for free, which Pi-hole does not natively. AdGuard Home is similar in capability to Pi-hole with a more modern UI. Pick Pi-hole if you value the open-source community, the long stability track record, and complete privacy. Pick NextDNS if you want zero maintenance. Pick AdGuard Home if you want Pi-hole-equivalent power with a cleaner interface.
Jamie Rodriguez
Jamie Rodriguez writes for The Tested Hub.