PI-HOLE & ADGUARD HOME
TOTAL TIME: 45-90 MINUTES
Incl. hardware setup, Docker install and configuration. Fun project!
🎯 LEARNING OBJECTIVES:
- ✓ Difference between DNS filters, browser adblockers and network adblockers
- ✓ Pi-hole vs AdGuard Home — which tool for which use case
- ✓ Setup on a Raspberry Pi (standalone) or as a Docker container
- ✓ Choose your own upstream DNS (Cloudflare, Quad9, Mullvad, etc.)
- ✓ Centrally filter ads for devices on the home network
INTRODUCTION
Pi-hole and AdGuard Home are DNS sinkholes: they act as the DNS server for your home network and block requests to known ad/tracker domains before the connection is even established. That means:
📵 FEWER ADS
On ALL devices — smart TVs, phones, IoT devices that don't have an adblocker
🔒 LESS TRACKING
Tracker domains are never resolved → less data to Google/Facebook/marketing
⚡ FASTER
DNS cache speeds up browsing. Blocked domains are never loaded in the first place
Pi-hole vs. AdGuard Home
| Feature | Pi-hole | AdGuard Home |
|---|---|---|
| Web interface | Plain, functional | Modern, with statistics |
| Native DoH/DoT | Via separate config | ✅ Built in |
| Per-client rules | Yes, via Groups | Yes, more convenient |
| Docker setup | Yes, official | Yes, very easy |
| Default blocklists | ~150k domains | ~200k domains + auto-updates |
| Philosophy | Unix tool, time-tested | All-in-one DNS proxy |
Recommendation: For beginners → AdGuard Home (GUI, DoH built in). For tinkerers → Pi-hole (a bit more configuration, more control).
PREREQUISITES
🖥️ HARDWARE (options):
- Raspberry Pi 3/4/5 (~€40-80) — recommended, low power consumption
- Old mini PC — often free, x86 architecture
- Docker on NAS/server — Synology, Unraid, etc.
- VPS — possible, but not recommended (privacy, latency)
📋 BEFORE:
- Static IP on the home network (for the DNS server itself)
- Admin access to your router (for DNS change)
- Basic Linux knowledge — terminal usage
- Optional: Second device for testing (turn off Pi-hole and check)
SETUP VARIANTS
We show Docker Compose (universal, runs on Pi, NAS, mini PC) and native Pi-hole (Raspberry Pi OS only).
🐳 DOCKER (RECOMMENDED)
- ✅ Runs on any Linux distribution
- ✅ Updates via docker pull
- ✅ Easy backups (just docker-compose.yml)
- ✅ Unraid/NAS/Synology suitable
🥧 PI-HOLE NATIVE
- ✅ One installation per Pi (directly on OS)
- ❌ Raspberry Pi only
- ❌ Updates via pihole -up
- ❌ More complicated to back up
VARIANT A: ADGUARD HOME (DOCKER)
1. Prepare Docker Compose
Create a folder and create docker-compose.yml:
nano docker-compose.yml
2. Compose file
services:
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000/tcp" # Web UI initial setup
      - "80:80/tcp" # Web UI after the initial setup
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
    environment:
      - TZ=Europe/Berlin
Port 3000 is only needed for the initial setup. Afterwards the UI port changes automatically to 80/443, or you use a reverse proxy.
3. Start + init
Open in the browser: http://<your-pi-ip>:3000
- First setup: create admin user, choose listener interface (0.0.0.0)
- Upstream DNS: more on that in a moment (step 5)
- After setup: comment out port 3000 in compose file and restart container
✓ Success check: Web interface reachable on port 3000 (setup) or 80 (after setup), dashboard shows green "Running".
VARIANT B: PI-HOLE (DOCKER)
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp" # Web UI on 8080 (80 is often taken)
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'd-sicheres-passwort' # placeholder: replace with your own strong password
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
Start:
Web interface: http://<pi-ip>:8080/admin — login with the WEBPASSWORD.
VARIANT C: PI-HOLE DIRECTLY ON RASPBERRY PI OS
If you have just freshly installed Raspberry Pi OS (Lite), it also works without Docker:
# One-click installer:
curl -sSL https://install.pi-hole.net | bash
The installer asks interactively for upstream DNS, listen interface, web server, etc. The defaults are sensible. Note down the password that is shown at the end!
Updates later:
STEP 5: CHOOSE UPSTREAM DNS
Your Pi-hole/AdGuard itself queries other DNS servers for the IPs. The choice affects privacy and performance.
Cloudflare 1.1.1.1
Fast, no logging (24h), malware filter optional via 1.1.1.2
Quad9 9.9.9.9
Malware blocklist integrated, Swiss foundation, very privacy-friendly
Mullvad DNS
No logs, ad-free, top recommendation
NextDNS
Config via web, analytics, free up to 300k queries/month
Configuration: encrypted DoH/DoT
Plain DNS (port 53) is unencrypted — ISP can read along. DoH/DoT is mandatory.
AdGuard Home (built in):
# Quad9 DoT:
tls://dns.quad9.net
# Cloudflare DoH:
https://cloudflare-dns.com/dns-query
# Mullvad DoH:
https://adblock.doh.mullvad.net/dns-query
Pi-hole (manually):
PIHOLE_DNS_1=9.9.9.9#dns.quad9.net
PIHOLE_DNS_2=149.112.112.112#dns.quad9.net
# format: IP#hostname for DoT
STEP 6: CONFIGURE ROUTER
So that ALL devices on the network are filtered, tell the router: "DNS server is now the IP of the Pi-hole".
- Browser → 192.168.0.1 / 192.168.1.1 (your router)
- Login with admin credentials
- Search for "DHCP" / "LAN" / "DNS" Settings
- Enter the IP of your Pi-hole/AdGuard Home as primary DNS
- Secondary DNS: empty or also Pi-hole (for redundancy)
- Save + restart router
⚠️ IMPORTANT: FALLBACK PLAN
If you enter the Pi-hole as the only DNS and it fails → no more internet for all devices.
Solution: enter e.g. 1.1.1.1 as secondary DNS. The network then falls back to Cloudflare when Pi-hole is down (though without ad blocking).
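To confirm that a resolver really sinkholes a listed name after the router change (and to see what a client gets from the secondary DNS), the reply can be classified on the wire. This is an added example, not code from the original page or from either project; it assumes blocked names are answered with 0.0.0.0/:: or NXDOMAIN (the blocking mode is configurable in both tools), the function names are illustrative, and `fake_reply` builds constructed replies for offline use.

```python
import ipaddress
import socket
import struct

def build_query(name, qid=0x1234):
    """RFC 1035 wire-format query: one A question, recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", 1, 1)

def skip_name(msg, off):
    """Offset just past a name (labels, optionally ending in a pointer)."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def classify(msg):
    """'blocked' = NXDOMAIN or only 0.0.0.0/:: answers; else 'resolved'/'empty'."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">6H", msg[:12])
    if flags & 0x000F == 3:                    # RCODE 3 = NXDOMAIN
        return "blocked"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):                   # A or AAAA record
            addrs.append(ipaddress.ip_address(msg[off:off + rdlen]))
        off += rdlen
    if not addrs:
        return "empty"
    return "blocked" if all(a.is_unspecified for a in addrs) else "resolved"

def ask(server, name, timeout=2.0):
    """Send the query over UDP/53 to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(4096))

def fake_reply(query, rdata=b"", rcode=0):
    """Constructed reply for offline use: echoes the question, one A answer."""
    head = query[:2] + struct.pack(">5H", 0x8180 | rcode, 1, 1 if rdata else 0, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, len(rdata)) + rdata
    return head + query[12:] + (answer if rdata else b"")
```

On the home network, `ask("<pi-hole-ip>", name)` with a name from one of your blocklists should return "blocked", while the same call against the secondary DNS returns "resolved".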
Pro tip: Pi-hole directly in the DHCP server
Even cleaner: run Pi-hole/AdGuard itself as the DHCP server (disable the router's DHCP). New devices are then assigned the Pi-hole as DNS directly, and devices that try to override DNS manually are also visible in the dashboard.
STEP 7: EXTEND BLOCKLISTS
The default lists block ~150-200k domains. With additional lists you reach 500k+:
Pi-hole blocklists
Via web UI: Group Management → Adlists → Add
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://adaway.org/hosts.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://raw.githubusercontent.com/HenryZZ0/WindowsSpyBlocker/master/hosts
https://raw.githubusercontent.com/maravento/blackweb/master/blackweb.txt
AdGuard Home filters
Under Filters → DNS Blocklists → Add Blocklist:
https://adaway.org/hosts.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt
⚠️ DON'T OVERDO IT
More lists = more false positives. Some legitimate sites get blocked by mistake. Start with 3-5 lists, test for 1 week, then add another one if needed. More than 10 lists is usually counterproductive.
Whitelist for false positives
Site blocked that you need? Find the domain in the query log, then add it to the whitelist. Pi-hole: Settings → Whitelist. AdGuard: Filters → Custom Filter Rules → @@||example.com^.
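How a sinkhole decides on a query name, given the two list formats used above (hosts files and adblock-style `||domain^` / `@@||domain^` rules). This is an added example, not code from Pi-hole or AdGuard Home; the sample lists are constructed, the function names are illustrative, and matching is simplified to exact hosts entries, suffix-matching block rules and exceptions that take precedence.

```python
import re

# Constructed sample lists in the two formats the page mentions.
HOSTS_LIST = """\
# hosts-format list (constructed sample)
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # inline comment
0.0.0.0 localhost
"""
ADBLOCK_RULES = """\
! adblock-style rules (constructed sample)
||metrics.example.com^
@@||pay.metrics.example.com^
"""

def parse_lists(hosts_text, rules_text):
    """Return (exact, block, allow) sets of lowercase domains."""
    exact, block, allow = set(), set(), set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # hosts format: "<sink IP> <domain>"; names without a dot are skipped
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            exact.update(d.lower() for d in fields[1:] if "." in d)
    for line in rules_text.splitlines():
        m = re.fullmatch(r"(@@)?\|\|([a-z0-9.-]+)\^", line.strip().lower())
        if m:
            (allow if m.group(1) else block).add(m.group(2))
    return exact, block, allow

def suffixes(name):
    """'a.b.example.com' -> the name itself plus every parent domain."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(name, exact, block, allow):
    """Exceptions win; ||rules cover subdomains; hosts entries match exactly."""
    parents = suffixes(name)
    if any(p in allow for p in parents):
        return "allow"
    if parents[0] in exact or any(p in block for p in parents):
        return "block"
    return "allow"

LISTS = parse_lists(HOSTS_LIST, ADBLOCK_RULES)
```

The decision is made per query name only, which is why a whitelist entry can rescue one subdomain of a blocked domain, and why content served from a single shared hostname cannot be split into ads and non-ads at the DNS level.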
PRO TIPS
📊 Per-client rules
The smart TV should have NO filter (some TV apps need tracking servers), but the kids' tablet should be filtered STRICTLY? Pi-hole Groups / AdGuard client settings.
Pi-hole: Group Management → Groups → Add Group → assign clients → set blocklists per group.
📅 Regular updates
Blocklists age quickly. Auto-update:
0 4 * * 0 /usr/local/bin/pihole -g
# AdGuard Home: auto-update is built in (Filter → Auto-update)
📱 On the go: DNS-over-HTTPS in browser
In a café / hotel WiFi Pi-hole is useless (different network). Configure DoH directly in the browser:
- Firefox: Settings → Network → Enable DoH → "Custom" → URL from Mullvad/Cloudflare
- Chrome: Settings → Privacy → Security → "Use secure DNS"
- Android 9+: Settings → Network → Private DNS → dns.adguard-dns.com
🔍 Conditional forwarding for local devices
Your NAS is called nas.local: Pi-hole doesn't know it and would show errors. Solution: conditional forwarding, which forwards local domains to the router's DNS.
Pi-hole: Settings → DNS → "Conditional Forwarding" → 192.168.0.0/24 local.
📈 Monitoring with Grafana
Pi-hole/AdGuard have built-in stats. If you want more: pihole-exporter or adguard-exporter as a Docker container, data in Prometheus, dashboard in Grafana. Overkill for most, but nice to have.
FAQ / COMMON QUESTIONS
❌ A site is blocked that I need
Find the domain in the query log (web UI), then whitelist it. In AdGuard: @@||example.com^ as a custom filter rule. In Pi-hole: Whitelist. Don't forget to clear the browser cache.
❌ YouTube ads are not blocked
YouTube serves ads from the same domain as videos (youtube.com). DNS blockers can't separate that. This is a technical limitation, not a bug. Solution: uBlock Origin in the browser (in addition to Pi-hole).
❌ Apps on the phone no longer work (e.g. banking)
Some apps rely on certain tracker servers (e.g. for analytics). Solution: per-client rules, with the banking app/IP on the whitelist. Alternatively: use DoH/DoT in the phone browser and leave apps unfiltered.
❌ DNS slow since Pi-hole active
Three causes: (1) Upstream DNS geographically far away: test Quad9/Mullvad instead of Google. (2) Pi too weak: a Pi 3 with 100+ devices gets tight, Pi 4 minimum. (3) Recursive DNS instead of forwarding: AdGuard can resolve that locally, which is faster, but has edge cases.
❌ Pi-hole completely off, no internet — what now?
Router config: enter secondary DNS (e.g. 1.1.1.1). Or via SSH to the Pi: pihole disable 5m (disables for 5 min) or pihole enable again. AdGuard: docker restart adguardhome.
❌ Is Pi-hole worth it if I already use uBlock Origin?
Definitely yes. uBlock Origin filters in the browser, Pi-hole filters at the network level. Advantages of Pi-hole: it also protects devices without a browser (smart TVs, IoT, phones), apps can load ads "after the fact", central management for all devices. Both together = max.
❌ NEED HELP?
Both communities are extremely helpful.