In the previous post in this guide I covered how to make a router and filtering DNS server. In this second post I’ll cover updating, preventing DNS over HTTPS, extra filter lists and forcing all DNS traffic through your filter (even from devices such as Kindles and Chromecasts that ignore the DNS server handed out by DHCP).
I wrote this guide for Pi-hole v4, however Pi-hole v5 is now out, including per-client filtering. To update:
- Take a backup
- SSH into the Pi
Secure DNS is great for your external internet connection (more on this later), however it causes issues if you want to run your own DNS server. You may need to disable web browser direct DNS over HTTPS (DoH).
For Firefox this is done automatically for all devices in Pi-hole v4.4+. You can also disable this in individual browsers in network settings (at the bottom of the general section in preferences).
If you really need to use Chrome, you should disable the async DNS resolver experiment. But maybe this is a good time to try Firefox (again), it’s fast and the screenshot functionality (Ctrl + Shift + s) is pretty cool.
If you are using Android 9 (Pie) or later then you may want to disable Private DNS (bottom of Network & Internet in Settings). However, unfortunately you can’t turn this off just for WiFi (or just for certain networks) on an unmodified vendor install.
You will likely want to tweak your block-lists or individual domains.
You can add extra block lists (Settings > Blocklists) e.g.
hosts.oisd.nl, or disable ones that are not available over HTTPS.
The lists are automatically downloaded and updated once a week, early on Sunday morning.
A domain you may wish to add to the Blacklist is
This blocks the breaking news popup on the BBC News website (for all browsers on your network).
You may also want to block certain sites to
The benefit of the Pi-hole being set up as a router is that you can force all DNS requests through your local resolver, even if devices think they are talking to an external DNS server. For example, you can block ads when watching catch-up TV on a Google Chromecast.
To do this we need to add two more iptables NAT rules (one for UDP and one for TCP). They transparently redirect any traffic destined for a DNS server (port 53) to the local resolver.
sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
sudo iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT
Check that you can see new devices in your Pi-hole admin console Network overview and that your internet connection is still working fine, then save the rules so that they survive a reboot.
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
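The same redirect, written as a small re-runnable script rather than two one-off commands. This is an added example and not code from the original post; it assumes you pass the name of your LAN-facing interface (eth1 and wlan0 below are placeholders, not values from the guide) and that Pi-hole listens on its default port 53. Restricting the rules to that interface with -i is a caveat the bare commands above omit: without it the PREROUTING rule also matches DNS packets arriving on the WAN side of the router.

```shell
#!/bin/sh
# Added example; not code from the original post. The interface name
# passed as $1 (e.g. eth1 or wlan0) is an assumption: use whichever
# interface faces your LAN. Port 53 is Pi-hole's default listening port.

# Print the nat PREROUTING rule bodies (UDP and TCP) that catch every
# DNS query arriving from the LAN interface and hand it to the local
# resolver on port 53, whatever server the client addressed it to.
# Binding to -i keeps the rule off the WAN side, so packets arriving
# from the internet are never redirected into Pi-hole.
dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports 53\n' "$1" "$proto"
    done
}

# Load the rules, skipping any that already exist (-C checks, -A appends),
# so this is safe to re-run from a boot script without creating duplicates.
apply_dns_redirect() {
    dns_redirect_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        if ! iptables -t nat -C $rule 2>/dev/null; then
            iptables -t nat -A $rule
        fi
    done
}

# Persist the current ruleset to the file the guide restores at boot.
save_rules() {
    iptables-save > /etc/iptables.ipv4.nat
}

# Run only when invoked directly with an interface argument, e.g.:
#   sudo sh dns-redirect.sh eth1
if [ -n "$1" ]; then
    apply_dns_redirect "$1" && save_rules
fi
```

REDIRECT sends the packet to the primary address of the interface it arrived on, so Pi-hole must be listening on that interface's address. After running it, the Pi-hole query log should show queries from devices that were previously invisible (a Chromecast hard-wired to a public resolver, for instance). Note what this does not catch: DNS over HTTPS (port 443) and DNS over TLS (port 853) look like ordinary web traffic to this rule, which is why the browser and Android settings earlier in the post still matter.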
In future posts I’ll cover improving the security and privacy of connections leaving your network.