DNS sinkhole with Pi-hole
Pi-hole is a DNS-based ad blocker that works at the network level, so it blocks ads for every device connected to your network.

Ad blockers in the browser solve part of the problem, but they miss the bigger picture. TVs, game consoles, IoT devices, and even mobile apps still phone home to ad and tracking domains. That’s why running an ad blocker at the network layer is a game-changer. Pi-hole does exactly that by acting as a DNS sinkhole: it intercepts DNS queries, matches them against blocklists, and returns 0.0.0.0 for anything you don’t want reaching your devices.
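The sinkhole decision described above, as an added example (not Pi-hole's code or the author's): it parses a DNS query, checks the name against a blocklist, and builds the 0.0.0.0 answer. It goes slightly beyond the text by also answering AAAA queries with `::`; the sample domains, the subdomain matching and the 2-second TTL are assumptions of the example.

```python
import struct

# Constructed sample blocklist; real lists come from Pi-hole's configured sources.
BLOCKLIST = {"ads.example.com", "tracker.example.net"}
A, AAAA = 1, 28

def build_query(name, qtype=A, txid=0x1234):
    """Constructed sample input: a minimal recursive DNS query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(query):
    """Return (qname, qtype, end_offset) of the first question in a query."""
    pos, labels = 12, []  # the question section follows the 12-byte header
    while query[pos] != 0:
        length = query[pos]
        if length & 0xC0:  # a compression pointer is not expected in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def is_blocked(qname):
    """Example policy (an assumption): a listed domain also blocks its subdomains."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def sinkhole_response(query):
    """Return a null-address answer for a blocked A/AAAA query, else None."""
    qname, qtype, end = parse_question(query)
    if qtype not in (A, AAAA) or not is_blocked(qname):
        return None  # not sinkholed: a resolver would forward this upstream
    rdata = bytes(4) if qtype == A else bytes(16)  # 0.0.0.0 or ::
    flags = 0x8080 | ((query[2] & 0x01) << 8)  # QR=1, RA=1, NOERROR, RD copied
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    # Answer RR: pointer to the name at offset 12, type, class IN, TTL 2 s, rdata
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 2, len(rdata)) + rdata
    return header + query[12:end] + answer

if __name__ == "__main__":
    for name in ("cdn.ads.example.com", "example.org"):
        reply = sinkhole_response(build_query(name))
        print(name, "->", "0.0.0.0" if reply else "forwarded upstream")
```

The client sees a normal NOERROR reply, so its connection attempt goes to a null address and never leaves the device.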
In my setup, I run Pi-hole as the authoritative DNS for my VLANs:
- Work VLAN → points to Pi-hole directly.
- IoT VLAN → blocked from LAN, but still forced through Pi-hole for DNS resolution.
- Guest VLAN → also forced through Pi-hole to avoid freeloaders spamming the upstream DNS.
This way, even devices I don’t control (like TVs or guests’ phones) benefit from ad blocking.
The second piece of the puzzle is WireGuard. Instead of relying on browser VPN extensions, I wanted a way to route all my mobile traffic through my home network, where Pi-hole is already filtering. WireGuard is fast, secure, and doesn’t drain the battery like older VPNs (OpenVPN, IPsec).
Here’s a minimal WireGuard config for the client side:

```ini
[Interface]
Address = 10.10.10.2/24
PrivateKey = (client private key)
# Resolve through the tunnel, so DNS queries hit Pi-hole
DNS = 10.10.10.1

[Peer]
PublicKey = (server public key)
# Full tunnel: route all IPv4 and IPv6 traffic through home
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <home-public-ip>:51820
PersistentKeepalive = 25
```
And the server (wg0.conf):

```ini
[Interface]
Address = 10.10.10.1/24
PrivateKey = (server private key)
ListenPort = 51820

[Peer]
PublicKey = (client public key)
# Only this one tunnel address is accepted from the client
AllowedIPs = 10.10.10.2/32
```
When I’m on public Wi-Fi, I just toggle WireGuard on my phone. Traffic is tunneled back home, DNS queries hit Pi-hole, and ads disappear everywhere. The browsing experience is faster, and I get a layer of encryption over networks I don’t trust.

Trade-offs and tips
- Pi-hole is only as good as its blocklists. Keep them updated, and consider adding your own domains for noisy IoT gear.
- WireGuard is simple to configure, but remember to rotate keys if you rebuild your server.
- Decide between full-tunnel (route everything through home) vs split-tunnel (only DNS + select routes). Full tunnel gives more privacy; split tunnel saves bandwidth.
Together, Pi-hole and WireGuard make the network feel “clean.” Ads are gone not just on the browser, but across every device you own — and you can take that same privacy with you wherever you go.