🎯 What We'll Build
This guide shows you how to set up Pi-hole and Unbound to stop ISP snooping and monitoring of your web browsing habits while protecting your network from malware, phishing, and other digital threats.
🛡️ Why DNS Filtering Matters
Every time you visit a website, your device performs a DNS (Domain Name System) lookup to convert human-readable domain names (like "ukpoliticsdecoded.uk") into IP addresses. By default, these requests go to your ISP's DNS servers, giving them a complete log of your browsing activity.
The Privacy & Security Problem
- ISP Surveillance: Your internet provider logs every website you visit
- Government Monitoring: ISPs are required to retain browsing data for law enforcement
- Data Monetization: Your browsing habits are sold to advertisers and data brokers
- Malware Delivery: Malicious domains can infect your devices with ransomware and spyware
- Phishing Attacks: Fake websites steal login credentials and financial information
- Ad Tracking: Invasive advertising networks profile your behavior across sites
The Self-Hosted Solution
"When you control your own DNS infrastructure, you control your digital privacy. No ISP logging, no corporate surveillance, and proactive protection against digital threats."
Digital Privacy Fundamentals
🕵️ The ISP Surveillance Problem
What ISPs Know About You
- Every website you visit (complete browsing history)
- When you visit sites (detailed timing patterns)
- How often you visit specific domains
- Your interests based on site categories
- Your sleep patterns and daily routines
- Political affiliations and news consumption
Self-Hosted DNS Benefits
- Complete privacy from ISP logging
- Faster DNS resolution with local caching
- Network-wide ad and tracker blocking
- Malware and phishing protection
- Customizable filtering for family safety
- No reliance on a third-party resolver service, so no outage when one goes down
Legal Surveillance Requirements
📚 UK Data Retention Laws
Under the Investigatory Powers Act 2016, UK ISPs must retain internet connection records (including DNS queries) for 12 months and provide access to law enforcement agencies. Self-hosted DNS removes you from this surveillance infrastructure.
🎯 Understanding Threat Categories
Quality blocklists categorize threats to provide targeted protection. We'll use the comprehensive Tempest Solutions blocklists, which update every 24 hours with less than 0.01% false positive rate.
Essential Threat Categories
🎣 Phishing Domains
What they are: Fake websites designed to steal login credentials, personal information, or financial details by impersonating legitimate services.
Why block them: Protects against identity theft, account takeovers, and financial fraud. Essential for family safety and business security.
Examples: Fake banking sites, counterfeit shopping platforms, fraudulent government portals
🦠 Malware Domains
What they are: Websites that distribute malicious software including ransomware, spyware, trojans, and other harmful programs.
Why block them: Prevents device infections that can encrypt your files for ransom, steal sensitive data, or turn your devices into botnets.
Examples: Drive-by download sites, malicious software repositories, infected ad networks
🏦 Banking Trojan Domains
What they are: Specialized malware domains that target online banking and financial transactions, designed to steal banking credentials and hijack financial sessions.
Why block them: Protects your financial accounts from sophisticated attacks that can drain bank accounts and steal credit card information.
Examples: Banking credential harvesters, transaction interceptors, financial session hijackers
🎛️ Command & Control (C2) Server Domains
What they are: Control infrastructure used by cybercriminals to command infected devices (botnets) and coordinate cyber attacks.
Why block them: Prevents infected devices on your network from receiving malicious commands and stops data exfiltration to criminal servers.
Examples: Botnet command servers, data exfiltration endpoints, remote access tool controllers
Additional Protection Categories
Recommended Additional Blocklists
- Advertising Networks: Block invasive tracking and improve page load speeds
- Telemetry Domains: Prevent operating system and software data collection
- Cryptocurrency Mining: Stop unauthorized browser-based cryptocurrency mining
- Adult Content: Family-friendly filtering for households with children
- Social Media Tracking: Block cross-site tracking by social platforms
🔧 Pi-hole + Unbound: The Complete Solution
Why This Combination?
Pi-hole Features
- Network-wide ad and tracker blocking
- Web-based admin interface
- Detailed query logging and statistics
- Customizable blocklists and whitelists
- Client-specific filtering rules
- Easy blocklist management
Unbound Features
- Recursive DNS resolution (no third-party dependencies)
- DNSSEC validation for authenticity
- Local DNS caching for speed
- Privacy-focused design
- Protection against DNS manipulation
- Reduced external DNS queries
How They Work Together
"Pi-hole handles the filtering and blocking, while Unbound provides completely private DNS resolution. Together, they create a fortress around your network's DNS traffic."
Network Security Best Practices
The Process:
- Device requests DNS lookup for a domain
- Pi-hole checks if domain is on blocklist
- If the domain is blocked, Pi-hole answers immediately with a null response and the query never leaves your network
- If allowed, Pi-hole forwards the query to Unbound on the loopback interface
- Unbound resolves the name recursively, starting from the root servers, and validates DNSSEC signatures
- Unbound caches the result and Pi-hole returns it to the device (Pi-hole keeps its own cache as well)
💻 Hardware Requirements
Suitable Hardware Options
🥇 Raspberry Pi 4 (Recommended)
Specs: 4GB RAM, MicroSD card (32GB+), Power supply
Cost: £60-80 | Power: ~5W | Best for: Dedicated DNS server
🥈 Old Laptop/Desktop
Specs: 2GB+ RAM, 20GB+ storage, Ethernet connection
Cost: Free (repurpose) | Power: 20-50W | Best for: High-traffic networks
🥉 Virtual Machine
Specs: 1GB RAM, 10GB storage, bridged networking
Cost: Free (existing hardware) | Best for: Testing and learning
⚡ Mini PC/NUC
Specs: Intel NUC or similar, 4GB+ RAM, SSD storage
Cost: £150-300 | Power: 10-15W | Best for: Always-on home server
Performance Considerations
📊 Sizing Guidelines
- Small household (1-5 devices): Raspberry Pi 3B+ or better
- Medium household (5-15 devices): Raspberry Pi 4 with 4GB RAM
- Large household (15+ devices): Dedicated mini PC or laptop
- Business/heavy use: x86 hardware with 8GB+ RAM
🚀 Installation Guide
Step 1: Prepare Your System
For Raspberry Pi
- Download and flash Raspberry Pi OS Lite to MicroSD card
- Enable SSH by creating empty "ssh" file in boot partition
- Boot Pi and connect via SSH (default: pi@raspberrypi.local)
- Update system:
sudo apt update && sudo apt upgrade -y
- Set static IP address in router or system configuration
For Ubuntu/Debian Systems
- Install minimal Ubuntu Server or Debian
- Configure static IP address
- Update system:
sudo apt update && sudo apt upgrade -y
- Install curl:
sudo apt install curl -y
Step 2: Install Pi-hole
⚠️ Important Security Note
Always review installation scripts before running them. The Pi-hole installer is open source and well-audited, but it's good practice to understand what you're installing.
Automated Installation
# Download the Pi-hole installer, review it, then run it
curl -sSL https://install.pi-hole.net -o basic-install.sh
less basic-install.sh
sudo bash basic-install.sh
Installation Options:
- Choose your network interface (usually eth0 or wlan0)
- Select upstream DNS provider (we'll change this to Unbound later)
- Choose default blocklists (StevenBlack's list is good to start)
- Install web admin interface (recommended)
- Install web server (lighttpd)
- Log queries for statistics (recommended)
Step 3: Install and Configure Unbound
Install Unbound
# Install Unbound DNS resolver
sudo apt install unbound -y
Configure Unbound
# Create Unbound configuration
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Configuration content:
server:
    # Listen only on loopback; Pi-hole forwards to 127.0.0.1#5335
    port: 5335
    interface: 127.0.0.1
    # Protocols (enable do-ip6 only if the server has native IPv6 connectivity)
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    # Performance settings (slab counts must be powers of two)
    num-threads: 1
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache settings (rrset cache roughly twice the message cache)
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 1m
    # Flush the caches after this many unsolicited replies, as a poisoning defence
    unwanted-reply-threshold: 10000
    # Allow queries to resolvers on localhost (not needed for pure recursion, harmless here)
    do-not-query-localhost: no
    # DNSSEC validation. Debian and Raspberry Pi OS packages already set this in
    # unbound.conf.d/root-auto-trust-anchor-file.conf; omit the line if that file exists
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Hide DNS server info
    hide-identity: yes
    hide-version: yes
    # Harden against DNS manipulation
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    # 0x20 case randomisation is left off: it is known to cause DNSSEC problems with some servers
    use-caps-for-id: no
    # Keep UDP responses below the fragmentation threshold (DNS Flag Day 2020 value)
    edns-buffer-size: 1232
    # Refresh frequently used cache entries before they expire
    prefetch: yes
    # Access control (the LAN ranges only matter if you also bind a LAN interface above)
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
Start Unbound Service
# Check that the configuration parses before (re)starting the service
sudo unbound-checkconf
# Restart (the package starts Unbound at install time, so "start" alone would keep the old config) and enable Unbound
sudo systemctl restart unbound
sudo systemctl enable unbound
# Test Unbound is working (dig comes from the dnsutils package on Debian-based systems)
dig @127.0.0.1 -p 5335 google.com
# Test DNSSEC validation: the first query should return SERVFAIL, the second NOERROR
dig @127.0.0.1 -p 5335 fail01.dnssec.works
dig @127.0.0.1 -p 5335 dnssec.works
⚙️ Configuration & Setup
Configure Pi-hole to Use Unbound
Update Pi-hole DNS Settings
- Access Pi-hole admin panel:
http://[pi-hole-ip]/admin
- Go to Settings → DNS
- Uncheck all upstream DNS servers
- Add custom DNS:
127.0.0.1#5335
- Enable "Never forward non-FQDNs"
- Enable "Never forward reverse lookups for private IP ranges"
- Save settings
Network Configuration
Router Configuration (Recommended)
Set your Pi-hole's IP address as the primary DNS server in your router's DHCP settings. This automatically configures all devices on your network.
Device-Specific Configuration
For more control, configure individual devices to use your Pi-hole as their DNS server. Useful for testing or mixed environments.
Testing Your Setup
Verification Commands
# Test Pi-hole is blocking ads (expect 0.0.0.0 in Pi-hole's default NULL blocking mode)
nslookup doubleclick.net [pi-hole-ip]
# Test Unbound is resolving
dig @127.0.0.1 -p 5335 google.com
# Check Pi-hole query log (newer releases write to /var/log/pihole/pihole.log; "pihole -t" works on both)
tail -f /var/log/pihole.log
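The following Python script is an added example, not part of the original guide or of Pi-hole itself. It exercises the query flow described under "The Process" and the checks above from any machine on the LAN, without depending on nslookup or dig output formats: it builds a raw DNS query, sends it to a resolver, and classifies the reply as the Pi-hole to Unbound chain produces it (a 0.0.0.0 or :: answer is Pi-hole's null block, SERVFAIL from Unbound means DNSSEC validation failed). The resolver addresses are assumptions: `check("192.168.1.2", "doubleclick.net")` queries a Pi-hole at that IP, `check("127.0.0.1", "dnssec.works", port=5335)` queries Unbound directly.

```python
import socket
import struct

BLOCKED_ANSWERS = {"0.0.0.0", "::"}  # Pi-hole's default NULL blocking mode answers with these

def build_query(name, txid=0x1234):
    """Recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Offset just past a possibly compressed name (a 2-byte pointer ends the name)."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg):
    """Return (rcode, A-record addresses) from a reply; other record types are skipped."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def classify(rcode, addrs):
    """Outcome of one query through the Pi-hole -> Unbound chain."""
    if rcode == 3:
        return "nxdomain"
    if rcode == 2:
        return "servfail"  # Unbound answers this for DNSSEC-bogus names
    if addrs and set(addrs) <= BLOCKED_ANSWERS:
        return "blocked"   # Pi-hole null response
    return "resolved" if addrs else "empty"

def check(server, name, port=53, timeout=3.0):
    """Query a live resolver: your Pi-hole IP on port 53, or 127.0.0.1:5335 for Unbound (assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return classify(*parse_response(s.recvfrom(4096)[0]))
```

Only the standard library is used; the parser handles the name-compression pointers every real resolver emits, so it works on replies from Pi-hole and Unbound alike.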
📋 Blocklist Management
Adding Tempest Solutions Blocklists
✅ Recommended: Tempest Solutions Blocklists
High-quality, frequently updated blocklists with excellent categorization and minimal false positives (<0.01% false positive rate).
Essential Security Blocklists
Add these URLs to Pi-hole Settings → Blocklists (Group Management → Adlists in Pi-hole 5 and later):
# Phishing domains
https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/phishing_domains.txt
# Malware domains
https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/malware_domains.txt
# Banking trojan domains
https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/banking_trojan_domains.txt
# Command & Control servers
https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/c2_domains.txt
Additional Protection Blocklists
# Comprehensive ad blocking
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
# Privacy and tracking protection
https://someonewhocares.org/hosts/zero/hosts
# Cryptocurrency mining protection
https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/crypto_mining.txt
# Adult content filtering (optional)
https://raw.githubusercontent.com/blocklistproject/Lists/master/porn.txt
Blocklist Management Best Practices
Regular Maintenance Tasks
- Weekly: Review blocked queries for false positives
- Monthly: Update gravity database manually if auto-update fails
- Quarterly: Review and audit active blocklists
- As needed: Whitelist legitimate domains that get blocked
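When reviewing blocked queries or deciding what to whitelist, it helps to know which list an entry comes from and whether the entry is even well-formed. The following Python script is an added example, not the guide's or Pi-hole's own code: it parses lists in both formats gravity accepts (hosts format and one domain per line), flags malformed entries, and reports which lists contain a domain or one of its parent domains. The sample list contents are constructed for illustration; pass the downloaded files' text to `build_index` to audit the real lists.

```python
import ipaddress
import re
from collections import defaultdict

# Gravity accepts both formats used by the lists above: hosts format ("0.0.0.0 ads.example",
# StevenBlack and someonewhocares) and one domain per line (the category lists).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def parse_list(text):
    """Yield normalized domains; comments, blank lines and localhost entries are dropped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().lower().split()
        if not parts:
            continue
        try:
            ipaddress.ip_address(parts[0])
            names = parts[1:]  # hosts format: an IP followed by one or more names
        except ValueError:
            names = parts[:1]  # one domain per line
        for name in names:
            name = name.rstrip(".")
            if name not in LOCAL_NAMES:
                yield name

def build_index(lists):
    """Return (domain -> set of list names containing it, [(list name, malformed entry), ...])."""
    index, invalid = defaultdict(set), []
    for list_name, text in lists.items():
        for domain in parse_list(text):
            if DOMAIN_RE.match(domain):
                index[domain].add(list_name)
            else:
                invalid.append((list_name, domain))
    return index, invalid

def who_blocks(index, domain):
    """Lists containing `domain` or one of its parent domains. Plain gravity entries match
    exactly, so a listed parent does not block the subdomain; it is reported for review."""
    labels = domain.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return {c: sorted(index[c]) for c in candidates if c in index}

# Constructed sample list contents (not the real lists' data)
SAMPLE_LISTS = {
    "stevenblack_hosts": "# header\n127.0.0.1 localhost\n0.0.0.0 ads.example.test\n0.0.0.0 tracker.example.test  # inline\n",
    "phishing_domains": "login-secure.example.test\nADS.example.test\nbad_entry\n",
}
```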
📊 Monitoring & Maintenance
Pi-hole Web Interface
Dashboard Metrics
- Total queries processed
- Percentage of blocked queries
- Top blocked domains
- Top clients by query volume
- Query types and protocols
- Blocklist effectiveness statistics
Query Log Analysis
- Real-time query monitoring
- Client-specific filtering
- Domain reputation lookup
- Response time analytics
- Blocked query categorization
- Historical trend analysis
System Health Monitoring
Essential Health Checks
# Check Pi-hole status
pihole status
# Check Unbound status
sudo systemctl status unbound
# Monitor system resources
htop
# Check DNS resolution speed (run twice: the second answer should come from the cache in a few ms)
dig @127.0.0.1 google.com | grep "Query time"
# Follow the live query log (blocked queries are marked in the output)
pihole tail
Automated Maintenance
Setup Automatic Updates
# Create update script
sudo nano /opt/pihole-update.sh
# Script contents:
#!/bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive  # never prompt when run from cron
# Update Pi-hole gravity database (this also reloads pihole-FTL)
pihole -g
# Update system packages
apt-get update && apt-get upgrade -y
# Restart services so package upgrades take effect
systemctl restart unbound
systemctl restart pihole-FTL
# Make executable
sudo chmod +x /opt/pihole-update.sh
# Add to root's crontab (daily 3 AM). A bare "crontab -" would replace the whole crontab,
# so keep the existing entries and drop any previous copy of this line first
( sudo crontab -l 2>/dev/null | grep -vF /opt/pihole-update.sh; echo "0 3 * * * /opt/pihole-update.sh" ) | sudo crontab -
🔬 Advanced Features
Conditional Forwarding
Local Network Resolution
Configure Pi-hole to resolve local hostnames by forwarding queries for your local domain to your router.
- Settings → DNS → Advanced DNS settings
- Enable "Use Conditional Forwarding"
- Set local network details (192.168.1.0/24, router IP)
- Local domain name (e.g., "home.local")
Group Management
Client-Specific Filtering
Create different filtering policies for different devices or users:
- Kids Group: Strict filtering with adult content blocking
- Work Group: Social media and entertainment blocking during work hours
- IoT Group: Minimal filtering for smart home devices
- Admin Group: Bypass filtering for troubleshooting
DHCP Server Setup
Replace Router DHCP (Optional)
Let Pi-hole handle DHCP to ensure all devices use your DNS server:
- Disable DHCP on your router
- Enable DHCP in Pi-hole Settings → DHCP
- Configure IP range and lease time
- Set static IP reservations for important devices
Backup and Recovery
Configuration Backup
# Backup Pi-hole configuration (Teleporter archive, written to the current directory)
pihole -a -t
# Backup Unbound configuration
sudo cp /etc/unbound/unbound.conf.d/pi-hole.conf ~/unbound-backup.conf
# Automated backup script (save as e.g. /opt/pihole-backup.sh and schedule it like the update script)
#!/bin/bash
set -euo pipefail
BACKUP_DIR=/home/pi/backups
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
pihole -a -t "$BACKUP_DIR/pihole-backup-$DATE.tar.gz"
cp /etc/unbound/unbound.conf.d/pi-hole.conf "$BACKUP_DIR/unbound-$DATE.conf"
# Remove archives older than 30 days so the SD card does not fill up
find "$BACKUP_DIR" -name 'pihole-backup-*.tar.gz' -mtime +30 -delete
Performance Optimization
Cache Tuning
Adjust the Unbound cache sizes set above (rrset-cache-size: 256m, msg-cache-size: 128m) to your network's query volume and available RAM; on a 1GB device, halve them.
Log Rotation
Pi-hole rotates its own query log daily. If you enable Unbound's logfile option instead of syslog, add a logrotate rule for it so that the log does not fill the SD card on small devices like a Raspberry Pi.
Query Optimization
Keep prefetch: yes (set above) so popular records are refreshed before they expire, and leave num-threads at 1 unless the server is handling a large network.