Pi-hole: How to block all ads on every device in your network (and integrate with your Windows Active Directory)


Pi-hole is my newest and current obsession. When I first read about it, I initially thought “Yeah, I’m sure it works, but probably not as well as everybody says it does.”

Well, my assumption was bad. And I felt bad.

Essentially, Pi-hole blocks all ad traffic on every device in your network that’s using it as its DNS server. You assign it as every device’s primary DNS server either through DHCP, statically, or by using it as a forwarder for your current DNS server(s). So any device that might not be able to install an ad-blocking browser extension (like a lot of smartphones, smart TVs, small media devices, game consoles, etc.) will also not show any ads. Also, from what I’ve seen, it’s better at blocking ads than most browser extensions (and doesn’t allow companies to purchase ads that’ll still be shown)!

The admin web UI of my Pi-hole server not long after first installing it

Here are some of the great benefits of Pi-hole according to their site:

“Block Over 100,000 Ad-serving Domains
Known ad-serving domains are pulled from third party sources and compiled into one list.

Block Advertisements On Any Device
Network-level blocking allows any device to block ads, regardless of hardware or OS.

Improve Overall Network Performance
Since ads are blocked before they are downloaded, your network will perform better.

Reduce Cellular Data Usage
Pair your Pi-hole with a VPN for on-the-go ad-blocking and save on data costs.”

Pi-hole is usually shown as software that you install on your Raspberry Pi, but it can easily be installed in a virtual machine. I installed mine in a minimal Debian 8.6 VM with no issues and will concentrate this tutorial on doing the same (though you can follow the same directions to install on a Raspberry Pi). Also, if you’re like me and run Windows Active Directory at home, I’ll show you how to configure your domain controller to use Pi-hole as a forwarder. That way you can still use all of your local addresses and don’t have to worry about reconfiguring all of your devices to use Pi-hole as their DNS server.

Installing Pi-hole on Debian 8.6

(instructions should be the same for the Raspberry Pi or any Debian-based OS)

1. If you’re installing on a fresh install of Debian 8.6 (you can skip to Step #3 if not), let’s make things easier for ourselves down the road by installing sudo and adding our user account to the sudo group.

su
apt-get install sudo
adduser username sudo

2. I initially had trouble installing Pi-hole on the fresh Debian 8.6 image since I didn’t have curl or lighttpd installed. So let’s install them.

apt-get install curl lighttpd

3. Let’s install Pi-hole! We’ll use curl for the install. Best practice is to always inspect a script before running it, so if you’d like to do the same, you can go here to do so. The following also assumes you’re still root (use su to log in as root if you’re not).

curl -L https://install.pi-hole.net | bash
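Inspecting the installer only helps if the copy you read is the copy you run, and piping straight into bash also risks running a half-downloaded script. The following is an added example, not from the original post or the Pi-hole project: the function names and the /root path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: fetch the installer to disk, review it, then run
# exactly the bytes that were reviewed.

INSTALLER_URL="https://install.pi-hole.net"   # URL used in the tutorial

# Download to a file. --fail stops an HTTP error page being saved as the
# script; --proto '=https' refuses any non-HTTPS redirect target.
fetch_installer() {   # fetch_installer <dest-file>
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$1" "$INSTALLER_URL"
}

# SHA-256 of a file, so the reviewed copy can be pinned.
fingerprint() { sha256sum "$1" | cut -d' ' -f1; }

# List lines that deserve a close read: further downloads, piping into
# a shell, eval, package installs and permission changes.
review_hints() {   # review_hints <file>
    grep -nE 'curl|wget|\|[[:space:]]*(ba)?sh|eval|apt-get|chmod' "$1" || true
}

# Run the file only if it still matches the hash noted at review time.
run_if_unchanged() {   # run_if_unchanged <file> <sha256>
    if [ "$(fingerprint "$1")" != "$2" ]; then
        echo "refusing to run: $1 changed since it was reviewed" >&2
        return 1
    fi
    bash "$1"
}

# Typical session, as root (path is an assumption):
#   fetch_installer  /root/pihole-install.sh
#   review_hints     /root/pihole-install.sh; less /root/pihole-install.sh
#   h=$(fingerprint  /root/pihole-install.sh)
#   run_if_unchanged /root/pihole-install.sh "$h"
```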

You’ll then see the same prompts as shown below. Unless you’re doing something really fancy, you’re fine to just hit Ok and Yes to go through them.


That was it for the install! If successful, your screen should look similar to mine below.


Optional: One additional step I did was use the Anti-Adblock Killer List with Pi-hole, which detects and kills any of those annoying anti-adblockers some websites have implemented. To do the same, do the following.

nano /etc/pihole/adlists.default

Use the arrow keys to scroll down to where it says #https://raw.githubusercontent.com/reek/anti-adblock-killer/master/anti-adblock-killer-filters.txt (under Untested Lists), and uncomment it by removing the hash sign (#). It should look like mine below.


Hit Ctrl+X, then Y, then Enter to quit and save.

4. You should now be able to view the beautifully simple web interface by going to http://IP_of_PI-HOLE/admin.


From here, you can view some great statistics like how many ads you’ve blocked today, the percentage of traffic that’s been blocked, who are the top advertisers, and more. You can also add/remove addresses into the Pi-hole’s white and black lists.

5. Finally, you’re going to want to make sure every device is using the Pi-hole as its DNS server (unless you’re using Active Directory, in which case you can skip ahead to the next tutorial). You can do this either by statically assigning your Pi-hole’s IP address as the primary DNS server on every device in your network, or by configuring whatever hands out your DHCP leases (most likely your router) to give out the Pi-hole’s IP as the primary DNS server. How you edit the DHCP scope to use Pi-hole as the DNS server depends on what your DHCP server is, so please make sure to look up the model and how to edit its DHCP scope.

For example, if you’re using a Ubiquiti EdgeRouter Lite as your router and DHCP server, then you’d simply log into the ERL’s admin web interface, go to Services, click on the Actions dropdown menu next to your LAN, and select “View Details”. From there, change the IP for DNS 1 to the IP address of your Pi-hole and click Save. My ERL below shows where you should be.


Once your devices are using the Pi-hole as their primary DNS server, then you’re good to go!

If you’re using Active Directory at home, then you obviously want to keep using your domain controller as your DNS server. So instead we’ll configure your domain controller to use the Pi-hole as the primary forwarder in its DNS settings. Here’s how to do that so we can block all ads WITHOUT changing the DNS server configuration on each of the devices in your Active Directory environment.

Using the Pi-hole in a Windows Active Directory environment

(in a homelab environment)

1. Remote into your Domain Controller and open up the DNS Manager.


2. Right-click your DNS server, select Properties, and then click the Forwarders tab.

3. From the Forwarders tab, click Edit, and then add your Pi-hole’s IP address into that screen. Make sure your Pi-hole is the top Forwarder by selecting it and clicking Up (do not delete your current forwarder). This will make sure that your DC uses the Pi-hole as its forwarder for DNS, but will fail over to the second DNS server in case your Pi-hole ever goes down. It should look similar to mine below. Click OK when finished.


4. Once you’ve verified that the Pi-hole is the top DNS server in the Forwarders tab, you’re good to click OK.


5. Once you’re back in the DNS Manager, right-click your DNS server and select Clear Cache. Now restart the DNS service by right-clicking the server again, going to All Tasks, and selecting Restart.

Unless you have additional domain controllers (follow the same steps above on the others if you do), Pi-hole should now be blocking ads on all devices in your domain that are using your DC as their primary DNS server!
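To confirm the setup end to end, query each resolver in the path (the Pi-hole itself and, with Active Directory, the domain controller forwarding to it) for a name your Pi-hole lists as blocked; the top advertisers list in the admin UI is a convenient source. This is an added example, not from the original post: it assumes dig is installed (Debian package dnsutils) and that a blocked name is answered with the Pi-hole’s own address or 0.0.0.0, and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: check that each resolver returns a sinkhole answer.
# Every address and name passed in is your own; none come from the article.

# Ask one DNS server for the A records of a name.
resolve() {   # resolve <server-ip> <name>
    dig +short +time=2 +tries=1 "@$1" "$2" A
}

# 0 = sinkholed, 1 = a real address came back, 2 = no usable answer.
# Assumption: blocked names resolve to the Pi-hole's own IP or 0.0.0.0.
is_blocked() {   # is_blocked <server-ip> <name> <pihole-ip>
    local answers a
    answers="$(resolve "$1" "$2")" || return 2
    [ -n "$answers" ] || return 2
    for a in $answers; do
        case "$a" in
            "$3"|0.0.0.0) ;;      # sinkhole address
            *) return 1 ;;        # anything else (real IP, CNAME target)
        esac
    done
    return 0
}

# Check every resolver in the path and report per server.
check_path() {   # check_path <name> <pihole-ip> <server-ip>...
    local name="$1" pihole="$2" rc=0 st s
    shift 2
    for s in "$@"; do
        st=0
        is_blocked "$s" "$name" "$pihole" || st=$?
        case "$st" in
            0) echo "OK     $s sinkholes $name" ;;
            1) echo "LEAK   $s returned a real address for $name"; rc=1 ;;
            *) echo "NOANS  $s gave no answer for $name"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: check_path <blocked-name> <pihole-ip> <pihole-ip> <dc-ip>
```

A LEAK on the domain controller while the Pi-hole itself reports OK usually means the DC answered from its cache or from the second forwarder, which is why step 5 clears the cache.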

If you still want to use a browser extension, I’d highly suggest using uBlock Origin, but I personally don’t anymore. Pi-hole seems to be doing an amazing job on its own of blocking every ad on every device that I’ve tested so far. Thank you to the awesome community of developers that created Pi-hole and who continue to improve this awesome piece of software.
