How to Set Up a DNS Sinkhole with Pi-hole

By Admin · Mar 2, 2026 · Updated Apr 23, 2026 · 26 views · 2 min read

Pi-hole is a network-wide DNS sinkhole that blocks ads, trackers, and malicious domains at the DNS level. Running Pi-hole on a Breeze instance provides centralized DNS filtering for your entire network, improving privacy, security, and browsing speed.

Prerequisites

Before installing Pi-hole on your Breeze, ensure you have:

  • A Breeze running a supported Linux distribution (Ubuntu, Debian, CentOS, or Fedora)
  • A static IP address configured
  • Root or sudo access
  • Port 53 (DNS) available — check with sudo lsof -i :53

If systemd-resolved is using port 53, disable its stub listener:

sudo sed -i 's/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Installing Pi-hole

Use the official automated installer:

curl -sSL https://install.pi-hole.net | sudo bash

The installer walks you through selecting an upstream DNS provider, choosing blocklists, and configuring the web interface. Note the admin password displayed at the end of installation.

Post-Installation Configuration

Access the web admin dashboard at http://your-breeze-ip/admin. From here you can:

  • Add custom blocklists under Adlists
  • Whitelist domains that are incorrectly blocked
  • View real-time query logs and statistics
  • Configure conditional forwarding for local DNS

Change the admin password from the command line if needed:

pihole -a -p YourNewSecurePassword

Adding Blocklists

Expand your blocking coverage by adding curated blocklists. Navigate to Adlists in the web interface and add URLs such as:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://dbl.oisd.nl/

After adding lists, update the gravity database:

pihole -g

Configuring Clients

Point your devices or DHCP server to use the Breeze running Pi-hole as their DNS server. For network-wide coverage, configure your router to distribute the Pi-hole IP as the primary DNS server via DHCP.

DNS Over HTTPS (DoH)

For encrypted DNS queries upstream, install cloudflared as a DoH proxy:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
sudo cloudflared service install
sudo systemctl enable --now cloudflared

Then configure Pi-hole to use 127.0.0.1#5053, the address where cloudflared listens, as its upstream DNS.

Maintenance

Keep Pi-hole updated with:

pihole -up

Monitor blocking statistics through the dashboard. Typical networks see 15-30% of DNS queries blocked. Review the query log periodically to whitelist any legitimate domains that may have been inadvertently blocked, and update your gravity database weekly to stay current with the latest threat intelligence.
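For the periodic query-log review described above, the following added example (not part of the original article or of Pi-hole itself) computes the blocked share and ranks blocked domains by hits and by distinct requesting clients. It assumes dnsmasq-style log lines with the "gravity blocked" and "exactly/regex blacklisted" markers; the function names and the sample log are constructed for illustration, and the log path varies by Pi-hole version.

```shell
#!/bin/sh
# Added example. Assumes dnsmasq-style Pi-hole query log lines.
# SAMPLE_LOG is constructed data, not output from a real network.
SAMPLE_LOG='Apr 23 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.10
Apr 23 10:00:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5053
Apr 23 10:00:01 dnsmasq[812]: reply example.com is 93.184.216.34
Apr 23 10:00:02 dnsmasq[812]: query[A] ads.tracker.example from 192.168.1.10
Apr 23 10:00:02 dnsmasq[812]: gravity blocked ads.tracker.example is 0.0.0.0
Apr 23 10:00:03 dnsmasq[812]: query[A] ads.tracker.example from 192.168.1.11
Apr 23 10:00:03 dnsmasq[812]: gravity blocked ads.tracker.example is 0.0.0.0
Apr 23 10:00:04 dnsmasq[812]: query[AAAA] cdn.shop.example from 192.168.1.11
Apr 23 10:00:04 dnsmasq[812]: regex blacklisted cdn.shop.example is ::
Apr 23 10:00:05 dnsmasq[812]: query[A] example.org from 192.168.1.12
Apr 23 10:00:05 dnsmasq[812]: cached example.org is 93.184.216.34'

# Print the integer percentage of client queries answered from a blocklist.
blocked_pct() {
    awk '
        $5 ~ /^query\[/ { q++ }
        $5 ~ /^(gravity|exactly|regex)$/ && ($6 == "blocked" || $6 == "blacklisted") { b++ }
        END { if (q == 0) print 0; else printf "%d\n", (b * 100) / q }
    '
}

# List blocked domains as "hits clients domain", most-hit first. A domain that
# several clients keep requesting is the first place to look for a false positive.
blocked_review() {
    awk '
        # Remember the most recent client per domain (approximate when two
        # clients ask for the same name at the same instant).
        $5 ~ /^query\[/ { asker[$6] = $8; next }
        $5 ~ /^(gravity|exactly|regex)$/ && ($6 == "blocked" || $6 == "blacklisted") {
            hits[$7]++
            key = $7 SUBSEP asker[$7]
            if (!(key in seen)) { seen[key] = 1; clients[$7]++ }
        }
        END { for (d in hits) print hits[d], clients[d], d }
    ' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample; for real use: blocked_review < /path/to/pihole.log
printf 'blocked: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | blocked_pct)"
printf '%s\n' "$SAMPLE_LOG" | blocked_review
```

The percentage is an approximation of the dashboard figure, since it counts log lines rather than reading Pi-hole's own statistics.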