In the modern digital age, our homes are more connected than ever. Laptops, smartphones, smart TVs, and even refrigerators are constantly communicating with the internet. But this convenience comes at a cost: a relentless barrage of advertisements and invasive trackers that monitor our every click, slow down our connections, and compromise our privacy.
Browser-based ad blockers are a decent first step, but they’re a flimsy fence protecting a single window. What you really need is a fortress.
This is where Pi-hole and Unbound come in. This guide will show you how to build that fortress. We’re going to set up a network-wide ad and tracker blocker using a Raspberry Pi, the powerful Pi-hole software, and our own private, recursive DNS resolver with Unbound. Once we’re done, every single device on your home network will be protected, with no client-side software required. It’s time to take back control of your internet.
What is Pi-hole? The Network’s Gatekeeper
At its core, Pi-hole is a DNS sinkhole. Think of the Domain Name System (DNS) as the internet’s phonebook. When you type kextcache.com into your browser, your device asks a DNS server, “What’s the IP address for this domain?” The server responds with the address, and your browser connects.
Pi-hole cleverly inserts itself into this process. You configure your entire network to use Pi-hole as its phonebook. When a device tries to connect to a known ad or tracker domain (e.g., analytics.doubleclick.com), Pi-hole sees the request, checks it against its massive blocklists, and instead of providing the real IP address, it responds with a black hole. The request goes nowhere, the ad never loads, and the tracker never tracks.
The beauty of this approach is its scope. It doesn’t just work in your browser; it works for in-app ads on your phone, ads on your smart TV, and on any other device connected to your network.
Why Add Unbound? Forging Your Own Keys to the Kingdom
By default, Pi-hole still needs to ask someone else for the IP addresses of domains that aren’t on its blocklists. These are called upstream DNS providers, and popular choices include Google (8.8.8.8) and Cloudflare (1.1.1.1).
While these services are fast and reliable, using them means you’re still sending all your DNS queries—a history of nearly every website you visit—to a third-party corporation. For the privacy-conscious, this is trading one master for another.
This is where Unbound comes in. Unbound is a validating, recursive, and caching DNS resolver. In simple terms, you run it yourself. Instead of forwarding your queries to Google, Unbound goes out and finds the answers itself. It queries the authoritative root DNS servers directly and traces the path to the domain you want to visit.
Pairing Pi-hole with Unbound offers the ultimate combination:
- Ad & Tracker Blocking: Pi-hole drops all the unwanted requests.
- Ultimate Privacy: Unbound handles the legitimate requests, ensuring no single third-party entity sees your entire browsing history.
- Improved Performance: Unbound caches the results, so subsequent requests for the same domain are resolved almost instantly from your own local network.
Prerequisites: Gathering Your Supplies
Before we begin, you’ll need a few things:
- Hardware:
  - A Raspberry Pi: A Raspberry Pi 3B+ or 4 is recommended for the best performance, but even a Pi Zero W can work.
  - A quality MicroSD Card (16GB or larger is plenty).
  - A reliable power supply for your Pi model.
  - An Ethernet cable (a wired connection is highly recommended for a DNS server’s stability).
- Software:
  - Raspberry Pi Imager
  - An SSH client (Terminal on macOS/Linux, PuTTY on Windows).
Step 1: Prepare the Raspberry Pi
First, we need a clean, updated operating system.
- Flash Raspberry Pi OS: Use the Raspberry Pi Imager to flash the latest version of “Raspberry Pi OS Lite (64-bit)” to your SD card. Before writing, click the gear icon to pre-configure a hostname, enable SSH, set a username/password, and configure your Wi-Fi if you must use it.
- Boot and Connect: Insert the SD card into your Pi, connect the Ethernet cable, and power it on.
- Find its IP and SSH: Find the Pi’s IP address from your router’s admin page. Now, connect to it via SSH:

```bash
ssh your_username@your_pi_ip_address
```

- Set a Static IP: A DNS server must have a predictable address. We’ll set a static IP. Open the DHCP client config file:

```bash
sudo nano /etc/dhcpcd.conf
```

Scroll to the bottom and add the following block, replacing the values with your own network’s information. Use the IP address you want your Pi to have, your router’s IP as the gateway, and your router’s IP (for now) as the DNS server.

```
interface eth0
static ip_address=192.168.1.10/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
```

Press Ctrl+X, then Y, then Enter to save and exit. Reboot the Pi with `sudo reboot`.
Step 2: Install Pi-hole
With our Pi configured, it’s time to install the main software. Pi-hole’s famous one-step installer makes this easy.
- Run the Installer: SSH back into your Pi at its new static IP address and run the following command:

```bash
curl -sSL https://install.pi-hole.net | bash
```

- Follow the Wizard: An on-screen wizard will guide you through the setup.
  - Acknowledge the static IP warning (we already did this).
  - Select `eth0` as the interface.
  - Choose any upstream DNS provider for now (we’ll replace this with Unbound later).
  - Accept the default blocklist.
  - Install the web admin interface and query logging.
- Installation Complete: The final screen will show you the URL to access the admin dashboard and your randomly generated admin password. Save this password!
At this point, you have a functional Pi-hole. You could stop here, but we want ultimate privacy, so let’s install Unbound.
Step 3: Install and Configure Unbound
Now we set up our personal recursive DNS resolver.
- Install Unbound:

```bash
sudo apt update
sudo apt install unbound -y
```

- Download the Root Hints File: This file tells Unbound where to find the internet’s root servers.

```bash
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/
```

- Create Unbound Configuration: We’ll create a new configuration file specifically for Pi-hole.

```bash
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
```

Paste the following configuration into the file. This tells Unbound to listen only for requests from the local machine (Pi-hole) on port 5335, and enables various privacy and performance enhancements.

```
server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6.
    # Use this only when you are sure it is what you want.
    prefer-ip6: no

    # Trust glue records only if they are within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones
    harden-dnssec-stripped: yes

    # Randomize the case of query names (0x20) to make spoofing harder
    use-caps-for-id: yes

    # Keep responses small enough to avoid IP fragmentation
    edns-buffer-size: 1232

    # Rotates RRSet order in response (resolver side DNS load balancing)
    rrset-roundrobin: yes

    # Time to live minimum for cache entries in seconds
    cache-min-ttl: 3600

    # Time to live maximum for cache entries in seconds
    cache-max-ttl: 86400

    # Refresh popular cache entries shortly before they expire
    prefetch: yes

    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Strip private and link-local addresses from public answers
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Set the path to the root hints file
    root-hints: "/var/lib/unbound/root.hints"
```

Press Ctrl+X, Y, and Enter to save.

- Restart and Test: Restart the Unbound service and test it to make sure it can resolve domains.

```bash
sudo service unbound restart
dig kextcache.com @127.0.0.1 -p 5335
```

You should see a successful response with a status of `NOERROR`.
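A `NOERROR` for one name shows that Unbound resolves, but not that it validates DNSSEC, which is the reason for running a validating resolver. The script below is an added example, not part of the original guide: it classifies a resolver from two `dig` outputs, one for a correctly signed zone and one for a zone with a deliberately broken signature. The function names and the sample headers are constructed for illustration, and the two test names passed to `check_live` are left for you to choose.

```shell
#!/bin/sh
# Added example: interpret `dig` output from the Unbound test above.

# Print the response code (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
  sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (authenticated data) flag is set in dig output on stdin.
dig_has_ad() {
  grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# classify_validation <dig output, signed zone> <dig output, broken-signature zone>
classify_validation() {
  good_status=$(printf '%s\n' "$1" | dig_status)
  bad_status=$(printf '%s\n' "$2" | dig_status)
  if [ "$good_status" != "NOERROR" ]; then
    echo "resolver-broken"   # even a valid name does not resolve
  elif [ "$bad_status" = "SERVFAIL" ] && printf '%s\n' "$1" | dig_has_ad; then
    echo "validating"        # bogus data rejected, good data authenticated
  elif [ "$bad_status" = "NOERROR" ]; then
    echo "not-validating"    # the broken signature was accepted
  else
    echo "inconclusive"
  fi
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify_validation "$SAMPLE_GOOD" "$SAMPLE_BOGUS"
classify_validation "$SAMPLE_UNVALIDATED" "$SAMPLE_UNVALIDATED"

# Live use on the Pi: check_live <signed-name> <broken-signature-name>
check_live() {
  classify_validation "$(dig +adflag "$1" @127.0.0.1 -p 5335)" \
                      "$(dig +adflag "$2" @127.0.0.1 -p 5335)"
}
```

A result of `not-validating` means answers with broken signatures are being passed on to Pi-hole, so check Unbound's trust anchor configuration before pointing the network at it.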
Step 4: Link Pi-hole to Unbound
This is the final step in our software setup. We need to tell Pi-hole to stop using public DNS servers and start using our own Unbound resolver.
- Log in to your Pi-hole admin dashboard (`http://your_pi_ip/admin`).
- Navigate to Settings -> DNS.
- In the Upstream DNS Servers section on the left, uncheck every box.
- On the right, check the box for Custom 1 (IPv4).
- In the text box, enter `127.0.0.1#5335`. This tells Pi-hole to send its queries to the Unbound service running on the same machine on port 5335.
- Click Save at the bottom.
Your Pi-hole is now a privacy-enhancing, ad-blocking powerhouse.
Step 5: Point Your Network to the Fortress
The final step is to make your entire network use your new creation.
- Log in to your home router’s administration page.
- Find the DHCP or LAN settings.
- Look for an option related to DNS Server.
- Set the Primary (and only) DNS Server to the static IP address of your Raspberry Pi (e.g., `192.168.1.10`).
- Save the settings. Your router may need to restart.
Once your router is back online, devices on your network will automatically start using Pi-hole for all DNS requests. You may need to disconnect and reconnect devices to the network for the change to take effect immediately.
The Fruits of Your Labor
You’re done! Visit a few ad-heavy news websites. Notice anything? The lack of ads. The speed. Log in to your Pi-hole dashboard and watch the query log. You’ll see thousands of requests to nefarious domains being blocked in real time.
You’ve successfully built a digital fortress for your home network. You’ve taken a significant step towards a faster, cleaner, and vastly more private online experience for every device and person in your home. Your castle is now secure.