DNS Sinkhole on Raspberry Pi 4
Overview
I run a DNS sinkhole on a Raspberry Pi 4 that blocks ads, trackers, and known malicious domains for every device on my network. The Pi sits on my LAN and is also reachable over my Tailscale virtual VPN, so devices get the same filtering whether they're on my home network or out on the road.
Setup
I flashed Raspberry Pi OS Lite (headless, no desktop environment) to a microSD card and did the entire setup remotely over SSH from my main machine. Key steps included:
- Assigning the Pi a static local IP so it would reliably serve as the network's DNS server.
- Installing and configuring Pi-hole as the DNS sinkhole, pointing it at upstream DNS-over-HTTPS resolvers for privacy.
- Subscribing Pi-hole to several curated blocklists covering ads, trackers, and malicious/phishing domains, and tuning them to avoid breaking legitimate services.
- Installing Tailscale on the Pi and enabling it to advertise itself as a DNS server on the tailnet, so any device joined to my Tailscale network uses the sinkhole automatically.
- Configuring my home router's DHCP to hand out the Pi's IP as the primary DNS server for devices on the LAN.
- Hardening SSH access (key-based auth, disabled password login) since the Pi is reachable remotely via Tailscale.
Result
Every device on my home network, and every device I connect to my tailnet from anywhere, resolves DNS through the sinkhole. This blocks the large majority of ad and tracking requests before they ever leave the network, and flags/blocks lookups to domains known to serve malware or run phishing campaigns.
Back to Projects