Pi-hole basics for a quieter network

Blocking lists at the DNS layer is a scalpel, not a chainsaw, and the query log teaches the difference in a week.

What Pi-hole is, in one breath

Pi-hole is a DNS sinkhole with a small web interface. Devices on your network ask it for the address of a hostname; if that hostname is on a blocklist you selected, Pi-hole returns an answer that goes nowhere, typically 0.0.0.0 for IPv4 and the equivalent unspecified address for IPv6 when that is configured. Browsers, phones, and a fair chunk of home IoT then never complete the ad or tracker request. The benefit is network-wide: you are not replicating the same ad-blocker profile in every browser in the house.

What it never promised

It does not remove in-app advertisements when the creative and the main content are served from the same hosts the app already trusts. It is not a reliable fix for the YouTube mobile app, because sponsored segments and video delivery move in ways that change on short notice, and a blunt list will either miss the problem or take the player down with it. It does not replace a firewall against lateral movement if your security cameras still answer on port 80 with the factory password. Pi-hole is a way to make your LAN quieter, not a single box that replaces every security process you have deferred.

Hardware: Raspberry Pi or anything that runs Docker

A Raspberry Pi 4 or 5, with a decent power supply and boot media you are willing to replace in a few years, is still a reasonable default. If you already run a small x86 mini-PC for media or a NAS, a container can mean one less wall-wart. The part that must be true is that UDP and TCP on port 53 are reachable on the LAN address you will advertise, and that you are not also running a second stub resolver you forgot is still bound to the same port (systemd-resolved is the usual culprit on a Debian-based host). If you are on Proxmox or TrueNAS, map bind mounts for Pi-hole’s data so a container rebuild does not throw away the local DNS names you have added for printers, a file server, and that one home automation controller that expects a static hostname.

A first Docker layout you can re-home

The upstream project documents which paths hold the gravity database and the resolver config for the FTL and dnsmasq layer you are using. Use bind mounts to a directory you include in your normal backup routine; anonymous container volumes are fine for a one-hour test, and painful when you have tuned regex and local records for six months. If you are new to the stack, avoid fully automatic “always latest” image updates until you can read a release note; the FTL engine and the container image are happiest when they move together, not on an arbitrary Tuesday.

Pointing an Eir or Vodafone home hub at the Pi

Many carrier CPEs have a “DNS” field in the DHCP options and still route their own management traffic in ways you only notice when a phone still sees ads for a day after you “fixed” the settings. Reserve a static LAN address for the Pi or the Docker host, set that as the only DNS option handed to clients, then renew one device lease (clients keep the old resolver until their lease renews) and confirm which resolver that device now reports. If the box insists on its own stub resolver for the router itself, but lets you point LAN clients to your service, you can live with that. If it overwrites your choice for all LAN clients, a downstream OpenWrt-style router in double-NAT is often cheaper in time than a third weekend debugging ISP proxy behaviour. BT and Irish carriers are not identical; read the model’s manual when you are stuck.

IPv6: not a party trick, but a bypass if half-finished

If the broadband handout includes global IPv6 with SLAAC, some clients will ask for A and AAAA records and will still learn resolvers you did not intend from router advertisements. You either line up the v6 path with Pi-hole, accept per-device workarounds until you are ready to handle RDNSS properly, or run IPv4-only in practice until you can read a capture. A quiet v4-only home network is a valid stopgap.

DNS over HTTPS: the border gap

When Chrome or a managed iOS profile uses DNS-over-HTTPS straight to a public anycast resolver, your Pi-hole may never see the query. The calm household path is: turn off “secure DNS” in the browser when you are on a network you own, and rely on the LAN resolver instead. A stricter path is a local DoH front on the same machine as the sinkhole, so the encryption leg is short and the policy is still a single point. A nuclear option, rarely worth the family politics, is blocking public DoH endpoints at the edge. Endpoint lists change constantly, and teenagers with VPNs route around them. Pick the level of control that matches your housemates, not a forum thread.

Alternatives in one paragraph

AdGuard Home offers a different UI and the same class of solution. Technitium DNS Server on a shared flat PC is a legitimate always-on test bed. uBlock Origin in a single browser is still the precision tool for cleaning cosmetic cruft on a page; it complements network DNS filtering instead of replacing it, because the two operate at different layers. None of that is a moral score, only mechanics you can schedule.

Lists, false positives, and the Saturday football stream

Common starter lists and malware-focused add-ons are where people begin, and where they return when a banking site, a local radio player, or a pay-per-view event stops working at 19:00 on a Saturday. Whitelist one hostname at a time, and read the query log while you reproduce the failure. A quarterly check that the container, kernel, and base OS are still in support beats signing up to a dozen new aggressive blocklists that break click-to-collect and click-to-pay flows your partner relies on. Steven Black’s host-style files and OISD are widely used; trim rather than add when behaviour gets weird. If you use unbound in recursive mode, treat it as part of the same maintenance job as the Pi-hole build.
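A small helper for the "whitelist one hostname at a time" loop above, added here as an example and not part of the original post or of Pi-hole itself: it reads dnsmasq-style query log lines and lists, per client, the names gravity blocked while you were reproducing the broken stream. The log line shapes and the sample lines are assumptions constructed for the example; the `.test` hostnames and client addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of a Pi-hole query log. The line shapes are an assumption based on
# dnsmasq's format: "query[TYPE] name from client", then "gravity blocked name is <addr>",
# "forwarded name to upstream" or "reply name is addr" (answers carry no client address).
SAMPLE_LOG = """\
Jan 13 19:00:02 dnsmasq[812]: query[A] stream.example-sport.test from 192.168.1.42
Jan 13 19:00:02 dnsmasq[812]: forwarded stream.example-sport.test to 127.0.0.1#5335
Jan 13 19:00:02 dnsmasq[812]: reply stream.example-sport.test is 203.0.113.10
Jan 13 19:00:03 dnsmasq[812]: query[A] cdn-auth.example-sport.test from 192.168.1.42
Jan 13 19:00:03 dnsmasq[812]: gravity blocked cdn-auth.example-sport.test is 0.0.0.0
Jan 13 19:00:03 dnsmasq[812]: query[AAAA] cdn-auth.example-sport.test from 192.168.1.42
Jan 13 19:00:03 dnsmasq[812]: gravity blocked cdn-auth.example-sport.test is ::
Jan 13 19:00:05 dnsmasq[812]: query[A] ads.tracker.test from 192.168.1.20
Jan 13 19:00:05 dnsmasq[812]: gravity blocked ads.tracker.test is 0.0.0.0
Jan 13 19:00:09 dnsmasq[812]: query[A] metrics.example-sport.test from 192.168.1.42
Jan 13 19:00:09 dnsmasq[812]: gravity blocked metrics.example-sport.test is 0.0.0.0
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+: "
QUERY_RE = re.compile(TS + r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(TS + r"gravity blocked (?P<name>\S+) is \S+$")


def blocked_by_client(log_text):
    """Return {client: [(timestamp, name), ...]} of distinct names gravity blocked per client."""
    # Answer lines carry no client, so attribute each block to the most recent client
    # that asked for that name (an approximation when several devices hit the same name).
    last_asker = {}
    result = defaultdict(list)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            last_asker[q["name"]] = q["client"]
            continue
        b = BLOCK_RE.match(line)
        if b:
            client = last_asker.get(b["name"])
            if client is not None and b["name"] not in seen[client]:
                seen[client].add(b["name"])
                result[client].append((b["ts"], b["name"]))
    return dict(result)


def whitelist_candidates(log_text, client, parent_domain=None):
    """Blocked names for one client in first-seen order, optionally only those under parent_domain."""
    names = [name for _, name in blocked_by_client(log_text).get(client, [])]
    if parent_domain:
        names = [n for n in names if n == parent_domain or n.endswith("." + parent_domain)]
    return names
```

Whitelist the first candidate, reproduce again, and re-run; the A/AAAA pair for one name collapses to a single entry so you are not chasing the same host twice.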

When to pay a human for a few hours in the lab

If the word “RDNSS” made you wince, that is a signal that paid time with someone who can read a capture from your router and your Pi in the same hour is cheaper than a forum spiral. A workshop in Cork, Limerick, or a Bristol small-business IT desk will still be faster than a factory reset you regret, especially on an all-in-one CPE you were trying not to break.

If this is too much hassle, we can do it for you — get a quote.