VPS for Pi-hole DNS Ad Blocker

The traditional Pi-hole deployment runs on a Raspberry Pi on your local network, blocking ads for all devices on that LAN. This works well at home but has two limitations: it does not protect devices when they are away from the home network, and it creates a single point of failure (if the Pi reboots or loses power, DNS stops resolving for the whole network). A VPS-hosted Pi-hole solves both problems.

When Pi-hole runs on a VPS with a static IP, you configure your devices' DNS settings (or VPN split-DNS) to point at your VPS IP from anywhere. Mobile devices on cellular networks, laptops at coffee shops, and remote team members all benefit from the same ad-blocking and tracker-blocking rules as your home setup. The VPS's 99.9% uptime guarantee exceeds what any home server achieves with power cuts and ISP outages.

The tradeoff is latency. A local Pi-hole on your LAN resolves DNS in under 1 ms. A VPS in Iceland or Romania adds 20-60 ms for European users. In practice, DNS latency is not perceptible for normal browsing - the browser caches DNS for hours, so the actual DNS lookup adds no noticeable delay to page loads. The privacy and availability benefits far outweigh the latency consideration.

On your AnubizHost VPS (Debian 12 or Ubuntu 22.04 recommended), run the one-line Pi-hole installer: curl -sSL https://install.pi-hole.net | bash. The interactive installer asks for your upstream DNS provider (choose Cloudflare, Google, or any recursive resolver), network interface, and whether to install the web interface. Select all defaults for a standard installation. After completion, Pi-hole is listening on port 53 (DNS) and port 80 (admin web UI).

For enhanced privacy, install Unbound as a local recursive DNS resolver so Pi-hole does not forward queries to any upstream provider. Unbound resolves DNS directly from the authoritative name servers for each domain. Install: apt install unbound. Configure /etc/unbound/unbound.conf.d/pi-hole.conf with the listen address 127.0.0.1, port 5335, and DNSSEC validation enabled. In Pi-hole's admin panel, set the upstream DNS to 127.0.0.1#5335 (Unbound). Now your DNS chain is: device -> Pi-hole (blocks known bad domains) -> Unbound (recursive resolution without third-party DNS provider).

Access the Pi-hole admin dashboard at http://your-vps-ip/admin. The dashboard shows real-time query logs, block rates, top blocked domains, and allows you to add custom blocklists. Block rate of 20-40% is typical with default blocklists; adding community blocklists (StevenBlack, OISD) increases this to 30-50% for most users.

An open DNS resolver accessible from the public internet is immediately abused for DNS amplification DDoS attacks. This is the most critical security step for a VPS-hosted Pi-hole: lock down port 53 to authorized IPs only. Using ufw: ufw default deny incoming && ufw allow from your.home.ip.address to any port 53 && ufw allow ssh. Add each device or network that should use your Pi-hole as a DNS server by adding its IP to the allowlist.

For mobile devices that change IP addresses (cellular connections), use a WireGuard VPN tunnel to your VPS instead. Configure the WireGuard tunnel to route only DNS traffic (set DNS in the client config and AllowedIPs to just the Pi-hole IP), or route all traffic through the VPN for full protection. From inside the WireGuard tunnel, the mobile device always has a fixed tunnel IP that you can allowlist in ufw.

Change the Pi-hole web admin password immediately after installation: pihole -a -p. Enable HTTPS for the admin panel by placing an SSL certificate (from Let's Encrypt) in front of Nginx acting as a reverse proxy to Pi-hole's local port 80. Restrict the admin panel to localhost or VPN-only access - there is no reason for the admin panel to be publicly accessible.

Pi-hole ships with the default StevenBlack blocklist (~100,000 domains). Expand coverage by adding community lists in Settings > Blocklists. Recommended additions: OISD Basic (ad and tracking domains, ~100k entries), Hagezi Pro (comprehensive, ~300k entries), and No-Gambling/No-Porn lists if appropriate for your environment. After adding lists, run pihole -g (Gravity update) to download and compile them. A combined list of 500,000 domains uses approximately 100 MB of RAM in Pi-hole's compiled format.

Custom DNS entries (local DNS records) let you assign private hostnames to internal services. Under Local DNS > DNS Records, add entries like nextcloud.internal -> 10.8.0.2 for services on your VPN. Devices using your Pi-hole as DNS can then access internal services by hostname without needing to remember IP addresses. This integrates well with a WireGuard VPN where all team devices are on a shared private subnet.

For team deployment, Pi-hole supports conditional forwarding to distribute DNS across multiple upstream resolvers for different domains, and group management for applying different blocklist profiles to different device groups. Create separate groups for work devices (stricter blocking) and personal devices (standard blocking). Each group can have different blocklists enabled, giving you fine-grained control over what is blocked for each class of device connecting to your VPS Pi-hole.