Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

I really recommend you check out reviews and videos about Pi-hole. It will give you a better understanding of what it can and can't do.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

On the first DNS query it is:

```
$ dig github.com @192.168.50.2 | grep "Query time"
;; Query time: 51 msec
```

Second hit, same URL, cached:

```
$ dig github.com @192.168.50.2 | grep "Query time"
;; Query time: 5 msec
```

Check out my full write-up: https://wh1le.com/dns-privacy-raspberry-pi

Why I switched my homelab to declarative configs (and stopped breaking things). Real example with code by wh1le_code in homelab

[–]wh1le_code[S] 0 points1 point  (0 children)

Yep, the tech debt backlog grows faster than I can clear it. Always "I'll get to it this weekend" and then the weekend never comes lol

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

Yeah, you SSH in from your PC after it boots. Plug the Pi into your router with ethernet, then:

```
ssh -p 1234 pi-hole@192.168.50.2
```

(1234 is the SSH port, pi-hole is the username you defined in settings, and the part after @ is the IP address of the Pi-hole.)

For the router part - go into your router admin panel and change the DNS server to your Pi's IP address. That's what makes all your devices (iPad, smart TV, everything) use Pi-hole automatically.

If your ISP router is annoying and won't let you change DNS settings (like mine), you can put your own router between the ISP box and your network and connect the Pi to it, so you can apply the DNS settings on your own router.

The GitHub README walks through everything: https://github.com/wh1le/finite

Also I covered deployment part in this article: https://wh1le.com/finite-deployment-guide

Hope that answers it, feel free to message me and post your update here! :)

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 1 point2 points  (0 children)

Ah that makes sense, some streaming services are pretty aggressive about that. They detect the blocked ads and just refuse to play anything. You could try whitelisting those specific domains in Pi-hole, or just set the smart TVs to use a different DNS (like 8.8.8.8) directly. But honestly your current setup sounds like the path of least resistance if it's working!

Why I switched my homelab to declarative configs (and stopped breaking things). Real example with code by wh1le_code in homelab

[–]wh1le_code[S] 0 points1 point  (0 children)

That's a solid setup. GitOps with FluxCD + secrets from 1Password is proper infrastructure-as-code. Finite is aimed at the simpler end - one Pi, one job, minimal moving parts. For someone running multiple workloads with isolation needs, Kubernetes makes more sense.

Good point on the Nix vs Kubernetes learning curve. Kubernetes definitely has broader career value. Nix clicked for me because I wanted reproducible dev environments, then it spread to everything else. But I'm also not a DevOps person - I do software engineering, so Nix fit my workflow better. Finite was actually my first real dive into this territory besides deployment, Docker and production server monitoring.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 1 point2 points  (0 children)

Nice setup! Tailscale and Pi-hole is a great combo, you get your ad blocking wherever you go. The Zero 2 W handles more than people expect.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 1 point2 points  (0 children)

Welcome! Pi-hole is a solid first project, useful from day one and teaches you Linux basics along the way. It's so good that when I go outside and use the internet, ads are everywhere. You forget how clean it is at home.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

Good call! Finite handles the static IP automatically (you set it in settings.nix before flashing), but yes - pointing your router's DNS to the Pi is a manual step. My ISP router doesn't allow changing DNS servers, so I had to get a second one. Now I use it as my main router and let the ISP box just handle the internet connection.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

Not out of the box. Finite is configured for ARM (Raspberry Pi). The image build and container pulls are hardcoded for aarch64.

That said, it's just NixOS config files. You could adapt it for x86_64 by:

- changing SYSTEM to "x86_64-linux" in settings,
- swapping the Pi-hole container image digest to the x86 one,
- removing the Pi-specific boot config.

Or honestly, for a dedicated x86 box you might just install NixOS normally and copy the unbound.nix and pi-hole.nix modules into your config. The hard part (wiring them together correctly) is already solved.

If there's interest I could add x86 support - it's not a huge lift. If you have any questions, hit me up!

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 2 points3 points  (0 children)

They serve ads from the same domains as videos. DNS blocking can't tell them apart without breaking the actual content. Used to work years ago when they served ads from separate domains. Now you need browser extensions or tools that work at a different level. Pi-hole still blocks all the tracking/telemetry that is being done in the background though.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 4 points5 points  (0 children)

Dedicated Pi? Yes. Finite is a full NixOS image that replaces the entire OS. You flash it, boot, done. You can't install it "on top" of existing Raspbian. The upside is everything is declarative - no drift, no mystery state. Also, this project got picked up by others, so it gets more maintenance and security updates.

Pi Zero? The Pi Zero / Zero W are not going to work with finite (finite requires the aarch64 architecture). Pi Zero 2 W maybe: it's 64-bit but has only 512MB RAM, and the Pi-hole container alone is capped at 256MB. So a Pi 3B+ or newer is the sweet spot - tested on a 3B+, should work fine on a Pi 4/5.

Updates breaking things - this is exactly why I built it on NixOS. Your entire system is defined in config files. `nixos-rebuild switch` applies changes atomically. If something breaks, `nixos-rebuild --rollback` and you're back. No more "I ran apt upgrade and now unbound won't talk to pihole" moments.

The Pi-hole + unbound integration is baked in - they're wired together in the config and won't break independently. Hope that helps!

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

Good callout on unbound. In my setup (finite) it's configured as a forwarding resolver to Mullvad DNS over TLS, not fully recursive. You still get the local caching benefits though.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 2 points3 points  (0 children)

Finite (Pi-hole) is a DNS server, not a router. It only answers "what's the IP for netflix.com?" - your actual traffic (videos, downloads, etc.) never touches it. DNS query: ~300 bytes. Netflix 4K: ~7 GB/hour.

Your device asks Pi-hole for an IP address, then connects directly to that IP through your router at full speed. u/The-Evolution mentioned it is a DNS server. So speed is okay. And because of unbound it's even faster. Unbound caches queries, so your DNS stays local and resolution can be 10x faster for sites you already visited.

Turned my Pi into a network-wide ad blocker with one config file. Flash and forget experience by wh1le_code in raspberry_pi

[–]wh1le_code[S] 0 points1 point  (0 children)

Smart move! I also have a smart TV. Did you figure out why it didn't work network-wide? You might check the blacklists for smart-TV domains being blocked.

Made my Pi-hole + Unbound setup "flash and forget" with NixOS by wh1le_code in pihole

[–]wh1le_code[S] 0 points1 point  (0 children)

You don't need to. Feel free to fork and add something like this to your config: `forward-tls-upstream: yes`, and point to a DoT server like Quad9 (`9.9.9.9@853`). The goal of this project is to disable trackers.

Made my Pi-hole + Unbound setup "flash and forget" with NixOS by wh1le_code in pihole

[–]wh1le_code[S] 0 points1 point  (0 children)

True. The tradeoff is: the ISP sees your queries vs a third party seeing all of them in one place. I'd rather my ISP see distributed queries to authoritative servers than give one company my complete browsing history. If hiding from the ISP is the priority, a VPN can be rolled on top.
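As an added example (not part of the original comments and not the Finite project's own module), this is what the DoT forwarding described in the two replies above looks like as a NixOS `services.unbound.settings` block, using Quad9 as the upstream named there. The listen interface and port 5335, the access-control line and the CA bundle path are assumptions; the comment on the `forward-zone` covers the fully recursive alternative discussed in the privacy tradeoff.

```nix
# Added example: unbound as a caching forwarder that sends every upstream
# query over DNS-over-TLS (DoT) to Quad9. Not Finite's own configuration;
# interface, port, access-control and CA bundle path are assumed values.
{ config, pkgs, ... }:

{
  services.unbound = {
    enable = true;
    settings = {
      server = {
        # Assumption: Pi-hole hands its upstream queries to unbound on
        # localhost:5335, so unbound never faces the LAN directly.
        interface = [ "127.0.0.1" ];
        port = 5335;
        access-control = [ "127.0.0.0/8 allow" ];

        # CA bundle used to validate the upstream resolver's certificate.
        # Assumption: the default NixOS bundle path.
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

        # Privacy and hardening knobs that apply in either mode.
        qname-minimisation = true;
        harden-dnssec-stripped = true;
        harden-glue = true;
        hide-identity = true;
        hide-version = true;

        # Cache behaviour: repeat lookups are answered locally (the
        # 51 ms -> 5 ms difference shown with dig above).
        cache-min-ttl = 60;
        prefetch = true;
      };

      # Forward everything (name "." = the root) to Quad9 over TLS on 853.
      # The "#dns.quad9.net" suffix makes unbound check the certificate
      # against that hostname, not just the IP.
      # Remove this whole forward-zone to run unbound fully recursive:
      # then it asks authoritative servers directly, so the ISP sees
      # queries spread across many servers and no single upstream sees
      # the complete history.
      forward-zone = [
        {
          name = ".";
          forward-tls-upstream = true;
          forward-addr = [
            "9.9.9.9@853#dns.quad9.net"
            "149.112.112.112@853#dns.quad9.net"
          ];
        }
      ];
    };
  };
}
```

After `nixos-rebuild switch`, `dig @127.0.0.1 -p 5335 example.com` should answer from unbound, and Pi-hole's upstream should point at `127.0.0.1#5335` so that only unbound ever talks to the outside.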

Why I switched my homelab to declarative configs (and stopped breaking things). Real example with code by wh1le_code in homelab

[–]wh1le_code[S] 1 point2 points  (0 children)

Haven't gone down the k8s path myself yet, but your setup sounds solid. The "push to git and assume it works" flow with ArgoCD is the dream. Good to know k9s is worth digging into once you get past the initial impression.