Network Security Guide

    Self-Hosted Pi-hole

    Deploy your own network-wide ad blocker with Pi-hole on RamNode VPS. Block ads, trackers, and malware at the DNS level for all your devices.

    Ubuntu/Debian
    Pi-hole + Unbound
    ⏱️ 15-20 minutes

    Prerequisites & VPS Selection

    Recommended

    • 1GB RAM
    • 1 vCPU
    • Personal/Family

    With Unbound

    • 2GB RAM
    • 2 vCPU
    • Recursive DNS

    Multi-Purpose

    • 4GB+ RAM
    • 4 vCPU
    • VPN + Pi-hole

    What You'll Need

    • Ubuntu 22.04/24.04 or Debian 11/12
    • Root or sudo access
    • Static IP address (included with RamNode VPS)
    • Optional: Domain name for web interface

    Initial Server Setup

    Update your system and confirm its static IP configuration:

    Update System
    apt update && apt upgrade -y
    apt install -y curl git

    💡 Note: RamNode VPS instances come with static IPs. Ensure your IP is correctly configured before proceeding.

    Check Your IP Address
    ip addr show
    # Note your primary IP address for later

    Install Pi-hole

    Run the official Pi-hole installer:

    Download and Run Installer
    curl -sSL https://install.pi-hole.net | bash

    ⚠️ Important: The installer is interactive. Follow these recommended settings:

    Installation Prompts

    • Upstream DNS: Choose Google, Cloudflare, or Custom (we'll configure Unbound later)
    • Blocklists: Accept defaults (StevenBlack's list)
    • Admin Interface: Yes - Install web admin interface
    • Web Server: Yes - Install lighttpd
    • Log Queries: Yes (can disable later for privacy)
    • Privacy Mode: Choose based on your preference (0 = show everything)

    Save Your Password! The installer will display a randomly generated admin password at the end. Write it down!

    Change Admin Password (Optional)
    pihole -a -p

    Access Web Interface

    Access the Pi-hole admin dashboard:

    Open your browser and navigate to:

    http://YOUR_SERVER_IP/admin

    Dashboard Features

    • Total queries blocked
    • Query logs
    • Top blocked domains
    • Client activity

    Admin Options

    • Whitelist/Blacklist
    • Group management
    • DHCP settings
    • DNS settings

    Firewall Configuration

    Configure UFW to allow DNS and web traffic:

    Configure Firewall
    # Install UFW if not present
    apt install -y ufw
    
    # Allow SSH first!
    ufw allow 22/tcp
    
    # Allow DNS
    ufw allow 53/tcp
    ufw allow 53/udp
    
    # Allow HTTP for admin interface
    ufw allow 80/tcp
    
    # Optional: Allow HTTPS if using SSL
    ufw allow 443/tcp
    
    # Enable firewall
    ufw enable
    ufw status

    ⚠️ Security Warning: Opening port 53 to the internet exposes your DNS server. Consider restricting access to specific IPs or using a VPN. See the Security section below.


    Configure Your Devices

    Point your devices to use Pi-hole as their DNS server:

    Router (Recommended)

    Set your router's DNS to your Pi-hole IP. All devices on your network will automatically use Pi-hole.

    • Primary DNS: YOUR_SERVER_IP
    • Secondary DNS: Leave blank or use a fallback (note that clients do not always prefer the primary, so some queries may go to the secondary and bypass Pi-hole)

    Individual Devices

    Configure DNS on each device manually:

    • Windows: Network Settings → DNS
    • macOS: System Preferences → Network
    • iOS/Android: WiFi Settings → DNS

    💡 Pro Tip: Pair Pi-hole with a VPN like WireGuard to use ad-blocking on mobile devices outside your home network.


    Install Unbound (Recursive DNS)

    Set up Unbound as a recursive DNS resolver for maximum privacy:

    Install Unbound
    apt install -y unbound
    Download Root Hints
    wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
    Create /etc/unbound/unbound.conf.d/pi-hole.conf with the following content:
    server:
        # Network interface
        interface: 127.0.0.1
        port: 5335
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        do-ip6: no
        prefer-ip6: no
        
        # Root hints
        root-hints: "/var/lib/unbound/root.hints"
        
        # Trust glue only if in server's authority
        harden-glue: yes
        harden-dnssec-stripped: yes
        use-caps-for-id: no
        
        # Reduce EDNS reassembly buffer size
        edns-buffer-size: 1232
        
        # Perform prefetching
        prefetch: yes
        
        # Cache settings
        num-threads: 1
        msg-cache-slabs: 2
        rrset-cache-slabs: 2
        infra-cache-slabs: 2
        key-cache-slabs: 2
        rrset-cache-size: 100m
        msg-cache-size: 50m
        
        # Privacy
        hide-identity: yes
        hide-version: yes
        
        # Time to live minimum
        cache-min-ttl: 3600
        
        # Access control
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
    Start and Enable Unbound
    systemctl enable unbound
    systemctl restart unbound
    
    # Test Unbound
    dig @127.0.0.1 -p 5335 google.com

    Configure Pi-hole to Use Unbound

    1. Go to Pi-hole Admin → Settings → DNS
    2. Uncheck all upstream DNS servers
    3. Add custom DNS: 127.0.0.1#5335
    4. Save changes
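As an added example (not part of the original guide), the script below lints an Unbound server config for the settings this section relies on: a loopback-only listener on port 5335, a default-refuse access-control line, and the hardening and identity-hiding directives. Both config files are constructed samples and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original guide): lint an Unbound config for
# the settings the guide relies on. Both config files are constructed.
WEAK=$(mktemp); HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
server:
    interface: 0.0.0.0
    port: 5335
    harden-glue: yes
    access-control: 0.0.0.0/0 allow
EOF
cat >"$HARDENED" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    harden-glue: yes
    harden-dnssec-stripped: yes
    edns-buffer-size: 1232
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
EOF

# has_directive FILE KEY VALUE: true when an uncommented "KEY: VALUE" line exists.
has_directive() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*$3([[:space:]]|\$)" "$1"
}

# audit_unbound_conf FILE: print one line per failed check; return the
# number of failures (0 = loopback-only and hardened as in the guide).
audit_unbound_conf() {
    f=$1; fails=0
    if grep -Eq '^[[:space:]]*interface:[[:space:]]*(0\.0\.0\.0|::0?)' "$f"; then
        echo "FAIL interface binds all addresses; Pi-hole only needs 127.0.0.1"
        fails=$((fails + 1))
    fi
    has_directive "$f" access-control '0\.0\.0\.0/0 refuse' ||
        { echo "FAIL no default-refuse access-control line"; fails=$((fails + 1)); }
    for kv in "port 5335" "harden-glue yes" "harden-dnssec-stripped yes" \
              "hide-identity yes" "hide-version yes" "edns-buffer-size 1232"; do
        set -- $kv
        has_directive "$f" "$1" "$2" || { echo "FAIL missing $1: $2"; fails=$((fails + 1)); }
    done
    return $fails
}

audit_unbound_conf "$WEAK" || echo "weak config: $? problem(s)"
audit_unbound_conf "$HARDENED" && echo "hardened config: OK"
```

Run it against /etc/unbound/unbound.conf.d/pi-hole.conf after `unbound-checkconf` passes; it checks the values the guide sets, not Unbound's syntax.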

    Add Custom Blocklists

    Enhance blocking with additional community blocklists:

    Add via Web Interface

    1. Go to Pi-hole Admin → Group Management → Adlists
    2. Paste blocklist URLs one at a time
    3. Click "Add"
    4. Run "pihole -g" to update

    Recommended Blocklists

    • https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    • https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
    • https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
    • https://v.firebog.net/hosts/Easyprivacy.txt
    • https://v.firebog.net/hosts/Prigent-Crypto.txt

    Update Blocklists
    pihole -g
    # This updates gravity (blocklists)

    Security Hardening

    Secure your Pi-hole installation:

    Option 1: Restrict DNS Access by IP

    UFW Rules for Specific IPs (practical only where those client IPs are static)
    # Remove open DNS rules
    ufw delete allow 53/tcp
    ufw delete allow 53/udp
    
    # Allow only specific IPs
    ufw allow from YOUR_HOME_IP to any port 53
    ufw allow from YOUR_OFFICE_IP to any port 53

    Option 2: Use with VPN (Recommended)

    Pair Pi-hole with WireGuard VPN for secure, private DNS everywhere:

    • Install WireGuard on the same VPS
    • Configure VPN clients to use the Pi-hole IP as DNS
    • Block port 53 from the internet entirely

    See the WireGuard guide for the VPN setup.

    Secure Admin Interface

    Set Up SSL with Certbot
    apt install -y certbot
    certbot certonly --webroot -w /var/www/html -d pihole.yourdomain.com
    
    # Configure lighttpd for SSL (advanced)
    # Or use Nginx as reverse proxy

    ⚠️ Never expose an open DNS resolver to the internet! Open resolvers can be abused for DNS amplification attacks. Always restrict access.


    Updates & Maintenance

    Keep Pi-hole updated and maintained:

    Update Pi-hole
    pihole -up
    Update Gravity (Blocklists)
    pihole -g
    Check Pi-hole Status
    pihole status
    pihole -c  # Real-time stats
    Useful Commands
    # Temporarily disable blocking
    pihole disable 5m    # Disable for 5 minutes
    
    # Enable blocking
    pihole enable
    
    # Tail the query log
    pihole -t
    
    # Flush logs
    pihole flush
    
    # Restart DNS
    pihole restartdns

    💡 Automated Updates: Pi-hole checks for updates weekly. You can also set up a cron job for automatic gravity updates.


    Troubleshooting

    DNS Not Resolving

    Check Services
    systemctl status pihole-FTL
    pihole restartdns
    dig @127.0.0.1 google.com

    Web Interface Not Loading

    Check Lighttpd
    systemctl status lighttpd
    systemctl restart lighttpd
    pihole -r  # Reconfigure/repair

    Website Incorrectly Blocked

    • Check the query log to identify the blocked domain
    • Add the domain to the whitelist via the admin interface
    • Or use the command line:
    Whitelist Domain
    pihole -w example.com

    Unbound Not Working

    Debug Unbound
    systemctl status unbound
    unbound-checkconf
    dig @127.0.0.1 -p 5335 google.com

    View Logs

    Check Logs
    # Query log (dnsmasq format)
    tail -f /var/log/pihole/pihole.log
    
    # Pi-hole FTL log
    tail -f /var/log/pihole/pihole-FTL.log
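Added example, not from the original guide: once port 53 has been restricted, the query log is the quickest way to confirm that nobody outside your own networks is still using the resolver (the open-resolver risk the Security Hardening section warns about). The script runs over constructed dnsmasq-format lines, the format of /var/log/pihole/pihole.log; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): scan a Pi-hole query log
# (dnsmasq format, /var/log/pihole/pihole.log) for queries from clients
# outside private/loopback address space. After port 53 is restricted,
# any such entry means the resolver is still reachable from the internet.
# The log lines below are constructed samples, not real traffic.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Mar  3 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar  3 10:00:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5335
Mar  3 10:00:01 dnsmasq[812]: reply example.com is 192.0.2.10
Mar  3 10:00:02 dnsmasq[812]: query[A] ads.tracker.example from 10.8.0.3
Mar  3 10:00:02 dnsmasq[812]: gravity blocked ads.tracker.example is 0.0.0.0
Mar  3 10:00:05 dnsmasq[812]: query[ANY] example.org from 203.0.113.45
Mar  3 10:00:05 dnsmasq[812]: query[ANY] example.org from 203.0.113.45
Mar  3 10:00:06 dnsmasq[812]: query[TXT] example.net from 198.51.100.7
EOF

# external_clients LOGFILE: print "count client" for every query source that
# is not in 10/8, 172.16/12, 192.168/16 or 127/8, busiest first.
# IPv6 sources never match the private test, so they are always listed.
external_clients() {
    awk '/dnsmasq\[[0-9]+\]: query\[/ {
            ip = $NF; split(ip, o, "[.]")
            private = (o[1] == 10) || (o[1] == 127) || (o[1] == 192 && o[2] == 168) ||
                      (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
            if (!private) count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# external_client_count LOGFILE: number of distinct external clients.
external_client_count() { external_clients "$1" | wc -l | tr -d ' '; }

# top_external_client LOGFILE: busiest external client as "count client".
top_external_client() { external_clients "$1" | head -n 1; }

external_clients "$LOG"
```

A non-empty result after the firewall rules are in place means a rule is missing or Pi-hole is being reached another way; a VPN client range such as 10.8.0.0/24 is private and is not reported.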

    Pi-hole Deployed Successfully!

    Your network-wide ad blocker is now running. Configure your devices to use your new DNS server and enjoy ad-free browsing.