Setup Pi-hole with Docker Compose

TL;DR — Quick Summary

A step-by-step tutorial on securing your home network by deploying Pi-hole as a DNS sinkhole via Docker containerization.

Blocking advertisements across every single device in your house—including Smart TVs and IoT vacuums—is the Holy Grail of home networking. Pi-hole accomplishes this by acting as a “DNS Sinkhole.”

In this guide, we will effortlessly deploy a highly available Pi-hole instance using Docker Compose.

Step 1: The Port 53 Warning (Ubuntu Users)

Pi-hole is a DNS Server, meaning it strictly requires Port 53. Unfortunately, modern Ubuntu distributions ship with a native service (systemd-resolved) that permanently hogs port 53. We must free it up first.

Open the systemd config:

sudo nano /etc/systemd/resolved.conf

Uncomment and change the line to:

DNSStubListener=no

Save the file, then apply the changes:

sudo systemctl restart systemd-resolved

Step 2: Prepare the Directory

Create a stable landing zone for our persistent DNS data blocks.

mkdir -p /opt/pihole
cd /opt/pihole

Step 3: Write the Configuration

Inside your /opt/pihole folder, create a docker-compose.yml file:

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/New_York'
      WEBPASSWORD: 'SuperSecretPassword'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

Important: Change the TZ to your exact timezone and set a strong WEBPASSWORD. You will use this password to access the Web UI.

Step 4: Fire up the Sinkhole

Deploy your application stack:

docker-compose up -d

Give it exactly 60 seconds to download the massive ad-blocking blocklists from GitHub. Once it stabilizes, you can access the beautiful admin interface at: http://<YOUR_LINUX_SERVER_IP>/admin

Step 5: Route Your Entire House Through Pi-hole

Right now, Pi-hole is sitting idle. To actually block ads, devices must ask Pi-hole “where is this website?” instead of asking Google or your ISP.

Log into your physical home router (e.g., Netgear, Asus, Unifi).
Look for the LAN / DHCP Server settings.
Find the DNS Server settings.
Replace the existing DNS IP with the Static IP Address of your Linux server hosting Docker.

Renew the DHCP lease on your phone by toggling Wi-Fi off and on. Congratulations! Every device is now cryptographically shielded against telemetry and tracking domains.

Guide & Instructions

Estimated Time: 15m

Tools Needed:

Docker
Docker Compose
Linux Terminal
Home Router Panel

Prepare the Host Server

Ensure your Linux server has a static IP address assigned. Create the project directory using `mkdir -p /opt/pihole` and navigate into it.

Resolve Port 53 Conflicts

On Ubuntu hosts, `systemd-resolved` often monopolizes port 53. You must disable its DNS stub listener by editing `/etc/systemd/resolved.conf` and setting `DNSStubListener=no`, then restarting the service.

Create docker-compose.yml

Define the `pihole/pihole:latest` container. Explicitly map ports 53 (TCP/UDP) and 80 (TCP). Add environment variables for `TZ` (Timezone) and `WEBPASSWORD` (Admin password).

Deploy the Stack

Execute `docker-compose up -d` to launch the container. Monitor the output using `docker-compose logs -f` to wait for the startup sequence to finish.

Configure Router DHCP

Log into your main house Wi-Fi router, locate the DHCP/LAN settings, and update the Primary DNS field to point exclusively to the IP address of your new Pi-hole.

Frequently Asked Questions

What exactly does Pi-hole do on my network?

Pi-hole acts as a DNS sinkhole. When any device on your Wi-Fi requests to load an advertising URL or known malware domain, Pi-hole intercepts the request and instantly blocks it at the network level, before it ever reaches your browser.

Why run Pi-hole in Docker instead of natively?

Running Pi-hole in Docker isolates it from your host operating system. This prevents package conflicts, allows you to easily upgrade versions by simply pulling the `latest` image, and makes backups as easy as copying a single folder.

How do I force all my devices to use the new Pi-hole?

You must log into your physical home router's admin panel (usually 192.168.1.1) and navigate to the DHCP settings. Change the Primary DNS Server IP to match the local static IP address of the machine running your Docker container.

What happens if my Docker server crashes?

If your Pi-hole goes offline, your entire house will lose DNS resolution (meaning you cannot load any websites). It is highly recommended to properly set up a secondary fallback DNS server, or deploy a secondary Pi-hole for High Availability.