
How to Supercharge Pi-hole with Unbound

  • Writer: Ray Knights
  • Jul 25
  • 4 min read

Updated: Sep 22

Turn Your Ad Blocker Into a Fully Private DNS Resolver


If you’ve set up Pi-hole already, congratulations! You’ve taken the first big step toward a faster, cleaner, and more privacy-respecting internet experience. Pi-hole blocks ads and trackers at the DNS level, which means your entire network benefits—from smart TVs to tablets.


But here’s a question: who is answering your DNS queries? If you’re using Cloudflare, Google, or OpenDNS as your upstream DNS provider, your network is still sharing every single lookup with a third party. While they may promise privacy, there’s still an element of trust.


If you want to truly take control of your DNS, the next step is to run your own DNS resolver. In this tutorial, you’ll learn how to add Unbound to Pi-hole—giving you full independence from outside DNS services and increasing your privacy and speed.


And importantly, we’ll also talk about something often misunderstood: why you shouldn’t block Google AdSense, and how responsible ad-blocking makes the web better for everyone—not just faster.


What Is Unbound?


Unbound is a DNS resolver. Unlike a DNS forwarder (like Pi-hole by default), which passes your requests along to another DNS server, Unbound performs the full lookup itself. It starts at the root servers of the internet and works its way down to the final destination (for example, google.com).


Here’s what Unbound brings to your setup:


  • No reliance on external DNS providers

  • DNSSEC validation for added security

  • Caching for faster lookups over time

  • Complete privacy—no logging, no tracking, no third parties


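Adding Unbound to your Pi-hole setup gives you a completely self-contained DNS chain. Your queries still travel unencrypted to the authoritative name servers, so your ISP can observe them, but no single upstream provider collects your full lookup history.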


Before We Begin: A Note About Ethical Ad Blocking


Pi-hole gives you the power to block any domain, including advertising platforms like Google AdSense. But just because you can block something doesn’t mean you should—especially if you’re a website owner or content creator yourself.


Here’s why blocking Google AdSense is generally discouraged:


  • AdSense funds creators and independent websites, just like the one you may be building.

  • Blocking AdSense hurts small blogs, tutorial sites, and YouTubers who rely on ad income.

  • It can prevent pages from loading correctly or damage the user experience.

  • If you’re applying for AdSense on your own site, Google will check for DNS-level blocking.


Responsible ad blocking means targeting malicious trackers, popups, and intrusive advertising, not ethical ad networks that keep the web free and independent.


We recommend not adding AdSense domains to your blocklists in Pi-hole. Focus on domains that serve malware or disruptive ads instead. You’ll still enjoy a faster, cleaner internet while supporting the people who make it possible.


What You’ll Need


  • A working Pi-hole installation on a Raspberry Pi or any Debian-based system

  • Terminal access (via SSH or directly)

  • About 20–30 minutes to complete the steps


This guide assumes Pi-hole is already set up and running.


Step 1: Update Your System


Start by updating your packages to ensure everything is current.


Run:

```bash
sudo apt update && sudo apt upgrade -y
```


Step 2: Install Unbound


Next, install the Unbound resolver and the dnsutils package (which includes the dig tool we’ll use for testing).


Run:

```bash
sudo apt install unbound dnsutils -y
```


Step 3: Add the Root Hints File


Unbound needs to know where the root DNS servers are. This file tells it where to start its lookups.


Run:

```bash
# --fail stops curl from saving an HTTP error page as root.hints
sudo curl --fail -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
```
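A hints file that is truncated, or that is really an error page, only shows up later as failed lookups, so it is worth checking right after the download. The function below is an added example, not part of the original tutorial: it reads a file in the named.cache layout on standard input and confirms that it names the expected root servers, each with an address. The sample data is constructed and uses placeholder addresses.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a root hints file (named.cache layout) read from stdin.
# Usage on the Pi: check_root_hints < /var/lib/unbound/root.hints

# Prints "ok" when the input names `want` root servers (13 in the real file) and
# each of them has at least one A record. An HTML error page or a truncated
# download fails with "ns-count:<n>" or "no-address:<server>".
check_root_hints() {
  awk -v want="${1:-13}" '
    /^[ \t]*(;|$)/ { next }                       # skip comments and blank lines
    {
      # Layout: owner ttl [IN] type rdata; the class field is optional
      t = 3; if (toupper($t) == "IN") t = 4
      type = toupper($t); rdata = toupper($(t + 1))
    }
    $1 == "." && type == "NS" { if (!(rdata in ns)) { ns[rdata] = 1; n++ } }
    type == "A"               { addr[toupper($1)] = 1 }
    END {
      if (n != want) { print "ns-count:" (n + 0); exit 1 }
      for (name in ns) if (!(name in addr)) { print "no-address:" name; exit 1 }
      print "ok"
    }'
}

# Constructed two-server sample; the addresses are documentation-range placeholders.
SAMPLE_HINTS=';  constructed excerpt in named.cache layout
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2'
# Constructed stand-in for an error page saved in place of the hints file.
SAMPLE_ERROR_PAGE='<html><body><h1>503 Service Unavailable</h1></body></html>'

printf '%s\n' "$SAMPLE_HINTS" | check_root_hints 2             # prints: ok
printf '%s\n' "$SAMPLE_ERROR_PAGE" | check_root_hints || true  # prints: ns-count:0
```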


Step 4: Create a Configuration File for Unbound


Create a new config file just for Pi-hole’s use by running:


```bash
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
```


Paste the following configuration exactly:


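```plaintext
server:
    # Log errors only
    verbosity: 0

    # Listen on localhost only, on a port that does not clash with Pi-hole (53)
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Start recursion from the root servers listed in this file
    root-hints: "/var/lib/unbound/root.hints"

    # Do not answer id.server / version.server queries
    hide-identity: yes
    hide-version: yes

    # Only trust glue records that fall within the server's authority
    harden-glue: yes
    # Treat answers from signed zones that arrive without DNSSEC data as bogus
    harden-dnssec-stripped: yes

    # Randomize query-name case (0x20) to make spoofed answers harder
    use-caps-for-id: yes
    # Keep UDP responses small enough to avoid IP fragmentation
    edns-buffer-size: 1232
    # Refresh popular cache entries shortly before they expire
    prefetch: yes
    # Cache answers for at least 1 hour and at most 1 day, whatever the record's own TTL
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # One thread is enough for a home network
    num-threads: 1
    # Larger socket buffers so bursts of queries are not dropped
    so-rcvbuf: 1m
    so-sndbuf: 1m
```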


Save and close the file by pressing `CTRL + O`, then `Enter` to confirm, then `CTRL + X` to exit.


Step 5: Restart Unbound


Apply the new configuration by restarting Unbound.


Run:

```bash
sudo service unbound restart
```


Step 6: Test Unbound


Check that Unbound is working properly by running a DNS lookup:


Run:

```bash
dig @127.0.0.1 -p 5335 example.com
```


If it returns an IP address and shows a query time, Unbound is resolving domains correctly. If you get a timeout, double-check your config file and make sure the root hints were downloaded.
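Step 6 confirms that Unbound resolves names, but not that it validates DNSSEC. The script below is an added example, not part of the original tutorial: it classifies dig output by response status and the `ad` flag. The test names `dnssec.works` and `fail01.dnssec.works` are assumptions taken from the Pi-hole project's Unbound guide, and the sample headers are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): does Unbound validate DNSSEC?
# Run with --live on the Pi-hole host; without it only the functions are defined.

# Classify dig output read from stdin:
#   validated = NOERROR with the "ad" (authenticated data) flag set
#   insecure  = NOERROR without "ad" (unsigned zone, or validation not active)
#   servfail  = SERVFAIL (expected for a zone whose signature is deliberately broken)
classify_dig() {
  awk '
    /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { st = $(i + 1); sub(/,/, "", st) } }
    /^;; flags:/   { f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f); ad = ((" " f " ") ~ / ad /) }
    END {
      if (st == "NOERROR")       print (ad ? "validated" : "insecure")
      else if (st == "SERVFAIL") print "servfail"
      else                       print "other:" (st == "" ? "no-response" : st)
    }'
}

# Query the Unbound instance from this guide (127.0.0.1, port 5335) with the DO bit set.
query_unbound() { dig +dnssec +time=5 +tries=1 @127.0.0.1 -p 5335 "$1"; }

# Live check. Both test names are assumptions; override them via the environment.
# SERVFAIL can also mean a plain resolution failure, so read it together with the
# result for the correctly signed name.
live_check() {
  good=$(query_unbound "${SIGNED_NAME:-dnssec.works}" | classify_dig)
  bad=$(query_unbound "${BROKEN_NAME:-fail01.dnssec.works}" | classify_dig)
  echo "signed zone: $good, broken zone: $bad"
  [ "$good" = validated ] && [ "$bad" = servfail ]
}

# Constructed sample headers (not captured output) for trying the parser offline.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then live_check; fi
```

If the signed name comes back as `insecure`, Unbound is resolving without a working trust anchor and the broken name will resolve as well.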


Step 7: Configure Pi-hole to Use Unbound


Now tell Pi-hole to forward DNS requests to Unbound instead of an external DNS provider.


  1. Open the Pi-hole web admin interface at http://pi.hole or your Pi’s IP address.

  2. Go to Settings > DNS.

  3. Uncheck any boxes under Upstream DNS Servers.

  4. In Custom 1 (IPv4), enter: `127.0.0.1#5335`.

  5. Scroll down and click Save.


Pi-hole will now send all DNS requests to Unbound, which will handle them independently.


Step 8: Confirm It’s Working


Try another test by running:


```bash
dig pi-hole.net
```


Also test directly through Unbound again:


```bash
dig pi-hole.net @127.0.0.1 -p 5335
```


If both commands return a valid IP address, everything is working. In the Pi-hole dashboard, check your Query Log to see DNS lookups coming in. You’ll notice that upstream queries are now minimal—because Unbound caches results locally for faster reuse.


Optional: Reduce Logging


If you want to reduce system log entries from Unbound, open your config file again:


```bash
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
```


Add this line at the end:


```plaintext
logfile: "/dev/null"
```


Then restart the service again:


```bash
sudo service unbound restart
```


Final Thoughts: Responsible Control


With Pi-hole and Unbound working together, your home network now has a powerful, private, and self-contained DNS system. This setup improves your privacy, reduces external dependencies, and speeds up domain lookups over time.


Remember: while blocking ads is useful, don’t block Google AdSense domains or ethical ad networks. Supporting content creators helps keep the internet free and accessible for everyone. Use your new setup responsibly for the best experience.


If you have questions or want help with your Pi-hole + Unbound setup, feel free to ask!


 
 
 