
Pi-hole on a Mini PC — Complete DNS Ad Blocking Guide

By Mini PC Lab Team · January 7, 2026 · Updated March 27, 2026

This article contains affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. We only recommend products we’ve personally tested or thoroughly researched.


Pi-hole blocks ads at the DNS level for every device on your network — phones, TVs, gaming consoles — without installing anything on those devices. A mini PC running Pi-hole in Docker is more reliable, faster, and easier to maintain than a Raspberry Pi. This guide covers installation, configuration, and the advanced settings that most guides skip.

Before You Start

Requirements:

  • Mini PC running Linux with Docker installed
  • Static IP on your mini PC (required — DHCP address can change and break DNS)
  • 512MB RAM allocated (Pi-hole is extremely lightweight)
  • Estimated time: 15–20 minutes

The cheapest way to get started: A Beelink EQ14 at ~$190 runs Pi-hole, Vaultwarden, Home Assistant, Nginx Proxy Manager, Uptime Kuma, and several other services simultaneously at ~6W idle. If you only want Pi-hole, any Intel N-series mini PC works — the EQ14 is the best value option.

Already have a server? Pi-hole runs alongside other Docker containers without conflict. It only needs port 53 (DNS) and optionally 80/443 (admin UI).


Step 1: Set a Static IP

Pi-hole must have a consistent IP address — your router will point DNS to it. If your server’s IP changes, DNS breaks for the entire network.

Option A — DHCP reservation on your router (easiest):

  1. Find your mini PC’s MAC address: ip link show | grep "link/ether"
  2. In your router admin panel, find “DHCP reservations” or “address reservation”
  3. Assign your chosen static IP (e.g., 192.168.1.53) to that MAC

Option B — Static IP in Debian:

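sudo nano /etc/network/interfaces

# Add or edit the stanza for your interface (enp2s0 here; check yours with `ip link show`):
iface enp2s0 inet static
    address 192.168.1.53
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 1.1.1.1

# Save the file, then apply the change:
sudo systemctl restart networking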

Step 2: Install Pi-hole via Docker

mkdir -p ~/services/pihole
cd ~/services/pihole

Create docker-compose.yml:

services:
  pihole:
    image: pihole/pihole:2024.07.0
    container_name: pihole
    hostname: pihole
    environment:
      TZ: 'America/New_York'          # Your timezone
      WEBPASSWORD: 'your-secure-password'
      PIHOLE_DNS_: '1.1.1.1;1.0.0.1' # Upstream DNS servers
      DNSSEC: 'true'                  # Enable DNSSEC validation
      VIRTUAL_HOST: 'pihole.home'     # Optional: local hostname
      CORS_HOSTS: 'pihole.home'
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN

Start the container and follow the logs:

docker compose up -d
docker compose logs -f pihole
# Wait for "FTL started" in the logs — Pi-hole is ready

Access the admin UI at http://[YOUR-IP]:8080/admin.


Step 3: Configure Your Router to Use Pi-hole

This is what makes Pi-hole work for every device on your network. Change your router’s DNS settings to point to your mini PC’s IP.

Access your router admin panel (usually 192.168.1.1 or 192.168.0.1).

Find the DNS settings — typically under: LAN Setup, DHCP Server, or Advanced DNS.

Set:

  • Primary DNS: 192.168.1.53 (your Pi-hole’s IP)
  • Secondary DNS: Leave blank or set to 1.1.1.1 as a backup

Save and let clients renew their DHCP leases. This may take a few minutes, or you can disconnect and reconnect devices manually.

Test it’s working:

# From another device on your network
nslookup ads.google.com 192.168.1.53
# Should return 0.0.0.0 — ad domain blocked

nslookup google.com 192.168.1.53
# Should return a real IP — legitimate domain passes through

Step 4: Set Up Pi-hole v6 (Major Update)

Pi-hole v6, released in early 2026, completely rewrites the admin interface and adds a new blocking engine. If you’re running v5 (from 2024 or earlier), update:

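# Pull the image tag set in docker-compose.yml
# (the file above pins 2024.07.0, so change that tag first to move to a newer release)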
docker compose pull
docker compose up -d

# Verify version
docker exec pihole pihole version

Pi-hole v6 changes:

  • New REST API replaces the old API
  • Redesigned dashboard with real-time query graphs
  • Better regex blocklist support
  • Improved group management for per-device blocking rules

Step 5: Add More Blocklists

The default blocklist blocks about 70,000 domains. More lists block more ads and trackers.

In the Pi-hole admin UI: Adlists → Add URL

Recommended blocklists for 2026:

List                     Domains   Focus
Steven Black (default)   ~70K      Ads, malware
HaGeZi Multi Normal      ~150K     Ads, trackers, malware
OISD Big                 ~270K     Comprehensive
HaGeZi Pro               ~350K     Most comprehensive
EasyList                 ~60K      Browser-focused ads
EasyPrivacy              ~40K      Trackers

Start with HaGeZi Multi Normal — it’s comprehensive without false positives. Add OISD Big if you want maximum blocking.

After adding lists, go to: Tools → Update Gravity

# Or via terminal:
docker exec pihole pihole -g

Check your blocking rate: The Pi-hole dashboard shows the percentage of DNS queries blocked. Typical home networks: 15–30% blocked. Higher than 40% may indicate over-aggressive lists causing false positives.


Step 6: Set Up DNS-over-HTTPS (Encrypted DNS)

Standard DNS queries are sent unencrypted — your ISP and anyone on your network can see what domains you’re looking up. DNS-over-HTTPS (DoH) encrypts these queries.

Method: cloudflared as a DoH proxy

Add cloudflared as a container that runs alongside Pi-hole:

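# Add to your docker-compose.yml, in the services section:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    # --address 0.0.0.0 is needed: proxy-dns listens only on localhost by default,
    # which the Pi-hole container cannot reach
    command: proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
    restart: unless-stopped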

Then update your Pi-hole environment variable to use cloudflared as the upstream:

PIHOLE_DNS_: '172.x.x.x#5053'  # cloudflared container's IP on port 5053

To get cloudflared’s container IP:

docker inspect cloudflared | grep IPAddress

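Restart both containers. The resolution path is now Pi-hole → cloudflared → Cloudflare DoH, so queries leaving your mini PC for the upstream resolver are encrypted. Queries from client devices to Pi-hole on your LAN are still plain DNS. Docker can assign cloudflared a different IP when the container is recreated, so re-check the address in PIHOLE_DNS_ if resolution stops working.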


Step 7: Configure Per-Device Rules (Advanced)

Pi-hole groups let you apply different blocklists to different devices — useful if some devices need stricter blocking (kids’ devices) or fewer blocks (smart TVs that break with aggressive lists).

Create a group:

Group Management → Groups → Add → name it “Kids” or “IoT”

Add a client to the group:

Group Management → Clients → Add → enter device’s IP or MAC → assign to “Kids” group

Assign blocklists to the group:

Group Management → Adlists → for each list, check/uncheck which groups it applies to

Now the “Kids” group gets the standard lists plus a YouTube adult content blocklist; the “IoT” group gets only malware lists (avoiding false positives on smart TVs).


Step 8: Set Up Local DNS Records

Pi-hole can resolve custom local hostnames — so you can type proxmox.home instead of 192.168.1.50:

Local DNS → DNS Records → Add:

  • Domain: proxmox.home
  • IP: 192.168.1.50

Now all devices on your network resolve proxmox.home to your Proxmox server.



Troubleshooting

Specific sites not loading after enabling Pi-hole

The site’s domain is probably on a blocklist — a false positive. Check the Query Log in Pi-hole for the blocked domain. Whitelist it: Domains → Whitelist → Add.

# Or via terminal:
docker exec pihole pihole -w example.com

DNS port 53 conflict — container won’t start

Another service is using port 53. On Ubuntu 24.04, systemd-resolved listens on 53. Fix:

# Disable systemd-resolved's stub listener
sudo sed -i 's/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved

Then restart the Pi-hole container.

Queries still going through even though Pi-hole is running

Your devices may be using hardcoded DNS servers (common on Android phones and Google devices) that bypass the router’s DNS setting. Solution: On your router, add a DNS redirect rule that forces all port 53 traffic to your Pi-hole IP. This varies by router firmware — look for “firewall rules” or “port redirect” in your router admin panel.
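
To see which devices are bypassing Pi-hole before you add the redirect rule, this added example (not from the original article) parses `tcpdump -nn` text output and lists LAN clients that send port 53 queries to a resolver other than Pi-hole. The capture lines are constructed sample data; the function names and the 192.168.1.0/24 prefix are assumptions based on the addresses used in this guide.

```shell
#!/bin/sh
# Added example: list LAN clients whose plain DNS (port 53) traffic bypasses Pi-hole.
# Feed it text output captured on the router or a mirror port, e.g.
#   tcpdump -nn -i <iface> 'port 53'      (<iface> is site-specific)
# DNS carried over TLS/HTTPS (ports 853/443) is not visible to this check.

PIHOLE_IP="192.168.1.53"   # Pi-hole address used in this guide
LAN_PREFIX="192.168.1."    # assumption: the /24 LAN from the guide's examples

# Reads tcpdump lines on stdin; prints "client resolver query_count" for each
# LAN client that queried a resolver other than Pi-hole.
find_dns_bypass() {
  awk -v pihole="$PIHOLE_IP" -v lan="$LAN_PREFIX" '
    # Line shape: <time> IP <src>.<sport> > <dst>.<dport>: <payload>
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5
      sub(/:$/, "", dst)                 # strip the trailing colon
      if (dst !~ /\.53$/) next           # keep only packets sent to port 53
      sub(/\.[0-9]+$/, "", src)          # drop the source port
      sub(/\.53$/, "", dst)              # drop the destination port
      if (index(src, lan) != 1) next     # keep only LAN clients
      if (src == pihole || dst == pihole) next   # Pi-hole itself, or a client using it
      hits[src " " dst]++
    }
    END { for (k in hits) print k, hits[k] }
  ' | sort
}

# Constructed sample capture (not real traffic).
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 192.168.1.20.51234 > 192.168.1.53.53: 4660+ A? example.com. (29)
12:00:01.000950 IP 192.168.1.53.53 > 192.168.1.20.51234: 4660 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 192.168.1.53.40112 > 1.1.1.1.53: 8721+ A? example.com. (29)
12:00:03.000001 IP 192.168.1.31.39001 > 8.8.8.8.53: 1111+ A? ads.example.net. (33)
12:00:04.000001 IP 192.168.1.31.39002 > 8.8.8.8.53: 1112+ AAAA? ads.example.net. (33)
12:00:05.000001 IP 192.168.1.44.50000 > 8.8.4.4.53: 2222+ A? tracker.example.org. (37)
12:00:05.000900 IP 8.8.4.4.53 > 192.168.1.44.50000: 2222 1/0/0 A 203.0.113.7 (53)
EOF
}

sample_capture | find_dns_bypass
```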

Pi-hole admin shows no statistics

Verify Pi-hole is actually being used. Check the Query Log — if it’s empty, your devices aren’t using Pi-hole as their DNS. Re-verify router DNS settings.


What to Do Next

  • Add Unbound as a local recursive DNS resolver, so queries are resolved directly instead of being handed to an upstream resolver, which removes the upstream resolver privacy concern
  • Integrate with OPNsense — OPNsense’s built-in Unbound DNS can replace Pi-hole for networks running OPNsense. See our OPNsense setup guide
  • Monitor stats — Pi-hole’s built-in dashboard shows blocked queries per client, top blocked domains, and query history
