Single-board computers (SBCs) have plenty of uses, and they've found a permanent home in the home labs of many of our writers and readers. One of the most popular is running Pi-hole, the DNS-based ad blocker, which doesn't necessarily need the power of the Raspberry Pi 5 to run, but will do its best to keep every device on your home network free from ads. It'll also try to block any URLs that go to known malware sources, which keeps everyone safer. But for all it can do, it's not a complete network security solution, and there are some cracks in its virtual armor. It's still a fantastic addition to your other network security options, but here's why it's not the only thing you need to be running.


5 Incomplete blocking

Since it's a DNS-based blocking utility, there are ways around its blocking ability


Pi-hole uses a DNS-based method for blocking ads, malware, and other unwanted URLs. It's powerful, works off the domain name of the URL, and blocks ads before they're even downloaded to your devices. This keeps your network faster because it's not pulling data it doesn't need to. That also means it works on every device on your network, whether that's an IoT device or a web browser on a computer. This approach has its benefits, but there's one major drawback: only domains or subdomains can be blocked.

It's easier to illustrate why this is an incomplete method of ad blocking with an example. Everyone hates unskippable YouTube ads, and many ad-blocking solutions are popular because they say they can stop YouTube ads from running. If YouTube were using a third-party tracker or even a different domain to serve those ads to you, Pi-hole could block them easily. But YouTube doesn't do that. It likely puts its ad tracking at https://youtube.com/trackernamehere.js, so it's part of the main domain, and the only way for Pi-hole to block it is to block YouTube entirely.

Browser extensions work differently and use various other methods to block ads from being rendered by the browser once they've been downloaded to the computer. That's why even Pi-hole's developers say you should use both DNS-based and extension-based ad blockers at the same time, because they complement each other and fill in the other's deficiencies.
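The hostname-only view described above, as an added example that is not Pi-hole's own code: it models a DNS sinkhole as a lookup on the queried name and its parent domains, then lists the unwanted URLs that cannot be blocked without also blocking content you want. The blocklist entries and URLs are constructed, and the parent-domain matching is a simplification assumed for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist (hypothetical domains, not taken from any real list).
BLOCKLIST = {"ads.example.net", "tracker.example.org"}

# Constructed traffic: what the user wants to load and what they do not.
WANTED = ["https://youtube.com/watch?v=constructed"]
UNWANTED = [
    "https://cdn.ads.example.net/banner.js",      # third-party ad host
    "https://youtube.com/trackernamehere.js",     # same host as wanted content
]


def dns_name(url):
    """Return the only part of a URL a DNS resolver ever sees: the hostname."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def sinkhole_blocks(name, blocklist):
    """True if the name or any parent domain is on the blocklist (simplified model)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dns_blind_spots(wanted, unwanted):
    """Unwanted URLs whose hostname is shared with a wanted URL.

    Blocking these at the DNS layer would also block the wanted content,
    because the path (/trackernamehere.js) never reaches the resolver.
    """
    wanted_hosts = {dns_name(u) for u in wanted}
    return [u for u in unwanted if dns_name(u) in wanted_hosts]


if __name__ == "__main__":
    for url in UNWANTED:
        host = dns_name(url)
        print(f"{url}\n  resolver sees: {host}  blocked: {sinkhole_blocks(host, BLOCKLIST)}")
    print("needs a browser-level blocker:", dns_blind_spots(WANTED, UNWANTED))
```
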


4 It doesn't always work

This really depends on your router, but it's an annoyance

Networking was hard enough to route when IPv4 was the only thing you had to worry about with DNS requests, but now IPv6 is everywhere and that can be a problem for the Pi-hole's effectiveness. Most of the problems stem from locked-down routers, which often do the barest minimum for supporting IPv6, and sometimes don't let you change IPv4 DNS servers either.

But there can also be an issue with the prefix pushed by your ISP for IPv6, as they often assign addresses from the Global Unicast Address (GUA) range of 2000::/3, and could change this prefix several times a day, breaking your Pi-hole configuration every time. If you can, use the Link-Local Address (prefix fe80::/10) for your Pi-hole host or the Unique Local Address (prefix fc00::/7) for your router. The Unique Local won't ever change, and the Pi-hole host IP will only change if you change it, giving you plenty of insight into why your Pi-hole stopped working suddenly.
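A check for the prefix-rotation failure described above, as an added example rather than anything shipped with Pi-hole: it classifies IPv6 addresses by the three prefixes named in the text and reports whether the DNS address handed to clients still exists on the Pi-hole host. All addresses are constructed (the global ones use the 2001:db8::/32 documentation range), and the stale-prefix match assumes the host keeps the same interface identifier when the ISP prefix changes.

```python
from ipaddress import IPv6Address, IPv6Network

# Prefixes as given in the article.
SCOPES = {
    "link-local": IPv6Network("fe80::/10"),
    "unique-local": IPv6Network("fc00::/7"),
    "global-unicast": IPv6Network("2000::/3"),
}

# Constructed addresses currently configured on the Pi-hole host.
HOST_ADDRS = [
    "fe80::ba27:ebff:fe12:3456",
    "fd12:3456:789a:1::53",
    "2001:db8:aaaa:1:ba27:ebff:fe12:3456",
]


def scope(addr):
    """Name the address range an IPv6 address falls into."""
    a = IPv6Address(addr)
    return next((name for name, net in SCOPES.items() if a in net), "other")


def interface_id(addr):
    """Lower 64 bits of the address (the part the ISP prefix does not touch)."""
    return int(IPv6Address(addr)) & ((1 << 64) - 1)


def diagnose(advertised_dns, host_addrs):
    """Explain whether the DNS address given to clients still reaches the host."""
    current = {IPv6Address(a) for a in host_addrs}
    kind = scope(advertised_dns)
    if IPv6Address(advertised_dns) in current:
        # Works today, but a global address breaks on the next prefix change.
        return "ok-but-prefix-dependent" if kind == "global-unicast" else "ok"
    if kind == "global-unicast":
        for a in host_addrs:
            if scope(a) == "global-unicast" and interface_id(a) == interface_id(advertised_dns):
                return "stale-prefix"  # same host, ISP rotated the prefix
    return "not-on-host"


if __name__ == "__main__":
    for dns in ("2001:db8:bbbb:1:ba27:ebff:fe12:3456", "fd12:3456:789a:1::53"):
        print(dns, scope(dns), diagnose(dns, HOST_ADDRS))
```
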


3 It won't stop you downloading malware

Malicious files are still downloadable, but a Pi-hole will stop you getting to some known sources

Pi-hole's DNS-based blackhole doesn't just block ads; it's also set to block any traffic going to known malware-serving domains. That goes a long way to keeping you and your other home network users safer, especially if you add a few more blocklists, but this could also make you complacent. The Pi-hole won't stop you from downloading malicious files, whether they're from email attachments, dodgy websites, or instant messages. It will block malware placed in dodgy ad networks though, which automatically downloads when the ad is loaded on non-protected systems.

Which is fine, really. It's still a viable security aid for all your devices, including those that can't use other methods of DNS-based blocking. It's just important to know what it can do, and what it can't do, so you can build a proper security profile for your home network, and decide which other pieces you want to add to the mix to fill any gaps in your existing security.

2 It's not a firewall

You'll want to invest in more hardware to run a hardware firewall

Pi-hole is a DNS-based tracker and blocking tool. It does not replace other important network security appliances or tools. Network security is also best done with a layered approach, and running a network-level firewall is one more layer of the onion. Whether you go for a pre-configured hardware firewall, or create your own, there are some other tools to add to your security stack before you're finished.

An Intrusion Detection System and an Intrusion Prevention System (IDS and IPS) will work in tandem to keep attackers off your network. Some network monitoring software will show you how much traffic has changed on your home network since before you installed the Pi-hole, and also alert you to possible configuration issues, misbehaving devices, and other things that could affect the smooth running of your network.


1 Won't block all traffic

Hard-coded DNS traffic might still get through with ads

Some apps, devices, and services have hard-coded DNS entries that are there either to sidestep ad-blocking efforts or to facilitate the setup process for IoT devices. Your Pi-hole won't be able to block these because those devices aren't using the Pi-hole for DNS resolution, at least not without some additional setup. You could use your firewall or router to intercept all traffic going to port 53 and pass it to the Pi-hole DNS, which would make it a man-in-the-middle of the DNS requests. The devices would still think their DNS answers are coming from their hard-coded option, which is nice, but there could be issues if those IoT devices are trying to talk to domains in one of the Pi-hole blocklists. Then again, if they're trying to talk to blocklisted sites, you probably don't want them on your home network.
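Before redirecting port 53, it helps to know which devices are bypassing the Pi-hole. The following added example (not from the article or the Pi-hole project) scans firewall log lines for LAN clients that send DNS traffic to any resolver other than the Pi-hole; the log lines are constructed in the style of netfilter LOG output, and the Pi-hole address, LAN range and resolver addresses are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

PIHOLE = ip_address("192.168.1.2")    # assumed Pi-hole address
LAN = ip_network("192.168.1.0/24")    # assumed home LAN range
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}

# Constructed sample lines; resolver IPs are from documentation ranges.
SAMPLE_LOG = """\
IN=br0 OUT=eth0 SRC=192.168.1.20 DST=192.168.1.2 PROTO=UDP SPT=40112 DPT=53
IN=br0 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.9 PROTO=UDP SPT=51000 DPT=53
IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.53 PROTO=UDP SPT=33211 DPT=53
IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 PROTO=UDP SPT=33212 DPT=53
IN=br0 OUT=eth0 SRC=192.168.1.61 DST=203.0.113.8 PROTO=TCP SPT=48800 DPT=853
IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.80 PROTO=TCP SPT=50122 DPT=443
kernel: unrelated message without packet fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def find_dns_bypass(log_text, pihole=PIHOLE, lan=LAN):
    """Map each LAN client to the (resolver, kind) pairs it contacted directly."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ip_address(fields["SRC"])
            dst = ip_address(fields["DST"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # not a parsable packet line
        if fields.get("PROTO") not in ("UDP", "TCP") or port not in DNS_PORTS:
            continue
        # The Pi-hole's own upstream queries and queries sent to it are expected.
        if src not in lan or src == pihole or dst == pihole:
            continue
        bypass[str(src)].add((str(dst), DNS_PORTS[port]))
    return dict(bypass)


if __name__ == "__main__":
    for client, resolvers in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(client, sorted(resolvers))
```

A port-53 redirect only catches plain DNS: the DNS-over-TLS client flagged on port 853 would need a separate firewall rule, and DNS-over-HTTPS on port 443 cannot be told apart from web traffic by port at all.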


Pi-hole is a great secondary line of defense for your home network

There are plenty of best practices for network security, but there are multiple ways of achieving each of them, and Pi-hole servers are a good option for DNS-based ad blocking on your home network. You could even set up Tailscale or other ways of having your mobile devices think they're on your home network at all times, so that the Pi-hole is always blocking ads. But it's important to know that security works best in layers. Pi-hole isn't the only thing you should run on your home network to stay safe; you'll also want firewalls, monitoring solutions, and potentially other security software running to keep your devices safe.