Pi-hole: Not Blocking Ads — Fix
The Problem
Pi-hole is running but ads still appear on websites. The dashboard may show queries but few or no blocked domains, or clients may not be using Pi-hole at all. Common symptoms:
- Ads still displaying on websites despite Pi-hole running
- Dashboard shows 0% blocked or very low block rate
pihole statussays “Pi-hole blocking is enabled” but nothing is blocked- Some devices block ads while others don’t
- YouTube ads still playing (Pi-hole can’t block most YouTube ads)
The Cause
Pi-hole blocks ads at the DNS level by returning 0.0.0.0 for known ad-serving domains. If ads aren’t blocked, either clients aren’t using Pi-hole for DNS, the blocklists don’t cover the ad domains, or the ads are served from the same domain as the content (making DNS-level blocking impossible).
The Fix
Work through these checks in order — each subsequent fix assumes the previous ones are correct.
Method 1: Verify Clients Are Using Pi-hole for DNS
The most common cause — your devices aren’t actually using Pi-hole as their DNS server.
Check from a client device:
# Linux/macOS
nslookup google.com
# The "Server:" line should show your Pi-hole's IP address
# Or use dig
dig google.com | grep SERVER
# Should show your Pi-hole IPOn Windows:
nslookup google.com
:: Server should show Pi-hole IPIf the DNS server shown is NOT your Pi-hole (e.g., it shows 8.8.8.8, 1.1.1.1, or your router’s IP):
Fix — Router-level DNS (recommended): Set your Pi-hole’s IP as the only DNS server in your router’s DHCP settings. This forces all devices on the network to use Pi-hole.
- Log into your router admin panel
- Find DHCP settings (usually under LAN or Network)
- Set Primary DNS to your Pi-hole’s IP
- Remove or clear the secondary DNS (if you add
8.8.8.8as secondary, devices may bypass Pi-hole) - Reboot the router
- On client devices, release and renew DHCP:
# Linux sudo dhclient -r && sudo dhclient # macOS sudo ipconfig set en0 DHCP # Windows ipconfig /release && ipconfig /renew
Fix — Per-device DNS: If you can’t change router settings, manually set DNS on each device to the Pi-hole IP.
Method 2: Check Pi-hole Is Actually Blocking
Verify blocking is enabled:
docker exec pihole pihole statusIf it says “Pi-hole blocking is disabled”:
docker exec pihole pihole enableTest with a known ad domain:
# This domain should resolve to 0.0.0.0 if Pi-hole is blocking
nslookup ads.google.com your-pihole-ip
# Expected: 0.0.0.0 or NXDOMAIN
# If it returns a real IP, Pi-hole is not blocking this domainCheck the query log:
Open the Pi-hole admin panel (http://your-pihole-ip/admin) and go to Query Log. Look for:
- Green entries (allowed) for domains that should be blocked
- Whether your client’s IP appears at all — if not, the client isn’t using Pi-hole
Method 3: Update Gravity (Blocklists)
Pi-hole’s block database (“gravity”) may be empty or outdated.
# Update blocklists
docker exec pihole pihole -g
# Check how many domains are blocked
docker exec pihole pihole -g -lIf gravity update fails:
# Check DNS resolution from within the container
docker exec pihole nslookup raw.githubusercontent.com
# If DNS fails inside the container, the upstream DNS is misconfigured
# Check Settings → DNS in the admin panelAdd more blocklists for better coverage. Go to Group Management → Adlists and add:
| List | URL | Coverage |
|---|---|---|
| Steven Black’s Unified | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | Default, good baseline |
| OISD (Big) | https://big.oisd.nl/ | Comprehensive, low false positives |
| HaGeZi Multi Pro | https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt | Aggressive blocking |
After adding lists, run pihole -g to update gravity.
Method 4: Check for DNS-over-HTTPS Bypass
Modern browsers (Chrome, Firefox, Edge) can use DNS-over-HTTPS (DoH), completely bypassing Pi-hole. This is the #1 reason Pi-hole “stops working” on specific browsers.
Fix for Firefox:
- Open
about:preferences#privacy - Scroll to “DNS over HTTPS” and set to Off (or “Max Protection” pointing to Pi-hole if it supports DoH)
Fix for Chrome:
- Open
chrome://settings/security - Toggle “Use secure DNS” to Off, or set the custom provider to your Pi-hole
Network-wide fix: Block known DoH providers at the firewall level by blocking traffic to common DoH endpoints:
# Block common DoH providers (add to your firewall)
# Cloudflare DoH
iptables -A FORWARD -d 1.1.1.1 -p tcp --dport 443 -j REJECT
iptables -A FORWARD -d 1.0.0.1 -p tcp --dport 443 -j REJECT
# Google DoH
iptables -A FORWARD -d 8.8.8.8 -p tcp --dport 443 -j REJECT
iptables -A FORWARD -d 8.8.4.4 -p tcp --dport 443 -j REJECTOr add these DoH domains to Pi-hole’s blocklist:
dns.googlecloudflare-dns.comdoh.opendns.comdns.quad9.net
Method 5: Check Upstream DNS Configuration
If Pi-hole’s upstream DNS is misconfigured, it can’t resolve legitimate queries, which may cause devices to fall back to alternative DNS.
In the Pi-hole admin panel, go to Settings → DNS:
- Verify at least one upstream DNS server is selected (e.g., Cloudflare
1.1.1.1, Google8.8.8.8, or a custom resolver) - Ensure “Never forward non-FQDN” and “Never forward reverse lookups” are checked
- Under “Advanced DNS settings,” ensure “Use DNSSEC” is checked only if your upstream supports it
Test upstream resolution:
docker exec pihole dig @1.1.1.1 google.com +short
# Should return an IP addressMethod 6: Container Network Issues
In Docker, Pi-hole needs to be accessible on the host network or have correct port mappings.
Check port bindings:
docker port pihole
# Should show 53/tcp, 53/udp, and 80/tcp mapped to host portsCommon Docker Compose issue — port 53 already in use:
On Ubuntu 22.04+, systemd-resolved listens on port 53. Pi-hole can’t bind to it.
# Check what's using port 53
sudo lsof -i :53
# If systemd-resolved is listed, disable it:
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.confThen restart Pi-hole:
docker compose restart piholeWhat Pi-hole Cannot Block
Some ads are unblockable at the DNS level:
| Type | Example | Why |
|---|---|---|
| YouTube video ads | Pre-roll, mid-roll ads | Served from *.googlevideo.com — the same domain as the video content |
| Facebook/Instagram feed ads | Sponsored posts | Served from facebook.com / instagram.com |
| Amazon product ads | Sponsored products | Part of the main Amazon domain |
| First-party ads | ”Recommended for you” sections | Served from the same domain as content |
For these, you need a browser-based ad blocker (uBlock Origin) in addition to Pi-hole. Pi-hole handles network-wide blocking of third-party ad trackers, analytics, and telemetry. A browser extension handles first-party and in-stream ads.
Prevention
| Action | How Often | Impact |
|---|---|---|
Update gravity (pihole -g) | Weekly (cron) | Keeps blocklists current |
| Check dashboard block rate | Daily glance | Catch anomalies early |
| Verify client DNS settings | After network changes | Ensure clients use Pi-hole |
| Check for DoH bypass | After browser updates | Browsers may re-enable DoH |
| Monitor Pi-hole logs | After complaints | Identify false positives |
# Weekly gravity update cron
0 3 * * 0 docker exec pihole pihole -g > /dev/null 2>&1Related
Get self-hosting tips in your inbox
Get the Docker Compose configs, hardware picks, and setup shortcuts we don't put in articles. Weekly. No spam.
Comments