Setting up PiHole within a Windows domain

Introduction

Ads bother me more and more; if you feel the same, you can look into installing PiHole on a Debian server (or a Raspberry Pi, whatever…).

This setup includes Easylist functionality!

The following is my PiHole setup:

My domain has two domain controllers. Their upstream DNS servers (forwarders) are configured to point at my PiHole servers, which in turn act as the downstream and upstream DNS servers of my domain.

This gives me a certain degree of failover protection.

Prerequisites

  1. Install a new Debian server (or use your existing one) with 1024 MB RAM (or 512 MB), 2 CPUs (or 1) and one network interface
  2. Install the following programs before installing PiHole
    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install curl ntp mailx iptables-persistent
  3. Set a static network address. In my case I also have an IPv6 network alongside my IPv4 one
  4. If you have a Windows domain server(s) create a new A-record for the IPv4 (and IPv6) address(es)
  5. Set the firewall ports on your Debian server
    • Note: firewallD will not work on Debian 9; I’ve installed iptables-persistent instead
    • Add the rules mentioned in the URL
    • Then save the added rules:
      • iptables-save > /etc/iptables/rules.v4
      • ip6tables-save > /etc/iptables/rules.v6
  6. Set the firewall ports (DNS 53) on your firewall (I use pfSense) inbound (upstream) and outbound (downstream).
  7. Then install PiHole on your new Linux server
    • curl -sSL https://install.pi-hole.net | bash
    • Follow the automated setup
  8. Configure PiHole via its web console
    • Set the desired DNS servers to your flavor
    • Do not forget to set your administrator address
  9. Extra configuration for Windows domains:
    • Enable “Never forward non-FQDNs”
    • Enable “Never forward reverse lookups for private IP ranges”
    • Enable “Use conditional forwarding”
      • Set it to the IP address of your AD server
      • Set the local domain name to your domain name
  10. Now go to the DNS server on your domain controller and change your forwarders to your PiHole server(s)
    • You may also disable the root hints; they are currently enabled on my setup for testing purposes.
  11. This will place your PiHole between your Windows domain and the outside world.
  12. Optionally, visit my GitHub page for the scripts (EasyList downloader, DB backup script, DB rotation script, …) and extra information about the configuration of PiHole
  13. The end result will look similar to mine
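Step 5 leaves the actual firewall rules to a link, so here is an added example (my own, not the post's and not the rules from that link) of the iptables/ip6tables rule set I would put on a Debian 9 PiHole host and how to persist it with iptables-persistent. Only the LAN may reach DNS (TCP and UDP 53), only one admin host reaches the web console and SSH, and ICMPv6 stays open because neighbour discovery needs it. The subnet, prefix and admin address are constructed assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the original post: firewall rules for a Debian Pi-hole
# host, emitted as iptables/ip6tables commands so they can be reviewed before they
# are applied and saved for iptables-persistent.
# The addresses below are constructed assumptions; replace them with your own.
set -eu

LAN_V4="${LAN_V4:-192.168.10.0/24}"    # assumed LAN subnet (IPv4)
LAN_V6="${LAN_V6:-fd00:10::/64}"       # assumed LAN prefix (IPv6 ULA)
ADMIN_V4="${ADMIN_V4:-192.168.10.5}"   # assumed admin workstation (web UI + SSH)

# IPv4 rule set, one command per line. DNS from the LAN only; web console and
# SSH from the admin host only; everything else inbound is dropped.
pihole_rules_v4() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s $LAN_V4 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s $LAN_V4 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s $ADMIN_V4 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $ADMIN_V4 -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Same shape for IPv6; ICMPv6 must stay open or neighbour discovery breaks.
pihole_rules_v6() {
  cat <<EOF
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -s $LAN_V6 -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -s $LAN_V6 -p tcp --dport 53 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
EOF
}

# Count the emitted rules that open a given port; a sanity check before applying
# (DNS should appear twice per family: once for UDP, once for TCP).
count_port_rules() {   # $1 = rule emitter function, $2 = port
  "$1" | grep -c -- "--dport $2"
}

# Apply: reset INPUT to ACCEPT and flush first so an SSH session is never cut
# off, then run the rules and save them where iptables-persistent reloads them.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules must run as root" >&2; return 1; }
  for t in iptables ip6tables; do
    "$t" -P INPUT ACCEPT
    "$t" -F INPUT
  done
  { pihole_rules_v4; pihole_rules_v6; } | while IFS= read -r cmd; do
    eval "$cmd"
  done
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
}

case "${1:-show}" in
  show)  pihole_rules_v4; pihole_rules_v6 ;;   # print for review
  apply) apply_rules ;;                        # apply and persist (root)
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the rules, then `sudo ./pihole-fw.sh apply` to install and persist them. The DROP policies are set last on purpose: setting them before the ESTABLISHED,RELATED rule exists is the classic way to lock yourself out of a remote session.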

Remarks

Note 1: Since 2020 I have been using pfBlockerNG, and in 2022 I switched over to OPNsense, where I use the built-in blocker within Unbound.

Note 2: Your devices will not show their hostname, only the AD server’s name, because all your Windows DNS traffic is still routed through the AD server’s DNS. You can circumvent this by pointing the DNS of all clients to the PiHole and then using a conditional forward to your AD servers to process your local domain requests.
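Whichever layout you use (domain controllers forwarding to PiHole as in steps 9 to 11, or clients pointed at PiHole with a conditional forward as in Note 2), the chain is worth checking from both ends. The following is an added example (mine, not from the post) that queries the domain controller and the PiHole for an internal AD name and a blocked name and classifies the answers. It assumes `dig` is installed, that PiHole answers blocked names with 0.0.0.0 / :: (its NULL blocking mode), and the addresses and names are constructed placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the DNS resolution chain
# between the domain controller and Pi-hole. Assumptions (mine): dig is available
# and Pi-hole blocks with 0.0.0.0 / :: (NULL mode). Addresses and names are
# constructed placeholders.
set -eu

DC="${DC:-192.168.10.2}"                        # assumed domain controller
PIHOLE="${PIHOLE:-192.168.10.3}"                # assumed Pi-hole
AD_HOST="${AD_HOST:-dc01.ad.example.internal}"  # placeholder: a name in your AD zone
BLOCKED="${BLOCKED:-blocked.example}"           # placeholder: a name on your blocklist

# Read "dig +short" output on stdin and classify it: "blocked" when Pi-hole's
# NULL answer is present, "empty" when nothing came back (NXDOMAIN, NODATA or a
# timeout), otherwise "resolved". No network calls, so it is unit-testable.
classify_answer() {
  answer=$(cat)
  [ -n "$answer" ] || { echo "empty"; return 0; }
  for ip in $answer; do
    case "$ip" in
      0.0.0.0|::) echo "blocked"; return 0 ;;
    esac
  done
  echo "resolved"
}

# Query one resolver for an A record and classify the answer.
query() {   # $1 = resolver, $2 = name
  dig +short +time=2 +tries=1 @"$1" "$2" A | classify_answer
}

# The AD name must resolve through both resolvers (the DC from its own zone,
# Pi-hole via the conditional forward to the DC), and a blocklisted name asked
# of the DC must come back blocked, which proves the DC really forwards to
# Pi-hole. Returns 0 only when all three hold.
check_chain() {
  ad_via_dc=$(query "$DC" "$AD_HOST")
  ad_via_pihole=$(query "$PIHOLE" "$AD_HOST")
  blocked_via_dc=$(query "$DC" "$BLOCKED")
  printf '%-24s %s\n' "AD name via DC:" "$ad_via_dc" \
                      "AD name via Pi-hole:" "$ad_via_pihole" \
                      "blocked name via DC:" "$blocked_via_dc"
  [ "$ad_via_dc" = resolved ] && [ "$ad_via_pihole" = resolved ] \
    && [ "$blocked_via_dc" = blocked ]
}

if [ "${1:-}" = run ]; then
  check_chain
fi
```

Run it as `./dns-chain-check.sh run`. If "blocked name via DC" comes back "resolved", the domain controller is answering from somewhere other than PiHole, typically because root hints are still enabled and are used when the forwarder does not respond (step 10 mentions leaving root hints on for testing). If "AD name via Pi-hole" is "empty", the conditional forward in step 9 is not pointing at the AD server or the local domain name does not match.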
