![[cover 2 (Edit).jpg#center| Raspberry Pi Zero 2 W in enclosure - Photo by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
%% Use bold for emphasises and italics for quotes or phrases %%
## Sections
%% ## What problem does it solve %%
### The Web Landscape
Ads are known to everyone, especially the generation in touch with the internet and online services.
Whether ads *should*, or *should not* be blocked is often not up to a debate. Often it is a technical task pertaining to security of computers and home devices. The importance of it becomes especially clear when working on projects requiring lots of web querying.
Who has not attempted looking for crucial documentation, only for the search engine to not only return **SEO-driven garbage**, but also as the recent technology has proven - hallucinated bot content?
The range of search results varies from suggestions to buy products advertised by malicious domains, and plain malware, to even deepfakes used in political campaigns...
Broadly defined 'ads' are one of the most common attack vectors for malware, scripts and unwanted content. Web browsers typically do little to eliminate this *'spam surface'* on their own, although some of them do offer such protection, e.g. a European browser called *Vivaldi* [[#^1|(1)]]. <sub>Yes, it is 'Chromium-based', *sigh*</sub>
However, this is a problem caused mostly by search engines and not web browsers and should be approached as such. You might have heard of Kagi [[#^2|(2)]], which eliminates plenty of these problems by allowing to create so called *lenses*, used to block or lower rank of unwanted domains.
However, Kagi and similar search engines do not eliminate ads at their core, only limit the amount of low quality results from the queries.
%% ## How does it solve it %%
### The Solution
Perhaps the easiest way to filter the results is right in the name.
DNS - Domain Name System. Every request that resolves to something, resolves according to the DNS server's response.
A private DNS server may be hosted to filter the unwanted requests. The additional benefit is the monitoring layer, which provides incredibly valuable data on how the users' data is processed by the local devices.
#### A... Pi-hole?
![[Pasted image 20251207233415 (Edit).png#center| Pi-hole traffic overview - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
> Why is this app uploading logs all the time?
> What is this weird domain the devices talk to?
Pi-hole [[#^3|(3)]] is an example of FOSS software that offers filtering for all network traffic. It is not a firewall, rather a monitoring tool with filters to block specific DNS domains.
The project describes itself as:
> "A black hole for Internet advertisements"
The clear benefits are:
- observation of the network traffic,
- integration with open-source maintained DNS filters,
- possibility to manually block certain domains.
>[!question] Question
>*Pi-hole or a browser extension?*
The browser extensions may read data from the browser tabs. Extensions operate only on one device at the time, while 'Pi-hole' covers the entire network, including multiple PC computers, mobile devices and servers.
>[!Warning] Warning [[#^4|(4)]]
> Browser extensions contribute to a so called **digital fingerprint** and may also become compromised, as recently proven by MalwareBytes.
>
> >"After seven years of behaving normally, a set of browser extensions installed on roughly 4.3 million Chrome and Edge users’ devices suddenly went rogue. Now they can track what you browse and run malicious code inside your browser."
> >...
> >"The extensions turned into a remote code execution framework. They could download and run malicious JavaScript inside the browser and collect information about visited sites and the user’s browser, sending it all back to attackers"
>
>MalwareBytes, by [Pieter Arntz](https://www.malwarebytes.com/blog/authors/metallicamvp) | December 2, 2025
%% ## How to use it %%
### Deployment of Raspberry Pi
Pi-hole may be installed in different ways: using packages, Docker containers, or installation scripts from the project's website (repository) [[#^5|(5)]].
The presented method involves manual flashing of the OS, with SSH setup and without a Desktop Environment. The end result should be a device hosting a web server with a GUI panel for management.
#### Requirements
Recommended setup:
- Raspberry Pi Zero 2 W (or better) [[#^6|(6)]] with:
- 1GHz quad-core 64-bit Arm Cortex-A53 CPU
- 512MB SDRAM
- 2.4GHz 802.11 b/g/n wireless LAN
- 'Raspberry Pi OS Lite' image
- Any OS without Desktop Environment, to operate in the headless mode.
- Micro SD card
- V10, <32GB
- Raspberry Pi enclosure for convenience
- '*Raspberry Pi Imager*' software [[#^7|(7)]]
- The 'Imager' software is generally very convenient to use and one of the main benefits behind paying more for a Raspberry Pi.
- **Router with support of configuring DNS servers**
- Very important!
>[!info] Info
>Raspberry Pi Zero 2 W does not have a LAN port. It can be powered through the USB and instead utilise the wireless connectivity.
The Micro SD card must be formatted and flashed with a compatible OS image.
The newest lite distribution at this time (as of 7th of December 2025) is '**Raspberry Pi OS Lite**' built on Debian Trixie as base image.
>[!warning] Warning (Rant)
>After investing a couple days into finding an explanation for why my original Pi-hole instance worked, while 2 freshly provisioned Raspberry Pi Zero 2 W did not connect to WiFi in headless mode, I discovered that *Debian Trixie* DOES NOT WORK in my setup.
>
>I have ran tests on different WiFi networks, including adjustments of network configuration to no effect. If you ram your head against the wall, instead just downgrade to *Bookworm* as there clearly must have been a regression in between the two images.
The image can be found at: `Operating System -> Raspberry Pi OS (other) -> Rasperry Pi OS Lite (32-bit) `
Whether the selected OS is 32-bit or 64-bit should not matter (although Linux distributions tend to generally end support for 32-bit software).
![[Pasted image 20251207213718.png#center| Raspberry Pi Imager OS selection - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
After selecting the OS, but before performing the final installation step - the 'edit settings' tab should not be omitted!
![[Pasted image 20251207214230.png#center| Raspberry Pi OS setup - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
It is a good idea to make life easier, by pre-configuring SSH and WiFi settings from the settings window. This is also why my proposed setup utilises Raspberry Pi Zero 2 W, as it has WiFi support, which is invaluable for the SSH.
>[!warning] Warning
> The supported encryption level for WiFi on Raspberry Pi Zero 2 W is WPA-2 only. Make sure the network used for the Raspberry Pi does not strictly enforce the WPA-3 standard.
![[Pasted image 20251207214506.png#center| Raspberry Pi Imager settings - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
![[Pasted image 20251207214859.png#center| Raspberry Pi Imager SSH settings - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
Certain users might prefer to generate an RSA key for the SSH certificate-based authentication. It is not required.
Once all the details are filled in, the flashing process may begin.
Once finalised, the micro SD card must be inserted into Raspberry Pi and the device should configure itself automatically. It will typically take a few minutes and should not be interrupted.
>[!warning] Warning
> If you run into issues connecting the Raspberry Pi Zero 2 to your WiFi, compare against my settings (I run a couple of networks, some full of smart home devices).
>
> The exact requirements for WiFi network configuration are not documented by the manufacturer, which is a common occurrence...
>
> >[!info] Compatible network configurations
> Configuration 1
> - Wireless mode: Auto | b/g Protection |11b enabled
> - 802.11ax: enabled
> - Multiband: disabled
> - Channel: 20/40 (Mhz)
> - Authentication mode: WPA2-Personal
> - Protected Management Frames: Capable
>
> Configuration 2
> - Wireless mode: Auto | b/g Protection |11b disabled
> - 802.11ax: disabled
> - Multiband: disabled
> - Channel: 20/40 (Mhz)
> - Authentication mode: WPA2-Personal
> - Protected Management Frames: Enforced
#### Static IP binding
In order to reliably reference Raspberry Pi as the DNS server, the device must be configured to receive a static private IP address from the DHCP server. Otherwise the IP will change randomly every time the DHCP server restarts.
![[Pasted image 20260401182312.png#center| DHCP server static IP assignment - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
### Pi-hole 'Headless' Setup
Further installation of Pi-hole may conveniently take place from the terminal.
It is as simple as running two commands [[#^8|(8)]].
Connecting through the SSH.
```Bash
ssh {ssh-name}@{static-ip}
```
Installing *Pi-hole* through a Bash script on the SSH host.
```Bash
curl -sSL https://install.pi-hole.net | bash
```
Brief inspection of the script before running in Bash is recommended.
The SSH terminal will open a setup wizard, with different steps where personal configuration choices must be made. <sub>Surprisingly, SSH supports mouse clicks capturing.</sub>
![[Pasted image 20260401183147.png#center| Pi-hole configuration wizard - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
The last step will also configure a Pi-hole password, that must be used to log into the GUI. Setting up own password is done using the ~~`pihole -a -p`~~ `pihole setpassword` command, needless to say, through the SSH.
#### Polishing
This is how a *Pi-hole* service presents itself after the initial configuration.
Without traffic, the service uses 0.3% CPU and 12.9% of memory of Raspberry Pi Zero 2 W. <sub>In case of any doubt regarding RPIZ2W's suitability as the DNS server.</sub>
![[Pasted image 20260401184133.png#center| Pi-hole web GUI interface - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
The most important feature to configure on the *Pi-hole* are the lists to filter out ads and malware.
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts [[#^9|(9)]]
- proposed by default during setup of *Pi-hole*. A list containing 'a merged collection of hosts from reputable sources'.
- https://hole.cert.pl/domains/v2/domains.txt [[#^10|(10)]]
- a list distributed by '*CERT.pl*', a Polish institution aggregating malware sites.
- https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-pihole-filters/all_ads_filters.txt [[#^11|(11)]]
- a list distributed by a random community group I found, for the purpose of targeting Polish advertisers.
![[Pasted image 20260401220816.png#center| Pi-hole lists, pre-configured example - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
Yet this is not all! Some ads may still make it through.
This is precisely why *Pi-hole* allows to manually **block domains** and this is perhaps one of my favourite features. This great feature allows to block visiting websites from specific domains that are not included in the filters. Often times certain *legitimate* websites act as CDNs for business partners, not getting blocked as a result.
Manually targeting such domains also blocks their **iframes**, the elements displaying cross-site content on popular media sites. Every update to the lists of domains requires the '*gravity update*' (re-building list index) to take effect.
![[Pasted image 20260401222206.png#center| Pi-hole domain filters, pre-configured example - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
The last task on the list is configuration of the network's '*router*' to reference the *Pi-hole* server as the DNS server to send queries to. This is typically a very simple step and varies by the used device, so it is not presented.
> Afterwards, all that's left is to enjoy the web with fewer ads and less malware.
![[Pasted image 20260402101333.png#center| Pi-hole service after running for 5 minutes - Screenshot by 'Mateusz Adamczyk' / blog.amatthew.eu, CC BY-SA 4.0]]
## References
### Section 1 - The Web Landscape
- https://vivaldi.com ^1
- https://kagi.com ^2
### Section 2 - The Solution
- https://pi-hole.net/ ^3
- https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices ^4
- https://docs.pi-hole.net/main/basic-install/#alternative-2-manually-download-the-installer-and-run ^5
### Section 3 - Deployment of Raspberry Pi
- https://www.raspberrypi.com/products/raspberry-pi-zero-2-w/ ^6
- https://www.raspberrypi.com/software/ ^7
### Section 4 - Pi-hole 'Headless' Setup
- https://docs.pi-hole.net/main/basic-install/ ^8
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts ^9
- https://cert.pl/en/warning-list/ ^10
- https://github.com/MajkiIT/polish-ads-filter ^11
## Metadata
Date of creation: 2025-12-07
Date of revision: 2026-04-02