You need a Raspberry Pi with either Raspbian or Ubuntu installed. We recommend installing Ubuntu (64-bit if you have a Raspberry Pi 3 B+ or newer):

Open up a terminal window and run the following command to install it.

sudo apt install stubby

The main configuration file is /etc/stubby/stubby.yml. You can open the file with:

sudo nano /etc/stubby/stubby.yml

The following line makes stubby run as a stub resolver instead of a full recursive resolver, which is why it’s named stubby.


The following configuration makes stubby send DNS queries encrypted with TLS. It will not send queries in plain text.


The following line requires a valid TLS certificate on the remote recursive resolver.


The following lines set the listen addresses for the stubby daemon. By default, IPv4 and IPv6 are both enabled.

- 0::1

Standard port is 53, but we’re going to change this to 5053. Edit the listen addresses so it looks like this:

- 0::1@5053

The following line makes stubby query recursive resolvers in a round-robin fashion. If set to 0, stubby will use each upstream server sequentially until it becomes unavailable and then move on to the next.

round_robin_upstreams: 1

By default there are 3 recursive resolvers enabled in the stubby configuration file. They are run by the stubby developers and support DNS over TLS. You can leave them enabled or disable them by putting a # in front.

Scroll down to the upstream_recursive_servers: section and add the following text above the other DNS servers.

# CloudFlare servers
  - address_data:
    tls_auth_name: ""
  - address_data:
    tls_auth_name: ""

Then find the following line:

round_robin_upstreams: 1

Change 1 to 0. This will make stubby always use the CloudFlare DNS servers. If CloudFlare is not available, stubby will fall back to the other DNS servers. Save the file and restart stubby for the changes to take effect.

sudo systemctl restart stubby
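As an added check that is not part of the original guide, the script below reads a stubby.yml and reports any setting that would weaken the setup described above: resolution not in stub mode, a transport other than TLS, upstream authentication not required, an upstream without a tls_auth_name, or a listen address that is not on port 5053. It parses the small YAML subset stubby uses, so it does not need PyYAML. The two sample configurations are constructed for this example; the upstream addresses are documentation ranges, not real resolvers.

```python
# Added example, not code from the original guide. Checks the DNS-over-TLS
# settings in a stubby.yml. The sample configs are constructed placeholders.
import re

# "key:" or "key: value"; a key starts with a letter or underscore, so an
# IPv6 literal such as 0::1@5053 is never mistaken for a mapping.
MAP_RE = re.compile(r"^([A-Za-z_][\w-]*):(\s*(.*))?$")

SAMPLE_STUBBY_YML = """\
# Constructed sample: the settings this guide asks for
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
round_robin_upstreams: 0
listen_addresses:
  - 127.0.0.1@5053
  - 0::1@5053
upstream_recursive_servers:
  # placeholder upstreams (RFC 5737 / RFC 3849 documentation addresses)
  - address_data: 192.0.2.53
    tls_auth_name: "dot.example.net"
  - address_data: 2001:db8::53
    tls_auth_name: "dot.example.net"
"""

WEAK_STUBBY_YML = """\
# Constructed sample with several weaknesses the checker should flag
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
round_robin_upstreams: 1
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 192.0.2.53
    tls_auth_name: ""
"""


def parse_stubby(text):
    """Parse the YAML subset stubby.yml uses: top-level scalars, lists of
    scalars and lists of flat mappings. '#' comments are ignored."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if line[0] not in " -":  # top-level key
            m = MAP_RE.match(stripped)
            if not m:
                raise ValueError("unparsable line: %r" % raw)
            key, value = m.group(1), m.group(3)
            cfg[key] = value.strip('"') if value else []
        elif key is None:
            raise ValueError("indented line before any key: %r" % raw)
        elif stripped.startswith("- "):  # list item (scalar or first key of a mapping)
            item = stripped[2:].strip()
            m = MAP_RE.match(item)
            cfg[key].append({m.group(1): (m.group(3) or "").strip('"')} if m else item)
        else:  # continuation key of the last mapping item
            m = MAP_RE.match(stripped)
            if not (m and cfg[key] and isinstance(cfg[key][-1], dict)):
                raise ValueError("unexpected line: %r" % raw)
            cfg[key][-1][m.group(1)] = (m.group(3) or "").strip('"')
    return cfg


def check_stubby(cfg, expected_port=5053):
    """Return a list of problems; empty means the config matches the guide
    (stub mode, TLS only, verified upstreams, listening on expected_port)."""
    problems = []
    if cfg.get("resolution_type") != "GETDNS_RESOLUTION_STUB":
        problems.append("resolution_type is not GETDNS_RESOLUTION_STUB")
    transports = cfg.get("dns_transport_list", [])
    if transports != ["GETDNS_TRANSPORT_TLS"]:
        problems.append("dns_transport_list permits non-TLS transport: %r" % (transports,))
    if cfg.get("tls_authentication") != "GETDNS_AUTHENTICATION_REQUIRED":
        problems.append("tls_authentication is not REQUIRED; upstream certificates are not verified")
    if cfg.get("round_robin_upstreams") not in ("0", "1"):
        problems.append("round_robin_upstreams must be 0 or 1")
    for addr in cfg.get("listen_addresses", []):
        port = addr.rpartition("@")[2] if "@" in addr else "53"  # no @port means 53
        if port != str(expected_port):
            problems.append("listen address %s uses port %s, expected %d" % (addr, port, expected_port))
    for srv in cfg.get("upstream_recursive_servers", []):
        if not srv.get("tls_auth_name"):
            problems.append("upstream %s has no tls_auth_name, so it cannot be authenticated"
                            % srv.get("address_data", "?"))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STUBBY_YML
    for problem in check_stubby(parse_stubby(text)):
        print("PROBLEM:", problem)
```

Run it as `python3 check_stubby.py /etc/stubby/stubby.yml` after editing the file; no output means every checked setting is as the guide describes. The checker only covers the keys discussed above, so an unrelated typo elsewhere in the file will still surface as a stubby startup error rather than here.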

Now that stubby is set up we can start installing pi-hole. So type in this:

curl -sSL | bash

When the installation is done, open a browser window and type in your Raspberry Pi's IP address (example: ) to log into your Pi-hole admin page. Then go to Settings, click on DNS, and change everything as shown in the picture below.

Screenshot of Pi-hole configuration

Remember to click save at the bottom of the page afterwards.

Good, your pi-hole is now using DNS over TLS.


Now we should whitelist a couple of domains so that some everyday websites function as normal.

First off you should take a look at Pi-hole's own list of commonly whitelisted domains and add either all of them or the ones you need:

If you're lazy and don't want to check out Pi-hole's own list and copy and paste many times over, we've compiled one list of the most important domains here, which will fix issues with the following services: Google (Maps, YouTube, etc), Microsoft (Windows, Office, Skype, etc), Spotify, Facebook, Plex, Sonarr, Dropbox, Apple (ID, Music, etc), NVIDIA GeForce Experience, Android/iOS updates, Grand Theft Auto V Online, Epic Games Store, Mozilla Firefox Tracking Protection, Twitch.

pihole -w s{1..5}

We also recommend installing the whitelist from with automatic updates. Continue with the following steps:

cd /opt/
sudo git clone

Make the script run at 1 AM on the last day of the week by adding a cron job:

sudo nano /etc/crontab

Add this line at the end of the file:
0 1 * * */7 root /opt/whitelist/scripts/

Press CTRL + X, then Y, then Enter to save and exit.

sudo python3 whitelist/scripts/


For adlists we recommend that you add the DBL list from OISD (this list should be the only one you need, as it is a collection of many adlists from across the Internet, all verified). Go into your Pi-hole admin page -> Group Management -> Adlists and add the DBL list URL there.

Optionally, you can also add some of the lists from Firebog's ticked list, but keep in mind that some of those lists are already included in the OISD list, so there is no point in adding them a second time.


That's it. Now all you need to do to protect your network is point the DNS in your router's LAN settings to the IP address of your Pi-hole, and your whole network will be free of ads and protected by DNS over TLS.

To check that it’s working visit this page:

To test DNSSEC validation on the resolver, you can use this page:

Accessing pihole with HTTPS

If you have a domain and would like to access your pihole from outside your network with HTTPS, this is how you continue to set it up.

sudo apt install certbot
sudo certbot certonly --webroot -w /var/www/html -d

Enter your email address, then press A and Enter, then N and Enter.

sudo cat /etc/letsencrypt/live/ \
/etc/letsencrypt/live/ | \
sudo tee /etc/letsencrypt/live/

Next, ensure the lighttpd user www-data can read the required certificates:

sudo chown www-data -R /etc/letsencrypt/live
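The combined file created by the cat/tee step above contains the private key, and the chown step makes it readable by the web server user. As an added check that is not part of the original guide, the script below verifies that such a file has the expected structure (exactly one private key plus the certificate chain) and that it is not world-readable or writable by anyone but the owner. The PEM text embedded here is a constructed placeholder with dummy bodies, not a real key or certificate; the check functions are assumptions of this example, not part of certbot or lighttpd.

```python
# Added example, not code from the original guide. Structural and permission
# checks for the combined key+chain PEM used by lighttpd's ssl.pemfile.
import os
import re
import stat

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed placeholder: the bodies are not real key or certificate data.
SAMPLE_COMBINED_PEM = """-----BEGIN PRIVATE KEY-----
constructed-placeholder-private-key-body
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
constructed-placeholder-leaf-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
constructed-placeholder-intermediate-certificate-body
-----END CERTIFICATE-----
"""

# Constructed placeholder for a file where the key was left out.
CHAIN_ONLY_PEM = """-----BEGIN CERTIFICATE-----
constructed-placeholder-leaf-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
constructed-placeholder-intermediate-certificate-body
-----END CERTIFICATE-----
"""


def pem_block_types(text):
    """Labels of the PEM blocks in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE', ...]."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def check_combined_pem(text):
    """The combined file must hold exactly one private key and at least one
    certificate; anything else means the concatenation step went wrong."""
    problems = []
    types = pem_block_types(text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    certs = [t for t in types if t == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no certificate block found (certificate chain missing?)")
    return problems


def check_pem_mode(mode):
    """A file holding a private key may be group-readable so the web server
    user can load it, but must never be world-readable or group/world-writable."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("file is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is writable by group or others")
    return problems


def check_pem_file(path):
    """Run both checks against a file on disk; returns a list of problems."""
    with open(path) as f:
        text = f.read()
    return check_combined_pem(text) + check_pem_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    import sys
    problems = check_pem_file(sys.argv[1]) if len(sys.argv) > 1 else check_combined_pem(SAMPLE_COMBINED_PEM)
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it with the path of the combined file you created under /etc/letsencrypt/live/; an empty result means the key and chain are both present and the file mode does not expose the key beyond the owner and group lighttpd runs as.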

Now, place the following into /etc/lighttpd/external.conf (again, making sure to substitute your FQDN):

$HTTP["host"] == "" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/"
    ssl.ca-file = "/etc/letsencrypt/live/"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Finally, be sure to run sudo service lighttpd restart after this change has been made.