Get AI summaries of any video or article — Sign up free
BLOCK EVERYTHING w/ PiHole on Docker, OpenDNS and IFTTT thumbnail

BLOCK EVERYTHING w/ PiHole on Docker, OpenDNS and IFTTT

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Run Pi-hole in Docker, but disable Ubuntu’s systemd-resolved DNS service first to prevent DNS conflicts.

Briefing

A self-hosted Pi-hole DNS server running inside Docker can block streaming and other unwanted domains across a home network—and the setup can be automated so a voice command triggers new block/unblock rules on demand. The practical payoff is immediate: once devices point their DNS to Pi-hole, requests for sites like Netflix, Hulu, and Disney Plus get intercepted and denied before they consume bandwidth or reach the wider internet.

The build starts with a Linux machine (Ubuntu in the example) running a Docker container that bundles Pi-hole plus a Flask-based control layer. Because newer Ubuntu installs its own local DNS resolver, the process first stops and disables that service (systemd-resolved) and then updates /etc/resolv.conf so the host can still resolve names while Pi-hole takes over DNS duties. After Docker is installed, a prepared bash script creates the Pi-hole container from a Docker image pulled from Docker Hub, then exposes the container’s web admin interface and DNS ports.

Once the container is up and healthy, Pi-hole’s web UI is reachable at the machine’s IP address, with the admin panel at /admin. The default password is changed, and the upstream DNS settings are configured to use OpenDNS—leveraging OpenDNS for additional filtering while Pi-hole handles local domain blocking. To confirm everything works, the network’s DNS is pointed to the Pi-hole IP and DNS lookups (e.g., nslookup for Google and Facebook) are verified; the Pi-hole query log then shows that client traffic is flowing through the server.

The “automation” portion adds a Python script (network.py) and two bash scripts that manage regex-based blocklists. Instead of manually editing Pi-hole’s blacklist for every site, the scripts accept commands that apply or remove regex rules targeting domains such as Hulu, Netflix, and Disney Plus. A test run shows that calling the Flask endpoint on port 8080 with a “block” or “unblock” action updates Pi-hole’s blocking behavior in real time.

To connect this to voice control, the workflow uses IFTTT. An Alexa trigger (“break everything”) calls a Webhook request to the Pi-hole control URL, swapping the action parameter between block and unblock. A key networking requirement is that IFTTT must reach the control endpoint via a public IP address, which typically means port-forwarding router traffic for port 8080 to the internal server. After wiring the Alexa-to-Webhook recipe, the system can be tested by attempting to access blocked services and then checking Pi-hole’s query log to confirm the regex matches.

The result is a layered filtering setup: Pi-hole blocks at the DNS level, OpenDNS adds content filtering, and IFTTT provides a simple remote control mechanism. The transcript also notes a measurable benefit from running it for about a week—roughly a quarter of requests were blocked—reducing unnecessary traffic before it ever leaves the network.

Cornell Notes

Pi-hole in a Docker container can act as a home network DNS gatekeeper, blocking unwanted domains like Netflix and Hulu as soon as devices point their DNS to it. The setup on Ubuntu requires disabling the built-in DNS resolver (systemd-resolved) to avoid conflicts, then installing Docker and launching a Pi-hole container from a Docker image via a script. After Pi-hole is running, its admin UI is used to change the password and configure upstream DNS to OpenDNS for additional filtering. Automation is added through a Python/Flask control endpoint (port 8080) plus scripts that apply or remove regex-based blacklist rules. IFTTT then connects Alexa voice commands to Webhook calls so “block” or “unblock” actions can be triggered remotely, provided the endpoint is reachable via a public IP and router port-forwarding.

Why disable Ubuntu’s built-in DNS resolver before installing Pi-hole?

The transcript notes that later Ubuntu versions run their own DNS server via systemd-resolved, which conflicts with Pi-hole taking over DNS duties. The fix is two commands: stop the service with systemctl stop systemd-resolved, then disable it with systemctl disable systemd-resolved. After disabling, name resolution breaks until /etc/resolv.conf is edited to point to an external nameserver (the example uses Google) so the host can still resolve domains while Pi-hole handles DNS for clients.

How does the Docker-based Pi-hole setup get created and started?

Docker is installed using apt (apt update, then apt install docker.io). A bash script (pi-hole.sh) is created from a template sourced from Pi-hole people, then modified to include the desired blocking targets (including Alexa-related control). Running the script pulls the Pi-hole Docker image from Docker Hub, starts the container, and prints an admin password. Container health and port mappings are checked with sudo docker ps, and the admin UI is accessed at the machine IP plus /admin.

What role does OpenDNS play once Pi-hole is running?

Pi-hole is configured to use OpenDNS as its upstream DNS. In the Pi-hole web UI, the DNS settings page lets the user select upstream DNS servers (the example selects OpenDNS options). This creates a layered approach: Pi-hole performs local regex/domain blocking, while OpenDNS handles additional content filtering that Pi-hole doesn’t do natively.

How are domain blocks automated without manually editing Pi-hole’s blacklist each time?

Inside the container, a Python script (network.py) and two bash scripts manage blocking and unblocking. The block script applies regex rules (e.g., patterns intended to block Hulu, Netflix, Disney Plus), while the unblock script removes those rules by deleting the corresponding blacklist entries. The control happens through a Flask endpoint on port 8080; hitting a URL path with “block” or “unblock” triggers the scripts, and Pi-hole’s query log reflects the updated behavior.

What networking changes are required for Alexa/IFTTT to trigger blocking remotely?

IFTTT can’t reliably reach a private home-network IP (like 192.168.x.x). The transcript emphasizes using a public IP address (from “what’s my IP”) in the Webhook URL, and then port-forwarding router traffic for port 8080 to the internal server’s private IP. Without port-forwarding, the Webhook call from the internet won’t reach the Pi-hole control endpoint.

How can you verify that blocking is actually working?

After pointing the client DNS to Pi-hole, DNS lookups and browsing are used to test. The transcript specifically checks Pi-hole’s query log: when “block” is triggered, requests for targeted domains (e.g., Hulu) appear and are marked as blocked, matching the regex rules. The dashboard’s blocked-query counts provide additional confirmation (the transcript mentions about 26% of requests blocked after a week).

Review Questions

  1. What conflict does systemd-resolved create with Pi-hole, and what exact steps are used to resolve it?
  2. How do the block/unblock scripts differ in their command structure, and how does the Flask endpoint on port 8080 control them?
  3. Why does the IFTTT Webhook URL need a public IP and router port-forwarding for port 8080?

Key Points

  1. 1

    Run Pi-hole in Docker, but disable Ubuntu’s systemd-resolved DNS service first to prevent DNS conflicts.

  2. 2

    Update /etc/resolv.conf after disabling systemd-resolved so the host can still resolve names while Pi-hole handles client DNS.

  3. 3

    Launch the Pi-hole container via a bash script that pulls the Docker image from Docker Hub and exposes the admin UI and control ports.

  4. 4

    Configure Pi-hole upstream DNS to OpenDNS to combine local domain blocking with OpenDNS filtering.

  5. 5

    Use regex-based blacklist rules managed by scripts so “block” and “unblock” can be applied automatically rather than manually.

  6. 6

    Expose a Flask control endpoint (port 8080) and trigger it via IFTTT Webhooks tied to Alexa phrases.

  7. 7

    For remote automation, ensure the control endpoint is reachable from the internet using a public IP and router port-forwarding for port 8080.

Highlights

Pi-hole becomes effective only after clients point their DNS to it; once that happens, unwanted domains get blocked at the DNS level before bandwidth is wasted.
The automation hinges on regex-based blacklist scripts plus a Flask endpoint on port 8080, letting “block” and “unblock” happen instantly.
Alexa control works through IFTTT Webhooks, but it requires public reachability—typically public IP plus port-forwarding for port 8080.
Layering OpenDNS upstream with Pi-hole local blocking creates a more complete filtering setup than either approach alone.
Disabling systemd-resolved on Ubuntu is a necessary step to avoid DNS server conflicts when Pi-hole takes over DNS duties.

Topics

  • Pi-hole Docker
  • OpenDNS Upstream
  • IFTTT Webhooks
  • Alexa Automation
  • Regex Blacklists

Mentioned

  • DNS
  • IFTTT
  • IP
  • SSH
  • IT
  • CCNA
  • CCMP
  • regex
  • Pi-hole
  • OpenDNS
  • Flask
  • Docker
  • VM
  • UI
  • ISP

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library