🐑 Commons Host



Dohnut with Pi-hole

Pi-hole is an effective way to block ads across all devices on a network. It provides many powerful options and is easy to deploy and manage.

Dohnut works with Pi-hole as a local upstream DNS server. Dohnut encrypts outbound DNS queries and can load-balance between multiple DoH providers for performance and privacy benefits. Additional countermeasures supported by Dohnut can be enabled to deter tracking even by DoH providers.

Tip: See the Dohnut with Docker Compose guide for an easy way to run Pi-hole and Dohnut together.

Table of Contents

Deploy Dohnut

Dohnut can run on the same device as Pi-hole. A popular approach is to set up Raspbian Linux on a Raspberry Pi.

Run Dohnut in Docker or run Dohnut with systemd.

Configure Dohnut

Pi-hole exposes a DNS server on port 53/udp. Dohnut can avoid conflict by running on a different port, for example 53000.

The only DNS "client" talking directly to Dohnut will be Pi-hole. If both are deployed on the same machine, Dohnut can be restricted to allow only on local connections by listening on a loopback interface


Specify any other command line interface options as needed. These options can be passed to the dohnut command directly, via a JSON file (e.g. --options dohnut.json), or as arguments to the Docker image using docker run.

For example:

$ dohnut \
  --listen \
  --doh cleanbrowsing cloudflare commonshost quad9 \
  --countermeasures spoof-queries spoof-useragent

Deploy Pi-hole

See the Pi-hole documentation for installation instructions.

Configure Pi-hole

Access the Pi-hole dashboard and log in as administrator.

(or the Pi-hole's IP address)

Go to: Settings > DNS > Upstream DNS Servers > Custom 1 (IPv4)

Enter the Dohnut IP address and port using the hash syntax (address#port). Enable its checkbox.

Disable any other Upstream DNS servers to ensure all DNS queries make use of Dohnut.

All your DNS queries through Pi-hole are now encrypted and load balanced for enhanced security, privacy, and performance.