
DNS Is the Map of the Internet
Every time your browser loads a page, it first asks DNS to translate a human-readable name into an IP address. This lookup chain involves up to four servers and completes in milliseconds, billions of times per second globally. For self-hosters, DNS is more than a lookup service — it is the layer where you can control how your own hostnames resolve inside your home network versus on the public internet, block ads before they reach any device, and understand why your Caddy certificate requests succeed or fail.
Follow the Recursive Resolution Chain
When you type home.example.com into a browser, your device first asks its configured resolver (usually your router or ISP). If the resolver has the answer cached, it returns it immediately. If not, it asks one of the thirteen root nameserver clusters, whi
Learn the Record Types That Matter
A records map a hostname to an IPv4 address. AAAA records map to an IPv6 address. CNAME records create an alias from one hostname to another — the lookup continues at the target name. MX records specify mail servers for a domain, with a priority number. T
Install Pi-hole as a Local DNS Resolver
Pi-hole is a DNS server that intercepts queries, blocks domains on its blocklists, and forwards everything else to an upstream resolver of your choice. Install it on your Pi using the official curl-based installer or the Docker image. During setup, choose
Configure Split-Horizon DNS
Split-horizon DNS means the same hostname resolves to different addresses depending on where the query originates. You want nextcloud.example.com to resolve to 192.168.1.50 inside your house (no round-trip to the internet) and to your public IP outside. I
Set Your Router to Distribute Pi-hole's IP
Log into your router's admin interface and find the DHCP server settings. Change the DNS server address that gets handed out to DHCP clients from your ISP's DNS to Pi-hole's IP address — your Pi's static LAN IP. Some routers allow you to set a primary and
If Pi-hole goes down and you have not set a fallback, your whole network loses DNS resolution and appears to lose internet access entirely. Configure a secondary DNS on devices that can tolerate bypassing Pi-hole during outages, or run a second Pi-hole instance on different hardware. Do not rely on a single DNS server for critical infrastructure.
What Comes Next
Your devices now send their DNS queries to Pi-hole, which answers local and blocked names itself and forwards everything else to the upstream resolver you chose. But all your other traffic still flows through your ISP unencrypted at the network level. A WireGuard VPN server on your Pi lets you tunnel your traffic back to your home network from anywhere, giving you access to your local services and Pi-hole's filtering even when you're on a coffee shop network.

