You've got Pi-hole installed. The dashboard is up. Ads are getting blocked. Grand. But there's one decision that trips people up more than it should: which upstream DNS server should Pi-hole forward queries to?
Pi-hole blocks ads by answering DNS queries for known ad and tracker domains itself, handing back a null address (0.0.0.0 / :: in its default blocking mode) instead of the real one. Everything else it forwards to an upstream resolver, which does the real work of turning names into IP addresses and, in the process, sees every domain your network looks up. Picking the right one matters.
What the Pi-hole docs suggest
The Pi-hole setup wizard gives you a list of common options:
- Google (8.8.8.8)
- OpenDNS (208.67.222.222)
- Cloudflare (1.1.1.1)
- Quad9 (9.9.9.9)
Any of these will work. But "works" and "works well for you" aren't the same thing.
What to optimise for
Speed
I had a client in Connemara last month who had this exact issue. DNS latency compounds: a page pulling 40 resources from 20 different domains needs 20 lookups, and at 50 ms each instead of 5 ms that is up to 900 ms added to the load if the lookups run back to back. Browsers overlap them and Pi-hole caches answers, so the steady-state cost is lower, but on a cold cache (first visit, or just after a reboot) a slow upstream is something you feel.
The fastest upstream for you depends on where you are geographically. Google and Cloudflare anycast their addresses from points of presence all over the world, so they're usually fast from anywhere. But a smaller regional provider might be closer to you.
Test it:
# From the machine running Pi-hole
dig @8.8.8.8 example.com | grep "Query time"
dig @1.1.1.1 example.com | grep "Query time"
dig @9.9.9.9 example.com | grep "Query time"
Honestly, run each one a few times. The first query for a name is slower whenever the upstream has to go and fetch it (a cache miss); the second and third queries measure the cached case, which is essentially your round trip to that resolver. That is the number that matters day to day, because popular names are almost always already cached at a big public resolver. Run the test from the Pi-hole host itself, as above, so you aren't measuring your LAN as well.
If you want to test a wider range of servers, publicdns.info has a directory of thousands of live-tested public DNS servers. You can filter by country to find resolvers close to you. I've found some regional servers in Ireland that consistently outperform the big names for my setup. Treat an unknown resolver with more suspicion than a well-known one, though: it sees your whole query history, and you have only its word on what it logs.
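Here is that measurement as a script, added as an example for this post (it is not Pi-hole project code). It asks each upstream for the same name several times, discards the first answer as the likely cache miss, and reports the median of the rest. The server list, the test name example.com and the run count are assumptions you can change; it needs dig (package dnsutils on Debian/Raspberry Pi OS, bind-utils on Fedora) and is written for plain POSIX sh so it runs on a bare Pi.

```shell
#!/bin/sh
# Added example, not from the Pi-hole project: benchmark upstream resolvers
# with dig and report the median of the warm (cached) query times.
# Assumptions: dig is installed; the server list and example.com are placeholders.
set -u

# Print the N from a dig output's ";; Query time: N msec" line, or nothing.
# $1 = the complete dig output (as one string)
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# Median of the integers given as arguments (lower middle for even counts).
median_ms() {
    n=$#
    [ "$n" -gt 0 ] || return 1
    mid=$(( (n + 1) / 2 ))
    printf '%s\n' "$@" | sort -n | sed -n "${mid}p"
}

# Query $1 for $2 $3 times; print "server first=Xms warm_median=Yms".
# The first answer is reported separately because it is often a cache miss.
bench_upstream() {
    server=$1; domain=$2; runs=${3:-5}
    if [ "$runs" -lt 2 ]; then echo "need at least 2 runs"; return 2; fi
    first=""; warm=""; i=0
    while [ "$i" -lt "$runs" ]; do
        # +tries=1 +time=2: give up after 2 s instead of dig's default retries,
        # so a dead or firewalled resolver costs seconds, not a minute.
        if ! out=$(dig +tries=1 +time=2 @"$server" "$domain" A 2>/dev/null); then
            echo "$server: no reply"; return 1
        fi
        t=$(query_time_ms "$out")
        if [ -z "$t" ]; then echo "$server: unparseable reply"; return 1; fi
        if [ -z "$first" ]; then first=$t; else warm="$warm $t"; fi
        i=$((i + 1))
    done
    # $warm is deliberately unquoted so each time becomes its own argument
    echo "$server first=${first}ms warm_median=$(median_ms $warm)ms"
}

# Only talk to the network when dig is actually available on this host.
if command -v dig >/dev/null 2>&1; then
    for s in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222; do
        bench_upstream "$s" example.com 5 || :
    done
fi
```

Run it on the Pi-hole host. A resolver whose warm median is still tens of milliseconds is simply far away from you, whatever its reputation.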
Privacy
Pi-hole itself sends plain, unencrypted DNS (port 53) to the upstream. So your ISP, or anyone else on the path, can still read which domains you're looking up and the answers that come back (everything except the ad domains, which Pi-hole answers locally and never forwards).
If privacy matters, you've got a few options:
- Use a privacy-focused upstream - Quad9 or Cloudflare, whose published policies limit what they log and retain. That is a promise rather than a technical control, and it does nothing about the path between you and them.
- Add Unbound - run a local recursive resolver alongside Pi-hole. Queries go directly to the root, TLD and authoritative servers instead of through a third-party resolver, so no single operator sees your whole query history.
- Enable DNS over TLS - encrypt the hop between your network and the upstream. Pi-hole's own resolver can't speak DoT, so in practice this means running a local forwarder (Unbound in forwarding mode, stubby, or cloudflared for DNS over HTTPS) on the Pi-hole box and pointing Pi-hole at it.
Option 2 (Unbound) is what I use and recommend. It's more work to set up, but no resolver operator gets your full query log. Be precise about what it does and doesn't hide, though: the lookups still cross your ISP's network in plaintext, just spread across root, TLD and authoritative servers, and with QNAME minimisation each of those sees only the part of the name it needs to answer.
Security
Some upstreams add a layer of security:
- Quad9 blocks known malicious domains before they resolve, using threat intelligence feeds; if someone on your network clicks a phishing link, Quad9 may refuse to resolve it. The blocking applies to 9.9.9.9 (and its secondary, 149.112.112.112); Quad9 also runs an unfiltered service on 9.9.9.10 for people who don't want it.
- OpenDNS lets you configure custom filtering categories through their dashboard.
- AdGuard DNS blocks ads and trackers at the resolver level (redundant with Pi-hole, which already does this and, unlike a remote resolver, shows you what it blocked).
I like layering Quad9 as upstream with Pi-hole handling ad blocking. Two layers of protection, different approaches.
How many upstream servers should you set?
Pi-hole lets you configure multiple upstream DNS servers. The question is: should you?
One server: Simplest. All queries go to the same place. If it goes down, DNS breaks until you change it.
Two servers: Most people should do this. Pi-hole's resolver (dnsmasq underneath) sends each query to one upstream by default and falls back to the other when that one fails or stops answering, so the second entry is a backup, not a load balancer. Pick two from different providers so one outage doesn't take both down (e.g., Cloudflare + Quad9). One catch: if you're counting on a filtering upstream like Quad9 to catch malware, pair 9.9.9.9 with Quad9's own secondary 149.112.112.112 rather than with an unfiltered provider, otherwise the queries that land on the other server are never filtered.
Three or more: Diminishing returns. Two is enough for redundancy, and every extra entry is one more operator that sees a slice of your queries whenever dnsmasq switches servers.
My setup: two upstream servers from different providers. If Cloudflare has a bad day, Quad9 picks up the slack.
The Unbound option
For maximum control, run Unbound as a local recursive resolver and point Pi-hole at it. Instead of forwarding queries to Google or Cloudflare, Unbound goes directly to the authoritative DNS servers.
Client -> Pi-hole (ad blocking) -> Unbound (recursive) -> Root/TLD/Auth servers
This means:
- No third party sees all your queries
- You're not trusting any single DNS provider
- You get DNSSEC validation locally
- Slightly slower first lookups (no cache shared with thousands of other users), but Unbound caches aggressively and can prefetch popular records before they expire
Setting it up is a separate guide, but the Pi-hole docs cover it well: Unbound listens on 127.0.0.1 port 5335 in that guide, and Pi-hole's upstream becomes 127.0.0.1#5335. It's about 15 minutes of work and it's been rock solid for me.
My recommended setups
Simple and fast:
Pi-hole -> Cloudflare (1.1.1.1) + Quad9 (9.9.9.9)
Privacy-focused:
Pi-hole -> Unbound (local recursive resolver)
Maximum protection:
Pi-hole -> Unbound (forwarding mode) -> DNS over TLS to Quad9 (with malware blocking)
Note that Unbound is a forwarder here, not a recursive resolver: you give up the no-single-third-party property of the privacy setup in exchange for Quad9's threat blocking and an encrypted, certificate-checked hop to it. Unbound still validates DNSSEC locally in this mode.
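To make the difference between the two Unbound roles concrete (the recursive resolver from the Unbound section and the DNS over TLS forwarder in the maximum-protection setup), here is an added example script, not Pi-hole or Unbound project code, that writes either configuration and checks that the running Unbound really validates DNSSEC. Assumptions: Unbound listens on 127.0.0.1 port 5335 as in the Pi-hole docs, the drop-in directory is /etc/unbound/unbound.conf.d/, the CA bundle is at /etc/ssl/certs/ca-certificates.crt (the Debian/Raspberry Pi OS path), and the distro package already installs the root trust anchor (Debian's does). The DNSSEC test names are the ones the Pi-hole Unbound guide uses.

```shell
#!/bin/sh
# Added example (not from the Pi-hole or Unbound projects): write either of
# the two Unbound roles described in the post and sanity-check DNSSEC.
# Assumptions: Unbound on 127.0.0.1:5335; drop-in dir /etc/unbound/unbound.conf.d/;
# CA bundle /etc/ssl/certs/ca-certificates.crt; root trust anchor already installed.
set -u

# Role 1: full recursive resolver. No forward-zone, so Unbound walks down from
# the root servers itself. Writes the config to the path given as $1.
write_recursive_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    # only processes on this host (Pi-hole) may query Unbound
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # refuse bogus glue and answers that had their DNSSEC records stripped
    harden-glue: yes
    harden-dnssec-stripped: yes
    # send each server only the labels it needs (the root sees "com.", not the full name)
    qname-minimisation: yes
    # refresh popular records before they expire to hide cold-cache latency
    prefetch: yes
    # keep UDP answers below the fragmentation threshold
    edns-buffer-size: 1232
EOF
}

# Role 2: forwarder over DNS over TLS to Quad9. Unbound no longer recurses, so
# Quad9 sees every query, but the hop is encrypted, the server certificate is
# checked against the name after '#', and Quad9's threat blocking applies.
write_dot_quad9_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    harden-dnssec-stripped: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
EOF
}

# Exit 0 if the config at $1 forwards (one operator sees everything), 1 if it
# recurses on its own. Handy when auditing a box somebody else set up.
conf_is_forwarder() {
    grep -q '^forward-zone:' "$1"
}

# A validating resolver must answer SERVFAIL for the deliberately broken name
# and NOERROR with the AD (authenticated data) flag for the good one.
check_dnssec() {
    port=${1:-5335}
    bad=$(dig +tries=1 +time=3 @127.0.0.1 -p "$port" fail01.dnssec.works A 2>&1)
    good=$(dig +tries=1 +time=3 @127.0.0.1 -p "$port" +dnssec dnssec.works A 2>&1)
    printf '%s\n' "$bad"  | grep -q 'status: SERVFAIL'    || { echo "FAIL: bogus signature was accepted"; return 1; }
    printf '%s\n' "$good" | grep -q 'status: NOERROR'     || { echo "FAIL: valid name did not resolve";  return 1; }
    printf '%s\n' "$good" | grep -q '^;; flags:.* ad[ ;]' || { echo "FAIL: answer lacks the ad flag";    return 1; }
    echo "OK: Unbound on port $port validates DNSSEC"
}

# On the Pi-hole host, as root: call write_recursive_conf (or write_dot_quad9_conf)
# with /etc/unbound/unbound.conf.d/pi-hole.conf, run "unbound-checkconf" and
# "systemctl restart unbound", then run this script with the argument "check".
# Finally set Pi-hole's upstream to 127.0.0.1#5335 under Settings > DNS.
if [ "${1:-}" = "check" ] && command -v dig >/dev/null 2>&1; then
    check_dnssec 5335
fi
```

If the check reports that the bogus signature was accepted, Unbound is running without a trust anchor and "DNSSEC validation locally" is not actually happening; fix that before relying on it.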
Testing your setup
After configuring upstream DNS, test from a device on your network:
# Should resolve (not an ad domain)
dig google.com @<pi-hole-ip>
# Should be blocked (ad domain): in Pi-hole's default blocking mode the answer is 0.0.0.0, in NXDOMAIN mode the status is NXDOMAIN
dig ads.google.com @<pi-hole-ip>
# Check query time
dig example.com @<pi-hole-ip> | grep "Query time"
Then check the Query Log on the Pi-hole dashboard. You should see the queries listed with the upstream that answered them, ad domains marked as blocked and everything else forwarded. If a device's queries never show up there, that device is bypassing Pi-hole (hard-coded DNS, or a browser doing its own DNS over HTTPS) and none of the above applies to it.
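The same check as a script that classifies each answer instead of leaving you to eyeball dig output, added here as an example (not Pi-hole project code). It knows about both of Pi-hole's blocking answers: the default NULL mode returns 0.0.0.0 for A and :: for AAAA, and NXDOMAIN mode returns status NXDOMAIN. Assumptions: the environment variable PIHOLE_IP holds your Pi-hole's address, and ads.google.com is on your blocklist (substitute any domain your Query Log shows as blocked).

```shell
#!/bin/sh
# Added example, not Pi-hole project code: query a Pi-hole and classify
# each answer as resolved, blocked, empty, or broken.
# Assumptions: PIHOLE_IP is set; ads.google.com is on the blocklist.
set -u

# Read a dig response from $1 and print exactly one verdict:
#   resolved, blocked-null, blocked-nxdomain, empty, no-reply, or error-<STATUS>
classify_response() {
    out=$1
    # header line: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    # answer-section records: name  TTL  IN  A  1.2.3.4  (the question line has
    # IN in field 2, so it is skipped)
    addrs=$(printf '%s\n' "$out" | awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }')
    case "$status" in
        NXDOMAIN) echo blocked-nxdomain ;;
        NOERROR)
            if [ -z "$addrs" ]; then
                echo empty            # NODATA, or a CNAME chain with no address
            elif [ "$addrs" = "0.0.0.0" ] || [ "$addrs" = "::" ]; then
                echo blocked-null     # Pi-hole's default way of saying "blocked"
            else
                echo resolved
            fi ;;
        "")       echo no-reply ;;    # timeout: wrong IP, firewall, or FTL not running
        *)        echo "error-$status" ;;  # REFUSED/SERVFAIL: check Settings > DNS interface
                                           # settings and /var/log/pihole/FTL.log
    esac
}

# Query $2 (A record) through the Pi-hole at $1 and print "domain: verdict".
check_pihole() {
    pihole=$1; domain=$2
    out=$(dig +tries=1 +time=2 @"$pihole" "$domain" A 2>/dev/null || true)
    echo "$domain: $(classify_response "$out")"
}

if [ -n "${PIHOLE_IP:-}" ] && command -v dig >/dev/null 2>&1; then
    check_pihole "$PIHOLE_IP" google.com       # expect resolved
    check_pihole "$PIHOLE_IP" ads.google.com   # expect blocked-null (or blocked-nxdomain)
    check_pihole "$PIHOLE_IP" pi.hole          # Pi-hole answers this name itself: expect resolved
fi
```

Run it as PIHOLE_IP=192.168.1.2 sh check-pihole.sh from a client on the LAN, not from the Pi-hole host, so that the firewall and interface settings are part of what you test.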
Wrapping up
The upstream DNS choice isn't something you need to agonise over. Cloudflare + Quad9 is a solid default that gives you speed, a reasonable logging policy and, for the queries that reach Quad9, malware protection. If you want to go further, add Unbound for full recursive resolution.
The important thing is that you've got Pi-hole running at all. That's already a massive improvement over bare ISP DNS. The upstream choice is just fine-tuning from there.