Introduction

Unless you’re typing in IP addresses by hand, every time you visit a website you perform a DNS lookup first. By default, your network probably points to a public DNS server, such as your ISP’s resolver, Google’s 8.8.8.8, or Cloudflare’s 1.1.1.1. They’re convenient and fast, but it also means a third party gets an unredacted view of the websites you visit. If you want to stop handing that information to Google, you can swap the public DNS server for an inexpensive Raspberry Pi running Pi-hole and Unbound.
Your DNS server knows every website you visit
Your DNS lookup requests aren’t usually encrypted either
Any time you connect to a website using a domain name, a DNS server somewhere translates that name into the IP address your computer actually connects to. Whichever DNS server you use has full visibility of every domain your devices look up, not just what you type into a browser but every app, smart TV, and IoT gadget on the network. Because ordinary DNS queries travel unencrypted over UDP port 53, anyone who can intercept them on the path can read the same list. That is a lot of information to trust to a third party.
Your ISP can still see which IP address you’re connected to, which can then be linked to a domain, unless you’re using a VPN.
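To make the plaintext point concrete, here is an added example (not from the original article) that decodes the question section of a raw DNS query. The packet bytes are constructed by hand for the example, not a real capture; the label layout follows the standard DNS message format. Anyone on the path who captures this packet can recover the name exactly the same way.

```shell
#!/usr/bin/env bash
# Added example: decode the question section of a raw DNS query to show what an
# on-path observer sees. The packet below is constructed, not captured:
#   1234                  transaction ID
#   0100                  flags: standard query, recursion desired
#   0001 0000 0000 0000   QDCOUNT=1, AN/NS/AR counts = 0
#   07 example 03 com 00  QNAME as length-prefixed labels, terminated by 0
#   0001 0001             QTYPE=A, QCLASS=IN
SAMPLE_QUERY_HEX='123401000001000000000000076578616d706c6503636f6d0000010001'

# hex_to_ascii <hex> -> the bytes as text (ordinary hostname labels are ASCII)
hex_to_ascii() {
  # turn "6578" into "\x65\x78" and let bash's printf expand the escapes
  printf "$(printf '%s' "$1" | sed 's/../\\x&/g')"
}

# dns_question <hex> -> prints "<qname> <qtype-number>"
dns_question() {
  local hex=$1 pos=24 name='' len
  # the 12-byte header is 24 hex characters; the labels follow it directly
  while :; do
    len=$((16#${hex:pos:2})); pos=$((pos + 2))
    [ "$len" -eq 0 ] && break                # zero-length label ends the name
    name="${name}$(hex_to_ascii "${hex:pos:len*2}")."
    pos=$((pos + len * 2))
  done
  printf '%s %d\n' "${name%.}" "$((16#${hex:pos:4}))"
}

dns_question "$SAMPLE_QUERY_HEX"   # prints: example.com 1
```

On the Pi itself you can watch the same names go by in real time with `sudo tcpdump -ni any udp port 53`; tcpdump prints the queried name for every packet, which is exactly the visibility a resolver operator or an on-path observer has.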
Fortunately, you can use an inexpensive Raspberry Pi Zero 2 W and a few open-source projects to address the issue.
A Pi-hole and Unbound can give you privacy and security
You don’t need to directly query a DNS server
You do need a DNS server if you want to use domain names to connect to websites, but nothing says you have to ask somebody else’s. Instead, you can run your own using a program called Unbound, a recursive resolver. Unbound talks directly to the DNS hierarchy: it asks the root servers, then the TLD servers, then the authoritative name servers for the domain in question, and caches the answer locally for as long as the record’s TTL allows. Whenever a device on your network asks for that domain again, Unbound answers from its cache, and Google or Cloudflare is never involved at all.
The board used here is a Raspberry Pi Zero 2 W: quad-core 64-bit ARM Cortex-A53, 512MB of SDRAM. It is tiny and inexpensive, but it packs enough computing power for a variety of DIY projects, from a handheld retro gaming console to Klipper/Mainsail or a compact home or media server, and a DNS resolver for a home network is well within its reach.
You don’t need Google’s 8.8.8.8 server at all: the resolver lives on your home network, although it still has to talk to the root, TLD, and authoritative name servers on the internet the first time it sees a domain. Just as important, Unbound performs DNSSEC validation, which uses cryptographic signatures to verify that the records you receive for a signed zone have not been tampered with in transit. Though it is rare, DNS cache poisoning has been used to reroute traffic from legitimate websites to malicious clones that harvest sensitive information, such as credit card numbers. Large public resolvers are attractive targets because compromising one could affect tens of millions of people. Running your own small validating resolver makes that attack much harder: a forged record for a signed zone fails validation and is discarded rather than served. The caveat is that DNSSEC only protects zones whose owners have signed them, unsigned zones are accepted as before, and validation says nothing about whether the site itself is legitimate.
A Pi-hole is a great natural combination with Unbound. A Pi-hole acts as a network-wide DNS “sinkhole.” When your devices ask to connect to a domain, the Pi-hole checks its blocklists. If the domain is known to run ads, trackers, or host malware, Pi-hole returns 0.0.0.0, which prevents you from ever connecting to the blocked domain in the first place.
Because the filtering happens at the DNS layer, you don’t need to install software on every individual phone, smart TV, or IoT device in your house. Used together with Unbound, you get two layers working in tandem. Every device on your network sends its queries to the Pi-hole, which answers for blocked domains itself. Anything that passes the blocklists is forwarded to Unbound, which resolves the name to an IP address, and your device connects. No third party is required, and connections to known malware and tracking domains are refused before they are made, which stops a fair amount of malware before it ever has a chance to infect a device. For a small one-time hardware cost and a minuscule amount of electricity, you have full control over your network’s name resolution. Once the local cache is warm, repeat lookups are almost instantaneous.
Setting up your Pi-hole and Unbound
One hour and a Raspberry Pi is all you need
To begin, flash Raspberry Pi OS Lite (64-bit) to a microSD card using the Raspberry Pi Imager and install it in your Raspberry Pi. Then, log into your router and give the Pi a fixed address, either a static IP or a DHCP reservation; if the address changes, every client pointed at it stops resolving. With that set, SSH into the Raspberry Pi and install Pi-hole by running curl -sSL https://install.pi-hole.net | bash, then connect to the web dashboard to complete the setup. (Piping a download straight into a shell is how the project distributes the installer; if you would rather review a script before running it as root, save it first with curl -sSL https://install.pi-hole.net -o basic-install.sh, read it, and then run sudo bash basic-install.sh.) The installer is designed to be very user-friendly and walks you through the important parts. After that is done, SSH in again and install Unbound using sudo apt install unbound. You need to make sure it listens only on the loopback address (127.0.0.1) on port 5335, does not forward to any other resolver, and validates DNSSEC. To do that, create the configuration file at “/etc/unbound/unbound.conf.d/pi-hole.conf” according to the Pi-hole instructions. The essential settings are the interface and port, the absence of any forward-zone so that Unbound resolves on its own, and DNSSEC validation, which the Debian package already enables through its auto-trust-anchor file.
Now you need to tell the two pieces to actually talk to each other. Open the Pi-hole dashboard, go to Settings, and under DNS set the upstream to the custom entry 127.0.0.1#5335, then untick every other upstream, including Google’s 8.8.8.8, so that nothing leaks past Unbound. Leave Pi-hole’s own DNSSEC option disabled: Unbound is already validating, and a second validator in front of it adds nothing but extra failure modes.
Finally, point your router’s DNS settings to the Pi’s IP address like you would normally for a Pi-hole.
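Here is an added example, written for this article rather than copied from Pi-hole’s or Unbound’s documentation, that writes the Unbound configuration described above and then checks two things a practitioner wants confirmed before trusting the setup: that plain lookups work on 127.0.0.1#5335, and that DNSSEC validation is really in effect (the tamper-resistance claimed earlier). It assumes Raspberry Pi OS or another Debian-based system, where the unbound package ships root-auto-trust-anchor-file.conf and so validates by default, and it assumes the long-standing public test names sigok.verteiltesysteme.net and sigfail.verteiltesysteme.net are still being served.

```shell
#!/usr/bin/env bash
# Added example (not the article's or Pi-hole's own file): write the Unbound
# config the article describes (loopback only, port 5335, no forwarding, DNSSEC
# validation) and verify it. Assumes Debian/Raspberry Pi OS, where the unbound
# package enables validation via root-auto-trust-anchor-file.conf.
set -eu

UNBOUND_CONF=/etc/unbound/unbound.conf.d/pi-hole.conf   # path from the article

# unbound_conf -> prints the resolver configuration
unbound_conf() {
  cat <<'EOF'
server:
    # Only Pi-hole, on the same host, should be able to reach Unbound
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    # No forwarding stanza at all: resolve from the root servers ourselves
    harden-glue: yes
    # Refuse answers whose DNSSEC data was stripped on the way back
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    # Stay below the IP fragmentation threshold for UDP answers
    edns-buffer-size: 1232
    # Refresh popular records shortly before they expire
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m
    # Never accept private addresses from the internet (DNS rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
EOF
}

# dnssec_status <server> <port> -> "validating" or "not-validating"
# sigok must resolve; sigfail carries a deliberately bad signature and must
# come back SERVFAIL if, and only if, the resolver is validating.
dnssec_status() {
  local ok fail
  ok=$(dig +short "@$1" -p "$2" sigok.verteiltesysteme.net A | head -n 1)
  fail=$(dig "@$1" -p "$2" sigfail.verteiltesysteme.net A \
         | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
  if [ -n "$ok" ] && [ "$fail" = "SERVFAIL" ]; then
    echo validating
  else
    echo not-validating
  fi
}

# Only touch the system when invoked as:  sudo ./unbound-setup.sh apply
if [ "${1:-}" = "apply" ]; then
  apt-get install -y unbound
  unbound_conf > "$UNBOUND_CONF"
  unbound-checkconf                    # syntax check before restarting
  systemctl restart unbound
  dig pi-hole.net @127.0.0.1 -p 5335   # plain lookup should return an answer
  dnssec_status 127.0.0.1 5335         # expect "validating"
fi
```

If dnssec_status prints not-validating, check that /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf is present and that /var/lib/unbound/root.key exists; without a trust anchor Unbound resolves happily but silently skips validation, which is the failure mode you most want to catch here.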
There are a few tradeoffs
The Pi-hole and Unbound combination is great if you’re privacy minded, or if you’re a homelabber that can make use of the granular control. However, it does have a few drawbacks.
The first time you visit a fresh domain, the lookup will be slower than with a public resolver, because Unbound has to walk the hierarchy itself: root servers, then TLD servers, then the domain’s authoritative servers, each a separate round trip, whereas a resolver serving millions of users usually has the answer cached already. Subsequent visits are much faster, but that initial delay is something you’ll probably notice. Second, remember that you are creating a single point of failure. If your Raspberry Pi gets thrown off a bookshelf by an inquisitive cat, every device on your home network loses name resolution, which in practice means losing internet access, until you fix it. Handing out a public resolver as a secondary DNS server is not a clean fix, because many clients use both and will quietly bypass the Pi-hole’s filtering; a second Pi-hole, or at least a way to quickly repoint the router’s DNS, is the usual answer. Finally, be clear about what privacy you gain. Google and Cloudflare no longer see your lookups, but Unbound’s own queries to the root, TLD, and authoritative servers still leave your home in plaintext, so your ISP, or anyone else on the path, can still read them. What changes is that no single resolver sees your complete history, and each authoritative server only sees queries for its own zone.
Conclusion
Thanks for reading this tutorial on HunterSam. Stay updated with smart how-to guides, troubleshooting tips, and easy tech tutorials.