This is an unsupported configuration created by the community
This guide should work for most recent Debian derivatives (Raspbian, Ubuntu). Alternatively, you can follow a Tor Installation Guide for your host system.
sudo apt install tor
Edit /etc/tor/torrc as root, include the following line at the end and save the changes
Restart Tor with:
sudo service tor restart
Change your Pi-hole upstream DNS server to use
127.0.10.1 in the Pi-hole WebGUI (Settings) under "Upstream DNS Servers" and click "Save".
Note: It's currently not possible to change the upstream DNS server directly in the
/etc/pihole/setupVars.conf file; the Pi-hole DNS server won't pick up the change.
If you want a recognizable hostname for the Tor DNS in your Pi-hole GUI statistics, edit
/etc/hosts as root, include the following line at the end and save the changes
Restart Pi-hole DNS Server for the
/etc/hosts changes to take effect
sudo pihole restartdns
Testing your configuration
To see which DNS servers you're using, you can use a DNS Server Leak Test. Some of them don't work with DNS over Tor, but this one does. It should show random DNS servers. In the default configuration Tor rotates the circuit approximately every 10 minutes, so it might take 10 minutes for you to see a new set of random DNS servers in the Leak Test.
You can also check the "Forward Destinations over Time" graph (enabled by default) in your Pi-hole WebGUI. The latest Forward Destinations should only include "local" and "tor.dns.local" (if you updated the
To absolutely make sure that you always use the Pi-hole as DNS Server and to make sure that it handles IPv4 and/or IPv6 blocking if you configured it to do so, you should check which DNS Servers your client is using:
nmcli device show <interface> | grep .DNS (Linux) or
ipconfig /all (Windows, and look for DNS Servers on your LAN Adapter). You should then issue an IPv4 (A) and/or IPv6 (AAAA) DNS query to every IPv4 and/or IPv6 DNS Server that shows up:
dig @<IPv4/6-dns-server-address> api.mixpanel.com <A/AAAA>
nslookup -q=<A/AAAA> api.mixpanel.com <IPv4/6-dns-server-address>
That should give you the Pi-hole IPv4 and/or IPv6 address as Answer and show up as "Pi-holed" in the WebGUI Query Log (assuming you have the default blocklist, otherwise replace
api.mixpanel.com with any domain on your blocklist).
If any of the queries doesn't show up in the Query Log, you should make sure to configure your Pi-hole/network setup properly (this thread might help).
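The per-resolver check described above, scripted as an added example (not part of the original guide). It assumes `dig` is installed and, as the guide states, that Pi-hole answers a blocked domain with its own address; the function names and the addresses in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Usage (constructed addresses): ./check-resolvers.sh 192.0.2.53 A 192.0.2.53 192.0.2.1
#   $1 = Pi-hole address expected in the answer, $2 = A or AAAA,
#   remaining args = every DNS server your client lists.
# For AAAA, pass the address in the compressed lowercase form dig prints.

# classify_answer <expected-addr> <dig +short output>
# Prints PIHOLED, NOT_PIHOLE or NOANSWER.
classify_answer() {
    want=$1; seen=0
    for rec in $2; do
        case $rec in
            \;*) echo NOANSWER; return 0 ;;    # dig error text (";; connection timed out ...")
            *.) ;;                             # CNAME target line, keep reading
            "$want") seen=1 ;;                 # blocked: answer is the Pi-hole address
            *) echo NOT_PIHOLE; return 0 ;;    # a real address came back: resolver bypasses Pi-hole
        esac
    done
    if [ "$seen" -eq 1 ]; then echo PIHOLED; else echo NOANSWER; fi
}

# check_server <dns-server> <domain> <A|AAAA> <expected-addr>
check_server() {
    out=$(dig +short +time=2 +tries=1 "@$1" "$2" "$3" 2>/dev/null)
    printf '%s %s %s -> %s\n' "$1" "$2" "$3" "$(classify_answer "$4" "$out")"
}

# Only query the network when called with arguments.
if [ "$#" -ge 3 ]; then
    pihole_addr=$1; rrtype=$2; shift 2
    for dns in "$@"; do
        # api.mixpanel.com is the guide's test domain; use any domain on your blocklist.
        check_server "$dns" api.mixpanel.com "$rrtype" "$pihole_addr"
    done
fi
```

Any line that does not end in `PIHOLED` identifies a configured resolver that is not your Pi-hole or is not applying the blocklist.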