PublicDNS.info Live-tested public DNS
Retested every 72 hours.

How to Change Upstream DNS in Pi-hole

Pi-hole blocks ads at the DNS level, but it still needs an upstream resolver for everything else. Here is how to set your own.

Step 1 — Open the Pi-hole admin panel

Open a browser and navigate to http://pi.hole/admin. If that does not resolve, use the IP address of your Pi directly — for example, http://192.168.1.10/admin.

Log in with your Pi-hole admin password. If you have not set one, you can create or reset it over SSH with pihole -a -p.

Step 2 — Go to Settings → DNS

Click Settings in the left sidebar, then select the DNS tab along the top. This page controls which upstream servers Pi-hole uses to resolve queries that are not blocked or cached.

Step 3 — Uncheck pre-selected upstream providers

Under Upstream DNS Servers, you will see checkboxes for well-known providers like Google and OpenDNS. Uncheck any that are currently active. This gives you a clean slate before adding your own.

Step 4 — Enter your primary DNS server

On the right side under Custom 1 (IPv4), tick the checkbox and type the IP address of your preferred DNS server. For example:

  • 1.1.1.1 — Cloudflare
  • 9.9.9.9 — Quad9
  • 208.67.222.222 — OpenDNS

Step 5 — Enter your secondary DNS server

Under Custom 2 (IPv4), tick the checkbox and enter a second DNS address, such as 8.8.8.8 (Google) or 1.0.0.1 (Cloudflare secondary).

Having two upstream servers from different providers ensures queries still resolve if one provider has an outage.

Step 6 — Optional: Add IPv6 upstream servers

If your network supports IPv6, fill in Custom 3 (IPv6) and Custom 4 (IPv6). Example addresses:

  • 2606:4700:4700::1111 — Cloudflare
  • 2001:4860:4860::8888 — Google

Skip this step if your ISP does not provide IPv6 connectivity.

Step 7 — Save

Scroll to the bottom of the page and click Save. Pi-hole applies the change immediately. No restart is required.

Step 8 — Verify in the Query Log

Go back to the Pi-hole dashboard and open Query Log from the sidebar. Browse a few websites, then check the log. The Reply column should reference the upstream servers you just configured.

You can also run a quick check from any device on the network:

nslookup example.com

The server address in the response should be your Pi-hole's IP, confirming that queries are flowing through it to your chosen upstreams.

DNSSEC

On the same DNS settings page, you will see a Use DNSSEC checkbox. DNSSEC adds cryptographic verification to DNS responses, which protects against spoofing and cache poisoning.

Enable it only if your upstream server supports DNSSEC. Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) all support it. If your upstream does not, enabling DNSSEC in Pi-hole can cause queries to fail.

Rate limiting

Pi-hole includes a rate-limiting feature that caps the number of queries a single client can make per minute. The default is 1000 queries per 60 seconds, which works well for most networks.

If you notice legitimate queries being dropped — common with smart home devices or media streamers that make rapid DNS calls — you can increase the limit under Settings → DNS → Rate limiting. Set the value to 0 to disable rate limiting entirely.

CLI alternative: edit setupVars.conf

If you prefer to configure Pi-hole from the command line, SSH into your Pi and edit the configuration file directly:

sudo nano /etc/pihole/setupVars.conf

Find the lines that start with PIHOLE_DNS_ and replace the addresses:

PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=8.8.8.8

Save the file, then restart the DNS service:

pihole restartdns

This achieves the same result as changing the settings through the web interface.

Recommended DNS servers

Not sure which upstream servers to use with Pi-hole? We maintain a live-tested directory of public DNS resolvers, filtered by reliability and response time.

Browse our full directory to find the best servers for your setup.

Frequently asked questions

Can I use more than two upstream DNS servers in Pi-hole?

Yes. Pi-hole supports up to four custom upstream servers — two IPv4 and two IPv6. You can also mix custom servers with the built-in provider presets if you want.

Does Pi-hole cache DNS queries?

Yes. Pi-hole uses its built-in DNS resolver to cache responses. Repeated queries for the same domain are served from cache until the TTL expires, which reduces load on your upstream servers and speeds up resolution.

Should I enable DNSSEC in Pi-hole?

Only if your upstream DNS server supports DNSSEC validation. Enabling DNSSEC with an upstream that does not support it can cause resolution failures. Cloudflare (1.1.1.1) and Google (8.8.8.8) both support DNSSEC.

Will changing upstream DNS affect my Pi-hole block lists?

No. Pi-hole blocks domains locally before any query reaches your upstream server. Changing the upstream only affects where non-blocked queries are forwarded for resolution.