open source · self-hosted · MIT
Pi-hole, rebuilt on the BEAM.
EliHole is a DNS sinkhole that blocks ads and trackers for your whole network — with DoH, DoT, enforced DNSSEC and native clustering built into the core, not bolted on.
★ Star on GitHub · one container, runs on 512 MB
| analytics.tiktok.com | 10.0.0.42 | blocked | 0.4ms |
| github.com | 10.0.0.17 | ok | 12.1ms |
| ads.samsungads.com | 10.0.0.88 | blocked | 0.3ms |
| fonts.gstatic.com | 10.0.0.17 | cached | 0.1ms |
| telemetry.lg.tv.net | 10.0.0.91 | blocked | 0.4ms |
| elixir-lang.org | 10.0.0.42 | ok | 9.8ms |
| app-measurement.com | 10.0.0.55 | blocked | 0.3ms |
| cloudflare.com | 10.0.0.17 | cached | 0.1ms |
Up in two commands
# clone, configure, run $ cp .env.example .env $ docker compose up -d # point your router's DNS at the host — done
Postgres included. Migrations run automatically. Full install guide →
Everything a sinkhole should have had years ago
DoH + DoT built in
DNS-over-HTTPS (RFC 8484) and DNS-over-TLS (RFC 7858) ship in the core. No cloudflared sidecar, no stunnel, nothing extra to babysit.
DNSSEC that actually enforces
Full chain-of-trust validation from the ICANN root. Bogus responses get SERVFAIL, secure ones get the AD bit — per query, visible in the log.
Native clustering
Master pushes config to slaves, slaves stream stats back. High availability without keepalived, cron jobs or archived sync scripts.
CNAME-cloaking defense
Inspects answer-section CNAME chains and blocks clean-looking domains that alias to trackers. Whitelist still wins.
Race resolution
Every query races two upstreams in parallel and returns the fastest answer, with weighted selection learned from real latency.
Prometheus, no exporter
Native /metrics endpoint plus a JSON health check. Point Prometheus at it and import the dashboard — no third-party exporter container.
Pi-hole migration in one upload
Imports Pi-hole Teleporter backups directly: blocklists, whitelists, adlists, upstreams and local DNS records.
Built on the BEAM
Elixir/OTP supervision keeps DNS answering even when a subsystem crashes. ETS-backed lookups keep blocking decisions sub-millisecond.
How it stacks up
The short version. The long version, with caveats and the cases where the others win, lives in the comparisons.
| Feature | EliHole | Pi-hole | AdGuard Home |
|---|---|---|---|
| DNS-over-HTTPS server (no sidecar) | ✓ | — | ✓ |
| DNS-over-TLS server | ✓ | — | ✓ |
| DNSSEC validation with enforcement | ✓ | via upstream | partial |
| CNAME-cloaking deep inspection | ✓ | deep CNAME | ✓ |
| Native multi-node clustering | ✓ | — | — |
| Prometheus metrics built in | ✓ | exporter | exporter |
| Imports Pi-hole Teleporter backups | ✓ | ✓ | scripts |
| Wildcard + regex blocking | ✓ | ✓ | ✓ |
Pi-hole v6 and AdGuard Home, as documented by each project. Found an error? Open an issue.
Your network. Your resolver.
Already running Pi-hole? Your blocklists, whitelists and local DNS records import in one upload.