How Pi-Hole Handles HTTPS / SSL


Potential FAQ? One common question I saw surfacing in the recent hacker news post about pi-hole was about SSL so I made a quick flow chart for that.

Difference between Pi-Hole when ads use SSL:

If you copy any of this SVG link you can just take off the file extension and see the code used to make the diagram on E.G. source code is at

Fork/Edit away if you see any mistakes. I would suggest if we use code2flow on FAQs we download the images & upload them to discourse to avoid hammering their service / disappearing images if they disappear.

How to handle HTTPS / SSL DNS lookups with pi-hole on Synology?
TCP Port 443 Transport error TCP_SIZE_ERROR
Pi Hole + MacOS + Speedport-Router: eine mögliche Konfiguration

Also good to note, the ad https request should not timeout if the Pi-hole’s port 443 rejects the connection instead of dropping it.


There was some chatting about maybe adding a default firewall rule for that, but it’d have to account for if people have SSL they actually want to serve out or not.

Part of the timeout is browser side settings not giving up and or javascript fetching retries. It may not be entirely clear from the flow diagram, I was thinking of tweaking that wording a little bit. I’ll play around with IPTables rejects tonight and see if it resolves the issue and maybe just map it out in an updated flow chart.

Sites are very slow

Moved this to FAQs. Thanks @diginc