Pi-hole in Proxmox: DNS Sinkhole, DHCP, and Local DNS with LXC

To err is human, to blame it on someone else is even more human, Jacob’s Law

Introduction

Pi-hole® is an easy-to-install, lightweight, and network-wide DNS sinkhole that blocks ads and trackers at the DNS level. It protects your devices from unwanted content, without installing any client-side software.

A sinkhole in Pi-hole is essentially a DNS resolution technique that redirects requests for known ad-serving domains to a non-routable IP address (typically 0.0.0.0 or 127.0.0.1). This means that when a device on your network attempts to reach an ad domain, it is redirected to a “black hole,” effectively preventing the ad from being served.

Installation Proxmox VE Helper-Scripts

We are going to install it using Proxmox VE Helper-Scripts. These are a collection of scripts for simplifying and optimizing your HomeLab.

In the section of Ad Blocker -DNS, select Pi-Hole LXC. AdBuard Home LXC is another widely-used Ad blocker.

To create a new Proxmox VE Pi-hole LXC, run the command below in the Proxmox VE Shell.

bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/pihole.sh)"

Step 1. This will create a New Pihole LXC. Proceed? Yes Step 2. User Default Setting? Yes Step 3. Which storage pool you would like to use for the container? mypool (Adjust to your settings.) Step 4. Would you like to add Unbound? Yes

LX Container 103 was successfully created. […] Network Connected: 192.168.1.126. […]

# After installing Pi-hole for the first time, a password is generated and displayed to the user. The password cannot be retrieved later on, but it is possible to set a new password:
# Go to your docker, e.g., 103 (pihole) (root, password empty) and create a new password.
sudo pihole -a -p

Normal Installation

1. Update LXC Templates and Download an OS Template. In the Proxmox web UI, select your Proxmode node, go to Shell, update available templates: pveam update

2. Download an OS Template. In the Proxmox web UI interface, select the storage where you want to store the templates (e.g., local (myserver)), select CT Templates, click Templates, find, select, and download a Debian template (e.g., debian-12-standard_12.7-1_amd64.tar.zst).

3. Create a New LXC Container. Right-click on your Proxmox node and select Create CT or click on Create CT at the top right of the screen.

4. A new window comes up for container creation.

   In the General tab, assign a unique VM ID, set a descriptive Hostname (e.g., mypihole) and a strong Password for the root user. It is generally recommended to run containers as unprivileged for better security.
   Template: Select the Debian template we downloaded previously. Allocate minimal resources.
   Disk: Set your storage (e.g., mypool) and a reasonable Disk size, e.g., 4 or 8GB. Pi-hole itself is lightweight, but consider providing enough space for logs and potential blocklists. You could keep the defaults for the rest of the tabs.
   CPU: Allocate at least 1 Core.
   Memory: Set Memory and Swap limits. 512MB of Memory and 512MB/1GB RAM of Swap are generally enough for most cases.
   Network. On the Network tab, choose a bridged mode. It is the most common and recommended setup. Select your network bridge (usually vmbr0) so the container (Pi-hole) is directly on the LAN. I am going to use DHCP, meaning my router’s DHCP will provide the Pi-hole’s IP address.
   Leave DNS Server on Use host settings unless you have specific requirements or specify a public DNS server (like 1.1.1.1 or 8.8.8.8).
   Finally, ensure Start at boot is enabled so the container auto-starts, Review carefully your settings and click Finish to create the container.

5. Some templates or container images may not have the correct console configuration. In Proxmox, go to the container, then Options, Console mode, select shell.

6. Access the Container (login as root and type the previous password that you introduced in the General tab) and Install Pi-hole. Select the newly created Pi-hole container in the Proxmox web interface, then run the following commands:

   # Update the package list and upgrade existing packages
   apt update && apt upgrade -y
   # Install curl, which is needed to download the Pi-hole installation script
   apt install curl -y
   # Download and run the official Pi-hole installation script
   # Make sure to review the script before running this command.
   curl -sSL https://install.pi-hole.net | bash
   

7. Configure Pi-hole during Installation. Follow the on-screen prompts: Confirm static IP. The Pi-hole is a SERVER so it needs a static ip address to function properly: Continue (DHCP reservation)
   Upstream DNS Provider: Choose your preferred resolver (e.g. Cloudflare, Google).
   StevenBlack’s Unified Host List (third party blacklist): Yes. Enable the default ad blocklists (recommended).
   Would you like to enable query logging: Yes.
   Privacy and query logging. Select a privacy mode for FTL. Using privacy levels you can set the desired privacy level; allowing full logging (Show everything) is useful for troubleshooting and is default: 0 Show everything.

   

8. Access the Pi-hole Web Interface. Open a web browser and navigate to [http://] + Pi-hole-IP + [/admin], e.g., [http://] + 192.168.1.43 + [/admin]. Log in using the password provided during the installation. You should change this password immediately for security by running sudo pihole setpassword in the container’s console.

9. Add a new adlist. Go to List, type a list in Address (e.g., Blocklistproject, https://blocklistproject.github.io/Lists/ads.txt), a description in Comments (e.g., adds), and smash the Add button. Then, run pihole -g or update your gravity list online after modifying your adlists.

DHCP reservation

To set up a DHCP reservation, you assign a specific IP address to a device based on its MAC address. This ensures the device always receives the same IP from your DHCP server (typically your router).

1. *Find the Device’s MAC Address: ipconfig /all (Windows).

   # Windows. Look for the Physical Address (MAC) under your active network adapter.
   ipconfig /all
   # Linux.
   ip a
   # Each interface has its own MAC address, which is a unique hardware identifier.
   1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host noprefixroute
      valid_lft forever preferred_lft forever
   2: enp5s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
   link/ether 7d:10:c9:42:f2:b0 brd ff:ff:ff:ff:ff:ff
   # Wired Ethernet (enp5s0): 7d:10:c9:42:f2:b0
   inet 192.168.1.36/24 brd 192.168.1.255 scope global noprefixroute enp5s0
      valid_lft forever preferred_lft forever
   inet6 fe80::8599:d65a:4c5:a28a/64 scope link noprefixroute
      valid_lft forever preferred_lft forever
   

2. Access Your Router. Open a browser, enter your router’s IP (e.g., 192.168.1.1, 192.168.0.1, or 10.0.0.1), and log in with your admin credentials.
3. Create the Reservation. Navigate to LAN/DHCP Settings (varies by router, e.g., Configuración avanzada, Advanced Setup, LAN). Add a new entry by clicking Add Entries, type the device’s MAC address and assign a static IP. Save changes and reboot the router if required.

Router and client configuration

The rooter configuration depends on your models and ISP provider. Open a web browser, type your router's IP address in the address bar (e.g., 192.168.0.1, 192.168.1.1, 10.0.0.1, 172.16.0.1).

You’ll be prompted for a username and password. These are usually printed on a sticker on the router itself or in the manual.

You have two main options: let Pi-hole handle DHCP or continue using your router’s DHCP but point it to Pi-hole for DNS.The best approach is usually to configure your router’s DHCP server to provide the Pi-hole’s IP address. This way, all devices that connect to your network via DHCP will automatically use the Pi-hole. Then, use the Pi-hole as DNS Server.

Locate the DNS Settings. Look for a section labeled “Basic,” “Internet,” “WAN,” “LAN,” “DHCP,” or “DNS.” Within that section, you should find fields for “DNS Server,” “Primary DNS,” “Secondary DNS,” or similar, e.g., Menu, Configuración Avanzada, Advanced Setup, DNS, DNS Server.

Change the “Primary DNS Server” to your Pi-hole’s IP address. Leave the “Secondary DNS Server” blank or set it to the previous “Primary DNS Server”: Quad9 (149.112.112.112), Google (8.8.8.8) or Cloudflare’s (1.1.1.1). This servers are used as a backup DNS resolution name in case your Pi-hole is unavailable.

Click “Save,” “Apply,” or a similar button to save your changes. Your router might reboot.

If you can't or don't want to change your router's DNS settings, you can configure individual clients (computers, smartphones, tablets, etc.) to use your Pi-hole as their DNS server.

1. Windows. Open Control Panel and go to Network and Internet, Network and Sharing Center, Change adapter settings. Right-click on the network adapter you’re using (Wi-Fi or Ethernet) and select Properties. Internet Protocol Version 4 (TCP/IPv4): Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties.” Under the section Use the following DNS server addresses, Preferred DNS server: Enter your Pi-hole’s IP address.

2. macOS: System Preferences, Network. Select the network you’re using (Wi-Fi or Ethernet) and click Advanced. Go to the “DNS” tab. Add DNS Server: Click the “+” button to add a new DNS server. Enter your Pi-hole’s IP address. Click “OK” and “Apply” to save the changes.

3. Linux. It varies depending on the desktop environment and network manager you’re using, e.g., open your network settings, select the network connection you’re using, look for IPv4 Settings or similar. Change the Method to Manual and enter your Pi-hole’s IP address in the “DNS” field.

   

Configuring your Pi-hole to assign names to your clients

One way to ensure that clients always get the same IP address and hostname is using Pi-Hole as a DHCP server. Go to Settings, DHCP, and enable DHCP Server. Then, use the Pi-hole as DNS Server.

If your router is handling DHCP, you’ll need to disable DHCP on your router and let Pi-hole handle it.

Local DNS Records. If you don’t want to use DHCP or if you have devices with static IP addresses that you want to give names, you can use local DNS records. Use this to give fixed names to devices with static IPs, just like /etc/hosts.

In the Pi-hole web interface, go to Settings, Local DNS Records, List of local DNS records. There are two fields:

• domain: Enter the hostname you want to use (e.g., mynixos).
• IP Address: Enter the IP address of the client (e.g., 192.168.1.36).

Finally, save the changes by clicking + to create the record and verify ping 192.168.1.36.

Even though you’ve added the local DNS record in Pi-hole, your devices might not be querying Pi-hole for DNS or they might have cached old DNS records.

1. Verify Pi-hole is the DHCP Server.
2. Check Client DNS Settings (If Not Using Pi-hole DHCP).
3. Flush DNS Cache on Clients: ipconfig /flushdns (Windows), sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder (macOS), sudo resolvectl flush-caches or sudo systemctl restart systemd-resolved (Ubuntu).

In NixOS, open your /etc/nixos/configuration.nix file:

networking.nameservers = [ "192.168.1.43" "80.58.61.254" ]; # where "192.168.1.43" is Pi-Hole's IP Address

# Rebuild your NixOS configuration and switch to the new configuration:
sudo nixos-rebuild switch

Maintenance

To update Pi-hole in the future, simply open a shell in the container and run: pihole -up