# Domain Name System (DNS)

# Pi-hole - DNS server



# Pi-hole on container in Proxmox

Login into Proxmox





Download Debian distro template for containers. For some reason it might be cancelled or disrupted. As we now, which one template is expecting to find, let's download that manually. Navigate to containers' templates storage, find suitable and hit [Download] button
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/jC11M14U0vnzst2w-image-1776047559608.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/jC11M14U0vnzst2w-image-1776047559608.png)

Download task itself
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/UsKJgEmTpyDkkL9X-image-1776049815356.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/UsKJgEmTpyDkkL9X-image-1776049815356.png)

Template downloaded
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/i3t7w6bp5XxUEJw2-image-1776049915546.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/i3t7w6bp5XxUEJw2-image-1776049915546.png)

Script location:
```url
https://community-scripts.org/scripts/pihole?id=pihole
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/ux0DdwBOxOP5PGDD-image-1776046499317.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/ux0DdwBOxOP5PGDD-image-1776046499317.png)

```bash
curl https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/pihole.sh
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/Y6N7SHqkQARLqzz3-image-1776046567181.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/Y6N7SHqkQARLqzz3-image-1776046567181.png)


Paste and execute, this will download a script and execute it on hypervisor:

Let's see what is inside of this script
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/mo6uiVFUSvpvfv1s-image-1776046835958.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/mo6uiVFUSvpvfv1s-image-1776046835958.png)


and invoke it's from the shell, when confident:
```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/pihole.sh)"
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/nzuwOE9o5M4Yj39H-image-1776046905560.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/nzuwOE9o5M4Yj39H-image-1776046905560.png)

First screen is regarding telemetry data, do you choice using [Tab], [Space], [Enter]:
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/Gi9JZL4CaQe9ZuCg-image-1776046632435.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/Gi9JZL4CaQe9ZuCg-image-1776046632435.png)

Use 'Default Install'
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/fm3JA32eFDzso8Hp-image-1776046983995.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/fm3JA32eFDzso8Hp-image-1776046983995.png)

Begin, this will look for Debian Linux distro (and if necessary download it):
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/gF8qlCoKnv6xfG6o-image-1776049978821.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/gF8qlCoKnv6xfG6o-image-1776049978821.png)[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/nzax3XQYhp96kBVu-image-1776047033341.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/nzax3XQYhp96kBVu-image-1776047033341.png)

Script will download container and do configuration of container

Now, when container is ready, Proxmox's script will invoke Pi-hole script (which is actual application installer)
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/hxLkJJrbF9w06VpY-image-1776050248856.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/hxLkJJrbF9w06VpY-image-1776050248856.png)


Final question is about 'Unbound' service
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/ZSdWS3yzI6J2BHYK-image-1776050468512.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/ZSdWS3yzI6J2BHYK-image-1776050468512.png)


Check in the browser the URL, which is indicated by installer.
```url
http://10.77.81.110/admin
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/4lQhoc8zFVnSMSlL-image-1776050541241.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/4lQhoc8zFVnSMSlL-image-1776050541241.png)



Configuration of Pi-hole is described in another page. 

The only change we want to perform is to change IP address. Locate container, open it's network configuration, change from DHCP to STATIC and define desired IP address (remember do define CIDR mask).
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/1rzsf3p8gPnagxkI-image-1776050869616.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/1rzsf3p8gPnagxkI-image-1776050869616.png)

Open container's shell , take a note of network address and perform restart
```bash
ip -br a
shutdown -r now
```

Verify after reboot again
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/H71VTfVlVgtmO6N8-image-1776051082382.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/H71VTfVlVgtmO6N8-image-1776051082382.png)
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/i6C6rYAGzjImQAsk-image-1776050993341.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/i6C6rYAGzjImQAsk-image-1776050993341.png)


Last thing, before go: verify that container has "Start on boot" tick box enabled. Thus, we shall be sure that DNS server will be started with hypervisor. That applies to all machines, which need to be started (such as main router :)
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/3zDfT7RJKI6tvJsp-image-1776051154530.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/3zDfT7RJKI6tvJsp-image-1776051154530.png)



Next morning, after the first day of DNS traffic

With no filtering lists loads, DNS server serverd 54% of cached traffic to local clients. That is very good, which means, that local clients received DNS response earlier, rather then for original query.

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/scaled-1680-/9NrSQA23AibamPP0-image-1776138176574.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2026-04/9NrSQA23AibamPP0-image-1776138176574.png)

# Pi-hole - DNS server

Purpose: Trusted and Filtering Feature Domain Name Resolution
Solution: Pi-hole (https://pi-hole.net/)
OS: Debian GNU/Linux 12 (bookworm)


preparations:



setup
```
# Pi-hole Automated Installer
This installer will transform your device into a network-wide ad blocker!
[OK]

# Open Source Software
The Pi-hole is free, but powered by your donations:
https://pi-hole.net/donate/
[OK]
```

Decide and assign static IP address
```
# Static IP Needed
The Pi-hole is a SERVER so it needs a STATIC IP ADDRESS to function properly.

IMPORTANT: If you have not already done so, you must ensure that this device has a static IP.

Depending on your operating system, there are many ways to achieve this, through DHCP reservation, or by manually assigning one. 
Please continue when the static addressing has been configured.
[Continue]


# Select Upstream DNS Provider. To use your own, select Custom.
(*)  Cloudflare (DNSSEC)


# Blocklists
Pi-hole relies on third party lists in order to block ads.
You can use the suggestion below, and/or add your own after installation.
Select 'Yes' to include:
StevenBlack's Unified Hosts List
[Yes]


# Enable Logging
Would you like to enable query logging?
[Yes]


# Select a privacy mode for FTL.                                     https://docs.pi-hole.net/ftldns/privacylevels/
(*) 0  Show everything
[Continue]
```

```
# Installation Complete!

Configure your devices to use the Pi-hole as their DNS server using:

IPv4: 10.166.0.2
IPv6: Not Configured
If you have not done so already, the above IP should be set to static.
View the web interface at http://pi.hole/admin:80 or
http://10.166.0.2:80/admin

Your Admin Webpage login password is (superpass)
```


Configure admin dashboard listening port
```bash
vi /etc/pihole/pihole.toml
```
Let's disable IPv6, disable HTTP and swap HTTPS port
```bash
#  port = "80o,443os,[::]:80o,[::]:443os"
  port = "445os"
```

Restart service and check port has been changed
```bash
systemctl restart pihole-FTL
ss -ntap | grep hole
````


## Advanced usage

Install database cient
```bash
apt install sqlite
```

Set pattern
```bash
# export pattern="dox.installanduse.com"
# export pattern="dox.2dz.fi"
export pattern="ntp"
```

List domains from gravity database (blocking list)
```bash
sqlite3 /etc/pihole/gravity.db \
    "SELECT domain FROM gravity \
    WHERE domain LIKE '%${pattern}%' \
    COLLATE NOCASE ORDER BY domain;"
```

List schema
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db .schema
```

List queries from pihole-FTL database (log)
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT DISTINCT domain
    FROM queries
    WHERE domain LIKE '%${pattern}%'
    ORDER BY domain;"
```

Detail
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT DISTINCT d.domain
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    WHERE d.domain LIKE '%${pattern}%'
    ORDER BY d.domain;"
```

Query and client
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT c.ip || ' ' || d.domain
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    JOIN client_by_id c ON c.id = q.client
    WHERE d.domain LIKE '%${pattern}%'
    ORDER BY c.ip, d.domain;"

# can be used by adding suffix " | uniq"
```

Queries by specific client
```bash
export pattern="dox.2dz.fi"
export src="192.168.0.0"

sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT DISTINCT d.domain
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    JOIN client_by_id c ON c.id = q.client
    WHERE c.ip = '${src}'
      AND d.domain LIKE '%${pattern}%'
    ORDER BY d.domain;"
```

With count, most frequent
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT d.domain, COUNT(*)
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    WHERE d.domain LIKE '%${pattern}%'
    GROUP BY d.domain
    ORDER BY COUNT(*) DESC, d.domain;"
```

Only last 24 hours
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT DISTINCT d.domain
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    WHERE d.domain LIKE '%${pattern}%'
      AND q.timestamp > unixepoch('now','-1 day')
    ORDER BY d.domain;"
```

Detail: timestamp + source IP + domain
```bash
sqlite3 -noheader /etc/pihole/pihole-FTL.db \
    "SELECT datetime(q.timestamp,'unixepoch','localtime') || ' ' || c.ip || ' ' || d.domain
    FROM query_storage q
    JOIN domain_by_id d ON d.id = q.domain
    JOIN client_by_id c ON c.id = q.client
    WHERE d.domain LIKE '%${pattern}%'
    ORDER BY q.timestamp;"
```