Pi-hole and Cloudflared

Overview

| Field | Value |
| --- | --- |
| Purpose | Resolve client DNS and filter unwanted domains |
| Business function | Internal name resolution and DNS policy |
| Owner | IT Operations |
| Criticality | Critical |
| Host | LXC 107 dns |
| Address | 192.168.2.2 |

Architecture

LAN clients receive 192.168.2.2 as their DNS server from pfSense. pfSense also redirects client DNS traffic to Pi-hole. Cloudflared provides the upstream encrypted resolver path.

Installation

Pi-hole and Cloudflared run as native services inside Debian 12 LXC 107. The June 14, 2026 audit found Pi-hole Core v5.18.4, Web v5.21, FTL v5.25.2, and Cloudflared 2025.6.1. A clean rebuild should install current Pi-hole v6 rather than restoring this LXC filesystem.

Configuration

  • Proxmox: 2 cores, 512 MiB RAM, 8 GiB disk
  • Network: vmbr0, VLAN 2, DHCP reservation/current address 192.168.2.2
  • Startup: second, after pfSense
  • Client DNS: handed out by pfSense LAN DHCP

Operational Procedures

ssh pve
pct status 107
pct enter 107
systemctl --failed

Enabled services are pihole-FTL.service and cloudflared.service. Export Pi-hole settings with Teleporter before rebuilding. The Cloudflared tunnel token is secret-bearing service configuration: store it outside the documentation repository and rotate it before migration.
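One way to check that the tunnel token has not been committed to the documentation repository, as an added example that is not part of the original runbook. It assumes the token is base64-encoded JSON carrying the fields `a`, `t` and `s`; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import re
import sys
from pathlib import Path

# Runs of base64 / base64url characters long enough to hold a token.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{60,}={0,2}")
TOKEN_KEYS = {"a", "t", "s"}  # assumed token fields: account, tunnel ID, secret


def looks_like_tunnel_token(candidate: str) -> bool:
    """True if the string base64-decodes to a JSON object with a, t and s."""
    body = candidate.rstrip("=").replace("+", "-").replace("/", "_")
    body += "=" * (-len(body) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(obj, dict) and TOKEN_KEYS.issubset(obj)


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted preview) for each token-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            if looks_like_tunnel_token(match.group()):
                hits.append((lineno, match.group()[:8] + "...[redacted]"))
    return hits


def scan_repo(root: str) -> list[tuple[str, int, str]]:
    """Scan every file under root, skipping the .git directory."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and ".git" not in p.parts)
    return [(str(p), n, s) for p in files
            for n, s in scan_text(p.read_text(encoding="utf-8", errors="ignore"))]


def make_constructed_token() -> str:
    """Constructed sample with the token's shape; it is not a real secret."""
    fields = {"a": "0" * 32, "t": "0" * 36, "s": "constructed-not-a-secret"}
    return base64.b64encode(json.dumps(fields).encode()).decode()


if __name__ == "__main__":
    found = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, preview in found:
        print(f"{path}:{lineno}: possible tunnel token {preview}")
    sys.exit(1 if found else 0)
```

Run against the repository root, it exits non-zero on a finding, so it can serve as a pre-commit or CI gate. Previews are truncated so the scan output does not leak the token.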

Troubleshooting

  • Test IP reachability to 192.168.2.2.
  • Test dig @192.168.2.2 example.com.
  • Check pfSense DNS NAT and block rules.
  • Check Pi-hole query logs and upstream Cloudflared health.

References

  • Proxmox, Pi-hole, Cloudflared, and pfSense configuration captured June 14, 2026