Pi-hole and Cloudflared
Overview
| Field | Value |
|---|---|
| Purpose | Resolve client DNS and filter unwanted domains |
| Business function | Internal name resolution and DNS policy |
| Owner | IT Operations |
| Criticality | Critical |
| Host | LXC 107 dns |
| Address | 192.168.2.2 |
Architecture
LAN clients receive 192.168.2.2 as their DNS server from pfSense DHCP. pfSense redirects client DNS traffic to Pi-hole. Cloudflared provides the upstream encrypted resolver path.
Installation
Pi-hole and Cloudflared run as native services inside Debian 12 LXC 107. The June 14, 2026 audit found
Pi-hole Core v5.18.4, Web v5.21, FTL v5.25.2, and Cloudflared
2025.6.1. A clean rebuild should install current Pi-hole v6 rather than
restoring this LXC filesystem.
Configuration
- Proxmox: 2 cores, 512 MiB RAM, 8 GiB disk
- Network: vmbr0, VLAN 2, DHCP reservation/current address 192.168.2.2
- Startup: second, after pfSense
- Client DNS: handed out by pfSense LAN DHCP
Operational Procedures
```
ssh pve
pct status 107
pct enter 107
systemctl --failed
```
Enabled services are pihole-FTL.service and cloudflared.service. Export
Pi-hole settings with Teleporter before rebuilding. The Cloudflared tunnel
token is secret-bearing service configuration: store it outside the
documentation repository and rotate it before migration.
Troubleshooting
- Test IP reachability to 192.168.2.2.
- Test `dig @192.168.2.2 example.com`.
- Check pfSense DNS NAT and block rules.
- Check Pi-hole query logs and upstream Cloudflared health.
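The checks above can be narrowed by reading what `dig` actually returned. The following is an added example, not part of the captured configuration: the function names, verdict labels and sample outputs are constructed for illustration, and it assumes Pi-hole's default NULL blocking mode (blocked names answer `0.0.0.0`).

```shell
#!/bin/sh
# Added example: map `dig @192.168.2.2 <name>` output to the layer to check next.
DNS_SERVER="192.168.2.2"   # Pi-hole address from this page

# Constructed sample dig outputs (not captured from the real host).
SAMPLE_TIMEOUT=';; communications error to 192.168.2.2#53: timed out
;; no servers could be reached'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;ads.example. IN A
ads.example. 2 IN A 0.0.0.0'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;example.com. IN A
example.com. 300 IN A 192.0.2.10'

# Reads dig output on stdin and prints one verdict:
#   unreachable      -> test IP reachability, `pct status 107`, pfSense rules
#   upstream-failure -> Pi-hole answered SERVFAIL; likely cloudflared.service
#   blocked          -> Pi-hole returned 0.0.0.0 (assumed NULL blocking mode);
#                       confirm in the Pi-hole query log
#   ok               -> resolution works end to end
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo "unreachable"; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            if printf '%s\n' "$out" | awk '$4=="A" && $5=="0.0.0.0" {f=1} END {exit !f}'; then
                echo "blocked"
            else
                echo "ok"
            fi ;;
        SERVFAIL) echo "upstream-failure" ;;
        "")       echo "unparsed" ;;
        *)        echo "other:$status" ;;
    esac
}

# Live check: one attempt, 2 s timeout, so a dead resolver fails fast.
check_dns() {
    dig +time=2 +tries=1 "@$DNS_SERVER" "${1:-example.com}" 2>&1 | classify_dig_output
}
```

Source the file on a LAN client and run `check_dns example.com`; the verdict points at which of the troubleshooting steps to take first.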
Related Systems
References
- Proxmox, Pi-hole, Cloudflared, and pfSense configuration captured June 14, 2026