
Pi-hole + Unbound

Identity

Service: Pi-hole + Unbound
Container Type: lxc
VMID: 100
IP:Port: 10.1.99.100:53

Host

Host: Jack

Network

VLAN: VLAN 99 — DNS

Resources

vCPU: 1
RAM: 512 MB
Disk: 4 GB
OS: Debian 13 (trixie)
Domain: pihole.hake.rodeo

Depends On

None

Depended On By

None

Overview

Pi-hole provides network-wide DNS ad blocking, and Unbound handles recursive DNS resolution — no queries go to Google, Cloudflare, or any third-party DNS provider.

All VLANs except WiFi (VLAN 1) route DNS through Pi-hole. Clients query Pi-hole directly (routed by UDR 7), giving per-client visibility in the dashboard.

Service Details

  • VMID: 100
  • IP: 10.1.99.100
  • VLAN: 99 (DNS)
  • Port: 53 (DNS)
  • OS: Debian 13 (trixie)
  • Container: Unprivileged LXC with nesting
  • Resources: 1 vCPU, 512 MB RAM, 4 GB disk
  • Pi-hole: v6.5
  • Unbound: v1.22.0
  • Web Admin: http://10.1.99.100/admin

DNS Architecture

Clients on VLANs 10, 20, and 30 have their DHCP DNS set to 10.1.99.100 in UniFi. DNS queries are routed by the UDR 7 to Pi-hole on VLAN 99. Pi-hole filters the query against its gravity blocklist (78,000+ domains), then forwards allowed queries to Unbound, which resolves recursively from root DNS servers.

VLAN 1 (WiFi) is excluded and uses the ISP's default DNS.

Why Unbound?

Instead of forwarding DNS to a third party like Google (8.8.8.8) or Cloudflare (1.1.1.1), Unbound performs recursive resolution starting from the root nameservers. This means no single upstream provider sees all your DNS queries — better privacy with no external dependency.
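
A check for the claim above that nothing is forwarded to a third-party resolver, as an added example that is not part of this homelab's own configuration: it scans dnsmasq-format lines from Pi-hole's query log and reports any forward that does not go to Unbound. The Unbound address 127.0.0.1#5335, the log line format and the sample lines are assumptions; the page states none of them.

```python
import re
from collections import Counter

# Assumption: Unbound listens on loopback port 5335 (the page does not state it).
ALLOWED_UPSTREAMS = {"127.0.0.1#5335"}

# Assumed dnsmasq-style line formats, as written to Pi-hole's query log.
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD = re.compile(r"forwarded (\S+) to (\S+)")
BLOCKED = re.compile(r"gravity blocked (\S+) is ")

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = """\
Jan  5 12:00:01 dnsmasq[412]: query[A] example.org from 10.1.10.23
Jan  5 12:00:01 dnsmasq[412]: forwarded example.org to 127.0.0.1#5335
Jan  5 12:00:01 dnsmasq[412]: reply example.org is 192.0.2.10
Jan  5 12:00:02 dnsmasq[412]: query[A] ads.example.net from 10.1.20.7
Jan  5 12:00:02 dnsmasq[412]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 12:00:03 dnsmasq[412]: query[AAAA] example.com from 10.1.30.5
Jan  5 12:00:03 dnsmasq[412]: forwarded example.com to 1.1.1.1
"""

def audit(lines, allowed=ALLOWED_UPSTREAMS):
    """Summarise a query log and list forwards that bypass Unbound."""
    clients, upstreams, blocked, leaks = Counter(), Counter(), [], []
    for line in lines:
        if m := QUERY.search(line):
            clients[m.group(3)] += 1          # per-client query count
        elif m := BLOCKED.search(line):
            blocked.append(m.group(1))        # answered from the gravity list
        elif m := FORWARD.search(line):
            domain, upstream = m.groups()
            upstreams[upstream] += 1
            if upstream not in allowed:       # forwarded somewhere other than Unbound
                leaks.append((domain, upstream))
    return {"clients": clients, "upstreams": upstreams,
            "blocked": blocked, "leaks": leaks}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    for domain, upstream in report["leaks"]:
        print(f"LEAK: {domain} forwarded to {upstream}, not Unbound")
    print("queries per client:", dict(report["clients"]))
```

An empty leak list over a representative log window supports the Unbound-only claim; any entry points to an extra upstream configured in Pi-hole.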

Blocked Domains

Pi-hole ships with default blocklists covering ads, trackers, and known malware domains. Additional curated lists like oisd.nl or hagezi can be added for broader coverage.
