Pi-hole

Network-wide DNS sinkhole and ad blocker serving all production, tutorial, and IoT VLANs. Paired with Unbound for recursive DNS resolution — queries go directly to root servers with no third-party DNS dependency. The WiFi VLAN is excluded to keep guest and family devices on ISP DNS. Listening mode is set to SINGLE so it accepts queries from any subnet while only binding to eth0. Pi-hole v6 exposes a REST API at `/api/` for programmatic access (the old `/admin/api.php` endpoint from v5 is gone).