Hello,

i have a problem with my xiaomi smarthome devices. They are constantly spamming my pihole with DNS requests for facebook.com or google.com and i dont know why. My Xiaomi APs are spamming multiple AAAA requests a second that arent getting cached by pihole and get directly forwarded to Cloudflare... To the extend that the clients are getting ratelimited and I get blocked by cloudflare for spamming. Is there anything i can do via pi hole? They dont need to get any DNS responses as they are only accesspoints without direct connection to wan...

Is it possible to block the IPs or hosts?

Thanks in advance!

I created a guide on using Pi-hole and cloudflared for DNS-over-HTTPS (DoH) in Docker, since I didn't see one yet, and I wanted to try this setup for my homelab:

Pi-hole v6 + cloudflared (DoH) in Docker

I hope it's useful!

Hey folks, I'm trying to follow along to this process for my first pi hole, but using Mac 0SX I seem unable to use the Raspberry Pi imager as the Device drop down on won't populate any options.

Any advice would be greatly appreciated, I have checked the thread, it appears applepie bake, etcher and others exist, but will they work the same or will i need to follow a different process step by step tutorial.

Thank you
For reference, I am referring to Cross Talks youtube video and blog post.
https://www.crosstalksolutions.com/the-worlds-greatest-pi-hole-and-unbound-tutorial-2023/

https://www.youtube.com/watch?v=cE21YjuaB6o&t=395s

I am trying to figure out how to use pihole to assign or manage dhcp for ipv6

I have my pihole setup to work as my dhcp server, and it works fine, but after leaving for vacation the person looking after my house unplugged it from the wall. Now I have turned it back on, but it wont start working. Since dhcp server is disabled on my router, I cannot access that eather. I tried connecting keyboard and monitor to rpi, but it only says that its ip is 127.0.1.1

Please do not be harsh to a noob

So dont know when this started, i logged into my 2nd pihole (both running on rasp pis) this morning and i see negative values-

https://imgur.com/a/6LfrMCs

When i look at nebula logs i see this-

025-08-24T09:16:01-04:00 ERR Sync failed error="sync teleporters: https://piholehome2.lan/api/teleporter: unexpected status code: 400"

2025-08-24T09:30:00-04:00 INF Running sync mode=full replicas=1

2025-08-24T09:30:00-04:00 INF Authenticating clients...

2025-08-24T09:30:00-04:00 INF Syncing teleporters...

2025-08-24T09:31:00-04:00 INF Invalidating sessions...

2025-08-24T09:31:01-04:00 ERR Sync failed error="sync teleporters: https://piholehome2.lan/api/teleporter: unexpected status code: 400"

Whats going on? Do i have to reinstall this pihole or see if i can export and import config from my 1st pihole on gui?

Thank You

Hi all, ive just set up all my lxc on proxmox. next step was to install pihole. i originally tried creating it manually with the install script from pihole website as well as the proxmox helper scripts. Both times i manage to get dns set up and working but dhcp doesn't. I have disabled dhcp in my routers setting (vm hub 5) and disabled all firewalls on proxmox. datacentre, node and lxc. I can ping the container from outside and vice versa.

thanks for all of your wisdom - Squid

my iphone just ignoring pihole like it never exists any help? ... i saw some logs and blocked them .. no other logs

more info:

1. I don't have Icloud+ and so don't have access to Apple's private relay service
2. On your iOS device, go into your WiFi settings and turn off "Private Wi-Fi Address".
3. In the same location turn off "Limit IP Address Tracking"
4. Disable the setting in Safari for “Advanced Tracking and Fingerprinting Protection”. Find it in Settings > Safari > Advanced. By default it’s enabled for Private browsing only, but regardless when it's enabled it somehow overrides the DNS server addresses that are set on the router. Turn the feature off.

update :
dnsleaktest.com shows adguard-dns ... I've never installed it !
other devices in my network shows Cloudflare dns which is the on in my pihole settings

update 2 :

Finally fixed ... I found settings under general -> VPN & Device management

i think it's installed to all ios 14 update

Hi, when I click the hamburger menu in pihole web GUI it shows a Client IP address ending in .195. Nothing on my network has this according to the router.

The Primary IP (under System Settings) shows an IP ending in .3, which is the actual IP for the Pi.

I've noticed it is not blocking ads for some devices.

Some googling said to run pihole -r to reconfigure, but evidently that only does a repair now, and you're supposed to edit the setupVars.conf file but that is blank when I run

sudo nano /etc/pihole/setupVars.conf

Hey folks,

My existing pihole on raspberry pi has been working flawlessly for years with occasional updates.

The last major update from v5.x to 6.x - was done by me without reading the new requirements and effectively messed up my install where it got slow and would randomly drop DNS requests.

In comes the teleporter, this morning I had 15 minutes to stick an image on to a new SD card, then install pihole. Total 10 minutes, then restore pihole back to the original settings.

Total time took 15 minutes (or less) and then I had to remove DHCP/DNS from my router and hey presto back to a full ad blocking network!!

I wanted to donate a little but the links don't resolve and I get a 500 error as thanks for making pihole so simple to back and restore!

If anyone knows why its broken/ can fix it I will donate later when I get back home.

Has anyone else notice Google sponsored links (like the shopping links at the top of a search result) aren't filtered by the Steven Black list anymore? If anyone knows how to fix this I'd love to know!

So for some reason i realized that the ping is etremely high no matter what websites i vist, its in the 500-600 ms range and ive tried rebooting my pihole thinking that would fix it but yeah no luck.

CPU and memory usage still seem normal on my pihole so no idea whats going on.

Im running pihole on a rasp pi 5

Is something wrong with my rasp pi itself?

Whats going on guys and how do i fix it?

My browsing experience still remains good but yeah such high pings are unacceptable at the moment.

No idea how long this has been going for as i randomly decided to check pings this morning and found out about this.

Example -

ping reddit.com

PING reddit.com (151.101.193.140): 56 data bytes

64 bytes from 151.101.193.140: icmp_seq=0 ttl=58 time=514.741 ms

64 bytes from 151.101.193.140: icmp_seq=1 ttl=58 time=543.275 ms

64 bytes from 151.101.193.140: icmp_seq=2 ttl=58 time=574.555 ms

64 bytes from 151.101.193.140: icmp_seq=3 ttl=58 time=605.059 ms

Thank You.

Something that's been stumping me for a bit, but I just had a chance to try a little troubleshooting on my side so I'm now out of ideas and ready to post and see if the gurus can help.

I have two identical (I believe) Pi-Hole setups. They both run on Raspberry Pi Zero Ws, on the same build of DietPi with the same packages installed. I've used Teleporter to be sure that both of the Pi-Hole configurations are identical. One (PiHolePrime, 192.168.1.2) is regularly at a Load Average of 0.2, give or take. The other (PiHoleBackup, 192.168.1.3) is regularly at a Load Average of 1.1-1.2, give or take.

I considered that perhaps the MicroSD might be failing, so I swapped in a brand new MicroSD. Same issue,. I considered that perhaps a different part of the Pi might be having hardware failure, so I swapped over to an entirely different Pi Zero W. With both swaps, the Load Average has consistently been high, only on Backup.

I am stumped and figured I would turn to the experts to see if they can shed some light. In the end... everything appears to be working, so I'm not overly concerned... I'm just intensely curious at this point.

Debug tokens: https://tricorder.pi-hole.net/1Cvv8FrX/ (Prime) and https://tricorder.pi-hole.net/P7o98gh1/ (Backup)

Finally, just wanted to say thanks for everything you've done with this software (completely irrespective of if you guys can shed any light on this or not lol)

I'm at my wits end here. I've been at this since August 10th I built a headless Debian 13 server with these goals in mind: Jellyfin server, Rustdesk Server, caddy with duckdns, remote jdownloader, remote file manager, and lastly pi-hole. Everything else I got going in a few hours, but I've been trying to get pi-hole working since day one. I'm stuck in the circle of misery that goes like this: install pi-hole, mess around with it until it works, then try to go into the admin console and the webui is broken. Troubleshoot webui until it works, then any Internet things I try to do on the server automatically times out. Pull out hair trying to fix it, get it fixed, webui is broken again; rinse and repeat until my soul dies. I've tried installing it as part of the docker compose that runs the other services, same result. In a docker container by itself, same result, directly into the bare metal system, same result. I tried to go without the web UI and just use PADD. Doesn't work either. Can anyone please tell me what the fix is?

It's been driving me nuts and I can't seem to figure out what's going on. I have a Chargepoint EV charger that won't connect to the internet if I have my PiHole as the DNS; if I turn off pihole and use my ISP's DNS, everything works fine. It seems like the charger is spamming the DNS a lot. Below are some extracts from the pihole.log. On the first day, it gets a DHCP address, does whatever DNSing it needs and then chills out and stays connected for a while. But after a while the charger stops appearing in the app; when that happens, I see in the log that it is making requests every few seconds basically forever. Since, as I said, this doesn't happen if I use my ISP's DNS, I'm guess I have something misconfigured. Or maybe the EV charger is the culprit 🤷‍♀️. Hoping someone here can tell whether something screwy is going on!

I'm using the Google and OpenDNS upstreams, only ip4 (8.8.8.8 and 208.67.222.222), and I do have "Use DNSSEC" enabled.

2025-08-22 16:25:05.178 DHCPDISCOVER(wlan0) b0:fb:15:02:70:80 
2025-08-22 16:25:05.179 abandoning lease to b0:fb:15:02:70:80 of 192.168.1.23
2025-08-22 16:25:05.180 DHCPACK(wlan0) 192.168.1.23 b0:fb:15:02:70:80 
2025-08-22 16:25:05.477 DHCPREQUEST(wlan0) 192.168.1.23 b0:fb:15:02:70:80 
2025-08-22 16:25:05.478 DHCPNAK(wlan0) 192.168.1.23 b0:fb:15:02:70:80 wrong server-ID
2025-08-22 16:26:05.897 query[A] ntp.chargepoint.com from 192.168.1.23
2025-08-22 16:26:05.898 cached-stale ntp.chargepoint.com is <CNAME>
2025-08-22 16:26:05.898 cached-stale pool.ntp.org is 45.79.35.159
2025-08-22 16:26:05.943 cached-stale pool.ntp.org is 72.30.35.89
2025-08-22 16:26:05.944 cached-stale pool.ntp.org is 12.205.28.193
2025-08-22 16:26:05.945 cached-stale pool.ntp.org is 199.188.48.60
2025-08-22 16:26:05.947 forwarded ntp.chargepoint.com to 208.67.222.222
2025-08-22 16:26:05.947 query[AAAA] ntp.chargepoint.com from 192.168.1.23
2025-08-22 16:26:05.948 cached-stale ntp.chargepoint.com is <CNAME>
2025-08-22 16:26:05.949 cached pool.ntp.org is NODATA-IPv6
2025-08-22 16:26:05.949 forwarded ntp.chargepoint.com to 208.67.222.222
2025-08-22 16:26:05.958 query[A] pool.ntp.org from 192.168.1.23
2025-08-22 16:26:05.959 cached-stale pool.ntp.org is 199.188.48.60
2025-08-22 16:26:05.959 cached-stale pool.ntp.org is 45.79.35.159
2025-08-22 16:26:05.960 cached-stale pool.ntp.org is 72.30.35.89
2025-08-22 16:26:05.961 cached-stale pool.ntp.org is 12.205.28.193
2025-08-22 16:26:05.961 forwarded pool.ntp.org to 208.67.222.222
2025-08-22 16:26:05.962 query[AAAA] pool.ntp.org from 192.168.1.23
2025-08-22 16:26:05.963 cached pool.ntp.org is NODATA-IPv6
2025-08-22 16:26:05.970 validation result is INSECURE
2025-08-22 16:26:05.971 reply pool.ntp.org is 99.28.14.242
2025-08-22 16:26:05.972 reply pool.ntp.org is 173.230.154.254
2025-08-22 16:26:05.972 reply pool.ntp.org is 173.249.203.72
2025-08-22 16:26:05.973 reply pool.ntp.org is 45.79.189.79
2025-08-22 16:26:05.977 query[A] ntp.ev-chargepoint.com from 192.168.1.23
2025-08-22 16:26:05.977 cached-stale ntp.ev-chargepoint.com is <CNAME>
2025-08-22 16:26:05.978 cached pool.ntp.org is 99.28.14.242
2025-08-22 16:26:05.979 cached pool.ntp.org is 173.230.154.254
2025-08-22 16:26:05.980 cached pool.ntp.org is 173.249.203.72
2025-08-22 16:26:05.981 cached pool.ntp.org is 45.79.189.79
2025-08-22 16:26:05.983 forwarded ntp.ev-chargepoint.com to 208.67.222.222
2025-08-22 16:26:05.984 query[AAAA] ntp.ev-chargepoint.com from 192.168.1.23
2025-08-22 16:26:05.984 cached-stale ntp.ev-chargepoint.com is <CNAME>
2025-08-22 16:26:05.985 cached pool.ntp.org is NODATA-IPv6
2025-08-22 16:26:05.986 forwarded ntp.ev-chargepoint.com to 208.67.222.222
2025-08-22 16:26:06.001 query[A] pool.ntp.org from 192.168.1.23
2025-08-22 16:26:06.002 cached pool.ntp.org is 45.79.189.79
2025-08-22 16:26:06.003 cached pool.ntp.org is 99.28.14.242
2025-08-22 16:26:06.003 cached pool.ntp.org is 173.230.154.254
2025-08-22 16:26:06.004 cached pool.ntp.org is 173.249.203.72
2025-08-22 16:26:06.004 query[AAAA] pool.ntp.org from 192.168.1.23
2025-08-22 16:26:06.005 cached pool.ntp.org is NODATA-IPv6
2025-08-22 16:26:06.009 dnssec-query[DS] ev-chargepoint.com to 208.67.222.222
2025-08-22 16:26:06.019 query[AAAA] ntp.chargepointnetwork.net from 192.168.1.23
2025-08-22 16:26:06.020 cached-stale ntp.chargepointnetwork.net is NXDOMAIN
2025-08-22 16:26:06.021 forwarded ntp.chargepointnetwork.net to 208.67.222.222
2025-08-22 16:26:06.022 dnssec-query[DS] chargepoint.com to 208.67.222.222
2025-08-22 16:26:06.022 query[A] ntp.chargepointnetwork.net from 192.168.1.23
2025-08-22 16:26:06.023 cached-stale ntp.chargepointnetwork.net is NXDOMAIN
2025-08-22 16:26:06.024 forwarded ntp.chargepointnetwork.net to 208.67.222.222
2025-08-22 16:26:06.049 reply ev-chargepoint.com is no DS
2025-08-22 16:26:06.050 validation result is INSECURE
2025-08-22 16:26:06.050 reply ntp.ev-chargepoint.com is <CNAME>
2025-08-22 16:26:06.052 reply pool.ntp.org is 23.150.40.242
2025-08-22 16:26:06.052 reply pool.ntp.org is 129.250.35.250
2025-08-22 16:26:06.053 reply pool.ntp.org is 141.11.234.198
2025-08-22 16:26:06.053 reply pool.ntp.org is 204.197.163.71
2025-08-22 16:26:06.065 reply chargepoint.com is no DS
2025-08-22 16:26:06.065 validation result is INSECURE
2025-08-22 16:26:06.066 reply ntp.chargepoint.com is <CNAME>
2025-08-22 16:26:06.067 reply pool.ntp.org is 198.23.133.146
2025-08-22 16:26:06.068 reply pool.ntp.org is 23.186.168.130
2025-08-22 16:26:06.068 reply pool.ntp.org is 97.107.136.23
2025-08-22 16:26:06.069 reply pool.ntp.org is 129.146.193.200
2025-08-22 16:26:06.070 validation result is INSECURE
2025-08-22 16:26:06.070 reply ntp.chargepointnetwork.net is NXDOMAIN
2025-08-22 16:26:06.104 validation result is INSECURE
2025-08-22 16:26:06.104 reply ntp.chargepoint.com is <CNAME>
2025-08-22 16:26:06.105 reply pool.ntp.org is NODATA-IPv6
2025-08-22 16:26:06.110 validation result is INSECURE
2025-08-22 16:26:06.111 reply ntp.chargepointnetwork.net is NXDOMAIN
2025-08-22 16:26:06.185 validation result is INSECURE
2025-08-22 16:26:06.186 reply ntp.ev-chargepoint.com is <CNAME>
2025-08-22 16:26:06.187 reply pool.ntp.org is NODATA-IPv6

...checking the next day...
2025-08-23 09:11:36.425 query[AAAA] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.427 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.428 query[A] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.429 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.443 reply homecharger-cph50k-na.chargepoint.com is NODATA-IPv6
2025-08-23 09:11:36.446 reply homecharger-cph50k-na.chargepoint.com is 54.203.245.154
2025-08-23 09:11:36.447 reply homecharger-cph50k-na.chargepoint.com is 54.68.63.33
2025-08-23 09:11:36.448 reply homecharger-cph50k-na.chargepoint.com is 44.253.133.113
2025-08-23 09:11:36.449 reply homecharger-cph50k-na.chargepoint.com is 52.26.29.223
2025-08-23 09:11:36.450 query[DS] chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.451 forwarded chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.452 query[SOA] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.453 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.470 reply chargepoint.com is NODATA
2025-08-23 09:11:36.472 reply homecharger-cph50k-na.chargepoint.com is NODATA
2025-08-23 09:11:36.474 query[SOA] com from 192.168.1.23
2025-08-23 09:11:36.475 config com is NODATA
2025-08-23 09:11:36.476 query[DS] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.477 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.494 reply homecharger-cph50k-na.chargepoint.com is NODATA
2025-08-23 09:11:36.498 query[SOA] chargepoint.com from 192.168.1.23
2025-08-23 09:11:36.499 forwarded chargepoint.com to 8.8.8.8
2025-08-23 09:11:36.515 reply chargepoint.com is <SOA>
2025-08-23 09:11:43.094 query[AAAA] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:43.096 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:43.097 query[A] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:43.098 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:43.108 reply homecharger-cph50k-na.chargepoint.com is 52.26.29.223
2025-08-23 09:11:43.109 reply homecharger-cph50k-na.chargepoint.com is 54.68.63.33
2025-08-23 09:11:43.110 reply homecharger-cph50k-na.chargepoint.com is 44.253.133.113
2025-08-23 09:11:43.111 reply homecharger-cph50k-na.chargepoint.com is 54.203.245.154
2025-08-23 09:11:43.114 reply homecharger-cph50k-na.chargepoint.com is NODATA-IPv6
2025-08-23 09:11:43.115 query[SOA] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:43.116 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:43.118 query[DS] chargepoint.com from 192.168.1.23
2025-08-23 09:11:43.119 forwarded chargepoint.com to 8.8.8.8
2025-08-23 09:11:43.131 reply homecharger-cph50k-na.chargepoint.com is NODATA
2025-08-23 09:11:43.136 reply chargepoint.com is NODATA
2025-08-23 09:11:43.137 query[DS] homecharger-cph50k-na.chargepoint.com from 192.168.1.23
2025-08-23 09:11:43.138 forwarded homecharger-cph50k-na.chargepoint.com to 8.8.8.8
2025-08-23 09:11:43.140 query[SOA] com from 192.168.1.23
2025-08-23 09:11:43.141 config com is NODATA
2025-08-23 09:11:43.157 reply homecharger-cph50k-na.chargepoint.com is NODATA

Is it possible to change the host name for a pihole instance that is running as a truenas app? I tried adding an envormemtal variable: hostname, but that doesn't seem to work

Hello,

I am encountering performance issue with my pi-hole instance, and it feels quite recent, but I can't tell where it could come from.

What happens is sometimes the browser on a connected device hangs while waiting for the dns reply from pihole, and also I have uptime-kuma running locally, and it has regular timeouts on outside websites, but also on internal websites (local dns entry has been added to pihole configuration)

Below are some metrics of the instance itself, but also on the proxmox host where we can see a significant increase in disk read (steady 10mbps with some pikes, also it went from a 6mbps average to a 10+mbps average on august 1st). I don't remember having so much disk I/O for pihole, and I suppose this is creating the bottleneck.

Where should I look first ? nothing in the system, or the app seems to show related issues

Thank you ! :)

Is it possible to have a second PiHole running on my lan as a backup if the main should fail?

Many thanks for any help.

I have two piholes, pihole1 and pihole2

Each pihole handles DNS request for two separate subnets. Let's call them 192.168.1.0/24 (lan) and 192.168.2.0/24 (iot). Each as 2 nics

Right now, clients on both subnets point to pihole1.

I've had keep alived setup before, but I had 4 pihole vms, 2 on one subnet and 2 on the other. That was a easy set up. That's not an option this time.

Can keep alived be set up the way I have it configured now? Ideally have a vip for the 192.168.1.0 network and another for the 192.168.2.0 network but only using the 2 boxes.

These are not in containers. These are bare metal (working on making them vms)

Hi everyone, just start my adventure with pi-hole and docker. I’m running Docker on an Ubuntu PC with a static IP.

Both the PC and Docker containers have IPv6 addresses, but Pi-hole doesn’t seem to get one, which means I can’t use IPv6 DNS.

Pi-hole is DNS-only (not running DHCP).

What’s the proper way to assign/configure an IPv6 address for Pi-hole in this setup?

Apologies if this has been asked a bunch of times already.

Has anyone got deployed pihole inside k8s? I am trying to use deployment via argocd+kustomization, but having fee issues when deploying pihole 2025.08.0:

• web password does not get picked up from secrets (i am aware that it was moved from WEBPASSWORD v5 to FTLCONF_webserver_api_password for v6)
• resolv.conf is wrong
• can't find running unbound IP

My whole deployment comes from github workflow, where I deploy argocd, and then applies config in applications folder, where futher each application gets deployed from different folders.

Would be good if I could refer to working config, or possibly change deployment type to helm charts?

P.S. Keep in mind, that I have IPv4 + IPv6 enabled on my network. But not in kubernetes YET...

I am testing Cilium capabilities without kube-proxy, exposing admin URL via Gateway IP, while DNS is using LoadBalancer IP.

A lot of my own services are using custom internal CA [That is another project to follow up (not advertised yet)] - so keeping a single CA chain for all wildcard domains passed through Gateway API with a single secret [it is development anyways, no down vote needed], trying to get a production ready solution...

EDIT #1: Updated with manifests

ArgoCD Application: apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: pihole-a-dev namespace: argocd ## ensure it comes up after the unbound app is created; adjust as you prefer annotations: { argocd.argoproj.io/sync-wave: "1" } labels: app.kubernetes.io/part-of: pihole instance: a spec: project: default destination: { server: https://kubernetes.default.svc, namespace: default } sources: - repoURL: https://mojo2600.github.io/pihole-kubernetes/ chart: pihole targetRevision: "2.34.0" ## @TODO: bump intentionally helm: releaseName: pihole-a ## <— gives you pihole-a-web/dns Service names valueFiles: - $values/cicd/default/dev/pihole/values/base.yml - $values/cicd/default/dev/pihole/values/instance-a.yml - repoURL: https://github.com/<REDACTED_ORG>/<REDACTED_REPO> targetRevision: pihole ref: values syncPolicy: automated: { prune: true, selfHeal: true } syncOptions: ["CreateNamespace=false"]

Files inside "cicd/default/dev/pihole/" folder Secret... ``` $ k describe secret pihole-a Name: pihole-a Namespace: default Labels: <none> Annotations: <none>

Type: Opaque

Data

secret: 20 bytes ```

```

values/base.yml

admin: existingSecret: "" passwordKey: password

Turn off DHCP (we’re only using DNS)

dnsmasq: customDnsEntries: [] additionalHostsEntries: [] dhcp: enabled: false

Some charts have a second PVC for dnsmasq; leave off unless needed

dnsmasqPersistentVolumeClaim: enabled: false # ## @TODO: mirror the same as above if chart supports

extraEnvVars: DNSMASQ_LISTENING: "all" DNSMASQ_USER: "root" DNSSEC: "false" FTLCONF_dns_upstreams: "unbound.default.svc#5353" FTLCONF_dns_listeningMode: "all" FTLCONF_misc_etc_dnsmasq_d: "/etc/dnsmasq.d" FTLCONF_webserver_port: "80" PIHOLE_UID: "0" PIHOLE_GID: "0" SKIP_CHOWN: "true" TZ: "Europe/Vilnius"

image: repository: docker.io/pihole/pihole tag: "2025.08.0" ## @TODO: choose your tag imagePullPolicy: IfNotPresent imagePullSecrets: - name: dockerhub-creds ## @TODO

persistentVolumeClaim: enabled: false accessModes: ["ReadWriteOnce"] size: 32Gi

podSecurityContext: runAsUser: 0 ## @TODO: Pi-hole init runs as root runAsGroup: 0 fsGroup: 0 ## @TODO: for emptyDir it’s fine; see NFS notes below

replicaCount: 1

resources: requests: { cpu: 100m, memory: 128Mi } limits: { cpu: 300m, memory: 384Mi }

serviceDhcp: enabled: false

serviceDns: mixedService: true type: LoadBalancer externalTrafficPolicy: Local annotations: {}

serviceWeb: type: ClusterIP http: { enabled: true, port: 80 } https: { enabled: false } values/instance-a.yml admin: existingSecret: pihole-a ## @TODO: use the Secret name you created passwordKey: "secret" ## @TODO: set to the actual key in that Secret

extraVolumes: - name: vol-etc-pihole persistentVolumeClaim: { claimName: pvc-pihole-a-etc } - name: vol-etc-dnsmasq persistentVolumeClaim: { claimName: pvc-pihole-a-dnsmasq }

extraVolumeMounts: - { name: vol-etc-pihole, mountPath: /etc/pihole } - { name: vol-etc-dnsmasq, mountPath: /etc/dnsmasq.d }

serviceDns: extraLabels: { env: "dns" } annotations: lbipam.cilium.io/ips: "10.<REDACTED_SUBNET>.160" # optionally share VIPs across services by using the same key # lbipam.cilium.io/sharing-key: "dns-vip" loadBalancerIP: "10.<REDACTED_SUBNET>.160" ```

```

deployment-a.yml

apiVersion: apps/v1 kind: Deployment metadata: name: pihole-a namespace: default labels: app: pihole instance: a spec: replicas: 1 selector: matchLabels: app: pihole instance: a template: metadata: labels: app: pihole instance: a spec: # imagePullSecrets: # - name: dockerhub-creds securityContext: runAsUser: 0 runAsGroup: 0 fsGroup: 0 containers: - name: pihole image: docker.io/pihole/pihole:2025.08.0 imagePullPolicy: IfNotPresent ports: - { name: dns-udp, containerPort: 53, protocol: UDP } - { name: dns-tcp, containerPort: 53, protocol: TCP } - { name: http, containerPort: 80, protocol: TCP } env: - name: WEBPASSWORD valueFrom: secretKeyRef: name: pihole-a # ## @TODO: ensure this Secret exists key: secret

        # --- v6 upstreams & web
        - { name: FTLCONF_dns_upstreams,       value: "unbound.default.svc#5353" }   # <- no cluster domain
        - { name: FTLCONF_dns_listeningMode,   value: "all" }
        - { name: FTLCONF_webserver_port,      value: "80" }
        - { name: FTLCONF_misc_etc_dnsmasq_d,  value: "true" }

        # --- must be root (logs demanded this)
        - { name: DNSMASQ_USER, value: "root" }
        - { name: PIHOLE_UID,   value: "0" }
        - { name: PIHOLE_GID,   value: "0" }

        - { name: TZ,                   value: "Europe/Vilnius" }
        - { name: DNSMASQ_LISTENING,    value: "all" }
        - { name: IPv6,                 value: "true" }
        # - { name: DNS1,                 value: "unbound.default.svc.cluster.local#5353" }
        # - { name: DNS2,                 value: "no" }
        # - { name: SKIP_CHOWN,           value: "true" }
        # - { name: FTLCONF_PRIVACYLEVEL, value: "0" }
        # - { name: FTLCONF_MAXDBDAYS,    value: "3650" }
      volumeMounts:
        - { name: vol-etc-pihole,   mountPath: /etc/pihole }
        - { name: vol-etc-dnsmasq,  mountPath: /etc/dnsmasq.d }
      resources:
        requests: { cpu: 50m, memory: 256Mi }
        limits:   { cpu: 500m, memory: 1Gi }
  volumes:
    - name: vol-etc-pihole
      emptyDir: {}
    - name: vol-etc-dnsmasq
      emptyDir: {}

```

service: ```

service-a.yml

apiVersion: v1 kind: Service metadata: name: pihole-a-web namespace: default labels: app: pihole instance: a spec: type: ClusterIP selector: app: pihole instance: a ports:

- { name: http, port: 80, targetPort: 80, protocol: TCP }

apiVersion: v1 kind: Service metadata: name: pihole-a-dns namespace: default labels: app: pihole instance: a env: dns # ## @TODO: matches your Cilium LB IP pool selector annotations: # io.cilium/lb-ipam-ips: "10.<REDACTED_SUBNET>.160" # ## @TODO: pick an IP if you want deterministic spec: type: LoadBalancer externalTrafficPolicy: Local selector: app: pihole instance: a ports: - { name: dns-tcp, port: 53, targetPort: 53, protocol: TCP } - { name: dns-udp, port: 53, targetPort: 53, protocol: UDP } ```

PVs

```

apiVersion: v1 kind: PersistentVolume metadata: { name: pv-pihole-a-etc, labels: { app: pihole, instance: a, mount: etc } } spec: capacity: { storage: 32Gi } # ## @TODO: size accessModes: ["ReadWriteOnce"] storageClassName: "" # <- static PV (no dynamic SC) persistentVolumeReclaimPolicy: Retain mountOptions: [nfsvers=4.2, hard, noatime] # ## @TODO: tune; ok defaults nfs: server: 10.<REDACTED> # ## @TODO

path: /nfs/k8s/dev/pi1_etc # <- your exact path

apiVersion: v1 kind: PersistentVolumeClaim metadata: { name: pvc-pihole-a-etc, namespace: default } spec: accessModes: ["ReadWriteOnce"] resources: { requests: { storage: 32Gi } } storageClassName: ""

volumeName: pv-pihole-a-etc

apiVersion: v1 kind: PersistentVolume metadata: name: pv-pihole-a-dnsmasq labels: { app: pihole, instance: a, mount: dnsmasq } spec: capacity: { storage: 1Gi } # ## @TODO: size accessModes: ["ReadWriteOnce"] storageClassName: "" # <- static PV (no dynamic SC) persistentVolumeReclaimPolicy: Retain mountOptions: [nfsvers=4.2, hard, noatime] # ## @TODO: tune; ok defaults nfs: server: 10.<REDACTED>

path: /nfs/k8s/dev/pi1_dnsmasq # <- your exact path

apiVersion: v1 kind: PersistentVolumeClaim metadata: { name: pvc-pihole-a-dnsmasq, namespace: default } spec: accessModes: ["ReadWriteOnce"] resources: { requests: { storage: 1Gi } } storageClassName: "" volumeName: pv-pihole-a-dnsmasq ```

I've used Pi-hole as my primary DNS and DHCP server for seven years. Last night, friends reported their Pi-hole clients (wireless and LAN) couldn’t resolve DNS queries. I faced the same issue today. Reinstalling the OS and Pi-hole didn’t help. Switching to other DNS servers (local, Google, Cloudflare) resolves the issue, and redirecting DHCP clients to these servers works. Anyone else seeing DNS resolution failures with Pi-hole? Sorry if this is a known issue.

Baffling DHCP/DNS Problem (Work around - Not solved)

If you use a PI as your primary local DHCP and DNS server, this might help out in this specific case.

My Roku IoT devices, cameras running recently updated linux, and systems running Debian 13, Ubuntu 25.10, and Ubuntu 24.04 were getting a valid DHCP packet, but their /etc/resolv.conf file was incorrectly set to 127.0.0.53. This only happened on wireless connections and only when get DHCP from the PI. Other DHCP servers worked fine.

The problem persisted even after I migrated from a Raspberry Pi 3B to an EQ14 running Ubuntu 24.04, confirming it wasn't OS or hardware-specific.

My fix was to start a DNS server on my default gateway and point it to my Pi-hole for upstream resolution. I then added this new DNS server to my Pi-hole's configuration under All settings > Miscellaneous > misc.dnsmasq_lines. Now all my DCHP clients (wired and wireless) get two DNS Servers, the primary PI DNS and also the secondary default gateway DNS server (pointing back at the primary PI DNS server). After a full network reboot, the issue was resolved.

While unconventional, this solution has worked for me and the local folks. Hope this helps if you have this corner case requirement.

In the PiHole 'Upstream DNS Servers' there are two boxes inder each IPV4&6. Are these main & backup?

In the image below will it use Quad9 for the main and Cloudflare for the backup on IPV4?

https://postimg.cc/PvGs7KNk

Hi

I definitely had quite some hard making this possible( i did it) but its very unreliable.

I was planning to make an VPN Server( Dedicated Server with 10G Ethernet) but I setuped wireguard correctly worked fine with cloudflare dns. But when switched the local ip to pihole sometimes it worked sometimes not.

Also i had difficult time changing the web port drom 80,443 to 8080 and 8443. (If someone did please leave an pm)

Hey all. Have been running Pihole for several months and working well, but I haven’t really ever dug into the dashboard. Can someone help me understand the difference between the designations in the post title? I’m in my dashboard trying to figure out what device is what. Very confusing to a guy that isn’t too familiar with networking!