PiHole

Description

Now that we have Proxmox up and running, we can start creating Containers and Virtual Machines. Our first Container will be running PiHole.

Not only can it block ads; because it will replace our normal DNS nameserver, it is also the perfect place to let every device on our network reach our homelab services by domain name instead of having to remember IP addresses.

Installation

Download LXC Templates

  • In the Proxmox web UI, navigate to your node's local storage in the tree view on the left. e.g., if you're using Server View: Datacenter > your node name > local, and if you're using Folder View: Datacenter > Storage > local
  • Select CT Templates in the list view in the middle of the screen, then click the Templates button on the ribbon in the details pane on the right.
  • Pick a flavour of Linux to download. For this guide I'll use Debian 12.

Create new LXC

  • Once the template for your Linux distro has downloaded, click the Create CT button in the top right corner.
  • Follow the wizard.
    • In the Network tab, note that under IPv4/CIDR you need to specify the IP address in CIDR notation, e.g., 192.168.100.3/24.
  • It should create your container, which you can then Start.
  • Open the container's console and first run apt update && apt upgrade -y
  • Next, to install PiHole, run curl -sSL https://install.pi-hole.net | bash
    • Note: Remember, running scripts blindly from the internet is risky.
  • Again, follow the wizard.
  • Once you've installed it, run sudo pihole -a -p to set your own password for the Web GUI.
  • Lastly, set the container to auto start. Select the container in the Proxmox web UI, select Options in the list view, then on the right pane change the setting for Start at Boot to enabled.
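The same steps as the wizard above, as an added shell example that is not part of this guide, done instead from the Proxmox node's own shell with pveam and pct. The CT id 103, bridge vmbr0, gateway 192.168.100.1 and the storage names local and local-lvm are assumptions; 192.168.100.3/24 is the address the guide uses. The installer is saved to a file and sanity-checked so it can be read before it is run, which is the practical answer to the note about piping scripts from the internet into bash.

```shell
#!/bin/sh
# Added example, not from the guide: Create CT wizard + Pi-hole install from the node shell.
# Assumed values (change to taste): CT id 103, bridge vmbr0, Pi-hole at 192.168.100.3/24,
# gateway 192.168.100.1, "local" for templates and "local-lvm" for the root disk.
set -u
CTID=${CTID:-103}
CT_IP=${CT_IP:-192.168.100.3/24}
GATEWAY=${GATEWAY:-192.168.100.1}
BRIDGE=${BRIDGE:-vmbr0}

# The Network tab wants CIDR notation (e.g. 192.168.100.3/24); reject anything that
# is not a.b.c.d/n with n in 0-32.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# A downloaded installer should at least be a non-empty shell script before anyone runs it.
looks_like_shell_script() {
  [ -s "$1" ] && head -n1 "$1" | grep -Eq '^#!.*(sh|bash)'
}

# Step 1: pick the newest Debian 12 template listed and download it to local storage.
fetch_template() {
  pveam update >/dev/null
  tmpl=$(pveam available --section system | awk '/debian-12-standard/ {print $2}' | sort -V | tail -n1)
  [ -n "$tmpl" ] || { echo "no debian-12 template listed" >&2; return 1; }
  pveam download local "$tmpl" >/dev/null
  echo "local:vztmpl/$tmpl"
}

# Step 2: create and start the container (wizard equivalent), with Start at Boot
# already enabled via --onboot 1. No --password: use `pct enter $CTID` for a root shell.
create_ct() {
  valid_cidr "$CT_IP" || { echo "IP must be CIDR, e.g. 192.168.100.3/24" >&2; return 1; }
  pct create "$CTID" "$1" \
    --hostname pihole --unprivileged 1 --cores 1 --memory 512 \
    --rootfs local-lvm:8 \
    --net0 "name=eth0,bridge=$BRIDGE,ip=$CT_IP,gw=$GATEWAY" \
    --onboot 1
  pct start "$CTID"
}

# Step 3: update, then fetch the installer to a file instead of piping it into bash,
# pull a copy out for reading, and only print the commands that would run it.
install_pihole() {
  pct exec "$CTID" -- sh -c 'apt-get update -q && apt-get upgrade -y -q && apt-get install -y -q curl ca-certificates'
  pct exec "$CTID" -- sh -c \
    'curl --proto "=https" --tlsv1.2 -sSfL https://install.pi-hole.net -o /root/basic-install.sh'
  pct pull "$CTID" /root/basic-install.sh ./basic-install.sh
  looks_like_shell_script ./basic-install.sh || { echo "installer does not look like a script" >&2; return 1; }
  echo "review ./basic-install.sh, then run:"
  echo "  pct exec $CTID -- bash /root/basic-install.sh"
  echo "  pct exec $CTID -- pihole -a -p"
}

# Only act when asked; sourcing the file just defines the functions.
if [ "${1-}" = "--apply" ]; then
  t=$(fetch_template) && create_ct "$t" && install_pihole
fi
```

Run it as `sh provision-pihole.sh --apply` on the Proxmox node; the last step deliberately stops short of executing the installer so the downloaded script gets read first.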

Test and Compare

Now that your PiHole instance is running, we can test to see how well it works. On your workstation, open a tab in your browser and visit a notoriously ad-heavy website, such as www.msn.com.

Then, change the DNS nameserver on your workstation to the IP address of your PiHole instance. On Windows you can run ncpa.cpl, which opens the Network Connections window. On Linux you can edit the file /etc/resolv.conf. Replace the existing DNS server rather than adding the PiHole alongside it: your OS will use both of them, not just the first, so if one of them is not an adblocking one, some ads will still get through.

Once that is done, open a second tab and visit the same site, and compare the difference. There should be a remarkable reduction in adverts. You can also visit your PiHole web UI to see how many requests it has blocked.
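An added example for the Linux side of this test, not from the guide: it switches /etc/resolv.conf to the Pi-hole (only when that file is a plain file rather than one owned by systemd-resolved or NetworkManager), shows which server dig is actually talking to, and compares the answer from the Pi-hole with one from an unfiltered resolver. 192.168.100.3 for the Pi-hole, 1.1.1.1 as the comparison resolver and the ad-domain.example placeholder are assumptions; set AD_DOMAIN to a name the Pi-hole's Query Log shows as blocked.

```shell
#!/bin/sh
# Added example, not from the guide: point a Linux workstation at the Pi-hole and verify.
# Assumed: Pi-hole at 192.168.100.3, 1.1.1.1 as an unfiltered comparison resolver,
# AD_DOMAIN is a placeholder to replace with a name your Pi-hole actually blocks.
PIHOLE=${PIHOLE:-192.168.100.3}
UPSTREAM=${UPSTREAM:-1.1.1.1}
AD_DOMAIN=${AD_DOMAIN:-ad-domain.example}

# Classify a `dig +short` A answer: Pi-hole's default (NULL) blocking mode returns
# 0.0.0.0, NXDOMAIN mode returns no answer at all, anything else is a real address.
classify_answer() {
  case "$1" in
    "") echo "blocked-or-nxdomain" ;;
    0.0.0.0|::) echo "blocked" ;;
    *) echo "resolved" ;;
  esac
}

# Pull the server address out of dig's ";; SERVER: 192.168.100.3#53(...)" line.
parse_server_line() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Which resolver does the OS actually hand queries to? (dig without @ uses resolv.conf)
answering_server() {
  parse_server_line "$(dig "$1" A 2>/dev/null | grep '^;; SERVER:')"
}

# Replace resolv.conf with the Pi-hole only, keeping a timestamped backup. Refuse to
# touch a symlinked resolv.conf: a resolver manager owns it and would overwrite us.
use_pihole_resolver() {
  if [ -L /etc/resolv.conf ]; then
    echo "/etc/resolv.conf is managed (symlink); use resolvectl or NetworkManager instead" >&2
    return 1
  fi
  cp /etc/resolv.conf "/etc/resolv.conf.bak.$(date +%s)"
  printf 'nameserver %s\n' "$PIHOLE" > /etc/resolv.conf
}

# Side-by-side answer for one name: via the Pi-hole and via the unfiltered resolver.
compare_answers() {
  name=$1
  via_pihole=$(dig +short @"$PIHOLE" "$name" A | head -n1)
  via_upstream=$(dig +short @"$UPSTREAM" "$name" A | head -n1)
  printf '%-30s pihole=%s (%s)  upstream=%s (%s)\n' "$name" \
    "${via_pihole:-<none>}" "$(classify_answer "$via_pihole")" \
    "${via_upstream:-<none>}" "$(classify_answer "$via_upstream")"
}

if [ "${1-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root to edit /etc/resolv.conf" >&2; exit 1; }
  use_pihole_resolver || exit 1
  echo "resolver now answering: $(answering_server www.msn.com)"
  compare_answers "$AD_DOMAIN"
  compare_answers www.msn.com
fi
```

Without --apply the script only defines the functions; `compare_answers` can be used on its own to check any name against both resolvers before changing anything.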

Local DNS

We can connect to web UIs like Proxmox, PiHole, and the future services we'll create using their IP address and port number. This is however not very convenient, so we'll set up PiHole to let us use domain names instead.

Best practice is to register an actual domain name and get a certificate from a publicly trusted Certificate Authority (e.g., Let's Encrypt). While what we will be doing next is not best practice, it is entirely possible for you to use whatever domain name you want on your homelab.

There are pros and cons to this approach which others have discussed ad nauseam and I won't delve into those. Many people suggest using the reserved TLD suffix .home.arpa, but personally I find it too cumbersome, and I just use foobar.box instead. This is a homelab after all, so let's experiment.

DNS [A/AAAA] and CNAME Records

A (and AAAA) records map a domain name to an IP address (AAAA being for IPv6). A CNAME record aliases a domain or subdomain to another domain name, which is then resolved in turn.

So if we set our workstation to use our PiHole as its DNS nameserver, and we create a Local A Record that maps proxmox.box to 192.168.100.2, instead of typing https://192.168.100.2:8006, we can type https://proxmox.box:8006.

You'll notice this only maps names to IP addresses: DNS cannot map port numbers. In the next section, we'll set up a Reverse Proxy, which will do just that.

CNAME Records

As you create more services, you might want to access them via names such as foo.proxmox.box and bar.proxmox.box. While we can create a new CNAME record for each individual subdomain, I personally find it more convenient to use a wildcard subdomain. This requires a dnsmasq wildcard entry (DNS masquerading) instead of CNAME records.

dnsmasq

Before we can get this method to work, we need a working Reverse Proxy. The Reverse Proxy looks at the host name in the requested URL and decides which backend to forward the request to. So follow the steps in the next section, then return here.

Once nginx Proxy Manager has been set up, we need to add a configuration file to etc-dnsmasq.d. Unfortunately we cannot do this from the PiHole web UI. So instead, open the Proxmox web UI, locate your PiHole container, and open its Shell.

Once you are logged in, create a file named:

/home/pastry/docker/pihole/etc-dnsmasq.d/02-local-wildcard-domain.conf

If you are not familiar with *.d folders, they hold multiple configuration fragments that the program of the same name reads alongside its main configuration. This lets us split and separate configuration files. In this case, we'll be adding all our changes into one file. The name doesn't matter, just the path and the .conf extension.

The contents of this file are the domain whose subdomains you want to redirect, and the IP of the Reverse Proxy:

address=/proxmox.box/192.168.100.4

This will redirect all requests for *.proxmox.box to our Reverse Proxy, which then works out the destination. Note that you don't need to include the *. part of *.proxmox.box. Remember to double check that you're using the IP address of your Reverse Proxy and not the IP address of any of the services you want to redirect to.
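The records from this section and from the A-record section above, as an added example that is not part of the guide: a small script that writes the wildcard line plus explicit host-record lines into a dnsmasq.d directory, refuses to overwrite an existing file, and checks the result with dig. The target directory is a parameter because the guide's /home/pastry/docker/pihole/etc-dnsmasq.d is the author's Docker bind mount; for a Pi-hole installed with the installer, /etc/dnsmasq.d is assumed here to be the location (recent Pi-hole releases may need that directory enabled in their settings). One thing worth knowing: address=/proxmox.box/ answers the bare name proxmox.box as well as its subdomains. dnsmasq lets explicit hosts entries override address= for individual names, which is why the host-record for proxmox.box keeps pointing at the Proxmox host, and check_resolution is there to confirm that on your own install. The pihole.box record and the Pi-hole address 192.168.100.3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Writes the local DNS entries as one dnsmasq fragment.
# Assumed: domain proxmox.box, reverse proxy 192.168.100.4, Proxmox host 192.168.100.2
# (the guide's addresses); Pi-hole at 192.168.100.3 and the pihole.box record are extra
# assumptions; DNSMASQ_D defaults to /etc/dnsmasq.d, assumed for an installer-based Pi-hole
# (the guide's /home/pastry/docker/... path is a Docker bind mount of that directory).
DNSMASQ_D=${DNSMASQ_D:-/etc/dnsmasq.d}
CONF_NAME=02-local-wildcard-domain.conf

# Accept only a dotted quad with each octet in 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Print the fragment: one address= wildcard for the domain, then explicit host-record
# lines (NAME=IP arguments) for names that must not go through the proxy.
render_dnsmasq_conf() {
  domain=$1; proxy=$2; shift 2
  valid_ipv4 "$proxy" || { echo "bad proxy address: $proxy" >&2; return 1; }
  echo "# *.${domain} (and ${domain} itself) -> reverse proxy"
  echo "address=/${domain}/${proxy}"
  for rec in "$@"; do
    name=${rec%%=*}; ip=${rec#*=}
    valid_ipv4 "$ip" || { echo "bad address for $name: $ip" >&2; return 1; }
    echo "host-record=${name},${ip}"
  done
}

# Write the fragment into DIR via a temp file; refuse to clobber an existing file.
install_conf() {
  dir=$1; shift
  f="$dir/$CONF_NAME"
  if [ -e "$f" ]; then echo "refusing to overwrite $f" >&2; return 2; fi
  mkdir -p "$dir" || return 1
  render_dnsmasq_conf "$@" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
  mv "$f.tmp" "$f" && echo "$f"
}

# Ask SERVER for NAME and compare the first A answer with WANT.
check_resolution() {
  server=$1; name=$2; want=$3
  command -v dig >/dev/null || { echo "dig not installed, cannot check $name" >&2; return 0; }
  got=$(dig +short @"$server" "$name" A | head -n1)
  if [ "$got" = "$want" ]; then
    echo "ok   $name -> $got"
  else
    echo "FAIL $name -> ${got:-<no answer>} (wanted $want)" >&2; return 1
  fi
}

if [ "${1-}" = "--apply" ]; then
  install_conf "$DNSMASQ_D" proxmox.box 192.168.100.4 \
    proxmox.box=192.168.100.2 pihole.box=192.168.100.3 || exit 1
  command -v pihole >/dev/null && pihole restartdns   # reload the running resolver
  check_resolution 192.168.100.3 proxmox.box 192.168.100.2
  check_resolution 192.168.100.3 foo.proxmox.box 192.168.100.4
fi
```

Run it with --apply inside the PiHole container (set DNSMASQ_D first if your layout differs); without --apply it only defines the functions, so `render_dnsmasq_conf proxmox.box 192.168.100.4` can be used to preview the fragment before anything is written.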

See Also

External Links