I Blocked Every Ad on My Network with Pi-hole on Proxmox
Every device on my home network (phones, laptops, iPads, smart TVs) blocks ads at the DNS level. I didn't install anything on any of those devices. One Ubuntu container on Proxmox, Pi-hole installed in 10 minutes, and it handles everything from a single point.
This is one of the highest-value-to-effort things I've built in my home lab. Simple to set up, genuinely useful every day, and it doubles as a DNS security layer that blocks malware domains, tracking scripts, and suspicious content.
How Pi-hole Works: DNS-Level Blocking
Pi-hole is a DNS sinkhole. Instead of your devices using your ISP's DNS server or Google's 8.8.8.8, they query your Pi-hole first. Pi-hole checks the domain against its blocklists: if the domain is known for ads, tracking, or malware, it returns 0.0.0.0 (nothing). The request never leaves your network.
Unlike browser extensions (uBlock Origin etc.), Pi-hole works for every device, including things that can't install extensions: smart TVs, game consoles, IoT devices. One Pi-hole protects everything.
Why Proxmox LXC Container, Not a Raspberry Pi
Pi-hole was originally designed for Raspberry Pi (hence the name). But if you already have Proxmox running, there's no reason to buy and maintain a separate device. An LXC container on Proxmox uses less than 512MB RAM, has better uptime than a Pi (no SD card corruption), and is trivial to snapshot and restore.
The main argument for a dedicated Pi is "Proxmox might restart and kill DNS for the whole network." Valid concern, but easily solved by setting the container's startup order to boot before everything else, and giving it a static IP on your main LAN bridge.
Creating the Ubuntu LXC Container
In Proxmox, I use Ubuntu 22.04 LTS as the base for Pi-hole. The LXC template is available directly from the Proxmox template library.
- In Proxmox, go to a storage node → CT Templates → Download Ubuntu 22.04
- Create Container → select Ubuntu 22.04 template
- Resources: 1 vCPU, 512MB RAM, 4GB disk (plenty for Pi-hole)
- Network: bridge to your main LAN, static IP (critical: DNS must not change)
- Uncheck "unprivileged container": Pi-hole needs some privileged capabilities
Installing Pi-hole
Once the container is running, SSH in or use the Proxmox console:
# Update first
apt update && apt upgrade -y
# Install Pi-hole (one-liner official installer)
curl -sSL https://install.pi-hole.net | bash
The installer is interactive: it walks you through selecting an upstream DNS provider (I use Cloudflare 1.1.1.1), choosing which blocklists to start with, and setting up the admin password.
After install, the Pi-hole admin UI is at http://[your-pihole-ip]/admin. It's clean, shows query statistics, and lets you manage blocklists and whitelists.
Pointing Your Network to Pi-hole
You have two options for getting devices to use Pi-hole:
Option 1: Router DHCP (Recommended)
In your router's DHCP settings, change the DNS server handed out to clients to your Pi-hole's IP. Every device that gets a new lease will automatically start using Pi-hole, with no per-device configuration needed.
On Unifi (what I use): Network → Settings → Networks → [your LAN] → DHCP Name Server → set to Pi-hole IP.
Option 2: Per-Device
If you can't change your router (rented modem, etc.), manually set DNS on each device. Less ideal but it works.
To test, renew a device's DHCP lease (ipconfig /release && ipconfig /renew on Windows, or just toggle Wi-Fi) and check that Pi-hole's dashboard shows a query from it.
Blocklists: What I Use
Pi-hole ships with some default lists. I added several more via the Pi-hole admin → Adlists section:
- StevenBlack Unified Hosts: the gold standard, 100k+ domains
- OISD Big List: broad coverage, very low false positives
- Hagezi Multi Pro: aggressive tracker blocking
- URLhaus Malicious URLs: malware/C2 domains (security layer)
After adding new lists, run pihole -g (or click "Update Gravity" in the UI) to download and compile them. My current setup blocks around 700,000 domains.
# Update gravity (re-download all blocklists)
pihole -g
# Check Pi-hole version and stats
pihole status
pihole -c # live stats in terminal
Whitelist: When Things Break
Sometimes Pi-hole blocks something it shouldn't. The most common complaints in my house:
- Spotify: some of its CDN domains get caught occasionally
- Smart TV firmware update servers: OEM domains can be in lists
- Some Google services in specific regions
When something breaks, check Pi-hole's query log, find the blocked domain, and whitelist it:
pihole -w spotify.com
pihole -w s.spotify.com
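A simplified model of the lookup described under "How Pi-hole Works", the gravity compile step and the whitelist commands above, added here as an illustration (it is not Pi-hole's code). It assumes exact-match semantics for blocklist and whitelist entries; the list excerpts, function names and upstream stub are constructed.

```python
SINKHOLE = "0.0.0.0"

# Constructed adlist excerpts (placeholder domains, not real list content).
HOSTS_STYLE = """\
# hosts-format list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.tv-vendor.example
0.0.0.0 s.spotify.com  # false positive for this demo
"""
DOMAIN_STYLE = """\
tracker.example
ADS.tv-vendor.example
"""

def parse_adlist(text):
    """Extract domains from hosts-format or one-domain-per-line text."""
    domains = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or len(fields) > 2:
            continue
        domain = fields[-1].lower().rstrip(".")
        # Skip bare hostnames (localhost) and IP-only entries.
        if "." not in domain or domain.replace(".", "").isdigit():
            continue
        domains.add(domain)
    return domains

def compile_gravity(*adlists):
    """Merge every list into one de-duplicated set (model of the compile step)."""
    gravity = set()
    for text in adlists:
        gravity |= parse_adlist(text)
    return gravity

def answer(domain, gravity, whitelist, upstream):
    """Return the sinkhole address for blocked names, else ask upstream."""
    name = domain.lower().rstrip(".")
    if name in gravity and name not in whitelist:
        return SINKHOLE
    return upstream(name)

def fake_upstream(name):
    return "203.0.113.10"  # constructed stand-in for the real resolver's reply

if __name__ == "__main__":
    g = compile_gravity(HOSTS_STYLE, DOMAIN_STYLE)
    print(answer("s.spotify.com", g, {"spotify.com"}, fake_upstream))
    print(answer("s.spotify.com", g, {"spotify.com", "s.spotify.com"}, fake_upstream))
```

In this model the first call is still sinkholed, because whitelisting the parent domain does not cover the subdomain, which is why both entries are whitelisted above.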
Why This Is Also a Security Tool
This is the part that doesn't get talked about enough. Pi-hole with the URLhaus and similar threat intel lists blocks malware command-and-control domains. If a device on my network gets compromised and tries to phone home to a known C2 server, Pi-hole blocks that DNS resolution.
It's not a replacement for endpoint security, but it's a free, always-on layer that catches a lot of commodity malware that relies on public C2 infrastructure.
From a visibility perspective, the query log is also useful for spotting weird behaviour. If a device is making hundreds of DNS requests to domains I don't recognise, that's a flag worth investigating.
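One way to pull that signal out of the query log, added here as an example and not part of Pi-hole. It assumes dnsmasq-style `query[...] <domain> from <client>` and `gravity blocked <domain> is ...` lines; the sample lines, baseline set and threshold are constructed, so check your own log's format first.

```python
import re
from collections import defaultdict

QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
BLOCKED = re.compile(r"gravity blocked (\S+) is ")

def build_sample():
    """Constructed log lines in dnsmasq style (assumed format, not real traffic)."""
    ts = "Jan 12 09:00:01 dnsmasq[412]: "
    lines = [
        ts + "query[A] api.spotify.com from 192.168.1.20",
        ts + "forwarded api.spotify.com to 1.1.1.1",
        ts + "query[A] ads.tv-vendor.example from 192.168.1.30",
        ts + "gravity blocked ads.tv-vendor.example is 0.0.0.0",
        ts + "query[A] metrics.tv-vendor.example from 192.168.1.30",
        ts + "gravity blocked metrics.tv-vendor.example is 0.0.0.0",
    ]
    for i in range(4):  # one client asking for many unfamiliar names
        lines.append(ts + f"query[A] h{i}.unfamiliar.test from 192.168.1.40")
    return "\n".join(lines)

def is_known(domain, known):
    """True if domain equals, or is a subdomain of, a baseline entry."""
    return any(domain == k or domain.endswith("." + k) for k in known)

def summarize(log_text, known):
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "unknown": set()})
    asked_by = {}  # domain -> client that most recently queried it
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            domain, client = m.group(1).lower(), m.group(2)
            stats[client]["queries"] += 1
            asked_by[domain] = client
            if not is_known(domain, known):
                stats[client]["unknown"].add(domain)
        elif m := BLOCKED.search(line):
            client = asked_by.get(domain := m.group(1).lower())
            if client:
                stats[client]["blocked"] += 1
                stats[client]["unknown"].discard(domain)  # already sinkholed
    return stats

def flag_clients(stats, max_unknown):
    """Clients that resolved more unfamiliar, unblocked domains than allowed."""
    return sorted(c for c, s in stats.items() if len(s["unknown"]) > max_unknown)

if __name__ == "__main__":
    stats = summarize(build_sample(), known={"spotify.com"})
    print("flagged:", flag_clients(stats, max_unknown=3))
```

Blocked lookups are attributed to the client that most recently asked for the same domain, which is an approximation when several clients query one name at the same moment.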
The Numbers After Running It for a While
On an average day, around 25–35% of DNS queries on my network get blocked. That's not mostly ads: a huge chunk of that is tracking scripts, telemetry calls from apps, and background analytics that devices send constantly without you knowing.
Smart TVs are the worst. Unprompted, my TV makes DNS requests to about 30 different analytics/ad-serving domains every hour. Pi-hole blocks all of them.