Pi-hole DNS & Network Ad Blocking
Pi-hole provides the primary DNS, network-wide ad blocking, and local hostname resolution inside the TorresVault environment. Two Pi-hole nodes run behind a virtual IP (VIP) for high availability, ensuring DNS services remain stable even during maintenance or reboots.
This page provides a high-level overview of the Pi-hole design, configuration, VIP behavior, and role in the broader TorresVault network.
Role in TorresVault
Pi-hole serves several critical functions:
- Network-wide ad blocking
- Local DNS + host overrides
- Fast internal resolution for all `*.torresvault.com` services
- DNS filtering for IoT, servers, and Home Assistant
- Unified DNS resolver for the entire UniFi network
- Supports VLANs 1, 10, 20, 50, and 60
It is the first-hop DNS for every device in the environment, including IoT, Kubernetes VMs (future), and internal services.
Architecture
Pi-hole is deployed as a redundant pair:
- Pi-hole 1 - runs on 192.168.1.2 (MAC ending in 51:24)
- Pi-hole 2 - runs on 192.168.1.4 (MAC ending in 38:DE)
- VIP (Virtual IP): 192.168.1.5 - the unified DNS endpoint
All clients point to the VIP so failover is seamless.
UniFi DHCP automatically hands out:
- Primary DNS: 192.168.1.5
- Domain: `torresvault.com`
This enables short-hostname access (e.g., `pve1`, `pve2`, `jellyfin`, `npm`, `in`) with no additional configuration.
What Pi-hole Resolves
Pi-hole acts as the internal authoritative DNS for key services:
| Domain | IP Address |
|---|---|
| ha.torresvault.com | 192.168.20.149 |
| hatest.torresvault.com | 192.168.20.150 |
| in.torresvault.com | 192.168.1.27 |
| jellyfin.torresvault.com | 192.168.1.86 |
| matrix.torresvault.com | 192.168.60.56 |
| megatree.torresvault.com | 192.168.60.55 |
| monitor.torresvault.com | 192.168.1.77 |
| next.torresvault.com | 192.168.1.75 |
| npm.torresvault.com | 192.168.1.99 |
| pbs.torresvault.com | 192.168.1.252 |
These DNS overrides are critical for:
- Home Assistant integrations
- FPP multi-controller sync
- NGINX Proxy Manager
- Prometheus/Grafana
- Internal web services & dashboards
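If the two nodes' local records ever differ, clients pointed at the VIP see only the answers of whichever node currently holds it. The following Python script is an added example, not part of the original page or the TorresVault configuration: it queries each node and the VIP directly and reports any answer that differs from the override table. The function names are hypothetical; the addresses and records are the ones listed on this page.

```python
import secrets, socket, struct

# Taken from the page: both nodes, the VIP, and two rows of the override table.
RESOLVERS = {"pihole1": "192.168.1.2", "pihole2": "192.168.1.4", "vip": "192.168.1.5"}
EXPECTED = {"npm.torresvault.com": "192.168.1.99", "pbs.torresvault.com": "192.168.1.252"}

def build_query(name, txid):
    """Encode a recursion-desired A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):  # offset just past a name, which may end in a 2-byte pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg, txid):
    """Return sorted IPv4 answers; reject replies whose ID does not match the query."""
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off) + 10     # fixed RR header: TYPE, CLASS, TTL, RDLENGTH
        rtype, rdlen = struct.unpack(">H6xH", msg[off - 10:off])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def resolve(server, name, timeout=2.0):
    txid = secrets.randbits(16)            # unpredictable ID, verified on the reply
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))        # only datagrams from this peer are delivered
            s.send(build_query(name, txid))
            return parse_a_records(s.recv(512), txid)
    except (OSError, ValueError, struct.error, IndexError):
        return None                        # timeout, or a malformed / mismatched reply

def find_drift(observed, expected=EXPECTED):  # observed: {resolver: {name: [ips] or None}}
    return [(r, n, got.get(n)) for r, got in sorted(observed.items())
            for n, ip in expected.items() if got.get(n) != [ip]]

if __name__ == "__main__":
    seen = {r: {n: resolve(ip, n) for n in EXPECTED} for r, ip in RESOLVERS.items()}
    print(*find_drift(seen) or ["no drift"], sep="\n")
```

Each output row is `(resolver, name, answer)`; an answer of `None` means that resolver did not return a usable reply within the timeout.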
VLAN Awareness
Pi-hole must respond appropriately across all VLANs:
- VLAN 1 - Servers, Proxmox, NPM, NAS
- VLAN 10 - User WiFi
- VLAN 20 - IoT
- VLAN 50 - WPA3-capable IoT
- VLAN 60 - FPP lighting network
Because the VIP sits on VLAN 1, other VLANs reach it through UniFi routing with no issue.
All VLANs use the same DNS resolver for consistency.
Ad Blocking
Pi-hole blocks ads, trackers, malware domains, telemetry, and known phone-home services.
This benefits:
- Phones
- TVs
- Tablets
- IoT devices
- Media players
- Browsers across the entire house
Blocked domains reduce:
- bandwidth usage
- clutter
- tracking
- device noise
Integration With Other Systems
Pi-hole integrates cleanly with:
- Home Assistant
  - DNS lookups for HA → FPP, HA → Proxmox, HA → NPM
  - Pi-hole statistics displayed via HA sensors
- UniFi Network
  - DHCP hands out Pi-hole VIP
  - Gateway offloads DNS workload to Pi-hole
- NPM
  - Internal service resolution
  - CNAME simplification
- Proxmox & PBS
  - VM naming resolution
  - Snapshot/backup jobs that rely on hostname lookups
Current State
- Fully functioning dual-node Pi-hole deployment
- VIP failover works as designed
- All internal services use short hostnames
- All VLANs properly resolve through Pi-hole
- Integrated into Home Assistant dashboards
Future Enhancements
- Add DNS-based, per-device filtering rules
- Enable Pi-hole → Loki / Grafana log ingestion
- Expand blacklist/whitelist automation
- Add local DNS automation from Home Assistant
- Include DNS health checks in network dashboard
- Add backup/restore automation to TrueNAS or NPM
This page documents the Pi-hole DNS + Ad Blocking platform used inside TorresVault.
