# Ticket: Pi-hole ad-blocking service

## Metadata
- Type: Ticket
- Status: Deployed - needs DHCP DNS change for network-wide activation
- Project: Homelab Operations
- Created: 2026-06-07
- Updated: 2026-06-07
- Priority: Medium

## Goal

Deploy Pi-hole for user ad-blocking on the homelab network, transparent if practical and safe.

## Why

The user wants network users to benefit from ad blocking while retaining a manageable DNS architecture.

## Scope

Included:
- Decide Pi-hole placement relative to standalone Unbound.
- Define whether Pi-hole is upstream/downstream of Unbound.
- Plan transparent DNS interception only if safe and reversible.
- Verify Proxmox target resources before creation.
- Deploy and document Pi-hole.
- Define rollback/fallback DNS path.

Not included:
- Breaking client DNS resolution.
- Transparent firewall interception without explicit implementation approval.

## Acceptance Criteria

This ticket is done when:
- [x] Pi-hole/Unbound relationship is designed — Pi-hole → Unbound chain.
- [x] Pi-hole is deployed — CT 108 at `192.168.0.150`, Docker-based.
- [x] At least one client can use Pi-hole DNS successfully — verified from Nimrod.
- [x] Ad-blocking behavior is verified — `doubleclick.net` blocked, internal names resolve.
- [ ] DHCP DNS changed from Unbound to Pi-hole for network-wide activation — user action needed in OPNsense.
- [x] Rollback/fallback DNS path is documented.

## Notes

- Transparent DNS may involve OPNsense/firewall changes and should be planned carefully.