How Pi-hole, Unbound DNS, local DNS records, and a reverse proxy work together to make the home network faster, more private, and fully accessible from within — without exposing anything it shouldn't.
The Foundation
Why Networking Is the First Thing to Get Right
Every device in a home connects through the network. Every request — a website load, a smart light command, a DNS query — passes through the router. That makes the network layer the most powerful place in the stack to enforce privacy, block unwanted traffic, and control how services are accessed.
Most home networks do none of this. The router from the ISP resolves DNS through the ISP's own servers — which means the ISP sees every domain you visit. Ads load. Trackers load. Everything on the network shares the same trust level. A little deliberate configuration changes all of that.
Network-Wide Ad Blocking
Pi-hole: The Network's Gatekeeper
Pi-hole is a network-wide DNS sinkhole. It sits between every device on the network and the internet, and when any device tries to look up a known ad server, tracker, or telemetry domain, Pi-hole intercepts that request and returns nothing. The ad never loads. The tracker never phones home. The request never leaves the house.
The key word is network-wide. Pi-hole doesn't require installing anything on individual devices. No browser extension, no app. Once it's configured as the DNS server for the network, every device — phones, laptops, smart TVs, game consoles, IoT sensors — benefits automatically. A Smart TV that normally phones home to ad networks constantly is silenced at the network level without touching the TV itself.
What Gets Blocked
Advertising networks, tracking pixels, telemetry endpoints, malware domains, and known data-harvesting services. Blocklists are community-maintained and updated regularly. The lab currently blocks tens of thousands of domains across multiple curated lists.
Privacy for Every Device
No device needs to be individually configured. The moment a device connects to the network, it's protected. Smart TVs, phones, tablets, laptops, and IoT devices all benefit without any software installation on those devices.
Full Visibility
Pi-hole's dashboard shows every DNS query on the network in real time — which device asked for what, what was blocked, what resolved. That visibility alone is eye-opening. Most households have no idea how frequently their devices are phoning home.
Recursive DNS
Unbound: Cutting Out the Middleman
Pi-hole blocks unwanted domains, but it still has to forward the legitimate DNS queries somewhere. By default, most setups forward to a public resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1). That means even with Pi-hole in place, a third party still sees every domain that resolves successfully.
Unbound DNS eliminates that dependency entirely. Instead of forwarding queries to an upstream resolver, Unbound is a recursive resolver — it goes directly to the authoritative name servers for each domain, starting from the DNS root. No third-party resolver ever sees the full picture of what's being looked up.
1. Device asks: "Where is example.com?"
The query goes to Pi-hole first. If it's a blocked domain, it stops here. If it's legitimate, Pi-hole forwards it to Unbound.
2. Unbound asks the DNS root servers
Unbound starts at the top — the root name servers — and asks which servers are authoritative for .com domains.
3. Follow the chain to the authoritative server
The root refers to the .com registry. The .com registry refers to the authoritative name server for example.com. Unbound asks that server directly.
4. Answer returned and cached
The IP address is returned to the device. Unbound caches the result so future lookups for the same domain are instant. No third-party resolver ever saw the complete query chain.
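The four steps above, as an added example that is not part of the original article and is not Unbound's code: a toy iterative resolver that walks the referral chain root, then TLD, then authoritative server, and caches the answer until its TTL expires. The zone data, server names and addresses are constructed for the demonstration (192.0.2.0/24 is a documentation range, not a real host).

```python
"""Toy iterative resolver: follows referrals from the root the way a
recursive resolver such as Unbound does, then caches the answer."""
import time

# Constructed referral data. Each "server" either delegates a zone to
# another server (an NS referral) or holds final A-record answers.
ROOT = "root"
ZONES = {
    ROOT:         {"referrals": {"com.": "tld-com"}},
    "tld-com":    {"referrals": {"example.com.": "ns-example"}},
    "ns-example": {"answers": {"example.com.":     ("192.0.2.10", 300),
                               "www.example.com.": ("192.0.2.10", 300)}},
}


def _closest_referral(server, qname):
    """Return the server this one delegates qname to (longest matching
    zone suffix wins), or None if it knows nothing about the name."""
    best = None
    for zone, target in ZONES[server].get("referrals", {}).items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, target)
    return best[1] if best else None


class IterativeResolver:
    def __init__(self, now=time.time):
        self.cache = {}   # qname -> (ip, absolute expiry time)
        self.now = now    # injectable clock so TTL expiry can be exercised
        self.trace = []   # servers contacted for the last query

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."
        cached = self.cache.get(qname)
        if cached and cached[1] > self.now():
            self.trace = ["cache"]          # step 4: served from cache
            return cached[0]

        self.trace = []
        server = ROOT                        # step 2: start at the root
        for _ in range(10):                  # bound the referral chain
            self.trace.append(server)
            answers = ZONES[server].get("answers", {})
            if qname in answers:             # reached the authoritative server
                ip, ttl = answers[qname]
                self.cache[qname] = (ip, self.now() + ttl)
                return ip
            nxt = _closest_referral(server, qname)   # step 3: follow the referral
            if nxt is None:
                return None                  # no delegation: treat as NXDOMAIN
            server = nxt
        return None


if __name__ == "__main__":
    r = IterativeResolver()
    print(r.resolve("www.example.com"), r.trace)   # first lookup walks the chain
    print(r.resolve("www.example.com"), r.trace)   # second lookup hits the cache
```

The injectable clock is what makes the caching step checkable: after the TTL passes, the same name is walked from the root again instead of being answered from stale cache.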
Internal Accessibility
Local DNS Records: Making Services Feel Native
Every self-hosted service in the lab runs on an internal IP address. Without local DNS, accessing them means typing something like 192.168.1.42:8080 — an IP address and port number that changes if the service moves, and that's impossible to remember across a dozen services.
Local DNS records solve this by creating human-readable hostnames that resolve only inside the network. A service running on an internal server can be reached at something like mealie.home or paperless.home — a real domain name that works on every device connected to the network, resolves instantly because Pi-hole answers it directly from its local records (the query never reaches Unbound), and doesn't exist on the public internet at all.
Pi-hole hosts the local DNS records in this setup. Every time a new service is added, a single DNS entry maps its friendly name to its internal address. No memorising IPs, no port numbers, no confusion about which device hosts which service.
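The decision order described in this section and the ad-blocking section, as an added example that is not Pi-hole's code: each query is checked against the local records first, then against the blocklist, and only then forwarded to the recursive resolver. The blocklist text (in the hosts-file and bare-domain formats community lists commonly use) and the local records are constructed; treating a blocked domain as also covering its subdomains is this example's own choice, not a statement about how Pi-hole matches.

```python
"""Query decision pipeline for a DNS sinkhole with local records:
local name -> blocklist -> forward upstream."""

# Constructed blocklist in the two common list formats.
BLOCKLIST_TEXT = """
# sample list (constructed for this example)
0.0.0.0 ads.example-tracker.net
0.0.0.0 telemetry.example-vendor.com   # inline comment
metrics.example-analytics.io
"""

# Constructed local records: friendly name -> internal address.
LOCAL_RECORDS = {
    "mealie.home": "192.168.1.42",
    "paperless.home": "192.168.1.42",
}


def parse_blocklist(text):
    """Accept 'IP name [name...]' hosts lines and bare 'name' lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        names = parts[1:] if len(parts) > 1 else parts   # hosts format has a leading sink IP
        for name in names:
            domains.add(name.lower().rstrip("."))
    return domains


def is_blocked(qname, blocked):
    """True if the name or any parent domain is on the list
    (subdomain coverage is an assumption of this example)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(qname, blocked, local=LOCAL_RECORDS):
    """Return (action, answer) for one query."""
    name = qname.lower().rstrip(".")
    if name in local:
        return ("local", local[name])          # answered here, never leaves the house
    if is_blocked(name, blocked):
        return ("blocked", "0.0.0.0")          # sinkhole answer; NXDOMAIN is the other common choice
    return ("forward", "unbound")              # legitimate external name: recurse


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for q in ("paperless.home", "cdn.ads.example-tracker.net", "example.com"):
        print(q, "->", decide(q, blocked))
```

Normalising case and the trailing dot before every lookup matters: a query for `Paperless.Home.` must hit the same record as `paperless.home`, and a blocklist entry must not be bypassed by a differently-cased request.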
Once local DNS resolves a friendly hostname to an internal address, something still needs to route that request to the right service. That's what a reverse proxy does — it sits in front of all the services and directs incoming requests to the correct container based on the hostname.
Without a reverse proxy, reaching a service means knowing its exact port — 192.168.1.42:8080 for one service, 192.168.1.42:9000 for another. With Traefik running as the reverse proxy, every service gets a clean hostname on standard ports. The request comes in as paperless.home and Traefik knows exactly which container to route it to. Adding a new service means adding a single configuration block — Traefik handles the rest automatically.
Traefik also handles TLS termination, meaning services can run over HTTPS internally, giving browsers the padlock and eliminating "not secure" warnings on self-hosted sites. For services that need to be accessible from outside the home network via Cloudflare Tunnel, Traefik sits at the edge of that path as well.
No port numbers to remember. Every service has a clean, meaningful URL. Bookmarks work. Muscle memory works. It feels like any other website.
Single point of entry. Traefik listens on ports 80 and 443. Everything flows through it. Firewall rules become simple: only Traefik needs those ports open internally.
HTTPS everywhere internally. TLS certificates mean browsers treat self-hosted services the same as any other secure website. No warnings, no exceptions to click through.
Automatic routing for new services. When a new Docker container is added with the right labels, Traefik picks it up and starts routing to it. Zero manual reconfiguration of anything else.
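How the hostname-based routing in this section works, as an added example that is not Traefik's code: it reads the two Docker labels Traefik uses for a simple router (`traefik.http.routers.<name>.rule` with a `Host(...)` matcher, and `traefik.http.services.<name>.loadbalancer.server.port`), builds a routing table, and picks the backend from a request's Host header. The container names, addresses and ports are constructed, and the label parsing is a simplified stand-in that matches labels per container rather than Traefik's full router-to-service resolution.

```python
"""Hostname-based reverse-proxy routing from Docker labels."""
import re

RULE_RE = re.compile(r"^traefik\.http\.routers\.([\w-]+)\.rule$")
PORT_RE = re.compile(r"^traefik\.http\.services\.([\w-]+)\.loadbalancer\.server\.port$")
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

# Constructed: container name -> (container IP, labels as Compose would set them).
CONTAINERS = {
    "paperless": ("172.18.0.5", {
        "traefik.enable": "true",
        "traefik.http.routers.paperless.rule": "Host(`paperless.home`)",
        "traefik.http.services.paperless.loadbalancer.server.port": "8000",
    }),
    "mealie": ("172.18.0.6", {
        "traefik.enable": "true",
        "traefik.http.routers.mealie.rule": "Host(`mealie.home`)",
        "traefik.http.services.mealie.loadbalancer.server.port": "9000",
    }),
    "db": ("172.18.0.7", {}),   # no labels: never reachable through the proxy
}


def build_routes(containers):
    """hostname -> (container, ip, port), built only from opted-in containers."""
    routes = {}
    for cname, (ip, labels) in containers.items():
        if labels.get("traefik.enable") != "true":
            continue
        hosts, port = [], None
        for key, value in labels.items():
            if RULE_RE.match(key):
                hosts += HOST_RE.findall(value)     # one rule may list several Host() matchers
            elif PORT_RE.match(key):
                port = int(value)
        for h in hosts:
            routes[h.lower()] = (cname, ip, port)
    return routes


def route(routes, host_header):
    """Return (status, backend URL) for an incoming request's Host header."""
    host = host_header.split(":", 1)[0].lower()    # ignore an explicit :port
    hit = routes.get(host)
    if hit is None:
        return (404, None)        # unknown name: refuse, never fall through to a default backend
    cname, ip, port = hit
    return (200, f"http://{ip}:{port}")


if __name__ == "__main__":
    table = build_routes(CONTAINERS)
    for h in ("paperless.home", "mealie.home:443", "db.home", "192.168.1.42"):
        print(h, "->", route(table, h))
```

Two properties are worth checking in any such setup: a container without the labels (the database here) is simply absent from the table, and a request by bare IP or an unlisted name gets a 404 rather than being handed to whichever service happens to be first.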
The Complete Picture
How It All Works Together
Pi-hole, Unbound, local DNS records, and Traefik are not four separate tools — they're four layers of a single coherent networking stack. Each one solves a specific problem and hands off cleanly to the next.
Pi-hole handles what not to resolve
Ads, trackers, telemetry, and malware domains are blocked before they can reach the internet. All legitimate queries pass through to the next layer.
Unbound handles how to resolve
For everything that passes Pi-hole, Unbound resolves it recursively — going directly to authoritative servers without relying on Google, Cloudflare, or any third-party resolver.
Local DNS records handle internal names
Friendly hostnames for internal services are resolved locally before Unbound ever touches them. No external query needed for anything self-hosted.
Traefik handles where requests land
Once a hostname resolves to the Traefik address, Traefik takes over and routes the request to exactly the right container — cleanly, over HTTPS, without exposing individual service ports.