The stale `address=/demo-felhom.eu/192.168.0.162` pinned A to the host (pre-Proxmox
era, when the host ran traefik) and forwarded AAAA upstream → Cloudflare (split-brain),
so LAN clients hit 192.168.0.162:443 (nothing there) → ERR_CONNECTION_REFUSED.
Switch to a conditional forward `server=/demo-felhom.eu/192.168.0.162` so the Pi-hole
relays the zone to the felhom-agent-managed dnsmasq on the host, which answers the
guest's live IP (192.168.0.151) + AAAA NODATA and tracks the DHCP IP.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq
security fixes, covering all publicly disclosed CVEs against the
dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are
"minimal, self-contained changes to the embedded dnsmasq sources. No
FTL-side configuration or API changes; users should see no observable
behavior change beyond the closed vulnerabilities."
Override the chart's default image.tag in helm/pihole/values.yaml (no
chart version bump). The pihole ArgoCD app is intentionally MANUAL
sync per Viktor's call -- after merge, sync the pihole app from the
ArgoCD UI to roll the pod over.
https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
admin
kisfenyo