The answer to this lies in the eye of the beholder.
There is no single best configuration for setting up Pi-hole. I'd deem any working configuration as proper, and Pi-hole can be set up to filter your DNS requests in a variety of ways.
Depending on your circumstances and personal preferences, you may decide on a set of configuration options another user wouldn't want to use, or couldn't use due to some external restrictions (like a router that allows only upstream DNS configuration).
We can try to highlight benefits and disadvantages of the options that most likely matter to you.
You may also refer to Pi-hole's online documentation. Specifically, one of the most basic choices is how you introduce Pi-hole into your network.
No, not the way you've configured it.
As I understand it, you are forwarding DNS requests from your AD DNS servers to Pi-hole, hence all DNS requests reaching Pi-hole will originate from those servers (this also means that Conditional Forwarding wouldn't help here).
In order to associate DNS queries to individual clients, you'd have to change the DNS forwarding chain in your network, e.g. by configuring your clients to use Pi-hole as DNS, and have Pi-hole forward requests to your AD DNS servers.
Note that client-based filtering (as introduced with Pi-hole 5.0) is only possible for clients as identified by Pi-hole via a DNS request's origin IP address.
Pi-hole's filtering works at the DNS level. It can either block resolution of a domain name (e.g. ads.content.com) or return its associated IP addresses (e.g. for www.content.com).
Any unwanted content that is delivered via the same domain as the content you want to access (e.g. www.content.com/ads/picture.jpg) cannot be blocked by Pi-hole, unless you are willing to also block that content altogether (i.e. block www.content.com).
Note that while Pi-hole provides the mechanism for blocking, it's ultimately still your decision what to block.
The default blocklists that you can opt to use during installation will provide an adequate level of filtering.
In case you find that your favourite sites are still showing ads, you can match Pi-hole to your individual browsing behaviour, by adding whole blocklists, a regex to block several domains matching a pattern, or a specific domain ("How do I determine what domain an ad is coming from?" will help you identify candidates for the latter).
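
A simplified model of two points from the post above: a DNS-level filter sees only the hostname of a request, and per-client rules key on the source IP of the DNS query, which becomes the forwarder's address when another DNS server sits in between. This is an added illustration, not Pi-hole's code and not part of the original post; the rules, IP addresses and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed rules and addresses for illustration (not from any real blocklist).
DEFAULT_RULES = {"exact": {"ads.content.com"},
                 "regex": [re.compile(r"^adserver\d*\.")]}
# Hypothetical per-client override, keyed by the source IP the filter sees.
CLIENT_RULES = {"192.168.1.50": {"exact": set(), "regex": []}}  # unfiltered client


def hostname(url):
    """A DNS filter sees only the hostname; scheme, path and query never reach it."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def seen_source(client_ip, forwarder_ip=None):
    """Source IP on the query as the filter receives it: the forwarder's, if any."""
    return forwarder_ip or client_ip


def decide(url, client_ip, forwarder_ip=None):
    """Return 'blocked' or 'resolved' for the DNS lookup that this URL triggers."""
    rules = CLIENT_RULES.get(seen_source(client_ip, forwarder_ip), DEFAULT_RULES)
    host = hostname(url)
    hit = host in rules["exact"] or any(r.search(host) for r in rules["regex"])
    return "blocked" if hit else "resolved"


def separable(unwanted_url, wanted_url):
    """True if the unwanted URL can be blocked without also blocking the wanted one."""
    return hostname(unwanted_url) != hostname(wanted_url)


if __name__ == "__main__":
    page = "https://www.content.com/"
    for ad in ("https://ads.content.com/banner.js",
               "https://www.content.com/ads/picture.jpg"):
        print(ad, decide(ad, "192.168.1.20"), "separable:", separable(ad, page))
    # Same client, queried directly and then through a forwarding DNS server
    # (192.168.1.10 is a constructed address standing in for an AD DNS server).
    ad = "https://ads.content.com/banner.js"
    print("direct:", decide(ad, "192.168.1.50"))
    print("via forwarder:", decide(ad, "192.168.1.50", forwarder_ip="192.168.1.10"))
```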