Pihole and Unbound

Comments

30 comments

  • Andy brown

    Update:

    Solved the restart problem, didn't realize I had the wrong docker architecture image.  

    But it still won't work. I have an issue with the volume not being mounted correctly to the /data/pi-hole/unbound directory even though it's there.

    Any thoughts?

    Thanks

    1
  • Simon

    Has anyone found a way to run unbound on FWG docker?

    1
  • Andy brown

    I gave up in the end, I know a little bit but not enough to solve the unbound mounting issues.

    1
  • Simon

    Gee, Firewalla team, are you able to provide any guidance here please? This chap has already done most of the work and is close to having unbound running. From my reading FWG > pihole > unbound is the best way to remain safe, private and secure around

    1
  • Chris Hewitt

    I agree with Simon and Andy.  This would be a great feature to get working. Any chance @Firewalla you could provide some pointers if you don't have this in the backlog?

    THANKS!

    0
  • Alex M

    Yes please, that would be the dream: Pi-Hole + compiled Unbound on my FW Purple.

    Please development team, make it happen :)

    0
  • Firewalla

    One of our developers was experimenting with unbound natively ... I think it is working. If any of you are interested and feel we should bring that to the general public, please let us know. :)

    0
  • Andy brown

    YES please !!!!!  😁😁😁

    1
  • Simon

    Excited to hear this!
    I don’t suppose that your developer has found a way to encrypt upstream requests from the unbound server? As far as I understand this is currently not supported by the root authoritative servers.

    looks like some possibilities exist:
    “Root server Operators encourage the increased deployment of both QNAME minimisation and aggressive DNSSEC caching, which are available in recent releases of recursive DNS software“

    https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf

    0
  • Firewalla

    Disclaimer: this is just a prototype, and we have not committed to doing this in the releases. (But likely we will) 

    DNSSEC is supported

    ```
     % dig sigok.verteiltesysteme.net

    ; <<>> DiG 9.10.6 <<>> sigok.verteiltesysteme.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41987
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;sigok.verteiltesysteme.net. IN A

    ;; ANSWER SECTION:
    sigok.verteiltesysteme.net. 60 IN A 134.91.78.139

    ;; Query time: 393 msec
    ;; SERVER: 192.168.3.1#53(192.168.3.1)
    ;; WHEN: Fri Jan 28 19:10:38 PST 2022
    ;; MSG SIZE  rcvd: 71
    ```

    1
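The `ad` flag in the dig output above is the whole point: it is only set when the resolver itself validated the signatures. An added example (not from the thread and not Firewalla's code) that turns that into a repeatable check: it parses dig headers for the AD bit and the RCODE, then queries a resolver for the correctly signed `sigok.verteiltesysteme.net` and the deliberately broken `sigfail.verteiltesysteme.net`. A validating resolver answers the first with AD set and the second with SERVFAIL; a non-validating one returns an A record for both. It assumes `dig` is installed where you run it; the addresses and port (172.16.0.4, 5335, 172.16.0.2) are the ones used in the compose files later in this thread and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a resolver really validates
# DNSSEC. Assumes `dig` is available; the resolver addresses in the usage
# comments are assumptions taken from the compose files in this thread.

# Print "yes" if the AD (authenticated data) bit is set in captured dig output,
# otherwise "no". Resolvers only set AD on answers they validated themselves.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]' && echo yes || echo no
}

# Print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from captured dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Query one resolver for a correctly signed name and a deliberately badly signed
# one. Validating: AD on the first, SERVFAIL on the second. Non-validating:
# an A record for both, i.e. bogus data would be accepted.
dnssec_check() {
    server=$1
    port=${2:-53}
    good=$(dig +dnssec -p "$port" "@$server" sigok.verteiltesysteme.net A)
    bad=$(dig +dnssec -p "$port" "@$server" sigfail.verteiltesysteme.net A)
    if [ "$(dig_has_ad "$good")" != yes ]; then
        echo "$server:$port: no AD bit on sigok -> answers are not being validated"
        return 1
    fi
    if [ "$(dig_status "$bad")" != SERVFAIL ]; then
        echo "$server:$port: sigfail was answered ($(dig_status "$bad")) -> bogus data accepted"
        return 1
    fi
    echo "$server:$port: DNSSEC validation OK"
}

# Constructed sample, modelled on the dig header posted earlier in this thread,
# so the parsers can be exercised without network access.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$(dig_has_ad "$SAMPLE_OK")" = yes ]; then
    echo "parser: AD bit detected in sample output"
fi

# Live checks only when run with arguments, e.g.
#   sh dnssec-check.sh 172.16.0.4 5335   # straight at the unbound container
#   sh dnssec-check.sh 172.16.0.2        # through Pi-hole
if [ $# -ge 1 ]; then
    dnssec_check "$@"
fi
```

Run it against the unbound container first. Pi-hole's dnsmasq clears the AD bit unless its own DNSSEC setting (or `proxy-dnssec`) is on, so a missing AD bit when querying through Pi-hole does not by itself mean unbound is not validating; the SERVFAIL for `sigfail` still does, because Pi-hole just passes that failure through.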
  • Alex M

    That is excellent news!
    Please let us know if we can do some beta testing :)

    0
  • Lynk

    Any recent updates?

    0
  • Firewalla

    Unbound will be natively supported in 1.974 + app 1.50 (likely there in a month or two from this message).

    1
  • Lynk

    Excellent! 

    0
  • Alex M

    Given that Firewalla doesn't support Pi-Hole and Unbound (together, individually they are supported), did anyone take this further?

    I'm currently looking into using this: https://github.com/chriscrowe/docker-pihole-unbound/tree/master/one-container

    0
  • Andy brown

    Unbound will be supported in the next update; it's already out for the Alpha testers. However, I'm not sure how this is going to work for those of us that have pihole natively in docker on the gold.

    It's great that the firewalla team have worked on the unbound problem; however, I thought it would have been with pihole in mind. I have no clue, when unbound is selected in the app, how this will work with pihole and the DNS settings on pihole.

    For me pihole is better than selecting the inbuilt adblocker within firewalla.  

    Will have to wait and see how it all links together if at all. 

    If you get the one container working, it would be great if you share the script....:-)

    0
  • Alex M

    @Andy, the embedded Unbound isn't going to work with Pi-Hole in Docker, see here: https://help.firewalla.com/hc/en-us/articles/4556423309587-DNS-Service-Unbound-early-access- (the dev team is quite clear in the comments)...

    Like you, I was hoping/expecting it to work with Pi-Hole, but sadly that's simply not the case, nor does the team seem inclined to look further into this.

    I'll look further into the one-container solution and report back...

    0
  • Alex M

    I've been trying to get Pi-Hole and Unbound in containers to run but no success so far.

    Can anyone help on this???

    0
  • Alex M

    @Andy: I got it working after quite a bit of experimenting and consulting online documentation...

    (the fw support team is not interested in supporting this and expects the community to solve it)

    1
  • Lynk

    @Alex,

    What did you do to get it working please? Also, thank you for testing this 🙏🤘

    0
  • Andy brown

    Fantastic news….@Alex.  I would love to get a copy of your final instructions if you are happy to share.  I take full responsibility if I mess up my Firewalla config….😁

    I was going to have another go myself, but this is even better.  Someone who actually knows what they are doing, instead of me…

    When Firewalla said they were taking this on, I didn’t expect the direction they took, but fully understand why they did it.

    Huge thanks….:-)

    Andy

    0
  • Alex M

    Here's the yaml file I use, all the steps are the same as those that can be found here for Pi-Hole or Pi-Hole + Cloudflared: https://help.firewalla.com/hc/en-us/articles/360051625034

    FYI:

    • I used 172.16.0.4 as IP address for unbound as I still had 172.16.0.3 temporarily running Cloudflared as back-up, feel free to adjust but then be sure to adjust all mentions of 172.16.0.4 to 172.16.0.3
    • giving the Unbound container a name breaks things for some reason
    • I use klutchell's unbound docker image, as it allows unbound to work as recursive resolver, rather than as a forwarding resolver (which in my opinion kind of defeats one of unbound's purposes as it gives all your dns data to the providers you forward to).
    • I haven't figured out a way to be able to reach unbound.conf - mounting volumes hasn't been successful so far
    • adjust the password to one of your liking, I just put firewalla here as that fits with the tutorial that the Firewalla team have provided for Pi-Hole
    ```yaml
    version: "3"

    services:
      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        networks:
          default:
            ipv4_address: 172.16.0.2
        environment:
          TZ: 'Europe/Brussels'
          DNS1: '172.16.0.4'
          DNS2: 'no'
          # belongs under environment; as originally pasted it sat one level up, where compose rejects it as an unknown service key
          WEBPASSWORD: 'firewalla'
        volumes:
          - '/data/pi-hole/etc-pihole:/etc/pihole'
          - './etc-dnsmasq:/etc/dnsmasq.d'
          - '/etc/localtime:/etc/localtime:ro'
        cap_add:
          - NET_ADMIN
        restart: unless-stopped
        links:
          - unbound

      unbound:
        image: klutchell/unbound
        networks:
          default:
            ipv4_address: 172.16.0.4
        ports:
          - 5335:5335/tcp
          - 5335:5335/udp
        restart: unless-stopped

    networks:
      default:
        driver: bridge
        ipam:
          config:
          - subnet: 172.16.0.0/24
    ```
    1
  • Alex M

    @Andy: happy to help

    However, don't overestimate me by assuming that I know what I'm doing :)

    This is the result of a lot of reading, experimenting and trying to understand. It was fun to figure things out, and I've learned something along the way. I still haven't figured it all out yet though. (eg: why does it work with the 'links' bit in there, yet without a name for the unbound container)

    0
  • Andy brown

    Thanks, I will have a go this weekend, already copied the file.  

    I agree, strange about the container name, but if it works don’t knock it.  Have to dig into the links part, not seen that before.

    The mounting part was my sticking point, maybe we will get there one day.

    just nice to get this to work with pihole…

    Thanks Again

    Andy

    1
  • Simon

    Nice one, I will also test this out and report back.  
    Is it possible to use another network connectivity container mode other than bridge,? If we would expose unbound and pihole like external devices with their own I.p we could then force unbound traffic over encrypted third party vpn in firewalla 

    Edit: This works great, I did have a quick attempt at changing the network driver to MACVLAN with no luck :

    https://www.docker.com/blog/understanding-docker-networking-drivers-use-cases/

     

    0
  • Andy brown

    Update on the script:

    Changed back to the mvance container, just to see if it works. It does, so you have a choice.

    Container name works, and so does hostname, which shows up in your pi-hole logs. Links is a legacy option and has been replaced by the networks section, so it's not required. cap_add is only required for DHCP.

    I tried putting the unbound mount higher, it mounted, but not with any config file etc.  Still working on the unbound.conf file.

    Changed the DNS to point to the IP and port.

    We will get there....:-)

    Andy

    ```yaml
    version: "3"

    services:
      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        hostname: pi-hole
        networks:
          default:
            ipv4_address: 172.16.0.2
        environment:
          TZ: 'Europe/Brussels'
          DNS1: '172.16.0.4#5335'
          DNS2: 'no'
          WEBPASSWORD: 'Whatever'
        volumes:
          # note: this mounts into the pihole container, not into unbound
          - '/data/pi-hole/unbound:/opt/unbound/etc/unbound:rw'
          - '/data/pi-hole/etc-pihole:/etc/pihole'
          - './etc-dnsmasq:/etc/dnsmasq.d'
          - '/etc/localtime:/etc/localtime:ro'
        #Only required for DHCP in Pi-Hole
        #cap_add:
        #  - NET_ADMIN
        restart: unless-stopped

      unbound:
        container_name: unbound
        hostname: unbound
        image: mvance/unbound:latest
        networks:
          default:
            ipv4_address: 172.16.0.4
        ports:
          - 5335:5335/tcp
          - 5335:5335/udp
        restart: unless-stopped

    networks:
      default:
        driver: bridge
        ipam:
          config:
          # was /2 as pasted, a typo; /24 is the subnet the two fixed addresses above live in
          - subnet: 172.16.0.0/24
    ```

    0
  • Alex M

    For the mount, you probably need to declare that in the unbound part.
    To make it work, I think I know what's needed: you need to have a couple of files in there, you can find them e.g. here: https://github.com/klutchell/unbound-docker/tree/main/rootfs_overlay/etc/unbound
    (FYI: haven't tried it myself yet, that's for later)

    I didn't need to add the #5335 to the DNS address for Pi-Hole btw.

    0
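An added example (not from the thread, not from Firewalla, mvance or klutchell) that does what the last two replies describe: put the files the mount needs into /data/pi-hole/unbound. Bind-mounting a host directory over /opt/unbound/etc/unbound hides everything the image shipped there, including its unbound.conf and its `var/root.key` trust anchor, which is why the directory "mounted, but not with any config file". The script writes a recursive, validating unbound.conf listening on 5335 (so it matches the `ports:` mapping and `DNS1: '172.16.0.4#5335'`), lints it for the settings that matter, and can create the trust anchor with the image's own `unbound-anchor`. It assumes the mvance/unbound layout (config dir /opt/unbound/etc/unbound, user `_unbound`, tools under /opt/unbound/sbin) and the 172.16.0.0/24 compose subnet from this thread; paths, user and the unbound-anchor location are assumptions to adjust for klutchell's image.

```shell
#!/bin/sh
# Added example, not from the thread: write the unbound.conf that the
# /data/pi-hole/unbound bind mount needs, lint it, and create the DNSSEC trust
# anchor the mount hides. Assumptions: mvance/unbound image layout (config dir
# /opt/unbound/etc/unbound, user _unbound, tools in /opt/unbound/sbin) and the
# 172.16.0.0/24 compose subnet used in this thread.

UNBOUND_DIR=${UNBOUND_DIR:-/data/pi-hole/unbound}

# Recursive, validating resolver. No forward-zone: unbound walks down from the
# root servers itself, so no upstream provider sees the query stream.
write_unbound_conf() {
    dir=$1
    mkdir -p "$dir/var"
    cat > "$dir/unbound.conf" <<'EOF'
server:
    # paths and user match the mvance/unbound image (assumption)
    directory: "/opt/unbound/etc/unbound"
    username: "_unbound"
    chroot: ""
    # listen where the compose file publishes it and Pi-hole points (172.16.0.4#5335)
    interface: 0.0.0.0
    port: 5335
    # assumption: no IPv6 inside the Docker bridge; set yes if the box routes IPv6
    do-ip6: no
    # only the compose network may query; everything else is refused (no open resolver)
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # DNSSEC validation; var/root.key must exist, see bootstrap_trust_anchor
    auto-trust-anchor-file: "var/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    # the two measures recommended in the root-server statement quoted earlier
    qname-minimisation: yes
    aggressive-nsec: yes
    prefetch: yes
    edns-buffer-size: 1232
    # some authoritative servers still break on 0x20 case randomisation
    use-caps-for-id: no
    # do not reveal software and version to whoever asks
    hide-identity: yes
    hide-version: yes
remote-control:
    control-enable: no
EOF
}

# First value of a key in the file, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# The checks to make before pointing Pi-hole at the container.
lint_unbound_conf() {
    f=$1
    rc=0
    [ "$(conf_get "$f" port)" = 5335 ] || { echo "port is not 5335: ports: mapping and DNS1 '#5335' will not match"; rc=1; }
    [ "$(conf_get "$f" qname-minimisation)" = yes ] || { echo "qname-minimisation is off"; rc=1; }
    grep -q '^[[:space:]]*auto-trust-anchor-file:' "$f" || { echo "no trust anchor: nothing will be validated"; rc=1; }
    if grep -q '^[[:space:]]*forward-addr:' "$f"; then echo "forward-addr present: forwarder, not recursive"; rc=1; fi
    grep -q 'access-control: 0.0.0.0/0 refuse' "$f" || { echo "no default refuse rule: open resolver"; rc=1; }
    return $rc
}

# Create var/root.key on the host with the image's own unbound-anchor (path is an
# assumption), which has the root KSK built in. Its exit code 1 only means the
# file was written. unbound must later be able to rewrite it when the root key
# rolls (RFC 5011), so chown it to the uid the container runs unbound as.
bootstrap_trust_anchor() {
    dir=$1
    docker run --rm -v "$dir/var:/anchor" --entrypoint /opt/unbound/sbin/unbound-anchor \
        mvance/unbound:latest -a /anchor/root.key || true
    chmod 644 "$dir/var/root.key"
}

case "${1:-}" in
    write)  write_unbound_conf "$UNBOUND_DIR" && lint_unbound_conf "$UNBOUND_DIR/unbound.conf" \
                && echo "wrote $UNBOUND_DIR/unbound.conf" ;;
    anchor) bootstrap_trust_anchor "$UNBOUND_DIR" ;;
esac
```

Run `sh unbound-setup.sh write` and then `sh unbound-setup.sh anchor` on the box before `docker compose up`, with the `/data/pi-hole/unbound:/opt/unbound/etc/unbound:rw` volume moved under the unbound service as Alex says. The lighter alternative is to bind-mount only the file, `/data/pi-hole/unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro`, which leaves the image's own root.key visible and makes the anchor step unnecessary. Either way, `docker exec unbound /opt/unbound/sbin/unbound-checkconf` (path assumed) tells you whether unbound accepts the file, and a `dig` for sigok.verteiltesysteme.net against 172.16.0.4 port 5335 showing the `ad` flag, as in Firewalla's output earlier in the thread, confirms it is validating.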
  • Simon

    There is a thread here:
    https://www.reddit.com/r/firewalla/comments/tja4ry/macvlan_for_docker/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
    That mentions that macvlan capability might have been added in 1.50, which will help with the encryption of unbound traffic by using a third-party VPN if this capability comes into play.

    0
  • Alex M

    FYI, due to some changes in Docker, the NET_ADMIN capability is currently required for Pi-Hole.

    The team there is working on resolving it.

    See also here: https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#upgrade-notes

    0
  • Alex M

    And the issue is solved with the latest version: https://github.com/pi-hole/docker-pi-hole/releases/tag/2022.04.1

    This release should fix the capabilities issues once and for all. If you found you needed to set CAP_NET_ADMIN or set DNSMASQ_USER to root in recent releases, and would rather not have - you should now be able to unset those.

    0