Pihole and Unbound
I’m trying to run Pi-hole and Unbound in Docker on the Gold, but I’m having issues with Unbound. The Docker container continually restarts, so I’ve got something wrong, or I’m approaching the Docker setup/network setup incorrectly.
Any help appreciated.
Here is the yaml file (I can also post the unbound config file if required):
```yaml
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole
    environment:
      # set a secure password here or the default will be firewalla
      WEBPASSWORD: 'XXXXXXXXXX'
      # Note: nothing here points Pi-hole at the Unbound container yet
      # (see the DNS1 setting in the later compose files in this thread).
    # Volumes store your data between container upgrades
    volumes:
      - '/data/pi-hole/etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      - '/etc/localtime:/etc/localtime:ro'
    restart: unless-stopped
    networks:
      default:
        # static IP address for pi-hole
        ipv4_address: 172.16.0.2
  unbound:
    container_name: unbound
    # -rpi is the Raspberry Pi (ARM) build of the image; the later posts in
    # this thread run mvance/unbound:latest instead.
    image: mvance/unbound-rpi:latest
    networks:
      default:
        ipv4_address: 172.16.0.10
    volumes:
      # mvance images read their config from /opt/unbound/etc/unbound/ inside
      # the container, so a mount at /etc/unbound/ is not seen by Unbound.
      - '/data/pi-hole/unbound/:/etc/unbound/'
    ports:
      - "5335:5335/tcp"
      - "5335:5335/udp"
    healthcheck:
      disable: true
    restart: unless-stopped
networks:
  default:
    driver: bridge
    ipam:
      config:
        # your chosen docker network here
        - subnet: 172.16.0.0/24
```
-
Disclaimer: this is just a prototype, and we have not committed to doing this in the releases. (But likely we will)
DNSSEC is supported:
```
% dig sigok.verteiltesysteme.net
; <<>> DiG 9.10.6 <<>> sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
;; Query time: 393 msec
;; SERVER: 192.168.3.1#53(192.168.3.1)
;; WHEN: Fri Jan 28 19:10:38 PST 2022
;; MSG SIZE rcvd: 71
```
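The dig run above only exercises the positive case. As an added example (not part of the original post or of Firewalla's tooling), here is a POSIX shell checker that reads dig output for both public test names: a validating resolver answers sigok.verteiltesysteme.net with NOERROR and the "ad" (authenticated data) flag, and must answer sigfail.verteiltesysteme.net with SERVFAIL; a resolver that merely forwards without validating returns an address for both and never sets "ad". The live check assumes dig is installed; the sample outputs at the bottom are constructed for offline use, not captured.

```shell
#!/bin/sh
# Added example: verify that a resolver really validates DNSSEC.
# Positive test: sigok.verteiltesysteme.net  -> NOERROR with the "ad" flag
# Negative test: sigfail.verteiltesysteme.net -> SERVFAIL (bogus signature rejected)
# dig sets the AD bit in its queries by default (+adflag), so "ad" in the
# answer means the resolver validated the chain from the root trust anchor.

# Extract the rcode (NOERROR, SERVFAIL, ...) from dig output read on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if the ";; flags:" line of dig output on stdin carries "ad".
dig_has_ad() {
  grep -E '^;; flags:.*[[:space:]]ad[;[:space:]]' >/dev/null
}

# verify_dnssec SIGOK_OUTPUT SIGFAIL_OUTPUT
# Both arguments are complete dig outputs. Returns 0 only when the resolver
# validated: sigok is NOERROR+ad and sigfail is SERVFAIL.
verify_dnssec() {
  ok_status=$(printf '%s\n' "$1" | dig_status)
  fail_status=$(printf '%s\n' "$2" | dig_status)
  [ "$ok_status" = "NOERROR" ] || {
    echo "sigok: expected NOERROR, got ${ok_status:-none}"; return 1; }
  printf '%s\n' "$1" | dig_has_ad || {
    echo "sigok: answer lacks the ad flag (resolver is not validating)"; return 1; }
  [ "$fail_status" = "SERVFAIL" ] || {
    echo "sigfail: expected SERVFAIL, got ${fail_status:-none} (bogus data accepted)"; return 1; }
  echo "resolver validates DNSSEC"
}

# live_check RESOLVER [PORT]: run both queries against a real resolver, e.g.
#   sh dnssec-check.sh 172.16.0.4 5335   (from a host on the compose network)
live_check() {
  port=${2:-53}
  ok=$(dig @"$1" -p "$port" sigok.verteiltesysteme.net A)
  fail=$(dig @"$1" -p "$port" sigfail.verteiltesysteme.net A)
  verify_dnssec "$ok" "$fail"
}

# Constructed (not captured) abbreviated dig outputs for offline use.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# What a non-validating forwarder returns for sigok: an answer, but no "ad".
SAMPLE_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139'

# With arguments, run the live check; without, just define the functions.
if [ $# -gt 0 ]; then
  live_check "$@"
fi
```

Run it against the Pi-hole address as well as against Unbound directly: if Pi-hole answers without "ad" while Unbound answers with it, Pi-hole is not using the Unbound upstream.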
-
Here's the yaml file I use, all the steps are the same as those that can be found here for Pi-Hole or Pi-Hole + Cloudflared: https://help.firewalla.com/hc/en-us/articles/360051625034
FYI:
- I used 172.16.0.4 as IP address for unbound as I still had 172.16.0.3 temporarily running Cloudflared as back-up, feel free to adjust but then be sure to adjust all mentions of 172.16.0.4 to 172.16.0.3
- giving the Unbound container a name breaks things for some reason
- I use klutchell's unbound docker image, as it allows unbound to work as recursive resolver, rather than as a forwarding resolver (which in my opinion kind of defeats one of unbound's purposes as it gives all your dns data to the providers you forward to).
- I haven't figured out a way to be able to reach unbound.conf - mounting volumes hasn't been succesful so far
- adjust the password to one of your liking, I just put firewalla here as that fits with the tutorial that the Firewalla team have provided for Pi-Hole
```yaml
version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      default:
        ipv4_address: 172.16.0.2
    environment:
      TZ: 'Europe/Brussels'
      # upstream = the Unbound container on the compose network
      # (newer pihole images use PIHOLE_DNS_ in place of DNS1/DNS2)
      DNS1: '172.16.0.4'
      DNS2: 'no'
      WEBPASSWORD: 'firewalla'
    volumes:
      - '/data/pi-hole/etc-pihole:/etc/pihole'
      - './etc-dnsmasq:/etc/dnsmasq.d'
      - '/etc/localtime:/etc/localtime:ro'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    # legacy option; services on the same compose network already reach each
    # other by name and by the static addresses above
    links:
      - unbound
  unbound:
    image: klutchell/unbound
    networks:
      default:
        ipv4_address: 172.16.0.4
    # host port mappings only matter for clients outside the compose network;
    # Pi-hole talks to Unbound directly at 172.16.0.4
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    restart: unless-stopped
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.0.0/24
```
-
Thanks, I will have a go this weekend, already copied the file.
I agree, strange about the container name, but if it works don’t knock it. Have to dig into the links part, not seen that before.
The mounting part was my sticking point, maybe we will get there one day.
just nice to get this to work with pihole…
Thanks Again
Andy
-
Excited to hear this!
I don’t suppose that your developer has found a way to encrypt upstream requests from the unbound server? As far as I understand this is currently not supported by root auth servers. Looks like some possibilities exist:
“Root server Operators encourage the increased deployment of both NAME minimisation and aggressive DNSSEC caching, which are available in recent releases of recursive DNS software”
https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf
-
Given that Firewalla doesn't support Pi-Hole and Unbound (together, individually they are supported), did anyone take this further?
I'm currently looking into using this: https://github.com/chriscrowe/docker-pihole-unbound/tree/master/one-container
-
Unbound will be supported in the next update; it's already out for the Alpha testers. However, not sure how this is going to work for those of us that have pihole natively in docker on the gold.
It's great that the firewalla team have worked on the unbound problem, however I thought it would have been with pihole in mind. I have no clue, when unbound is selected in the app, how this will work with pihole and the DNS settings on pihole.
For me pihole is better than selecting the inbuilt adblocker within firewalla.
Will have to wait and see how it all links together if at all.
If you get the one container working, it would be great if you share the script....:-)
-
@Andy, the embedded Unbound isn't going to work with Pi-Hole in Docker, see here: https://help.firewalla.com/hc/en-us/articles/4556423309587-DNS-Service-Unbound-early-access- (the dev team is quite clear in the comments)...
As you, I was hoping/expecting it to work with Pi-Hole but sadly that's simply not the case nor does the team seem inclined to look further into this.
I'll look further into the one-container solution and report back...
-
Fantastic news….@Alex. I would love to get a copy of your final instructions if you are happy to share. I take full responsibility if I mess up my Firewalla config….😁
I was going to have another go myself, but this is even better. Someone who actually knows what they are doing, instead of me…
When Firewalla said they were taking this on, I didn’t expect the direction they took, but fully understand why they did it.
Huge thanks….:-)
Andy
-
@Andy: happy to help
However, don't overestimate me by assuming that I know what I'm doing :)
This is the result of a lot of reading, experimenting and trying to understand. It was fun to figure things out, and I've learned something along the way. I still haven't figured it all out yet though (e.g. why does it work with the 'links' bit in there, yet without a name for the unbound container?).
-
Nice one, I will also test this out and report back.
Is it possible to use another network connectivity container mode other than bridge? If we could expose unbound and pihole like external devices with their own IP, we could then force unbound traffic over an encrypted third-party VPN in Firewalla.
Edit: This works great. I did have a quick attempt at changing the network driver to MACVLAN with no luck:
https://www.docker.com/blog/understanding-docker-networking-drivers-use-cases/
-
Update on the script:
Changed back to mvance container, just to see if it works - It does, so you have a choice
Container name works, and so does hostname, which shows up in your pi-hole logs. Links is a legacy command and has been replaced with the network section, so it's not required. Cap add is only required for DHCP.
I tried putting the unbound mount higher, it mounted, but not with any config file etc. Still working on the unbound.conf file.
Changed the DNS to point to the IP and port.
We will get there....:-)
Andy
```yaml
version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pi-hole
    networks:
      default:
        ipv4_address: 172.16.0.2
    environment:
      TZ: 'Europe/Brussels'
      # upstream = the Unbound container; 'IP#port' is how Pi-hole takes a non-53 port
      DNS1: '172.16.0.4#5335'
      DNS2: 'no'
      WEBPASSWORD: 'Whatever'
    volumes:
      # this mounts the Unbound directory into the Pi-hole container, not into
      # the unbound service below, so Unbound itself never sees it
      - '/data/pi-hole/unbound:/opt/unbound/etc/unbound:rw'
      - '/data/pi-hole/etc-pihole:/etc/pihole'
      - './etc-dnsmasq:/etc/dnsmasq.d'
      - '/etc/localtime:/etc/localtime:ro'
    # Only required for DHCP in Pi-Hole
    #cap_add:
    #  - NET_ADMIN
    restart: unless-stopped
  unbound:
    container_name: unbound
    hostname: unbound
    image: mvance/unbound:latest
    networks:
      default:
        ipv4_address: 172.16.0.4
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    restart: unless-stopped
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.0.0/24
```
-
For the mount, you probably need to declare that in the unbound part.
To make it work, I think I know what's needed: you need to have a couple of files in there, you can find them e.g. here: https://github.com/klutchell/unbound-docker/tree/main/rootfs_overlay/etc/unbound
(FYI: haven't tried it myself yet, that's for later.)
I didn't need to add the #5335 to the DNS address for Pi-Hole btw.
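For the files that mount needs, here is an added example unbound.conf for the recursive setup the thread is after (my example, not the image's shipped file and not from anyone in the thread). It assumes the mvance/unbound layout (/opt/unbound/etc/unbound/, with the DNSSEC trust anchor root.key in that directory) and the 172.16.0.0/24 compose network used above; it listens on 5335 to match DNS1: '172.16.0.4#5335', and it has no forward-zone, so Unbound walks the tree from the root servers itself. It also turns on the two mitigations quoted earlier from the root-server operators' statement, QNAME minimisation and aggressive NSEC caching, which are what limit how much the root and TLD servers learn about your queries while the upstream path itself stays unencrypted.

```conf
# unbound.conf - added example for a recursive, validating resolver behind Pi-hole.
# Assumed paths are those of the mvance/unbound image; adjust for other images.
server:
    # Listen on the port Pi-hole is configured with (DNS1: '172.16.0.4#5335').
    interface: 0.0.0.0@5335
    port: 5335
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Only the compose network (and the container itself) may query.
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone: resolve recursively from the root hints compiled into
    # unbound. DNSSEC validation uses the trust anchor in root.key (assumed
    # path); the file must be writable so RFC 5011 key rollovers can be tracked.
    auto-trust-anchor-file: "/opt/unbound/etc/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes
    harden-algo-downgrade: yes

    # Send only the labels each authoritative server needs, and answer from
    # cached NSEC/NSEC3 proofs instead of asking the root again.
    qname-minimisation: yes
    aggressive-nsec: yes

    # DNS rebinding protection: public names may not resolve to private ranges.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Do not answer id.server / version.bind; randomise query-name case
    # (0x20) as an extra spoofing defence; keep popular records warm.
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    prefetch: yes
    prefetch-key: yes
    edns-buffer-size: 1232
    num-threads: 1
    verbosity: 1
```

Whatever is mounted over /opt/unbound/etc/unbound/ replaces the image's copy of that directory, so the host directory must contain both this unbound.conf and a root.key (unbound-anchor -a /data/pi-hole/unbound/root.key creates one). Validate the file with unbound-checkconf before starting the container, and note that with access-control set this way the host port mappings in the compose files are reachable only from addresses you list.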
-
There is a thread here:
https://www.reddit.com/r/firewalla/comments/tja4ry/macvlan_for_docker/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
That mentions that macvlan capability might have been added in 1.50, which will help with the encryption of unbound traffic by using a third-party VPN if this capability comes into play.
-
FYI, due to some changes in Docker, the NET_ADMIN capability is currently required for Pi-Hole.
The team there is working on resolving it.
See also here: https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#upgrade-notes
-
And the issue is solved with the latest version: https://github.com/pi-hole/docker-pi-hole/releases/tag/2022.04.1
"This release should fix the capabilities issues once and for all. If you found you needed to set CAP_NET_ADMIN or set DNSMASQ_USER to root in recent releases, and would rather not have - you should now be able to unset those."