Pihole + Unbound Docker Compose file
from Octavusss@lemm.ee to selfhosted@lemmy.world on 18 Jun 16:14
https://lemm.ee/post/67215371

Hi friends.

I’ve been trying to find docker-compose.yaml for pihole+unbound so I can use pihole as both a recursive dns server and as local dns alongside Nginx Proxy Manager. But since v6 of pihole all the old files I could find don’t work properly or at all.

Does anyone here use pihole+unbound in docker?

#selfhosted


chris@lemmy.grey.fail on 18 Jun 16:19

services:

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: sheldon
    environment:
      HOST_CONTAINERNAME: pihole
      TZ: ${TZ}
      WEBPASSWORD: ${WEBPASSWORD}
      DNSMASQ_LISTENING: "all"
      PIHOLE_DNS_1: "unbound#53"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "8080:80/tcp"
    # network_mode: host
    dns:
      - 127.0.0.1
    networks:
      dns:
        ipv4_address: 172.22.0.2
    volumes:
      - /mnt/appdata/pihole/etc-pihole:/etc/pihole
      - /mnt/appdata/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped
    depends_on:
      unbound:
        condition: service_healthy

  unbound:
    container_name: unbound
    image: klutchell/unbound:latest
    networks:
      dns:
        ipv4_address: 172.22.0.3
    volumes:
      - /mnt/appdata/unbound:/opt/unbound/etc/unbound/custom
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "dig", "google.com", "@127.0.0.1"]
      interval: 10s
      timeout: 5s
      retries: 5

  wg-easy:
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy:15
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    # environment:
    #   TZ: ${TZ}
    #   LANG: en
    #   WG_HOST: ${WG_HOST}
    #   PASSWORD_HASH: ${PASSWORD_HASH}
    #   WG_DEFAULT_DNS: 172.22.0.2
    #   WG_MTU: 1420
    networks:
      dns:
        ipv4_address: 172.22.0.4
    volumes:
      - /mnt/appdata/wg-easy:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    restart: unless-stopped

networks:
  dns:
    external: true

Feel free to just delete the wg-easy service.

Octavusss@lemm.ee on 18 Jun 22:42

Thank you very much.

chris@lemmy.grey.fail on 19 Jun 17:05

How’d it work out?

Octavusss@lemm.ee on 20 Jun 03:42

Deleted the WireGuard and modified a few other things in the docker compose file and so far it’s running fine without any errors. So far so good.

Outwit1294@lemmy.today on 19 Jun 02:22

You seem knowledgeable. I have a question about this. I have run this type of setup before. Every time, I ended up ditching unbound because it throws DNSSEC errors. I have tried troubleshooting but it doesn’t work.

chris@lemmy.grey.fail on 19 Jun 08:31

Is your ISP interfering?

Outwit1294@lemmy.today on 19 Jun 08:35

Not as far as I know. I have never been throttled or anything ever. I have never seen any charges.

chris@lemmy.grey.fail on 19 Jun 16:58

I mean in terms of hijacking DNS. Might be worth a look.

Outwit1294@lemmy.today on 19 Jun 21:49

I don’t think it happens because I have used NextDNS and the logs show my activity.

Zanathos@lemmy.world on 20 Jun 03:30

I just went through my setup to verify dnssec settings in unbound to troubleshoot strange latency when removing random names while browsing. Did you verify the unbound certificate file was created and had the proper permissions? There are also a couple other configuration items in unbound related to dnssec that can be tweaked to improve the implementation.

Outwit1294@lemmy.today on 20 Jun 13:12

I tried again today with baremetal and docker install but I always end up with SERVFAIL after some time.

Zanathos@lemmy.world on 20 Jun 14:05

Instead of port 53, I need to run unbound on 5335 (or another obscure port). I believe I also had to make some host level changes for DNS to operate correctly for incoming requests.

Here’s my podman run commands. These might have changed a bit with Pihole v6, but should still be ok AFAIK.

#PiHole1 Deployment/Upgrade Script
podman run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 8080:80/tcp --hostname pihole --cap-add=CAP_AUDIT_WRITE -e FTLCONF_REPLY_ADDR4=192.168.0.201 -e PIHOLE_DNS_="192.168.0.201#5335;192.168.0.202#5335" -e TZ="America/New_York" -e WEBPASSWORD="MyPassword" -v /var/pihole/pihole1:/etc/pihole -v /var/pihole/pihole1/piholedns/:/etc/dnsmasq.d --restart=unless-stopped --label="io.containers.autoupdate=registry" docker.io/pihole/pihole:latest

#UnBound1 Deployment/Upgrade Script
podman run -d --name unbound -v /var/pihole/pihole1/unbound:/opt/unbound/etc/unbound/ -v /var/pihole/pihole1/unbound/unbound.log:/var/log/unbound/unbound.log -v /var/pihole/pihole1/unbound/root.hints:/opt/unbound/etc/unbound/root.hints -v /var/pihole/pihole1/unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf -p 5335:5335/tcp -p 5335:5335/udp --restart=unless-stopped --label="io.containers.autoupdate=registry" docker.io/mvance/unbound:latest

Outwit1294@lemmy.today on 21 Jun 21:41

I used a similar docker compose config. Yesterday I learned that unbound doesn’t have root.hints by default. I downloaded it following Anudeep’s guide on Github and it was working. But within 2 hours, it started taking too long to respond and eventually stopped replying to pihole. I had to switch to cloudflare.
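The DNSSEC errors and SERVFAILs discussed in this branch have several distinct causes (no trust anchor, stale root hints, unbound unable to reach upstream, or the resolver simply not validating), and a plain dig output tells them apart. The helper below is an added example, not code from anyone in this thread: it classifies dig output by DNSSEC outcome and probes a resolver, defaulting to 127.0.0.1 port 5335 as in the podman setup above. The two test names are assumptions: internetsociety.org as a signed zone that should validate, and dnssec-failed.org as a deliberately broken zone that a validating resolver should refuse with SERVFAIL.

```shell
#!/bin/sh
# Added example (not from the thread): classify dig output by DNSSEC outcome
# and use it to probe a local unbound/pihole resolver.
#
# classify_dig reads a full dig response on stdin and prints one word:
#   validated - NOERROR with the AD (authenticated data) flag set
#   insecure  - NOERROR without AD: unsigned zone, or the resolver is not validating
#   bogus     - SERVFAIL: validation failed, or unbound cannot reach upstream
#   unknown   - no dig header found (timeout, wrong port, dig missing)
classify_dig() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/.*flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)
      case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo insecure ;;
      esac ;;
    SERVFAIL) echo bogus ;;
    "")       echo unknown ;;
    *)        echo "$status" ;;   # NXDOMAIN, REFUSED, ...
  esac
}

# probe_resolver RESOLVER PORT: query two test names and compare with what a
# validating resolver should return. Assumed test zones (not from the thread):
# internetsociety.org is DNSSEC-signed, dnssec-failed.org is deliberately broken.
probe_resolver() {
  r=${1:-127.0.0.1}; p=${2:-5335}; rc=0
  for pair in "internetsociety.org:validated" "dnssec-failed.org:bogus"; do
    name=${pair%%:*}; want=${pair##*:}
    got=$(dig +dnssec +time=3 +tries=1 -p "$p" "@$r" "$name" A 2>/dev/null | classify_dig)
    printf '%-22s expected %-9s got %s\n' "$name" "$want" "$got"
    [ "$got" = "$want" ] || rc=1
  done
  return "$rc"
}

# Run the probe only when invoked with arguments, e.g. ./dnssec-check.sh 127.0.0.1 5335
if [ "$#" -gt 0 ]; then probe_resolver "$@"; fi
```

If the signed name comes back "insecure", unbound answered but is not validating (check the trust anchor file and its permissions); if it comes back "bogus" too, unbound cannot complete recursion at all, which matches the root.hints symptom described above.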

irmadlad@lemmy.world on 19 Jun 09:58

How well does that run in docker? I’ve always liked docker, but it seems to me that certain apps should touch metal rather than be containerized. Maybe I’m too old school.

B0rax@feddit.org on 19 Jun 11:15

I have all these services in docker as well (although not with the docker compose file here) and they run perfectly fine with a very low resource footprint.

irmadlad@lemmy.world on 19 Jun 18:57

OK that’s cool. I love docker. I would like to upgrade to k8s but I haven’t yet plumbed the depths of docker. I was just with the overhead of docker, since Pi-Hole/Unbound is a dedicated system, I thought maybe it’d get better throughput baked in. I wouldn’t listen to me tho, I’m medicated.

B0rax@feddit.org on 19 Jun 23:30

As an anecdote: I have one system (x86) with pi-hole and unbound in a docker, and a secondary raspberry pi with pi-hole running on bare metal. The docker system (although much more performant in general) has a lower latency than the raspberry bare metal install.

chris@lemmy.grey.fail on 19 Jun 16:55

It runs quite well; Docker’s not a full-fledged virtual machine so much as a virtualization layer. I also love the portability of running this in Docker. I rsync a backup of this and the Appdata folder every night. When or if this server fails, I can be up and running again in minutes on another machine.

Zanathos@lemmy.world on 20 Jun 03:27

I do exactly the same thing for all three of these services! My implementation is on podman rather than docker, but basically the same deal.

Appoxo@lemmy.dbzer0.com on 20 Jun 15:29

Focker Docker container in host mode is sufficient for most cases requiring bare deployment.

irmadlad@lemmy.world on 20 Jun 17:36

I’ve heard of Docker, Incus, k8s, VM, but not Focker. Is this some new containerization software?

Appoxo@lemmy.dbzer0.com on 20 Jun 23:44

Typo

irmadlad@lemmy.world on 21 Jun 03:19

Hey you never know. Could be the next big thing: Focker by Mo’Fugger Industries.

thagoat@lemmy.sdf.org on 18 Jun 17:51

github.com/IAmStoxe/wirehole

Vanilla_PuddinFudge@infosec.pub on 20 Jun 06:26

3 years ago

2 years ago

uh, nah

thagoat@lemmy.sdf.org on 20 Jun 09:19

That’s when the compose file was written. The docker images named in the file are updated constantly. Fear not ad-block seeker!

Vanilla_PuddinFudge@infosec.pub on 20 Jun 09:23

Dope. Gonna give it a spin on a vps tonight.

slackarr@piefed.ca on 19 Jun 14:07

I used to use a pihole+unbound single container docker image but technitium is just easier for me. Might be worth exploring other options like adguard home also.

numblyscabbyeach@lemmy.zip on 21 Jun 15:28

community-scripts.github.io/ProxmoxVE/scripts?id=…