Hi friends.

I’ve been trying to find docker-compose.yaml for pihole+unbound so I can use pihole as both a recursive dns server and as local dns alongside Nginx Proxy Manager. But since v6 of pihole all the old files I could find don’t work properly or at all.

Does anyone here use pihole+unbound in docker?

  • Christopher@lemmy.grey.fail · 23 points · 2 days ago
    services:
    
      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        hostname: sheldon
        environment:
          HOST_CONTAINERNAME: pihole
          TZ: ${TZ}
          # Pi-hole v6 settings keys. The v5 names WEBPASSWORD, PIHOLE_DNS_1 and
          # DNSMASQ_LISTENING are deprecated in the v6 image.
          FTLCONF_webserver_api_password: ${WEBPASSWORD}
          FTLCONF_dns_listeningMode: "all"
          # Upstream is the unbound service below, reached by name on the dns network.
          FTLCONF_dns_upstreams: "unbound#53"
        ports:
          # These bind on every host interface. If the host has a public-facing
          # interface, prefix the LAN address (e.g. "192.168.1.10:53:53/tcp") so you
          # do not run an open resolver or expose the plain-HTTP admin UI.
          - "53:53/tcp"
          - "53:53/udp"
          - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
          - "8080:80/tcp"
        # network_mode: host
        dns:
          - 127.0.0.1 # the container's own lookups go through Pi-hole
        networks:
          dns:
            ipv4_address: 172.22.0.2
        volumes:
          - /mnt/appdata/pihole/etc-pihole:/etc/pihole
          - /mnt/appdata/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
        restart: unless-stopped
        depends_on:
          unbound:
            condition: service_healthy
    
      unbound:
        container_name: unbound
        image: klutchell/unbound:latest
        # No ports published: only containers on the dns network (Pi-hole) can query it.
        networks:
          dns:
            ipv4_address: 172.22.0.3
        volumes:
          - /mnt/appdata/unbound:/opt/unbound/etc/unbound/custom
        restart: unless-stopped
        healthcheck:
          test: ["CMD", "dig", "google.com", "@127.0.0.1"]
          interval: 10s
          timeout: 5s
          retries: 5
    
      wg-easy:
        container_name: wg-easy
        image: ghcr.io/wg-easy/wg-easy:15
        ports:
          - "51820:51820/udp"
          - "51821:51821/tcp" # web UI, plain HTTP: keep it on the LAN or behind a proxy
        # environment:
        #   TZ: ${TZ}
        #   LANG: en
        #   WG_HOST: ${WG_HOST}
        #   PASSWORD_HASH: ${PASSWORD_HASH}
        #   WG_DEFAULT_DNS: 172.22.0.2 # hand VPN clients the Pi-hole address above
        #   WG_MTU: 1420
        networks:
          dns:
            ipv4_address: 172.22.0.4
        volumes:
          - /mnt/appdata/wg-easy:/etc/wireguard
          - /lib/modules:/lib/modules:ro
        # NET_ADMIN and SYS_MODULE are needed to create the wg interface and load the
        # kernel module; they are the only extra capabilities this stack grants.
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        sysctls:
          - net.ipv4.ip_forward=1
          - net.ipv4.conf.all.src_valid_mark=1
          - net.ipv6.conf.all.disable_ipv6=0
          - net.ipv6.conf.all.forwarding=1
          - net.ipv6.conf.default.forwarding=1
        restart: unless-stopped
    
    networks:
      dns:
        # Created once outside compose so the fixed addresses above stay stable, e.g.
        #   docker network create --subnet 172.22.0.0/24 dns
        external: true
    

    Feel free to just delete the wg-easy service.

    • irmadlad@lemmy.world · 3 points · 1 day ago

      How well does that run in docker? I’ve always liked docker, but it seems to me that certain apps should touch metal rather than be containerized. Maybe I’m too old school.

      • Christopher@lemmy.grey.fail · 4 points · edited · 16 hours ago

        It runs quite well; Docker’s not a full-fledged virtual machine so much as a virtualization layer. I also love the portability of running this in Docker. I rsync a backup of this and the Appdata folder every night. When or if this server fails, I can be up and running again in minutes on another machine.

        • Zanathos@lemmy.world · 1 point · 12 hours ago

          I do exactly the same thing for all three of these services! My implementation is on podman rather than docker, but basically the same deal.

      • B0rax@feddit.org · 4 points · 1 day ago

        I have all these services in docker as well (although not with the docker compose file here) and they run perfectly fine with a very low resource footprint.

        • irmadlad@lemmy.world · 1 point · 20 hours ago

          OK that’s cool. I love docker. I would like to upgrade to k8s but I haven’t yet plumbed the depths of docker. I was just with the overhead of docker, since Pi-Hole/Unbound is a dedicated system, I thought maybe it’d get better throughput baked in. I wouldn’t listen to me tho, I’m medicated.

          • B0rax@feddit.org · 1 point · 16 hours ago

            As an anecdote: I have one system (x86) with pi-hole and unbound in docker, and a secondary raspberry pi with pi-hole running on bare metal. The docker system (although much more performant in general) has lower latency than the raspberry bare-metal install.

    • Outwit1294@lemmy.today · 3 points · 2 days ago

      You seem knowledgeable. I have a question about this. I have run this type of setup before. Every time, I ended up ditching unbound because it throws DNSSEC errors. I have tried troubleshooting but it doesn’t work.

      • Zanathos@lemmy.world · 2 points · 12 hours ago

        I just went through my setup to verify DNSSEC settings in unbound to troubleshoot strange latency when resolving random names while browsing. Did you verify the unbound certificate file was created and had the proper permissions? There are also a couple of other configuration items in unbound related to DNSSEC that can be tweaked to improve the implementation.

        • Outwit1294@lemmy.today · 1 point · 2 hours ago

          I tried again today with bare-metal and docker installs but I always end up with SERVFAIL after some time.

          • Zanathos@lemmy.world · 2 points · 1 hour ago

            Instead of port 53, I need to run unbound on 5335 (or another obscure port). I believe I also had to make some host-level changes for DNS to operate correctly for incoming requests.

            Here’s my podman run commands. These might have changed a bit with Pihole v6, but should still be ok AFAIK.

            # PiHole1 Deployment/Upgrade Script
            podman run -d --name pihole \
              -p 53:53/tcp -p 53:53/udp -p 8080:80/tcp \
              --hostname pihole \
              --cap-add=CAP_AUDIT_WRITE \
              -e FTLCONF_REPLY_ADDR4=192.168.0.201 \
              -e PIHOLE_DNS_="192.168.0.201#5335;192.168.0.202#5335" \
              -e TZ="America/New_York" \
              -e WEBPASSWORD="MyPassword" \
              -v /var/pihole/pihole1:/etc/pihole \
              -v /var/pihole/pihole1/piholedns/:/etc/dnsmasq.d \
              --restart=unless-stopped \
              --label="io.containers.autoupdate=registry" \
              docker.io/pihole/pihole:latest

            # UnBound1 Deployment/Upgrade Script
            podman run -d --name unbound \
              -v /var/pihole/pihole1/unbound:/opt/unbound/etc/unbound/ \
              -v /var/pihole/pihole1/unbound/unbound.log:/var/log/unbound/unbound.log \
              -v /var/pihole/pihole1/unbound/root.hints:/opt/unbound/etc/unbound/root.hints \
              -v /var/pihole/pihole1/unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf \
              -p 5335:5335/tcp -p 5335:5335/udp \
              --restart=unless-stopped \
              --label="io.containers.autoupdate=registry" \
              docker.io/mvance/unbound:latest
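The DNSSEC sub-thread above (unbound "throws DNSSEC errors", "always end up with SERVFAIL after some time") is usually diagnosed with two dig queries: one for a correctly signed test name and one for a name whose signature is deliberately broken. A validating resolver answers the first with NOERROR and the AD flag set and refuses the second with SERVFAIL; a resolver that is not validating answers both; a resolver that SERVFAILs even the good name is the symptom reported in the thread. The script below is an added example and is not from any post in this thread. It parses dig's output so the three cases can be told apart mechanically; the transcripts embedded in it are constructed, `dig` is only invoked by `live_dnssec_check`, and the two test names come from the standard Pi-hole/unbound guide.

```shell
#!/bin/sh
# check_dnssec.sh: tell whether a resolver is validating DNSSEC from dig output.
# Added example for this thread, not from any of the posts. When used live it
# assumes dig (bind-tools / dnsutils) is installed on the machine running it.

# Print the RCODE (NOERROR, SERVFAIL, ...) from a dig transcript read on stdin.
dig_status() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print "yes" if the AD (authenticated data) flag is set in the transcript, else "no".
dig_ad_flag() {
  flags=$(sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case " $flags " in
    *" ad "*) echo yes ;;
    *)        echo no ;;
  esac
}

# $1 = transcript of  dig sigok.verteiltesysteme.net   @resolver   (validly signed)
# $2 = transcript of  dig sigfail.verteiltesysteme.net @resolver   (broken signature)
# Prints: validating | not-validating | broken
dnssec_verdict() {
  ok_status=$(printf '%s\n' "$1" | dig_status)
  ok_ad=$(printf '%s\n' "$1" | dig_ad_flag)
  fail_status=$(printf '%s\n' "$2" | dig_status)

  if [ "$ok_status" = NOERROR ] && [ "$ok_ad" = yes ] && [ "$fail_status" = SERVFAIL ]; then
    echo validating        # good name authenticated, bogus name refused
  elif [ "$ok_status" = NOERROR ] && [ "$fail_status" = NOERROR ]; then
    echo not-validating    # answers everything, never authenticates: a plain forwarder
  else
    echo broken            # SERVFAIL on the good name too: the thread's symptom
  fi
}

# Live use, e.g.  live_dnssec_check 192.168.0.201 5335  (resolver address, port)
live_dnssec_check() {
  port=${2:-53}
  dnssec_verdict "$(dig sigok.verteiltesysteme.net @"$1" -p "$port")" \
                 "$(dig sigfail.verteiltesysteme.net @"$1" -p "$port")"
}

# Constructed, abridged transcripts of what dig prints in each situation.
SAMPLE_OK_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41005
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `live_dnssec_check` first against unbound directly (its container address and port) and then against Pi-hole on port 53. If unbound alone reports `broken`, the problem is in unbound (root trust anchor file missing or unwritable, clock skew, or blocked outbound UDP/TCP 53); if unbound says `validating` but Pi-hole says `not-validating` or `broken`, the problem is in how Pi-hole reaches unbound.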