[How To] Install Pi-Hole in Docker: Update 01/18/19 - Adding Unbound, a Recursive DNS Server.


    • [How To] Install Pi-Hole in Docker: Update 01/18/19 - Adding Unbound, a Recursive DNS Server.

      Pi-Hole is a network-wide ad blocker which also provides protection from malware sites for the users of your LAN. It functions as a DNS proxy where, by blocking name requests to known malware and advertising sites, network security and the client Internet browsing experience are improved. Telemetry servers are blocked, which helps to preserve user privacy, and by eliminating many video advertising pop-ups, performance is improved as well.

      **For Intermediate Users:**
      See the last post, below, for installing unbound, a recursive DNS server.


      Update (01/18/19):
      This Docker guide was tested on OMV4.1.12, with the docker-gui 4.1.2 plugin, and Pi-hole/Docker
      pihole/pihole image ID: 40531b860719

      If upgrading to the latest image, it is recommended that the previous container is stopped/deleted, delete the previous image, delete the macvlan driver in the networks tab and delete the file contents of **/dockerparms/pihole**. Then proceed with the installation of the new image as follows.

      To ensure that any potential issues with Pi-Hole do not interfere with the OMV host/server, a direct DNS server entry should be configured in OMV as follows:

      Under System, Network, click on Interfaces and Edit.

      **This example uses one of Google's DNS servers. There are other, reliable, public DNS servers available.**

      For users who may be interested in benchmarking DNS servers, this -> utility can be used for finding a fast DNS server for your geographical location.


      While in System, Network, Interfaces, note the interface Name as shown below. (In this example, the int name is enp0s4.)
      The name found is a variable that will be used in the creation of a MacVlan interface, later.



      Under Services, Docker, click on the Overview Tab.

      Begin typing pihole/pihole in the Search bar. After a few letters are typed in, selections will appear. Click on the image, named pihole/pihole as shown.


      The following dialog box appears.
      - For x86 and x64, the Tag field is empty. The "latest" image will be pulled by default.
      - If installing to an ARM device - Odroid, Raspberry Pi, etc., add the following entry in the Tag field: v4.0_armhf

      Click Start.


      When the download is complete and the checksum is verified, click Close.


      Click on the Networks tab and the Create button.

      In the Network driver drop down, select macvlan.

      Fill in the remaining highlighted fields:
      Network name: your workgroup name or domain
      Subnet: your subnetwork. (In the example provided, a subnet mask of equates to /24)
      Gateway: the IP address of your router
      Parent: **enp0s4 <-This is an example only.** Use the interface name found under System, Network, Interfaces, in the Name column, as noted above.


      Click Save.


      Click on the Overview Tab, then the pihole/pihole image and the Run Image button.



      The Run image dialog box appears. In the following, there are three separate screen captures of the same dialog box. Scroll the box to fill in the required entries. (Leave the other un-highlighted entries as they are.)

      Container Name: optional, but suggested
      Restart Policy: always

      Network mode: Macvlan
      Host name: optional, but suggested
      Select macvlan: select the network previously created
      IP address: **Required. The IP address assigned to Pi-Hole should not be the same IP address your OMV server is using. Use a separate static address, outside of the scope of your DHCP server.**


      Scroll down to the following:

      When adding Environment variables:
      Fill out lines, as shown in the following, but note that entries will NOT be saved until the + button on each line is clicked!


      Add the following three lines to environment variables:

      ServerIP       your-pihole-static-ip-here    <click the +>
      WEBPASSWORD    yourpasswordhere              <click the +>
      TZ             yourtimezonehere              <click the +>

      (The correct entry, for your time zone, can be found here-> Time Zones in the TZ column.)

      After entering the above 3 lines, they should appear in Environment variables.
      (They may not appear together, as shown.)



      Continued, two posts below:

      Video Guides :!: New User Guide :!: Docker Guides :!: Pi-hole in Docker
      Good backup takes the "drama" out of computing.
      Primary: OMV 4.1.17, ThinkServer TS140, 12GB ECC, 16GB USB boot, 4TB+4TB zmirror, 3TB client backup.
      OMV 4.1.17, Intel Server SC5650HCBRP, 32GB ECC, 16GB USB boot, UnionFS+SNAPRAID
      Backup: OMV 4.1.9, Acer RC-111, 4GB, 32GB USB boot, 3TB+3TB zmirror, 4TB Rsync'ed disk

      The post was edited 45 times, last by flmaxey: minor edits, upgrade revisions, etc. ().
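
The addressing rule from the Run image step above (a static address that is not the OMV host's and sits outside the DHCP scope), written as a pre-flight check. This is an added example, not part of the original post; the function names are hypothetical and every address in it is constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the static address chosen for the Pi-hole container.

# Dotted-quad IPv4 -> integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True if IP ($1) lies inside CIDR ($2), e.g. 192.168.1.0/24.
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# check_pihole_ip PIHOLE_IP SUBNET OMV_HOST_IP GATEWAY DHCP_FIRST DHCP_LAST
# Prints each problem found; returns 0 only when the address is usable.
check_pihole_ip() {
    rc=0
    p=$(ip2int "$1")
    in_cidr "$1" "$2" || { echo "$1 is outside the macvlan subnet $2"; rc=1; }
    [ "$1" != "$3" ] || { echo "$1 is the OMV host's own address"; rc=1; }
    [ "$1" != "$4" ] || { echo "$1 is the gateway address"; rc=1; }
    if [ "$p" -ge "$(ip2int "$5")" ] && [ "$p" -le "$(ip2int "$6")" ]; then
        echo "$1 is inside the DHCP scope $5-$6"; rc=1
    fi
    return "$rc"
}

# Constructed values for illustration; substitute your own LAN's settings.
check_pihole_ip 192.168.1.250 192.168.1.0/24 192.168.1.10 192.168.1.1 \
    192.168.1.100 192.168.1.200 && echo "address OK"
```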

    • [How To] Install Pi-Hole in Docker: Update - 08/10/18

      This applies more to the docker plugin in general, but if you are running this docker on ESXi, promiscuous mode needs to be enabled on the VM's virtual switch.
      omv 4.1.19 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Continued, from above:

      Continue to scroll to Volumes and Bind mounts:
      Add the following entries into host path and container path fields as shown.

      **Note: If a space is inadvertently added before the "/" in any of the paths shown below, the container will produce an error dialog box that ends with "If you intended to pass a host directory, use absolute path", and refuse to save.**

      Host path                        Container path

      /dockerparms/pihole              /etc/pihole        click the + button
      /dockerparms/pihole/dnsmasq.d    /etc/dnsmasq.d     click the + button

      In Extra arguments, copy and paste the following line in.

      -p 53:53/tcp -p 53:53/udp -p 67:67/udp -p 80:80 -p 443:443 --cap-add=NET_ADMIN

      The final result should appear as follows:

      Click Save.

      Test your container in a Web Browser

      - After saving, allow 2 to 3 minutes for the console web page to start.
      - Type in pihole's IPaddress/admin in the address bar.
      (In this example it's Enter the password you added to Environmental Variables.

      To finish the set up for your network, change your Router's DNS server entry to the Pi-hole's IP address.


      1. For statically addressed clients, it will be necessary to change the DNS entry, for each client, to Pi-Hole's IP address.
      2. Use only Pi-Hole's IP address as the DNS server. Setting a second, "alternate DNS address" will allow Pi-Hole to be bypassed under certain conditions.
      3. Pi-Hole can be bypassed, on a per client basis, by entering a public DNS server IP address in your client's network attributes.
      4. After your docker container is running and the Pi-Hole server is working and tested, avoid using the Container Modify button. While white and blacklists are persistent, as the Modify dialog warning indicates, the most minor change will result in the loss of Pi-hole's log files.
      5. Configuring pi-hole to use DNS servers that support DNSSEC is recommended. DNSSEC protects against "Man in the Middle" attacks and DNS cache poisoning. Configuring pi-hole to use DNS servers that support ANYCAST will, on average, supply faster responses for most locations. Using servers that support both DNSSEC and ANYCAST should yield the best overall results.
      6. Multicast and minidlna were not tested.

      **For those who want to block all IP-ver6 traffic, see this-> link.
      Given the use of Pi-Hole, in a Docker, the text file to be created and edited (pihole-FTL.conf) will not be in the standard location as described in the link above.
      Create the file under /dockerparms/pihole. After the file is created, the line AAAA_QUERY_ANALYSIS=no is added and the file is saved. The Docker would need to be restarted or the OMV server would need a reboot.**


      Extending Pi-Hole with Unbound, A Recursive DNS server

      Unbound, a self contained recursive DNS server, will maximize DNS security for your LAN and its users while providing exceptional name lookup performance.
      (In tests using GRC's DNS Benchmark, not even the closest and fastest public DNS servers equaled unbound's cached name lookup performance.)

      **Once installed, check the spoofability of your DNS server operation with this test page -> grc.com/dns/dns.htm**

      For Intermediate Users:
      This installation process requires SSH access, or local console operations, to OMV's command line. The creation of an unbound config file and editing that file, along with command line testing, is part of the installation.

      - Users who are using OMV's DNSmasq plugin should not install unbound. Conflicts may result. A mitigating strategy would be to transfer DHCP functions to the Pi-hole Docker or the gateway router, and removing the plugin. (Otherwise, backing up OMV's boot drive is recommended before proceeding.)
      - If not installed, DNS utils are needed.
      apt-get install -y dnsutils

      - A good explanation of what unbound is, what it does, and an installation process that works with OMV/Debian can be found ->here.
      - Using WinSCP for creating unbound's config file and WinSCP's editor for inserting text into the config file, will make the install process easier. (Text copy and pasting, from a Windows client, is supported by WinSCP.)
      - Permissions for the config file /etc/unbound/unbound.conf.d/pi-hole.conf are root:root 0644.
      - At the testing phase of unbound; due to separate IP addresses being used for OMV and Pi-hole, the command dig pi-hole.net @ -p 5353 will not work. Skip this specific test. The remaining dig tests should work.

      At the end of the installation:
      To configure Pi-hole (running in a Docker with a separate IP address) to look at OMV/unbound as its up-stream DNS server; cannot be used.
      Insert OMV's IP address as shown in the following. Don't forget to "save" this change.

      (**For the same reason, **)


      Finally, Scheduled Jobs can be used for automating a semi-annual update of the following command lines.

      service unbound stop && wget -O root.hints https://www.internic.net/domain/named.root
      mv root.hints /var/lib/unbound/ ; service unbound start

      Additional Information:
      Pi-Hole Web Site: pi-hole.net
      A Docker tutorial is available at: docker-curriculum.com/
      unbound: nlnetlabs.nl/projects/unbound/about/


      The post was edited 25 times, last by flmaxey: edits ().
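
The scheduled root hints refresh above, reworked so that a failed or truncated download never replaces the working file. This is an added example, not part of the original post: the check for all 13 root servers, the function names and the restart (rather than stop/start) are assumptions of this sketch, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: check a downloaded root.hints before it replaces the live copy.
HINTS_URL="https://www.internic.net/domain/named.root"  # URL from the post
HINTS_DEST="/var/lib/unbound/root.hints"                # destination from the post

# Succeed only if FILE names all 13 root servers (A-M), each with an NS and an A record.
valid_root_hints() {
    awk '
        $1 == "." && toupper($3) == "NS" && toupper($4) ~ /^[A-M]\.ROOT-SERVERS\.NET\.$/ {
            ns[toupper($4)] = 1
        }
        toupper($3) == "A" { a[toupper($1)] = 1 }
        END {
            n = 0
            for (s in ns) if (s in a) n++
            exit (n != 13)
        }' "$1"
}

# Constructed sample in named.root layout (192.0.2.1 is a documentation address).
sample_hints() {
    for l in A B C D E F G H I J K L M; do
        printf '.                    3600000  NS  %s.ROOT-SERVERS.NET.\n' "$l"
        printf '%s.ROOT-SERVERS.NET.  3600000  A   192.0.2.1\n' "$l"
    done
}

# Download to a temp file, validate, then swap it in and restart unbound.
update_root_hints() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$HINTS_URL" && valid_root_hints "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$HINTS_DEST" && service unbound restart
    else
        rm -f "$tmp"
        echo "root.hints rejected; keeping the existing file" >&2
        return 1
    fi
}

if [ "${1:-}" = "--update" ]; then
    update_root_hints            # run as root from a scheduled job
else
    t=$(mktemp) && sample_hints > "$t" && valid_root_hints "$t" && echo "sample accepted"
    rm -f "$t"
fi
```

Run without arguments it only validates the constructed sample; the scheduled job would call it with `--update`.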