Questions concerning [How To] Install Pi-Hole in Docker


      @flmaxey Could you please explain the full path to "delete the file contents of /dockerparms/pihole"? Watchtower broke my pihole install and I cannot seem to find this file to delete it in order to start a fresh install.
      I am guessing from some of your posts that you have pihole running separate from your storage servers on a rpi3. If so, is there a reason for that, and is that the best way to set it up on your network?

      I had another question but cannot recall it at this time.
      Retired. I love to garden and mess with computers. The more I mess with both the less I know about either.
      OMV 4.1.27-1 on a pair of Odroid hc2's w/ 4TB WD Blue. Running Nextcloud, Plex, & Heimdall - and a Raspberry Pi 3 running Pi-hole.
      Testing OMV 5.0.14-1 beta on an Odroid H2, HP dx2400, and Nanopi M4.
    • @flmaxey I remember the other question: In the latest docker pi-hole install notes extra arguments "--dns=127.0.0.1 --dns=1.1.1.1" has been added yet you mention not using 127.0.0.1 down in the unbound section. The docker has been updated 9 days ago. Should I add this to extra arguments, along with the port numbers and --cap-add=NET_ADMIN?
    • Delete the /config you defined the first time, in my case /home/dockuser/pihole; that's all.

      And remember that the latest version of pihole (4.1.1) NEEDS YOU TO DEFINE dns!=127.0.0.1 AND dns2=YOUR dns PROVIDER (IN MY CASE 8.8.8.8)
      Images
      • 1.jpg

      OMV 4.1.11 x64 on a HP T510, 16GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOHTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ; ctop
      Dockers: MLDonkey ; PiHole ; weTTY
      Videos: @TechnoDadLife
    • @raulfg3 I noticed from your image you listed the dns in the Environment variables and not along with the other extra arguments below. I just thought they would be added to the other extra arguments at the bottom of the container.
    • pihole appears to be working properly, but when I add unbound and test it I get the following response:
      root@raspberrypi:~# dig pi-hole.net @192.168.1.110 -p 5353

      ; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net @192.168.1.110 -p 5353
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached
      192.168.1.110 is the address of my pihole install.

      If I add the command without an address I get the following:
      root@raspberrypi:~# dig pi-hole.conf

      ; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.conf
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7275
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1452
      ;; QUESTION SECTION:
      ;pi-hole.conf. IN A
      ;; AUTHORITY SECTION:
      . 9478 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019012101 1800 900 604800 86400
      ;; Query time: 16 msec
      ;; SERVER: 1.1.1.1#53(1.1.1.1)
      ;; WHEN: Mon Jan 21 16:19:52 CST 2019
      ;; MSG SIZE rcvd: 116
    • @Agricola :

      Sorry, when you used Watchtower, you voided the warranty on this Pi-hole How-To. (See customer service to get your money back. :) )
      While some use Watchtower and like it, I'm not one of them. There are too many variables that Watchtower can't take into account. (As you may have noticed.)
      ______________________________________________________________

      If you created the Pi-hole container in accordance with this "How-To", exactly as written, the folder /dockerparms/pihole should exist. If it's not there, then either there was a deviation from the How-To when the container was created, Watchtower did something or maybe it was gremlins.
      If the host paths to be cleared do not exist, (as mentioned in the How-To), these folders will be recreated when a new container is configured. This is fine.
      ______________________________________________________________

      Regarding unbound:
      For the same reason the How-To instructed you to set OMV's IP address as a custom DNS server in Pi-hole, the command to test unbound, dig pi-hole.net @127.0.0.1 -p 5353, will not work. Pi-hole has its own, separate, IP address that does not exist at 127.0.0.1 (the local host - OMV). Skip this test.

      Thanks for the heads up - I've altered the How-To accordingly.
      ______________________________________________________________

      @raulfg3

      @Agricola was attempting to install and configure unbound to work with Pi-hole, running in a Docker. To get unbound (installed on the OMV host) to work with Pi-hole (in a Docker with a separate IP address), 127.0.0.1 can't be used. The upstream (custom) DNS server is OMV's IP address. Similarly, since the OMV host becomes a Recursive DNS server, users shouldn't add other DNS servers as an environment variable in the Pi-hole container. If they do, unbound is bypassed.


    • flmaxey wrote:

      Sorry, when you used Watchtower, you voided the warranty
      I do agree...now. This is another topic altogether, but how do you update your dockers?

      flmaxey wrote:

      If it's not there, then either there was a deviation from the How-To
      (Sheepish, red-faced look) I looked and, sure enough. I have been watching @TechnoDadLife's video on pihole, to help visualize some of the fine points. I see now the difference(s). All of his videos involve creating a share called AppData, and then creating the required folders inside it with my computer. So I was setting up the host path /sharedfolders/AppData/Pihole and /sharedfolders/AppData/Pihole/DNSmasq. I am sorry. I will start over, and stick closer solely with your guide. Now, if I insert the host path as directed, will the folders be created in the process? I guess I'll find out here in a minute when I recreate the container. Thanks for the patient help.

    • So is this what I am looking for?
      You stated that the test validations do not work. So how do I know unbound is working?

      And explain this to me: my wifi works to my laptop, but my mobile devices are blocked, except I can surf around all day on the omv forums. Weirdest thing in the world, but going to all other sites continues to fail.

    • Agricola wrote:

      Now, if I insert the host path as directed, will the folders be created in the process?
      Yes (As previously stated.)

      Agricola wrote:

      So is this what I am looking for?
      Basically, yes.

      Agricola wrote:

      You stated that the test validations do not work.
      No, I didn't. I said one command, dig pi-hole.net @127.0.0.1 -p 5353, will not work. The name alias "pi-hole.net" works through Pi-hole's IP address which is different from the OMV host. A command that uses 127.0.0.1, on OMV's command line, will attempt to contact pi-hole.net on the local host. It won't find that name because it's isolated from the OMV host, by the docker.

      Agricola wrote:

      So how do I know unbound is working?
      The rest of the tests will work.

      dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
      dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

      Agricola wrote:

      my wifi works to my laptop, but my mobile devices are blocked, except I can surf around all day on the omv forums. Weirdest thing in the world, but going to all other sites continues to fail.
      There could be multiple things going on here, to include network settings on the devices themselves. You'll have to check them. If you have trouble with a particular device using Pi-hole, unbound, etc., you can bypass them by setting an IP address, for a public DNS server, in the device's DNS setting. (In most cases, it's set to "automatic".)
      ______________________________________________________________________________

      This is what I have:
      (Setting aside statically addressed devices.)

      1. DHCP Client---to--->Router/DHCP server
      2. The Router's DNS server is set to Pi-hole's address 192.168.1.56. (There are no second or third DNS addresses. This can result in bypassing pi-hole)
      3. Pi-hole is set to OMV's address (as a custom DNS server) where unbound is installed. 192.168.1.55#5353

      So the basic flow for DHCP clients is:
      Client ----> Router -----> Pi-hole -----> OMV w/unbound ----> Internet.

      Unbound takes all DNS requests coming in on port 5353. Since it's a DNS server, it traces uncached requests through authoritative DNS servers in the net, and obtains a remote host IP address. That address is added to unbound's cache. Thereafter, requests for that name are local. (And are blindingly fast.)

      If you're configured correctly and have the GRC DNS speed app installed on a Windows client, you'll see the performance. Since your DHCP client connects to your router first (if you're configured that way) your router's IP address will have the fastest uncached DNS lookups bar none. (Uncached is the wide red bar.)
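
The sigok/sigfail test and the Client -> Router -> Pi-hole -> unbound flow from the post above, as an added example that is not part of the original thread: it reads dig output and reports whether the answer came from the intended resolver and whether that resolver validates DNSSEC. The function names are hypothetical and the sample outputs are constructed; the expected resolver 127.0.0.1#5353 is the one used in the dig commands above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# RCODE from the ->>HEADER<<- line; empty when dig timed out.
dig_status() {
  printf '%s\n' "$1" |
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# "address#port" of the server that actually answered.
dig_server() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*;; SERVER: \([^(]*\)(.*/\1/p' | head -n 1
}

# Succeeds when the header carries the "ad" (authenticated data) flag.
dig_has_ad() {
  local flags
  flags=$(printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  case " $flags " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# check_resolver EXPECTED SIGOK_OUTPUT SIGFAIL_OUTPUT -> one-word verdict
check_resolver() {
  local expected=$1 ok=$2 fail=$3 srv
  if [ -z "$(dig_status "$ok")" ] || [ -z "$(dig_status "$fail")" ]; then
    echo "unreachable"; return 0
  fi
  # An answer from any other server means unbound was not the one asked.
  for srv in "$(dig_server "$ok")" "$(dig_server "$fail")"; do
    if [ "$srv" != "$expected" ]; then echo "bypassed:$srv"; return 0; fi
  done
  # Validating resolver: good signature resolves with "ad", bad one SERVFAILs.
  if [ "$(dig_status "$ok")" = NOERROR ] && dig_has_ad "$ok" &&
     [ "$(dig_status "$fail")" = SERVFAIL ]; then
    echo "validating"
  else
    echo "not-validating"
  fi
}

# Constructed sample outputs, trimmed to the lines the parser reads.
SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5353(127.0.0.1)'
SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9902
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5353(127.0.0.1)'
# Broken signature still resolves: the resolver is not validating.
SIGFAIL_UNCHECKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1187
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5353(127.0.0.1)'
# Answer came from a public resolver instead of the local unbound.
SIGOK_PUBLIC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5530
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 1.1.1.1#53(1.1.1.1)'
TIMEOUT=';; connection timed out; no servers could be reached'

check_resolver 127.0.0.1#5353 "$SIGOK" "$SIGFAIL"
check_resolver 127.0.0.1#5353 "$SIGOK" "$SIGFAIL_UNCHECKED"
check_resolver 127.0.0.1#5353 "$SIGOK_PUBLIC" "$SIGFAIL"
check_resolver 127.0.0.1#5353 "$TIMEOUT" "$TIMEOUT"
```

On a live host, pass the captured output of the two dig commands from the post in place of the constructed samples.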
    • I figured how to set my DNS server on my iPhone to my Rpi3's address but I still cannot set pihole DNS settings to unbound without blocking my iPhone from the internet on wifi.
      I am running a Tomato router and I have only the one pihole DNS server listed. I read somewhere that the DNS should be set in the LAN section of the router and NOT the WAN section. I don't seem to be able to find a place under the LAN settings to set a DNS server, only under the WAN.

      Pihole appears to be working some, blocking only about 3%. Pihole has a test page and I still see ads on it, so I'm not sure pihole is set right. Is there some tweaking that needs to be done over time, such as building a blacklist?

      @flmaxey Your guide sets up pihole on the sd card of the Rpi3 with the /dockerparms/. I assumed in the past that all dockers were to be installed outside of the boot drive to prevent unnecessary degradation. I just thought all of the config and data type stuff should reside "outside" so to speak. Not always?

      This whole pihole thing has been a fascinating project. With the exception of a trip to the ER to restart my ticker after I crashed my router, it has been quite educational. I learned all about chmod and how to find and change permissions, how to read the docker release notes, and how to create and find them thar /dockerparms/ with cd and ls. It has also made me more aware of my loss of privacy and the evil of google.
    • When it comes to IPhones - you're the Mac man. :) I can't help you there.

      Agricola wrote:

      I read somewhere that the DNS should be set in the LAN section of the router and NOT the WAN section. I don't seem to be able to find a place under the LAN settings to set a DNS server, only under the WAN.
      I try to stay away from anything to do with consumer routers. I worked with data center routers, back in the day. The devices they're selling on the home market are not really routers. The switch part of it is, arguably, as intelligent as the grossly oversimplified layer 3 routing function. At least with tomato, you'll have more intelligence on the OS side of it.

      If running Pi-hole, I would set any DNS address setting I found on the router to Pi-hole's IP which, after pi-hole applies its blocking function, forwards to the upstream DNS server configured. This was the way it's intended to work. If unbound is installed, and pi-hole is set to forward to it, unbound takes care of the rest by querying authoritative DNS servers direct. While unbound sort of backs into a name lookup (recursive), with the settings used in its config file, unbound is about as secure as name lookups can get (currently).

      Agricola wrote:

      Pihole appears to be working some, blocking only about 3%. Pihole has a test page and I still see ads on it, so I'm not sure pihole is set right. Is there some tweaking that needs to be done over time, such as building a blacklist?
      (Never trust a test provided by the "author" or "maker" of anything, if you're not looking for a rosy result.) Use something external. -> Ad block page. In the bottom, pi-hole works. Build your own blacklist? You sure can, but I think it's easier to just add a few black list entries for detestable web sites (like microsoft.com).

      Agricola wrote:

      @flmaxey Your guide sets up pihole on the sd card of the Rpi3 with the /dockerparms/. I assumed in the past that all dockers were to be installed outside of the boot drive to prevent unnecessary degradation. I just thought all of the config and data type stuff should reside "outside" so to speak. Not always?
      Pi-hole mostly parses through existing black lists. Once it loads up (it's very small) the limited writes it performs are mostly log file entries. What degrades solid state media most is "write amplification" where a 1K write can result in 10k or more actually being written to media. Obviously, this accelerates wear. The Flash-memory plugin, installed by default in SBCs, takes care of this.

      Agricola wrote:

      It has also made me more aware of my loss of privacy and the evil of google.
      Privacy loss? Absolutely. But those who scream the loudest put all of their info "out there" willingly. Facebook is a classic example, along with carrying smart phones around with the GPS function.
      But when compared to government, Google is privacy's patron saint. Google is trying to make money from their "so called" free services. You can't blame them for that and it's relatively easy to protect from their snooping. It's just a question of making your info harder to get, when compared to the next guy. (Let him be the "low hanging fruit".) Government is another matter. My personal info has been "outed" by lackadaisical branches of my own government, at least two times so far. (And this is just what they've admitted to.)
    • @flmaxey Thanks for the detailed reply. You are a wealth of information. On the router topic, they terrify me, so I always tread lightly. The Tomato (thanks @TechnoDadLife for nudging me down that path ... I think.) has about a thousand settings. The Airport Extreme that I was previously using has about three. One thing the two routers have in common is when you call AT&T for assistance they are zero help.

      I have been able to raise pihole's blocking to about 13%. I have added google.com and microsoft.com to the blacklist. Do any other biggies come to mind? Looking over the Query log shows variants of google such as googleapis.l.google.com. Thanks for the test site. Pihole has their own test site which is quite interesting.

      Here is how I have set up my router and iPhone to work with pihole. Maybe it will be helpful to someone in a similar situation:

      On the Tomato router:
      Under Basic Settings —> Network —> Wan Settings set DNS server to Manual and DNS 1 and DNS 2 are both set to 0.0.0.0.
      Under Advanced Settings —> DHCP/DNS Server (LAN):
      Check Use internal DNS. (Default was unchecked.)
      Uncheck Use received DNS with user-entered DNS. (Default was checked.)
      In the Dnsmasq Custom configuration insert server=192.168.1.104 (Your server’s address will probably be different)
      On iPhone/iPad:
      Under Settings —> Wi-Fi —> YourWiFi —> Configure DNS:
      Check Manual
      Click on Add Server
      Insert your server address: 192.158.1.104 (Your server’s address will probably be different.)
      Click Save in the top right hand of the screen.

      I still have not been able to get unbound to play with my mobile devices but I haven't given up. Tell me, is it possible to just run unbound on a separate SBC without pihole? I do still have one unused Rpi3.
    • Agricola wrote:

      Under Basic Settings —> Network —> Wan Settings set DNS server to Manual and DNS 1 and DNS 2 are both set to 0.0.0.0.
      Since "auto" usually means use the first upstream DNS server found by the router when using DHCP (on the WAN side), this might be a problem. With the "Manual" setting, I'd set DNS 1 to Pi-hole's IP. Again, if a DNS setting is available I'd set it to Pi-hole's IP address.

      I'd look at the other settings for "Internal DNS", other than default. If there's a "yes" choice, I'm guessing an address window should appear where I'd enter Pi-hole's address.

      There's nothing to lose here. You're looking at a couple of changes that can always be changed back.
      __________________________________________________________________________________________

      Agricola wrote:

      I have added google.com and microsoft.com to the blacklist.
      I don't know if I'd do this. (I was just kidding when I said microsoft.com was offensive.) Pi-hole's default black lists already block microsoft's telemetry servers. If this were not the case, I'd have abandoned Windows altogether, as of Windows 10. (Win10 is riddled with holes that go directly back to microsoft.) Also, -> google analytics is blocked, which are really nothing more than spy servers, for their advertising customers.
      In the bottom line, the folks that compile and maintain these lists watch for offending servers, hackers, etc., and do a very good job of verifying bad behavior before a site, domain, etc., makes the "naughty list".
      __________________________________________________________________________________________


      I have some sort of odd DNS issue myself. (Two statically addressed servers won't resolve outside the LAN for updates, plugins, etc.) I'm hoping this has nothing to do with unbound, but have yet to run it down.

      If you want to see if unbound is affecting your phones, as a test, use one of the provided DNS servers in Pi-hole's Settings/DNS page, uncheck the custom DNS box and save it.
    • Thanks for the tips. I’ll keep fiddling with it and check back.

      @flmaxey wrote:

      If you want to see if unbound is affecting your phones, as a test, use one of the provided DNS servers in Pi-hole's Settings/DNS page, uncheck the custom DNS box and save it.
      I actually did that. Picked the one about halfway down the list (Quad9) and unchecked the custom DNS box. The iPhone worked fine on WiFi. That is the way I have left it.

      Now I need to start a fresh thread. Nextcloud quit yesterday for no apparent reason. Been away all day so haven’t had a chance to poke around. Not that I have the foggiest where or what to look for.

      Thanks again.
    • I finally got home this evening, and checked my pihole desktop panel and it was reading 52.6% blocking! I went to my blacklist and deleted the google and microsoft entries. :whistling:
    • Yes sir. That is why I selected that one:
    • Well, wahoo! Mobile green lights! I did check a couple of extra boxes in my router's advanced/dns settings, but I really think I waited a little longer to see if wifi would come back to my phone. When I change the router settings, the wifi light on my phone always goes amber. I decided to wait a good while and it finally turned back green. I think it has been working all along.

      Thanks again @flmaxey.
    • @flmaxey
      How do you get your Docker pihole container communicating with the OMV host which is running unbound (and Docker itself) under macvlan? Normally that should be impossible and doesn't work for me.
      docker exec pihole ping <OMV-IP-address> gives me a "Destination Host unreachable" as I expected.
      I am doing some testing with a separate unbound Docker image at the moment, which seems to be working together with pihole.
    • Did you see the most recent note in the How-To about port 53 (versus using 5353)? I observed inexplicable network behavior when using the custom port 5353, as outlined in pi-hole's docs, with unbound and pi-hole in a docker. Using the standard DNS port, 53, corrected the issue.

      The unbound add-on (installed directly to the OMV host) is not a "walk through" type How-To. This is why it's stated, up front, that it's an Intermediate level endeavor. Unbound takes over the DNS forwarding function from the host OS which takes in an interesting number of variables, that include conflicts with packages that may already be installed. If unbound doesn't work, all I could recommend is uninstalling it.

      However, in your case, it appears you got it to work by another route (an unbound Docker).
      __________________________________________________________

      Really, I believe the best method of running pi-hole and unbound, together, is a direct install on a dedicated host. At least two other users that I know of are using this approach, which creates a dedicated "DNS appliance". The resource requirements for both packages are very low, so I installed them on an old R-PI, using Diet-PI. It works well and provides fast and secure DNS to clients even if the OMV server is down. While I have unbound and pi-hole in Docker configured and tested, on OMV, that's a standby / fallback.