Questions concerning [How To] Install Pi-Hole in Docker

    • Agricola wrote:

      When I get close on the diet-pi install I will remove the other reference from my router.
      You don't have to. All of your LAN clients (if they're DHCP) get their DNS address from the router. If the router is currently pointed to pi-hole in the Docker, that's fine.

      On the other hand, if you statically configure just 1 client with the Diet-PI's IP address, as the DNS address, you can test the Diet-PI pi-hole install by simply browsing the net with that client. Then run another test, on the same client, when unbound is installed on the Diet-PI to confirm, whether or not, the entire package is working.

    • Oooo-kay. I got pihole running on the DietPi/Odroid XU4 and just set one device to that IP and it worked. I then added unbound and set it up in the pihole web admin, and it worked with that one device. I then set the router's DNS to that pihole and the internet quit retrieving pages.

      I tried it with several other machines with the same situation. Then I went to my router and decided to try some single-switch setting changes. The first modification fixed everything. See the screen shot below. I checked "Use DHCP". So now I have two fully functional piholes. Should I just shutdown one and keep it ready as a backup? Thanks for your suggestion to just statically change one client without going through the router. When it worked with unbound I knew it had to be something with the router. Right there in the general Network settings was the obvious first test. I have started doing some reading/research on the Tomato firmware which has helped firm up some understanding of networking. Thanks again @flmaxey.
      OMV 5 (current) - NanoPi M4: Nextcloud, Plex, & Heimdall - Acer Aspire T180: backup - Odroid XU4: Pi-Hole (DietPi) - Odroid HC2, Raspberry Pi 3B+, and HP dx2400: testing.
    • Agricola wrote:

      Should I just shutdown one and keep it ready as a backup?
      It's your call but I don't see any point in running 2 XU4's, if one will do it. The HOW-TO works as written, and the pihole in Docker/unbound combo has nearly no performance hit and memory usage is very low. I'm running the Diet-PI setup on an old R-PI "B" model, that has terrible performance, but given some tests I did, I don't believe I could even stress it. (It would take about 50 or more users, surfing at the same time, to begin to stress it.) Bottom line: running these functions on your OMV XU4 will have nearly zero impact.

      But I would backup your main OMV configuration for sure. Clone your SD-card and, after the cloning is complete, use the new clone to be sure it works.
      As your config becomes more complex the time to restore, if rebuilding from scratch, gets long. (If you're not using the 2nd XU4, I'd stick the extra clone in it for a full OS and hardware platform backup, in the event that something happens to the on-line server. Swap out one, the other, or both, and you're back up in a matter of minutes.)

      Agricola wrote:

      Thanks for your suggestion to just statically change one client without going through the router.
      In the same way, you can bypass pi-hole on one or more clients by entering an upstream DNS server like 1.1.1.1 (If you need to get to a blocked site, for some reason, or if you like ads. :) )
      A few months ago, I botched up a pi-hole update and was almost shocked at how many ads pi-hole filters. (I run news streaming sites that, apparently, pop up ads all the time.) My wife even complained about it, wanting to know when I would fix it.

      Agricola wrote:

      When It worked with unbound I knew it had to be something with the router.
      It's good that you got it sorted out. Take care.
    • hi. I installed pihole in OMV docker on Pi4b and everything works fine, but how do I configure OMV and all the other containers to use pihole? I don't have any entry in OMV -> network -> interfaces, in my OMV /etc/resolv.conf there is only one nameserver (OpenDNS). If I change it to pihole address, it does not work.
    • wookash wrote:

      hi. I installed pihole in OMV docker on Pi4b and everything works fine, but how do I configure OMV and all the other containers to use pihole?
      You use Pi-hole's IP address as the DNS address for all clients, or use your router as the DNS address for LAN clients, and set your router's DNS address to Pi-hole's IP address.

      If you configured Pi-hole with a MacVlan interface, in Docker, you'd use the IP address specified in the MacVlan (networking) section of the Docker. Otherwise, you would use OMV's server address since Pi-hole would be sharing it.

      What version of OMV are you using?
    • Thanks for replying. I'm using OMV v4.1.26. I have the latter config, i.e. pihole IP address is configured in my router as DNS server (I have Edgerouter X and made sure it's the only DNS). The problem is that all my clients use pihole fine, but when I run e.g. nslookup from OMV server (where I have pihole configured with MacVlan, so it has its own IP address), the server and the containers do not seem to use pihole, but use OpenDNS server instead, the one that I have specified in resolv.conf in my OMV server. If I then try to replace the OpenDNS server IP with pihole's IP address in resolv.conf, OMV server does not resolve names and my containers resolve fine but with the OpenDNS. (The one container I have tested it with is configured as host network.)
    • Pi-hole should be acting as a DNS server for LAN clients. Since Pi-hole is a DNS filter this is what you want. LAN Clients need ad blocking and are at higher risk for malware insertion. Your server(s) don't need the same protection.
      If it's a problem, the OMV server itself, its containers or guest VMs do not need to run through Pi-hole. Server packages would be accessing repos for software updates and very little more.

      In my case, I used to use a public DNS server that supports DNSSEC and ANYCAST, configured in OMV's GUI. There's a server list that supports these features here.

      (Now I'm running unbound as an add-on, which is self hosted recursive DNS server.)
    • Thanks again, I've found your guide and used it, but set up unbound in a container in bridge mode but had to connect it to the same network as pihole (which is set up as macvlan) and it is working fine. Initially I had it set up with DNSSEC and DNS over TLS, but eventually stuck to OpenDNS. Not sure what I would gain with the initial set up and I thought it was slower. What's your high level config for unbound @crashtest?
    • wookash wrote:

      Thank you, @crashtest, this is helpful. I'll look into unbound - would like to run it in docker on my pi if possible. Cheers!

      wookash wrote:

      Thanks again, I've found your guide and used it, but set up unbound in a container in bridge mode but had to connect it to the same network as pihole (which is set up as macvlan) and it is working fine.
      Maybe this helps: I am running a Pi-Hole (pihole/pihole) and two different Unbound containers (klutchell/unbound & mvance/unbound-rpi) using macvlan on my Raspberry Pi 3B+. I am still looking for an additional Pi-Hole image for redundancy in case an update makes the Pi-Hole non-functional.
    • wookash wrote:

      Not sure what I would gain with the initial set up and I thought it was slower..
      On the very first name look up, a direct installation of unbound may be slower when compared to a Docker. (TBH, I can't imagine why and I can't think of a way to test the difference.) But I do know, after the name is cached, lookup speed is blazing. The lookup is local.

      wookash wrote:

      What's your high level config for unbound @crashtest?
      Right now, I'm running the unbound configuration as it's laid out in the How-To and with the DNSSEC option in Pi-hole. Using that config, I have yet to see a hiccup and it's been running for awhile (about a year). I'm going to look at modifying unbound's configuration slightly, merging parts of a config provided by @Agricola .
    • apveening wrote:

      wookash wrote:

      Thank you, @crashtest, this is helpful. I'll look into unboud - would like to run it in docker on my pi if possible. Cheers!

      wookash wrote:

      Thanks again, I've found your guide and used it, but set up unbound in a container in bridge mode but had to connect it to the same network as pihole (which is set up as macvlan) and it is working fine.
      Maybe this helps: I am running a Pi-Hole (pihole/pihole) and two different Unbound containers (klutchell/unbound & mvance/unbound-rpi) using macvlan on my Raspberry Pi 3B+. I am still looking for an additional Pi-Hole image for redundancy in case an update makes the Pi-Hole non-functional.
      I'm using exactly the same container, just running only mvance now. Plus as I wrote earlier, did not have to configure unbound container as macvlan, just set it up in bridge mode and connected it to the pihole network (pihole is set up using macvlan).
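As an added illustration (not the HOW-TO's file and not posted by anyone in the thread), a Docker Compose layout for the topology discussed here: Pi-hole on a macvlan network with its own LAN address, and an unbound container on the same network so Pi-hole forwards to it by address. The interface name, subnet, addresses and the `PIHOLE_DNS_`/`DNSSEC` variables of the pihole/pihole v5 image are assumptions; check them against your own LAN and image version.

```yaml
version: "3.7"

networks:
  dns_net:                         # assumption: macvlan on the host's LAN interface
    driver: macvlan
    driver_opts:
      parent: eth0                 # replace with your OMV box's LAN interface
    ipam:
      config:
        - subnet: 192.168.1.0/24   # constructed LAN; adjust to yours
          gateway: 192.168.1.1

services:
  unbound:
    image: mvance/unbound-rpi      # image named in the thread
    container_name: unbound
    restart: unless-stopped
    networks:
      dns_net:
        ipv4_address: 192.168.1.3  # constructed; only Pi-hole needs to reach it

  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    depends_on:
      - unbound
    networks:
      dns_net:
        ipv4_address: 192.168.1.2  # constructed; this is the DNS address clients/router use
    environment:
      TZ: "Europe/Berlin"
      PIHOLE_DNS_: "192.168.1.3#53"  # forward only to unbound (v5 image variable; assumption)
      DNSSEC: "true"                 # the "DNSSEC option in Pi-hole" mentioned above
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
```

One known macvlan property worth keeping in mind: the Docker host itself cannot reach a macvlan container's address directly, which is consistent with the OMV server not resolving through Pi-hole earlier in this thread while LAN clients do.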
    • crashtest wrote:

      wookash wrote:

      Not sure what I would gain with the initial set up and I thought it was slower..
      On the very first name look up, a direct installation of unbound may be slower when compared to a Docker. (TBH, I can't imagine why and I can't think of a way to test the difference.) But I do know, after the name is cached, lookup speed is blazing. The lookup is local.
      I was using DNSBench grc.com/dns/benchmark.htm, the results for OpenDNS (forwarding from unbound) vs Cloudflare with DNSSEC and DNS over TLS were better for OpenDNS

    • Note that there's a difference between "cached" entries and "uncached" entries. When unbound is used, uncached entries are a very small percentage of actual traffic. Uncached is the very first name lookup and that will be slow. A traditional DNS (your ISP or a public server) may be faster for uncached name queries.

      After the first lookup, unbound has the name to IP cached. Cached entries, the majority of traffic, is where unbound shines. After a name is cached, it's an IP to IP exchange. It's ultra-fast when compared to traditional DNS.
      And there's the security aspect to consider as well. A recursive DNS server queries from the top-level domain, down to the host itself in incremental steps, when it caches a name. (This is the reason why uncached look-ups take longer.)

      The following is a test I ran on my server. Cached entries return in 1ms. It doesn't get any faster than that. (If it is, it can't be measured on the CLI.)
      In the conclusions tab, it will complain about "only one DNS configured". And that "the server is not replying to all queries" and that it's "not 100% reliable". This is pi-hole in action. Since I'm running this from a client, I have DNSSEC configured with IPv6 disabled in Pi-hole, so all queries are not answered, by design.


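As an added example (not from the thread), a small POSIX shell script that makes the cached-vs-uncached comparison described above measurable with `dig`: it queries a resolver twice for the same name, reports both query times, and checks whether the answer carries the DNSSEC `ad` (authenticated data) flag. The resolver address, the name and the 5 ms "served from cache" threshold are assumptions.

```shell
#!/bin/sh
# Added example: compare first (possibly uncached) and second (cached) lookup
# times against a resolver and check DNSSEC validation via the "ad" flag.
# Usage: sh dnsprobe.sh <resolver-ip> [name]   (both values are assumptions)

# Pull the number out of dig's ";; Query time: N msec" line.
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Report "yes" when the header's flags line contains "ad" (authenticated data),
# i.e. the resolver validated the answer with DNSSEC.
dnssec_validated() {
    if printf '%s\n' "$1" | grep -q '^;; flags:[^;]* ad[ ;]'; then
        echo yes
    else
        echo no
    fi
}

# Classify a cached hit: unbound answers from its local cache in a few ms
# (the 1 ms figure quoted above; 5 ms is our assumed threshold).
is_cached_fast() {
    [ "${1:-999999}" -le 5 ]
}

probe() {
    resolver=$1
    name=${2:-example.com}
    # +dnssec sets the DO bit so a validating resolver can return the ad flag.
    first=$(dig @"$resolver" "$name" +dnssec +tries=1 +time=5)
    second=$(dig @"$resolver" "$name" +dnssec +tries=1 +time=5)
    t1=$(query_time_ms "$first")
    t2=$(query_time_ms "$second")
    printf 'first lookup:  %s ms\n' "$t1"
    printf 'second lookup: %s ms' "$t2"
    if is_cached_fast "$t2"; then printf '  (served from cache)\n'; else printf '\n'; fi
    printf 'DNSSEC validated (ad flag): %s\n' "$(dnssec_validated "$second")"
}

# Only run the live probe when a resolver address was given on the command line.
if [ "$#" -ge 1 ]; then
    probe "$@"
fi
```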
    • crashtest wrote:

      Note that there's a difference between "cached" entries and "uncached" entries. When unbound is used, uncached entries are a very small percentage of actual traffic. Uncached is the very first name lookup and that will be slow. A traditional DNS (your ISP or a public server) may be faster for uncached name queries.

      After the first lookup, unbound has the name to IP cached. Cached entries, the majority of traffic, is where unbound shines. After a name is cached, it's an IP to IP exchange. It's ultra-fast when compared to traditional DNS.
      And there's the security aspect to consider as well. A recursive DNS server queries from the top-level domain, down to the host itself in incremental steps, when it caches a name. (This is the reason why uncached look-ups take longer.)

      The following is a test I ran on my server. Cached entries return in 1ms. It doesn't get any faster than that. (If it is, it can't be measured on the CLI.)
      In the conclusions tab, it will complain about "only one DNS configured". And that "the server is not replying to all queries" and that it's "not 100% reliable". This is pi-hole in action. Since I'm running this from a client, I have DNSSEC configured with IPv6 disabled, in Pi-hole, so all queries are not answered, by design.



      It looks like you don't have any uncached queries. In my case I get these green and blue bars for uncached in DNSBench.

      One more thing I noticed is that with unbound pihole blocks a higher % of queries. I had 10-15% without unbound and now it is at around 30%. I think I'm now hit with more bad stuff but I guess it's due to the way unbound works (all these recursive, root servers etc.)?
    • wookash wrote:

      one more thing I noticed is that with unbound pihole blocks higher % of queries. I had 10-15% without unbound and now it is at around 30%
      I've been asked the question about the percentage of Pi-hole blocks before. That's highly dependent on browsing habits and may (will) change from day to day. Many of the ads at E-commerce sites are blocked. Religious sites? No blocks. Porn and other questionable sites, with auto redirects and links to malware? Heavily blocked. You get the picture. If you're interested in what is blocked, it's detailed in Pi-hole's log file.

      wookash wrote:

      it looks like you don't have any uncached queries.. in my case I get these green and blue bars for uncached DNSBench
      At one time, I did too, back when I was running tests and configuring. After running the test a couple times, depending on the cache size and once a server has been up for awhile, all applicable entries may be cached so there may be no uncached lookups. Frankly I don't know, and I don't know how the Gibson Research people are running their DNS tests with their app. Really, IMHO, those details don't matter. Cached performance is what I'm interested in. Again, uncached is a very small percentage of traffic. The very first name lookup, as I remember it, took approximately 250ms to cache a name. Thereafter, performance is blazingly fast and users are far less susceptible to DNS attacks. There are real security and privacy benefits in running a recursive DNS server. (If you want to check out your security profile, look at GRC's DNS spoofability test. -> GRC.com/dns/dns.htm The link is at the end of the page, on the conclusions tab.)

      There is a big difference between root DNS servers and a recursive server. ICANN, VeriSign and others run root servers. There's 13 of them worldwide. They contain persistent tables that are quite large.

      BTW: Depending on their size, your ISP may be using unbound or another recursive server. Installing it yourself cuts their network latency out of the loop and greatly speeds things up. Here's a link for -> tweaking unbound, but I wouldn't recommend changes for home use. It works great out of the box.


    •
      Agricola wrote:


      I tried it with several other machines with the same situation. Then I went to my router and decided to try some single-switch setting changes. The first modification fixed everything. See the screen shot below. I checked "Use DHCP". So now I have two fully functional piholes. Should I just shutdown one and keep it ready as a backup? Thanks for your suggestion to just statically change one client without going through the router. @flmaxey.


      I configured Pi-Hole & Unbound the same way you did and have to face the same issues with my WiFi clients (MacBook and iPhones).

      Have you only changed your WiFi settings to the DNS server as your Pi-Hole address and 0.0.0.0, or have you changed anything else, such as IPv6 settings, too?

      Thanks and just want to learn from your long journey to a successful setup.
      :!: Odroid HC2 - OMV 4 - 3TB Hard Drive :!: