Questions concerning [How To] Install Pi-Hole in Docker

    • I’m not sure what you mean by IPV6. I don’t use it. All devices in the house (except the servers) use the Pi-hole address for DNS. For iPad/iPhone you have to set the DNS manually from the WiFi tab of your settings. Tap the little blue i with a circle around it and then tap on the Configure DNS. Don’t use a second DNS address thinking you will need it when you leave the house. Each WiFi you join will have its own DNS server supplied from the network’s router.
      Retired. I love to garden and mess with computers. The more I mess with both the less I know about either.
      OMV 4.1.28-1 on a pair of Odroid hc2's w/ 4TB WD Blue. Running Nextcloud, Plex, & Heimdall - and a Raspberry Pi 3 running Pi-hole.
      Testing OMV 5.1.2-1 beta on an Odroid H2, Acer Aspire T180, HP dx2400, and Nanopi M4.
    • Unfortunately I still don't get unbound to work after I changed the DNS in my iOS devices to the pi hole address.

      I configured unbound & pi-hole as described through the following guides from crashtest:
      [How To] Install Pi-Hole in Docker: Update 02/25/19 - Adding Unbound, a Recursive DNS Server

      My current pi-hole DNS setup:


      If I activate OpenDNS and Cloudflare as DNS upstream server, Pi-hole will work without any problems.

      My unbound config file looks like the following:

      server:
      # If no logfile is specified, syslog is used
      # logfile: "/var/log/unbound/unbound.log"
      verbosity: 0
      port: 53
      do-ip4: yes
      do-udp: yes
      do-tcp: yes
      # May be set to yes if you have IPv6 connectivity
      do-ip6: no
      # Use this only when you downloaded the list of primary root servers!
      root-hints: "/var/lib/unbound/root.hints"
      # Trust glue only if it is within the server's authority
      harden-glue: yes
      # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
      harden-dnssec-stripped: yes
      # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
      # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
      use-caps-for-id: no
      # Reduce EDNS reassembly buffer size.
      # Suggested by the unbound man page to reduce fragmentation reassembly problems
      edns-buffer-size: 1472
      # Perform prefetching of close-to-expired message cache entries
      # This only applies to domains that have been frequently queried
      prefetch: yes
      # One thread should be sufficient, can be increased on beefy machines. In reality, for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
      num-threads: 1
      # Ensure kernel buffer is large enough to not lose messages in traffic spikes
      so-rcvbuf: 1m
      # Ensure privacy of local IP ranges
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-address: fd00::/8
      private-address: fe80::/10


      What I really don't understand is that the clients have internet access, but I can't load any page through Safari. Telegram, for example, is able to send out text messages.

      Would be really cool to get that to work. I think there are still some minor changes missing. But I am really at the point where I have tried everything and don't know what else to do?! :sleeping:

      [Attached image: Bildschirmfoto 2019-10-26 um 22.38.53.png]
      :!: Odroid HC2 - OMV 4 - 3TB Hard Drive :!:
    • ChrisBuzz wrote:

      If I change it from # to : I get the following feedback from pi hole:
      Sorry, yes, it's been a long time since I tested this, but going back through the thread one of @Agricola's images shows #5353. I looked at the original pi hole docs here for unbound; it states the port as 5353. TBH I haven't read all the way through this thread, just picking up the last two pages.
      Raid is not a backup! Would you go skydiving without a parachute?
    • ChrisBuzz wrote:

      Just the ip address of the pi hole.
      :thumbup: Do you have the domain search option set? TBH this is one of the reasons I now have pi-hole running on a pi and a router that will allow me to add pi-hole's address and disable the router's DNS. The only other option I can think of is that the DNS cache needs to be flushed on the iOS device.
      Raid is not a backup! Would you go skydiving without a parachute?
    • ChrisBuzz wrote:

      Just the ip address of the pi hole.
      OMV ip address#53 is only used in pi hole to use unbound as upstream server. So that combination doesn't make sense for me?!
      Did you do the dig tests at the end of Unbound's configuration? One should have failed, the other should have worked.

      I.E.

      dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
      dig sigok.verteiltesysteme.net @127.0.0.1 -p 53

      In the above, the first command fails. The second produces an IP address. This confirms that unbound is working.
    • geaves wrote:

      When you go into Configure DNS there is an option "search domains". I have this set to my OMV domain (System -> Domain name), which is also the same in SMB/CIFS.
      Configure DNS in the pi hole settings? Sorry, still don't know how to change that option.

      crashtest wrote:

      Did you do the dig tests at the end of Unbound's configuration? One should have failed, the other should have worked.
      I.E.

      dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
      dig sigok.verteiltesysteme.net @127.0.0.1 -p 53

      In the above, the first command fails. The second produces an IP address. This confirms that unbound is working.
      Yes, I have done that, and it seemed to me that unbound works in the background.
      But please have a look at the result yourself:
      root@Netzwerkspeicher:~# dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
      ; <<>> DiG 9.10.3-P4-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 53
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27384
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1472
      ;; QUESTION SECTION:
      ;sigfail.verteiltesysteme.net. IN A
      ;; Query time: 313 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Sun Nov 03 13:59:13 CET 2019
      ;; MSG SIZE rcvd: 57
      root@Netzwerkspeicher:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 53
      ; <<>> DiG 9.10.3-P4-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 53
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8034
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1472
      ;; QUESTION SECTION:
      ;sigok.verteiltesysteme.net. IN A
      ;; ANSWER SECTION:
      sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
      ;; AUTHORITY SECTION:
      verteiltesysteme.net. 3600 IN NS ns1.verteiltesysteme.net.
      verteiltesysteme.net. 3600 IN NS ns2.verteiltesysteme.net.
      ;; ADDITIONAL SECTION:
      ns1.verteiltesysteme.net. 3556 IN A 134.91.78.139
      ns2.verteiltesysteme.net. 3556 IN A 134.91.78.141
      ns1.verteiltesysteme.net. 3556 IN AAAA 2001:638:501:8efc::139
      ns2.verteiltesysteme.net. 3556 IN AAAA 2001:638:501:8efc::141
      ;; Query time: 34 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Sun Nov 03 13:59:57 CET 2019
      ;; MSG SIZE rcvd: 195


      When I look at my pi hole dashboard, I notice that part of the queries are already answered through unbound (192.168.178.82), but some still go through other DNS servers:
      :!: Odroid HC2 - OMV 4 - 3TB Hard Drive :!:

      The post was edited 1 time, last by ChrisBuzz.
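The two dig queries crashtest describes are the standard DNSSEC validation check: the deliberately mis-signed name must come back SERVFAIL, and the correctly signed name must come back NOERROR with an answer and the `ad` (authenticated data) flag in the header, which is the explicit signal that the resolver validated the answer rather than just forwarded it. The output ChrisBuzz posted shows exactly that pattern, so the resolver answering on 127.0.0.1:53 is validating. The script below is an added example, not code from this thread, from Pi-hole or from unbound: it parses the header lines of dig's output (the embedded samples are copied from the output above), classifies the pair of results, and `check_resolver_live` runs the same two queries against a real resolver using the system `dig`. One caveat the check cannot resolve on its own: it confirms whatever process is listening at the address and port you pass, not that that process is unbound, so on a host where a Pi-hole container also publishes port 53 you need to be sure which of the two answered.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Sample dig output, copied from the sessions posted in this thread and trimmed to
# the header lines the checker needs.
SIGFAIL_OUTPUT = """\
; <<>> DiG 9.10.3-P4-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27384
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

SIGOK_OUTPUT = """\
; <<>> DiG 9.10.3-P4-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8034
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
"""


@dataclass
class DigResult:
    status: str                              # RCODE as dig prints it: NOERROR, SERVFAIL, ...
    flags: set = field(default_factory=set)  # header flags, e.g. {"qr", "rd", "ra", "ad"}
    answers: int = 0                         # ANSWER count from the flags line


def parse_dig(output: str) -> DigResult:
    """Extract status, flags and answer count from dig's human-readable output."""
    status, flags, answers = None, set(), 0
    for line in output.splitlines():
        if "->>HEADER<<-" in line:
            m = re.search(r"status:\s*(\w+)", line)
            if m:
                status = m.group(1)
        m = re.match(r";; flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+)", line)
        if m:
            flags = set(m.group(1).split())
            answers = int(m.group(2))
    if status is None:
        raise ValueError("no DNS header in dig output (resolver unreachable or timed out)")
    return DigResult(status, flags, answers)


def validation_verdict(sigfail: DigResult, sigok: DigResult) -> str:
    """Classify a sigfail/sigok pair the way a practitioner reads the two dig runs."""
    if sigok.status != "NOERROR" or sigok.answers == 0:
        # Even the correctly signed name fails: root hints, trust anchor or upstream
        # connectivity problem, not a validation result.
        return "broken"
    if sigfail.status == "NOERROR" and sigfail.answers > 0:
        # A bogus signature was accepted: the resolver is not checking DNSSEC at all.
        return "not-validating"
    if "ad" not in sigok.flags:
        # sigfail was rejected but sigok is not marked authenticated: validation unclear.
        return "no-ad-flag"
    if sigfail.status == "SERVFAIL":
        return "validating"
    return "unexpected"


def check_resolver_live(server: str = "127.0.0.1", port: int = 53) -> str:
    """Run both test queries against a real resolver (needs dig and network access)."""
    def dig(name: str) -> str:
        return subprocess.run(["dig", name, f"@{server}", "-p", str(port)],
                              capture_output=True, text=True, check=False).stdout
    return validation_verdict(parse_dig(dig("sigfail.verteiltesysteme.net")),
                              parse_dig(dig("sigok.verteiltesysteme.net")))


if __name__ == "__main__":
    # Offline run over the posted output; "validating" is the expected verdict.
    print(validation_verdict(parse_dig(SIGFAIL_OUTPUT), parse_dig(SIGOK_OUTPUT)))
```

Run it as-is to classify the posted output, or call `check_resolver_live("192.168.178.82", 53)` (address from the thread) from a LAN client to test the resolver Pi-hole is actually forwarding to, which is the more useful check when some queries on the dashboard still show a different upstream.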

    • @ChrisBuzz following are the results from the tests:



      root@OMV-Server:~# dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53

      ; <<>> DiG 9.10.3-P4-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 53
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63400
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1472
      ;; QUESTION SECTION:
      ;sigfail.verteiltesysteme.net. IN A

      ;; Query time: 0 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Sun Nov 03 15:43:20 EST 2019
      ;; MSG SIZE rcvd: 57

      ________________________________________________________

      root@OMV-Server:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 53

      ; <<>> DiG 9.10.3-P4-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 53
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6304
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1472
      ;; QUESTION SECTION:
      ;sigok.verteiltesysteme.net. IN A

      ;; ANSWER SECTION:
      sigok.verteiltesysteme.net. 3600 IN A 134.91.78.139


      ;; AUTHORITY SECTION:
      verteiltesysteme.net. 3216 IN NS ns2.verteiltesysteme.net.
      verteiltesysteme.net. 3216 IN NS ns1.verteiltesysteme.net.

      ;; ADDITIONAL SECTION:
      ns1.verteiltesysteme.net. 3216 IN A 134.91.78.139
      ns2.verteiltesysteme.net. 3216 IN A 134.91.78.141
      ns1.verteiltesysteme.net. 3216 IN AAAA 2001:638:501:8efc::139
      ns2.verteiltesysteme.net. 3216 IN AAAA 2001:638:501:8efc::141

      ;; Query time: 136 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Sun Nov 03 15:49:36 EST 2019
      ;; MSG SIZE rcvd: 195

      root@OMV-Server:~#

      _________________________________________________

      Here's the config file I'm using on the OMV server host, located at /etc/unbound/unbound.conf.d/pi-hole.conf

      server:
      # If no logfile is specified, syslog is used
      # logfile: "/var/log/unbound/unbound.log"
      verbosity: 0

      port: 53
      do-ip4: yes
      do-udp: yes
      do-tcp: yes

      # May be set to yes if you have IPv6 connectivity
      do-ip6: no

      # Use this only when you downloaded the list of primary root servers!
      root-hints: "/var/lib/unbound/root.hints"

      # Trust glue only if it is within the servers authority
      harden-glue: yes

      # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
      harden-dnssec-stripped: yes

      # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
      # see discourse.pi-hole.net/t/unboun…by-or-dnscrypt-proxy/9378 for further details
      use-caps-for-id: no

      # Reduce EDNS reassembly buffer size.
      # Suggested by the unbound man page to reduce fragmentation reassembly problems
      edns-buffer-size: 1472

      # TTL bounds for cache
      cache-min-ttl: 3600
      cache-max-ttl: 86400

      # Perform prefetching of close to expired message cache entries
      # This only applies to domains that have been frequently queried
      prefetch: yes

      # One thread should be sufficient, can be increased on beefy machines
      num-threads: 1

      # Ensure kernel buffer is large enough to not lose messages in traffic spikes
      so-rcvbuf: 1m

      # Ensure privacy of local IP ranges
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-address: fd00::/8
      private-address: fe80::/10



      ______________________________________________________________________

      In my setup, I direct all clients to my router, which forwards to pi-hole (running in a docker), which forwards to unbound which is running in a direct install on my OMV server.


      The above also works for DHCP clients - they'll pick up the router's DNS server setting.
      As has been mentioned, only one DNS address (Pi-hole's address) can be used at the router or, under certain circumstances, Pi-hole can be bypassed. If there's more than one entry to fill, every DNS entry at the router should be Pi-hole's address.

      With that said, as I remember, one user had an Apple router that seemingly ignored the DNS setting and used the ISP's DNS server anyway. All I can say to that is, buy another router that does what you configure it to do. If equipment ignores your settings, nothing can be done about that.

      To stop IPv6 leaks (advertisers are using IPv6 to bypass firewalls and DNS blockers like Pi-hole), add the following line to Pi-hole's config file:
      AAAA_QUERY_ANALYSIS=no (How to do that, with Pi-hole running in a Docker, is in the Pi-hole How-To.)

      The post was edited 1 time, last by crashtest.
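The server block crashtest posted is the Pi-hole-recommended unbound configuration, and three of its options carry the security weight: harden-glue (only accept glue records inside the answering server's authority), harden-dnssec-stripped (without it, an on-path party who strips the RRSIG records gets the zone treated as insecure instead of BOGUS, a silent downgrade), and the private-address list, which makes unbound refuse upstream answers that map a public name to a LAN address, the DNS rebinding protection. The script below is an added example, not code from this thread, from Pi-hole or from unbound: it parses a server: block (the embedded sample is the posted config), checks those options, verifies the private ranges are covered even when listed as larger supernets, and notes the port question raised earlier in the thread. Unbound and Pi-hole can both listen on 53 only if they sit on different IP addresses, which is why the Pi-hole docs quoted earlier put unbound on a separate port (5353) when both run on the same host; the `pihole_port` argument is an assumption of this script, not an unbound option.

```python
import ipaddress
from collections import defaultdict

# Sample server: block, copied from the unbound config posted in this thread
# (stand-in for /etc/unbound/unbound.conf.d/pi-hole.conf).
SAMPLE_CONF = """\
server:
    verbosity: 0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m   # trailing comments are stripped by the parser
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""

# Ranges that private-address must cover for rebinding protection of a typical LAN.
REQUIRED_PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "169.254.0.0/16", "fd00::/8", "fe80::/10"]


def parse_server_block(text: str) -> dict:
    """Return {option: [values]} for the server: clause; comments and quotes stripped."""
    opts = defaultdict(list)
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:      # clause header: server:, forward-zone:, ...
            in_server = (line == "server:")
            continue
        if not in_server or ":" not in line:
            continue
        key, value = line.split(":", 1)                 # split once: IPv6 values contain colons
        opts[key.strip()].append(value.strip().strip('"'))
    return opts


def covered(required: str, listed: list) -> bool:
    """True if some listed network contains the required range (equal or supernet)."""
    need = ipaddress.ip_network(required)
    for cidr in listed:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue
        if net.version == need.version and need.subnet_of(net):
            return True
    return False


def audit_unbound(text: str, pihole_port: int = 53) -> dict:
    """Check the hardening options from the thread; findings are problems, notes are advisory."""
    opts = parse_server_block(text)
    findings, notes = [], []
    for key in ("harden-glue", "harden-dnssec-stripped"):
        got = opts.get(key, ["unset"])[-1]              # last occurrence wins, as in unbound
        if got != "yes":
            findings.append(f"{key}: should be yes (got {got})")
    if opts.get("val-permissive-mode", ["no"])[-1] == "yes":
        findings.append("val-permissive-mode: yes turns BOGUS into insecure answers; the sigfail test would pass wrongly")
    for cidr in REQUIRED_PRIVATE:
        if not covered(cidr, opts.get("private-address", [])):
            findings.append(f"private-address: {cidr} not covered (rebinding protection gap)")
    port = int(opts.get("port", ["53"])[-1])
    if port == pihole_port:
        notes.append(f"port {port} is also Pi-hole's listener; both can use it only on different IP addresses")
    return {"port": port, "findings": findings, "notes": notes}


if __name__ == "__main__":
    report = audit_unbound(SAMPLE_CONF)
    print(f"unbound listens on port {report['port']}")
    for line in report["findings"] + report["notes"]:
        print(" -", line)
```

To audit the real file, pass `open("/etc/unbound/unbound.conf.d/pi-hole.conf").read()` instead of `SAMPLE_CONF`; the posted config produces no findings, only the port note, and flipping `harden-glue` to `no` or dropping the `10.0.0.0/8` line produces one finding each.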

    • crashtest wrote:

      In my setup, I direct all clients to my router, which forwards to pi-hole (running in a docker), which forwards to unbound which is running in a direct install on my OMV server.



      The above also works for DHCP clients - they'll pick up the router's DNS server setting.
      As has been mentioned, only one DNS address (Pi-hole's address) can be used at the router or, under certain circumstances, Pi-hole can be bypassed. If there's more than one entry to fill, every DNS entry at the router should be Pi-hole's address.

      With that said, as I remember, one user had an Apple router that seemingly ignored the DNS setting and used the ISP's DNS server anyway. All I can say to that is, buy another router that does what you configure it to do. If equipment ignores your settings, nothing can be done about that.

      To stop IPv6 leaks (advertisers are using IPv6 to bypass firewalls and DNS blockers like Pi-hole), add the following line to Pi-hole's config file:
      AAAA_QUERY_ANALYSIS=no (How to do that, with Pi-hole running in a Docker, is in the Pi-hole How-To.)
      I have a very similar set-up, the only real difference is that I have two Unbounds, each running in a Docker container. And I concur, if equipment ignores your settings, replace it. You are the master of your home network, not your ISP.
    • Any ideas why my pi-hole docker container can't ping the OMV host (Raspberry Pi 4 w/ unbound local install)? I've followed the guide closely. Other devices on the network can ping both the Pi-Hole container and OMV as well as utilise unbound via dig @<OMV-host address> but ping <OMV-host address> fails inside the Pihole container.