Questions concerning [How To] Install Pi-Hole in Docker

    • Official post

    @flmaxey Could you please explain the full path to "delete the file contents of /dockerparms/pihole"? Watchtower broke my pihole install and I cannot seem to find this file to delete it in order to start a fresh install.
    I am guessing from some of your posts that you have pihole running separate from your storage servers on a rpi3. If so, is there a reason for that, and is that the best way to set it up on your network?


    I had another question but cannot recall it at this time.

    System Backup Typo alert: Under the Linux section the command should be sudo umount /dev/sda1 NOT sudo unmount /dev/sda1

    Backup Data Disk to Backup Disk on Same Machine: In a Scheduled Job: rsync -av --delete /srv/dev-disk-by-uuid-f8814ed9-9a5c-4e1c-8830-426968c20ea3/ /srv/dev-disk-by-uuid-e67439d5-00a3-4942-bd5f-b84ab86aa850/ Don't forget trailing slashes, and BE CAREFUL. (HT: Getting Started with OMV5)

    Equipment - Thinkserver TS140, NanoPi M4 (v.1), Odroid XU4 (Using DietPi): PiHole

    • Official post

    @flmaxey I remember the other question: In the latest docker pi-hole install notes the extra arguments "--dns=127.0.0.1 --dns=1.1.1.1" have been added, yet you mention not using 127.0.0.1 down in the unbound section. The docker was updated 9 days ago. Should I add this to extra arguments, along with the port numbers and --cap-add=NET_ADMIN?

  • Delete the /config you defined the first time; in my case /home/dockuser/pihole. That's all.


    And remember that the latest version of pihole (4.1.1) NEEDS YOU TO DEFINE dns1=127.0.0.1 AND dns2=YOUR dns PROVIDER (IN MY CASE 8.8.8.8)

    • Official post

    @raulfg3 I noticed from your image you listed the dns in the Environment variables and not along with the other extra arguments below. I just thought they would be added to the other extra arguments at the bottom of the container.

    • Official post

    pihole appears to be working properly, but when I add unbound and test it I get the following response:

    Quote

    root@raspberrypi:~# dig pi-hole.net @192.168.1.110 -p 5353


    ; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net @192.168.1.110 -p 5353
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    192.168.1.110 is the address of my pihole install.


    If I add the command without an address I get the following:

    • Official post

    @Agricola :


    Sorry, when you used Watchtower, you voided the warranty on this Pi-hole How-To. (See customer service to get your money back. :) )
    While some use Watchtower and like it, I'm not one of them. There are too many variables that Watchtower can't take into account. (As you may have noticed.)
    ______________________________________________________________


    If you created the Pi-hole container in accordance with this "How-To", exactly as written, the folder /dockerparms/pihole should exist. If it's not there, then either there was a deviation from the How-To when the container was created, Watchtower did something or maybe it was gremlins.
    If the host paths to be cleared do not exist, (as mentioned in the How-To), these folders will be recreated when a new container is configured. This is fine.
    ______________________________________________________________


    Regarding unbound:
    For the same reason the How-To instructed you to set OMV's IP address as a custom DNS server in Pi-hole, the command to test unbound, dig pi-hole.net @127.0.0.1 -p 5353, will not work. Pi-hole has its own, separate, IP address that does not exist at 127.0.0.1 (the local host - OMV). Skip this test.


    Thanks for the heads up - I've altered the How-To accordingly.
    ______________________________________________________________


    @raulfg3


    @Agricola was attempting to install and configure unbound to work with Pi-hole, running in a Docker. To get unbound (installed on the OMV host) to work with Pi-hole (in a Docker with a separate IP address), 127.0.0.1 can't be used. The upstream (custom) DNS server is OMV's IP address. Similarly, since the OMV host becomes a Recursive DNS server, users shouldn't add other DNS servers as an environment variable in the Pi-hole container. If they do, unbound is bypassed.

    • Official post

    Sorry, when you used Watchtower, you voided the warranty

    I do agree...now. This is another topic altogether, but how do you update your dockers?


    If it's not there, then either there was a deviation from the How-To

    (Sheepish, red-faced look) I looked and, sure enough. I have been watching @TechnoDadLife's video on pihole, to help visualize some of the fine points. I see now the difference(s). All of his videos involve creating a share called AppData, and then creating the required folders inside it with my computer. So I was setting up the host path /sharedfolders/AppData/Pihole and /sharedfolders/AppData/Pihole/DNSmasq. I am sorry. I will start over, and stick solely with your guide. Now, if I insert the host path as directed, will the folders be created in the process? I guess I'll find out here in a minute when I recreate the container. Thanks for the patient help.

    • Official post


    So is this what I am looking for?
    You stated that the test validations do not work. So how do I know unbound is working?


    And explain this to me: my wifi works to my laptop, but my mobile devices are blocked, except I can surf around all day on the omv forums. Weirdest thing in the world, but going to all other sites continues to fail.

    • Official post


    Now, if I insert the host path as directed, will the folders be created in the process?

    Yes (As previously stated.)

    So is this what I am looking for?

    Basically, yes.

    You stated that the test validations do not work.

    No I didn't. I said one command, dig pi-hole.net @127.0.0.1 -p 5353, will not work. The name alias "pi-hole.net" works through Pi-hole's IP address, which is different from the OMV host. A command that uses 127.0.0.1, on OMV's command line, will attempt to contact pi-hole.net on the local host. It won't find that name because it's isolated from the OMV host, by the docker.


    So how do I know unbound is working?

    The rest of the tests will work.


    dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
    dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

    my wifi works to my laptop, but my mobile devices are blocked, except I can surf around all day on the omv forums. Weirdest thing in the world, but going to all other sites continues to fail.

    There could be multiple things going on here, to include network settings on the devices themselves. You'll have to check them. If you have trouble with a particular device using Pi-hole, unbound, etc., you can bypass them by setting an IP address, for a public DNS server, in the device's DNS setting. (In most cases, it's set to "automatic".)
    ______________________________________________________________________________


    This is what I have:
    (Setting aside statically addressed devices.)


    1. DHCP Client---to--->Router/DHCP server
    2. The Router's DNS server is set to Pi-hole's address 192.168.1.56. (There are no second or third DNS addresses. These can result in bypassing Pi-hole.)
    3. Pi-hole is set to OMV's address (as a custom DNS server) where unbound is installed. 192.168.1.55#5353


    So the basic flow for DHCP clients is:
    Client ----> Router -----> Pi-hole -----> OMV w/unbound ----> Internet.


    Unbound takes all DNS requests coming in on port 5353. Since it's a DNS server, it traces uncached requests through authoritative DNS servers in the net, and obtains a remote host IP address. That address is added to unbound's cache. Thereafter, requests for that name are local. (And are blindingly fast.)


    If you're configured correctly and have the GRC DNS speed app installed on a Windows client, you'll see the performance. Since your DHCP client connects to your router first (if you're configured that way) your router's IP address will have the fastest uncached DNS lookups bar none. (Uncached is the wide red bar.)
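The two remaining unbound tests above only tell you something if you read dig's reply header correctly: sigok should come back NOERROR with the "ad" (authenticated data) flag, sigfail should come back SERVFAIL because a validating resolver refuses to hand out a record whose signature is bad, and a "no servers could be reached" timeout means nothing is listening at the address:port you asked (the 127.0.0.1-versus-container-IP situation discussed earlier). The following Python is an added example, not code from this thread or from the Pi-hole or unbound projects; it parses dig's text output and returns a verdict for each test. The function names and the sample dig outputs are constructed here for illustration and are not captures from a real host.

```python
"""Classify dig output from the unbound DNSSEC test queries.

Usage: pipe the output of
    dig sigok.verteiltesysteme.net @<resolver-ip> -p 5353
    dig sigfail.verteiltesysteme.net @<resolver-ip> -p 5353
into verdict("sigok", ...) / verdict("sigfail", ...).
"""
import re

# dig prints "status: NOERROR" / "status: SERVFAIL" in the ->>HEADER<<- line
STATUS_RE = re.compile(r"status: ([A-Z]+)")
# and the header flags on a line like ";; flags: qr rd ra ad; QUERY: 1, ..."
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)


def parse_dig(output: str) -> dict:
    """Extract reachability, response status and header flags from dig text."""
    if "no servers could be reached" in output:
        # nothing answered at that address:port (wrong IP, wrong port, firewall)
        return {"reachable": False, "status": None, "flags": set()}
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    return {
        "reachable": True,
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def verdict(test_name: str, output: str) -> str:
    """Return 'validating', 'not-validating', 'unreachable' or 'broken'."""
    p = parse_dig(output)
    if not p["reachable"]:
        return "unreachable"
    if test_name == "sigok":
        # a validating resolver answers and sets the AD flag
        if p["status"] == "NOERROR" and "ad" in p["flags"]:
            return "validating"
        if p["status"] == "NOERROR":
            return "not-validating"   # answered, but nobody validated it
        return "broken"               # sigok must resolve; SERVFAIL here is a config problem
    if test_name == "sigfail":
        # a validating resolver refuses the bogus record with SERVFAIL
        if p["status"] == "SERVFAIL":
            return "validating"
        if p["status"] == "NOERROR":
            return "not-validating"   # the bad signature was accepted or unbound was bypassed
        return "broken"
    raise ValueError(f"unknown test {test_name!r}")


def unbound_validates(sigok_output: str, sigfail_output: str) -> bool:
    """True only when both tests show DNSSEC validation is in effect."""
    return (verdict("sigok", sigok_output) == "validating"
            and verdict("sigfail", sigfail_output) == "validating")


# Constructed sample outputs in dig's format (not captured from a real resolver).
SAMPLE_TIMEOUT = """; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net @192.168.1.110 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached
"""
SAMPLE_SIGOK = """; <<>> DiG 9.10.3-P4-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SIGFAIL = """; <<>> DiG 9.10.3-P4-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# What you see when the query never went through a validating resolver.
SAMPLE_SIGFAIL_UNVALIDATED = """; <<>> DiG 9.10.3-P4-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("timeout  :", verdict("sigok", SAMPLE_TIMEOUT))
    print("sigok    :", verdict("sigok", SAMPLE_SIGOK))
    print("sigfail  :", verdict("sigfail", SAMPLE_SIGFAIL))
    print("bypassed :", verdict("sigfail", SAMPLE_SIGFAIL_UNVALIDATED))
    print("validates:", unbound_validates(SAMPLE_SIGOK, SAMPLE_SIGFAIL))
```

The "not-validating" verdict on sigfail is the one to watch for after setting up the chain described here: it means the client received an answer for a domain whose DNSSEC signature is deliberately broken, so either unbound is not validating or the query reached some other upstream (for example a second DNS server listed on the router or a DNS1/DNS2 environment variable on the Pi-hole container).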

    • Official post

    I figured how to set my DNS server on my iPhone to my Rpi3's address but I still cannot set pihole DNS settings to unbound without blocking my iPhone from the internet on wifi.
    I am running a Tomato router and I have only the one pihole DNS server listed. I read somewhere that the DNS should be set in the LAN section of the router and NOT the WAN section. I don't seem to be able to find a place under the LAN settings to set a DNS server, only under the WAN.


    Pihole appears to be working some, blocking only about 3%. Pihole has a test page and I still see ads on it, so I'm not sure pihole is set right. Is there some tweaking that needs to be done over time, such as building a blacklist?


    @flmaxey Your guide sets up pihole on the sd card of the Rpi3 with the /dockerparms/. I assumed in the past that all dockers were to be installed outside of the boot drive to prevent unnecessary degradation. I just thought all of the config and data type stuff should reside "outside" so to speak. Not always?


    This whole pihole thing has been a fascinating project. With the exception of a trip to the ER to restart my ticker after I crashed my router, it has been quite educational. I learned all about chmod and how to find and change permissions, how to read the docker release notes, and how to create and find them thar /dockerparms/ with cd and ls. It has also made me more aware of my loss of privacy and the evil of google.

    • Official post

    When it comes to iPhones - you're the Mac man. :) I can't help you there.

    I read somewhere that the DNS should be set in the LAN section of the router and NOT the WAN section. I don't seem to be able to find a place under the LAN settings to set a DNS server, only under the WAN.

    I try to stay away from anything to do with consumer routers. I worked with data center routers, back in the day. The devices they're selling on the home market are not really routers. The switch part of it is, arguably, as intelligent as the grossly oversimplified layer 3 routing function. At least with Tomato, you'll have more intelligence on the OS side of it.


    If running Pi-hole, I would set any DNS address setting I found on the router to Pi-hole's IP which, after Pi-hole applies its blocking function, forwards to the upstream DNS server configured. This is the way it's intended to work. If unbound is installed, and Pi-hole is set to forward to it, unbound takes care of the rest by querying authoritative DNS servers direct. While unbound sort of backs into a name lookup (recursive), with the settings used in its config file, unbound is about as secure as name lookups can get (currently).


    Pihole appears to be working some, blocking only about 3%. Pihole has a test page and I still see ads on it, so I'm not sure pihole is set right. Is there some tweaking that needs to be done over time, such as building a blacklist?

    Never trust a test provided by the "author" or "maker" of anything, if you're not looking for a rosy result. Use something external. -> Ad block page In the bottom line, Pi-hole works. Build your own blacklist? You sure can, but I think it's easier to just add a few black list entries for detestable web sites (like http://www.microsoft.com).


    @flmaxey Your guide sets up pihole on the sd card of the Rpi3 with the /dockerparms/. I assumed in the past that all dockers were to be installed outside of the boot drive to prevent unnecessary degradation. I just thought all of the config and data type stuff should reside "outside" so to speak. Not always?

    Pi-hole mostly parses through existing black lists. Once it loads up (it's very small) the limited writes it performs are mostly log file entries. What degrades solid state media most is "write amplification", where a 1K write can result in 10K or more actually being written to media. Obviously, this accelerates wear. The Flash-memory plugin, installed by default on SBCs, takes care of this.


    It has also made me more aware of my loss of privacy and the evil of google.

    Privacy loss? Absolutely. But those who scream the loudest put all of their info "out there" willingly. Facebook is a classic example, along with carrying smart phones around with the GPS function.
    But when compared to government, Google is privacy's patron saint. Google is trying to make money from their "so called" free services. You can't blame them for that and it's relatively easy to protect from their snooping. It's just a question of making your info harder to get, when compared to the next guy. (Let him be the "low hanging fruit".) Government is another matter. My personal info has been "outed" by lackadaisical branches of my own government, at least two times so far. (And this is just what they've admitted to.)

    • Official post

    @flmaxey Thanks for the detailed reply. You are a wealth of information. On the router topic, they terrify me, so I always tread lightly. The Tomato (thanks @TechnoDadLife for nudging me down that path ... I think.) has about a thousand settings. The Airport Extreme that I was previously using has about three. One thing the two routers have in common is when you call AT&T for assistance they are zero help.


    I have been able to raise pihole's blocking to about 13%. I have added google.com and microsoft.com to the blacklist. Do any other biggies come to mind? Looking over the Query log shows variants of google such as googleapis.l.google.com. Thanks for the test site. Pihole has their own test site which is quite interesting.


    Here is how I have set up my router and iPhone to work with pihole. Maybe it will be helpful to someone in a similar situation:


    On the Tomato router:
    Under Basic Settings —> Network —> Wan Settings set DNS server to Manual and DNS 1 and DNS 2 are both set to 0.0.0.0.
    Under Advanced Settings —> DHCP/DNS Server (LAN):
    Check Use internal DNS. (Default was unchecked.)
    Uncheck Use received DNS with user-entered DNS. (Default was checked.)
    In the Dnsmasq Custom configuration insert server=192.168.1.104 (Your server’s address will probably be different)
    On iPhone/iPad:
    Under Settings —> Wi-Fi —> YourWiFi —> Configure DNS:
    Check Manual
    Click on Add Server
    Insert your server address: 192.158.1.104 (Your server’s address will probably be different.)
    Click Save in the top right hand of the screen.

    I still have not been able to get unbound to play with my mobile devices but I haven't given up. Tell me, is it possible to just run unbound on a separate SBC without pihole? I do still have one unused Rpi3.

    • Official post

    Under Basic Settings —> Network —> Wan Settings set DNS server to Manual and DNS 1 and DNS 2 are both set to 0.0.0.0.

    Since "auto" usually means use the first upstream DNS server found by the router when using DHCP (on the WAN side), this might be a problem. With the "Manual" setting, I'd set DNS 1 to Pi-hole's IP. Again, if a DNS setting is available I'd set it to Pi-hole's IP address.


    I'd look at the other settings for "Internal DNS", other than default. If there's a "yes" choice, I'm guessing an address window should appear where I'd enter Pi-hole's address.


    There's nothing to lose here. You're looking at a couple of changes that can always be changed back.
    __________________________________________________________________________________________

    I have added google.com and microsoft.com to the blacklist.

    I don't know if I'd do this. (I was just kidding when I said microsoft.com was offensive.) Pi-hole's default black lists already block Microsoft's telemetry servers. If this were not the case, I'd have abandoned Windows altogether, as of Windows 10. (Win10 is riddled with holes that go directly back to Microsoft.) Also, -> google analytics is blocked, which is really nothing more than spy servers for their advertising customers.
    In the bottom line, the folks that compile and maintain these lists watch for offending servers, hackers, etc., and do a very good job of verifying bad behavior before a site, domain, etc., makes the "naughty list".
    __________________________________________________________________________________________



    I have some sort of odd DNS issue myself. (Two statically addressed servers won't resolve outside the LAN for updates, plugins, etc.) I'm hoping this has nothing to do with unbound, but have yet to run it down.


    If you want to see if unbound is affecting your phones, as a test, use one of the provided DNS servers in Pi-hole's Settings/DNS page, uncheck the custom DNS box and save it.

    • Official post

    Thanks for the tips. I’ll keep fiddling with it and check back.

    Quote from @flmaxey

    If you want to see if unbound is affecting your phones, as a test, use one of the provided DNS servers in Pi-hole's Settings/DNS page, uncheck the custom DNS box and save it.

    I actually did that. Picked the one about halfway down the list (Quad9) and unchecked the custom DNS box. The iPhone worked fine on WiFi. That is the way I have left it.


    Now I need to start a fresh thread. Nextcloud quit yesterday for no apparent reason. Been away all day so haven’t had a chance to poke around. Not that I have the foggiest where or what to look for.


    Thanks again.

    • Official post

    I finally got home this evening, and checked my pihole desktop panel and it was reading 52.6% blocking! I went to my blacklist and deleted the google and microsoft entries. :whistling:

    • Official post

    Yes sir. That is why I selected that one:

    • Official post

    Well, wahoo! Mobile green lights! I did check a couple of extra boxes in my router's advanced/dns settings, but I really think I waited a little longer to see if wifi would come back to my phone. When I change the router settings, the wifi light on my phone always goes amber. I decided to wait a good while and it finally turned back green. I think it has been working all along.

    Thanks again @flmaxey.

  • @flmaxey
    how do you get your Docker pihole container communicating with the OMV host, which is running unbound (and Docker itself), under macvlan? Normally that should be impossible, and it doesn't work for me.
    docker exec pihole ping <OMV-IP-address> gives me a "Destination Host unreachable", as I expected.
    I am doing some testing with a separate unbound Docker image at the moment, which seems to be working together with pihole.

    • Official post

    Did you see the most recent note in the How-To about port 53 (versus using 5353)? I observed inexplicable network behavior when using the custom port 5353, as outlined in Pi-hole's docs, with unbound and Pi-hole in a docker. Using the standard DNS port, 53, corrected the issue.


    The unbound add-on (installed directly to the OMV host) is not a "walk through" type How-To. This is why it's stated, up front, that it's an Intermediate level endeavor. Unbound takes over DNS forwarding function from the host OS which takes in an interesting number of variables, that include conflicts with packages that may already be installed. If unbound doesn't work, all I could recommend is uninstalling it.


    However, in your case, it appears you got it to work by another route (an unbound Docker).
    __________________________________________________________


    Really, I believe the best method of running pi-hole and unbound, together, is a direct install on a dedicated host. At least two other users that I know of are using this approach, which creates a dedicated "DNS appliance". The resource requirements for both packages are very low, so I installed them on an old R-PI, using Diet-PI. It works well and provides fast and secure DNS to clients even if the OMV server is down. While I have unbound and pi-hole in Docker configured and tested, on OMV, that's a standby / fallback.
