Pi-hole + 🐳
This repository holds a Docker template for Pi-hole with Unbound + Stubby on top, running in my home network as both DNS server and DHCP server (using a bridge network). WireGuard is included for convenience.
You should change the variables in the `docker-compose.yml` file. If you want to change the default IP addresses of the internal network, remember to also replace the forward address in `unbound.conf`, and add the new IP range to "access-control" and "private-address" accordingly.
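A way to check that `unbound.conf` still matches the internal subnet after such a change, as an added example that is not part of this repository. The sample config is constructed from the addresses this README uses, and the names `parse_unbound` and `check_subnet` are hypothetical; it also flags an `access-control ... allow` entry for a non-local range, which ties in with the port 53 warning further down.

```python
import ipaddress
import re

# Constructed sample modelled on the addresses in this README; it is not the
# repository's actual unbound.conf.
SAMPLE_CONF = """\
server:
    access-control: 127.0.0.0/8 allow
    access-control: 10.2.0.0/24 allow   # internal Docker subnet
    private-address: 10.2.0.0/24
forward-zone:
    name: "."
    forward-addr: 10.2.0.150@8053       # Stubby
"""

# RFC 1918 and loopback ranges; an "allow" outside these is an open-resolver risk.
LOCAL = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
OPTION = re.compile(r"(access-control|private-address|forward-addr):\s*(\S+)\s*(\S*)")

def parse_unbound(text):
    """Collect the three options the README says must follow the subnet."""
    found = {"access-control": [], "private-address": [], "forward-addr": []}
    for raw in text.splitlines():
        m = OPTION.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value, action = m.groups()
        if key == "access-control" and not action.startswith("allow"):
            continue  # refuse/deny entries grant nothing
        found[key].append(value)
    return found

def check_subnet(conf_text, subnet):
    """Return a list of problems; an empty list means the file matches subnet."""
    net = ipaddress.ip_network(subnet)  # IPv4 subnet assumed
    conf = parse_unbound(conf_text)
    nets = {k: [n for n in (ipaddress.ip_network(v, strict=False) for v in conf[k])
                if n.version == net.version]
            for k in ("access-control", "private-address")}
    problems = [f"no {k} entry covers {net}" for k, entries in nets.items()
                if not any(net.subnet_of(e) for e in entries)]
    problems += [f"access-control allows non-local range {e}"
                 for e in nets["access-control"]
                 if not any(e.subnet_of(l) for l in LOCAL)]
    for addr in conf["forward-addr"]:
        if ipaddress.ip_address(addr.split("@", 1)[0]) not in net:
            problems.append(f"forward-addr {addr} is outside {net}")
    return problems
```

Call `check_subnet(open("unbound/unbound.conf").read(), "<your subnet>")` with the path adjusted to wherever your copy of the file lives.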
- Clone this repository
- Review the content
- Run `docker-compose up -d`
- Route DNS traffic from your router to the Pi-hole server
- Turn on Pi-hole's DHCP server and turn off the DHCP function in your router
- Add more gravity lists. firebog.net has some good ones
- To check whether recursive DNS is working, you can try running these:
  ```sh
  # Check Unbound
  dig pi-hole.net @10.2.0.200 -p 53
  # Check Stubby
  dig pi-hole.net @10.2.0.150 -p 8053
  # Check FTLDNS
  dig pi-hole.net @127.0.0.1 -p 53
  ```
- To display the peer's QR code again, run `docker exec -it wireguard /app/show-peer [peer_name]`.
- Stubby isn't packaged for Alpine, so I use Voidlinux-musl for now.
- You can omit the hostname variables for Pi-hole and Unbound in `docker-compose.yml`. Pi-hole's one is for the displayed hostname (top right corner) in the web UI. The other one just makes query logs easier to read.
- You can also run Docker Pi-hole as your DHCP server using host network or Macvlan network. Check the official documentation.
- `DNSMASQ_LISTENING: all` is needed, because Pi-hole will listen on both the host network (for DNS requests) and the subnet `br-pihole`. This brings some security risks, so make sure to only run this inside your home network, and do not forward port 53 from your router to the Pi-hole server.
- dhcphelper needs `network_mode: host` because it has to be seen by clients on your local network, though it only needs port 67.
- If you don't like dhcphelper, here is the diff for using ISC DHCP relay instead:
```dockerfile
FROM debian:stable-slim
RUN apt update
RUN apt install -y isc-dhcp-relay
EXPOSE 67 67/udp
ENTRYPOINT ["dhcrelay", "-d"]
```
dhcprelay: build: . restart: unless-stopped network_mode: "host" - command: ["-i", "eth0", "-b", "br-pihole", "-s", "10.2.0.100"] + command: ["-id", "eth0", "-iu", "br-pihole", "10.2.0.100"] cap_add: - NET_ADMIN
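Review bot: the `+ command:` line hardcodes `eth0` as the downstream interface, but with `network_mode: "host"` the relay sees the host's own interface names, so this fails on any host whose LAN NIC is not `eth0`; say so next to the diff, and note that `br-pihole` and `10.2.0.100` must follow any change to the internal network in docker-compose.yml. The unchanged `cap_add: - NET_ADMIN` together with host networking lets the container alter the host's network configuration, so it is worth checking whether dhcrelay needs it and dropping it if not.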