This repository has been archived on 2022-08-27. You can view files and clone it, but cannot push or open issues or pull requests.
# Pi-hole + 🐳
## Introduction
This repository holds a Docker template for [Pi-hole](https://docs.pi-hole.net/) with [Unbound](https://unbound.net) + [Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) on top, running in my home network as both DNS server and DHCP server (using a bridge network). [WireGuard](https://www.wireguard.com) is included for convenience.
The DHCP part is adapted from [@DerFetzer](https://discourse.pi-hole.net/t/dhcp-with-docker-compose-and-bridge-networking/17038), with some improvements. The Unbound and WireGuard parts are based on [Wirehole](https://github.com/IAmStoxe/wirehole). You can also check out [this gist](https://gist.github.com/Jiab77/1cdc2896f22791c4db492e87bbf609ff) and the [official Unbound guide](https://docs.pi-hole.net/guides/dns/unbound).
## Deployment
Change the variables in the `docker-compose.yml` file. If you change the default IP addresses of the internal network, remember to also replace the forward address in `unbound.conf` and add the new IP range to the `access-control` and `private-address` entries accordingly.
- Clone this repository
- Review the content
- `docker-compose up -d`
- Route DNS traffic from your router to the Pi-hole server
- Turn on Pi-hole's DHCP server and turn off DHCP function in your router
- Add more gravity lists. [firebog.net](https://firebog.net) has some good ones
- Profit
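The consistency check described in the deployment section, as an added example that is not part of this repository: it parses a constructed `unbound.conf` fragment and reports whether the forward address, an `access-control` allow rule and a `private-address` entry all agree with a given internal subnet. The `parse_unbound` and `check_subnet` names are my own, and the `10.2.0.150@8053` forward address is assumed from the Stubby address used in the Notes below.

```python
import ipaddress
import re

# Constructed sample of the relevant unbound.conf lines (not the repository's
# file), assuming Unbound forwards to Stubby at 10.2.0.150:8053 as on this page.
UNBOUND_CONF = """
server:
    access-control: 127.0.0.0/8 allow
    access-control: 10.2.0.0/24 allow
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
forward-zone:
    name: "."
    forward-addr: 10.2.0.150@8053
"""

def parse_unbound(conf):
    """Collect the values of the three directives the README says to keep in sync."""
    found = {"access-control": [], "private-address": [], "forward-addr": []}
    for line in conf.splitlines():
        m = re.match(r"\s*([a-z-]+):\s*(.+?)\s*$", line)
        if m and m.group(1) in found:
            found[m.group(1)].append(m.group(2))
    return found

def check_subnet(conf, subnet):
    """Return inconsistencies between unbound.conf and the internal subnet (empty = OK)."""
    net = ipaddress.ip_network(subnet)
    d = parse_unbound(conf)
    problems = []
    # The forward address (Stubby) must live inside the internal subnet.
    for fwd in d["forward-addr"]:
        host = fwd.split("@", 1)[0]          # strip the optional @port suffix
        if ipaddress.ip_address(host) not in net:
            problems.append(f"forward-addr {fwd} is outside {subnet}")
    # Some access-control rule must allow the whole subnet, else clients get REFUSED.
    allowed = []
    for rule in d["access-control"]:
        cidr, _, action = rule.partition(" ")
        if action.strip().startswith("allow"):
            allowed.append(ipaddress.ip_network(cidr))
    if not any(net.subnet_of(a) for a in allowed):
        problems.append(f"no access-control allow rule covers {subnet}")
    # private-address must cover it so answers pointing into the LAN are not stripped.
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in d["private-address"]):
        problems.append(f"no private-address entry covers {subnet}")
    return problems
```

Run `check_subnet(UNBOUND_CONF, "10.3.0.0/24")` after changing the network to see which entries still point at the old range.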
## Notes
- To check whether recursive DNS is working, inspect the traffic with `ngrep` or `tcpdump`:
```bash
# Check Unbound
ngrep -d br-pihole port 53 and host 10.2.0.200
# Check Stubby
ngrep -d br-pihole port 8053 and host 10.2.0.150
# tcpdump -vv -x -X -s 1500 -i br-pihole 'port 8053'
# Check FTLDNS
ngrep -d lo port 53
```
- To check DNSSEC validation, use `drill`:
```bash
# You should see 'Error: Bogus DNSSEC signature' with exit code 5
drill -DT sigfail.verteiltesysteme.net
# This command should run successfully
drill -DT sigok.verteiltesysteme.net
```
- To display a peer's QR code again, run `docker exec -it wireguard /app/show-peer [peer_name]`.
- Stubby isn't packaged for Alpine, so I use Voidlinux-musl for now.
- You can omit the hostname variables for **pi-hole** and **unbound** in `docker-compose.yml`. The Pi-hole one sets the hostname displayed in the web UI (top right corner); the Unbound one just makes the query logs easier to read.
- You can also run Docker Pi-hole as your DHCP server using host network or Macvlan network. Check the [official documentation](https://docs.pi-hole.net/docker/dhcp/).
- `DNSMASQ_LISTENING: all` is needed because Pi-hole listens on both the host network (for DNS requests) and the `br-pihole` subnet. This brings some security risks, so make sure to only run this inside your home network, and do not forward port 53 from your router to the Pi-hole server.
- dhcphelper needs `network_mode: host` because it has to be reachable by clients on your local network, although it only needs port 67.
- If you don't like `dhcphelper`, here is the diff for using ISC DHCP relay instead:
**Dockerfile:**
```Dockerfile
FROM debian:stable-slim
# Install the ISC DHCP relay agent in a single layer and drop the apt cache
RUN apt-get update \
 && apt-get install -y --no-install-recommends isc-dhcp-relay \
 && rm -rf /var/lib/apt/lists/*
# DHCP uses UDP/67 only (documentary, since the container runs with network_mode: host)
EXPOSE 67/udp
# -d keeps dhcrelay in the foreground; interfaces and server address come from `command:`
ENTRYPOINT ["dhcrelay", "-d"]
```
**docker-compose.yml:**
```diff
dhcprelay:
build: .
restart: unless-stopped
network_mode: "host"
- command: ["-i", "eth0", "-b", "br-pihole", "-s", "10.2.0.100"]
+ command: ["-id", "eth0", "-iu", "br-pihole", "10.2.0.100"]
cap_add:
- NET_ADMIN
```
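Review bot: the nested keys have lost their indentation in this diff; as shown, `build:`, `restart:`, `network_mode:`, `command:` and `cap_add:` sit at the same level as `dhcprelay:`, and `- NET_ADMIN` at the same level as `cap_add:`, which is not valid Compose YAML. Re-indent them under the service, e.g. `  command: ["-id", "eth0", "-iu", "br-pihole", "10.2.0.100"]` and `  cap_add:` / `    - NET_ADMIN`, and consider a comment on the `+` line noting that `10.2.0.100` is the Pi-hole DHCP server address the relay forwards to, since it is not explained elsewhere.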
## License
MIT