simono41/docker-pihole-unbound
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: simono41:main
Branches Tags
simono41:main
simono41:2023.11.0
simono41:2023.05.2
simono41:2023.02.2
simono41:2023.01.10
simono41:2022.12
simono41:2022.11.2
simono41:2022.11.1
simono41:2022.10
simono41:2022.09.3
simono41:2022.08.2
simono41:2022.07.1
simono41:2022.07
simono41:2022.05
simono41:2022.04.3
simono41:2022.04.2
simono41:2022.02.1-2
simono41:2022.02.1
simono41:2022.01.1
simono41:2021.12.1
simono41:2021.10.1
simono41:2021.10
simono41:2021.09
simono41:v5.8.1-1
simono41:v5.8.1
simono41:v5.8
simono41:v5.7-bridge
simono41:v5.7
simono41:v5.6
simono41:v5.5.1
simono41:1.0.0
..
compare: simono41:v5.7
Branches Tags
simono41:main
simono41:2023.11.0
simono41:2023.05.2
simono41:2023.02.2
simono41:2023.01.10
simono41:2022.12
simono41:2022.11.2
simono41:2022.11.1
simono41:2022.10
simono41:2022.09.3
simono41:2022.08.2
simono41:2022.07.1
simono41:2022.07
simono41:2022.05
simono41:2022.04.3
simono41:2022.04.2
simono41:2022.02.1-2
simono41:2022.02.1
simono41:2022.01.1
simono41:2021.12.1
simono41:2021.10.1
simono41:2021.10
simono41:2021.09
simono41:v5.8.1-1
simono41:v5.8.1
simono41:v5.8
simono41:v5.7-bridge
simono41:v5.7
simono41:v5.6
simono41:v5.5.1
simono41:1.0.0

1 commit
main ... v5.7

Author SHA1 Message Date
Chris Crowe
abed2d2c1f Update base image to v5.7 2021-02-25 07:43:26 -08:00
11 changed files with 54 additions and 100 deletions
Show stats Expand all files Collapse all files

5
README.md
View file

@ -2,11 +2,10 @@
### Use Docker to run [Pi-Hole](https://pi-hole.net) with an upstream [Unbound](https://nlnetlabs.nl/projects/unbound/about/) resolver.
This repo has 2 different `docker-compose` configs-- choose your favorite. The `two-container` config may work better on Synology due to usage of `macvlan` networking which helps prevent port conflicts with the host.
Changing this repo to support 2 different docker-compose configurations now:
- [`one-container`](one-container/) (new) - Install Unbound directly into the Pi-Hole container
- This configuration contacts the DNS root servers directly, please read the Pi-Hole docs on [Pi-hole as All-Around DNS Solution](https://docs.pi-hole.net/guides/unbound/) to understand what this means.
- With this approach, we can also simplify our Docker networking since `macvlan` is no longer necessary.
- With this approach, we can also simply our networking since `macvlan` is no longer necessary.
- [`two-container`](two-container/) (legacy) - Use separate containers for Pi-Hole and Unbound
- This configuration uses MatthewVance's [unbound-docker](https://github.com/MatthewVance/unbound-docker) container to implement encrypted DNS to third party DNS resolvers (eg Cloudflare). This is arguably less privacy-friendly since you're handing your DNS queries to those 3rd party providers.

45
one-container/README.md
View file

@ -2,56 +2,41 @@
## Description
This Docker deployment runs both Pi-Hole and Unbound in a single container.
This Docker deployment runs both Pi-Hole and Unbound in a single container.
The base image for the container is the [official Pi-Hole container](https://hub.docker.com/r/pihole/pihole), with an extra build step added to install the Unbound resolver directly into to the container based on [instructions provided directly by the Pi-Hole team](https://docs.pi-hole.net/guides/unbound/).
## Usage
First create a `.env` file to substitute variables for your deployment.
First create a `.env` file to substitute variables for your deployment.
### Pi-hole environment variables
> Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/#environment-variables):
### Required environment variables
| Variable | Default | Value | Description |
| -------- | ------- | ----- | ---------- |
| `TZ` | UTC | `<Timezone>` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
| `WEBPASSWORD` | random | `<Admin password>` | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
| `FTLCONF_LOCAL_IPV4` | unset | `<Host's IP>` | Set to your server's LAN IP, used by web block modes and lighttpd bind address.
| `REV_SERVER` | `false` | `<"true"\|"false">` | Enable DNS conditional forwarding for device name resolution |
| `REV_SERVER_DOMAIN` | unset | Network Domain | If conditional forwarding is enabled, set the domain of the local network router |
| `REV_SERVER_TARGET` | unset | Router's IP | If conditional forwarding is enabled, set the IP of the local network router |
| `REV_SERVER_CIDR` | unset | Reverse DNS | If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`) |
| `WEBTHEME` | `default-light` | `<"default-dark"\|"default-darker"\|"default-light"\|"default-auto"\|"lcars">`| User interface theme to use.
> Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/):
| Docker Environment Var | Description|
| --- | --- |
| `ServerIP: <Host's IP>`<br/> | **--net=host mode requires** Set to your server's LAN IP, used by web block modes and lighttpd bind address
| `TZ: <Timezone>`<br/> | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
| `WEBPASSWORD: <Admin password>`<br/> | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
| `REV_SERVER: <"true"\|"false">`<br/> | Enable DNS conditional forwarding for device name resolution
| `REV_SERVER_DOMAIN: <Network Domain>`<br/> | If conditional forwarding is enabled, set the domain of the local network router
| `REV_SERVER_TARGET: <Router's IP>`<br/> | If conditional forwarding is enabled, set the IP of the local network router
| `REV_SERVER_CIDR: <Reverse DNS>`<br/>| If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`)
Example `.env` file in the same directory as your `docker-compose.yaml` file:
```
FTLCONF_LOCAL_IPV4=192.168.1.10
ServerIP=192.168.1.10
TZ=America/Los_Angeles
WEBPASSWORD=QWERTY123456asdfASDF
REV_SERVER=true
REV_SERVER_DOMAIN=local
REV_SERVER_TARGET=192.168.1.1
REV_SERVER_CIDR=192.168.0.0/16
HOSTNAME=pihole
DOMAIN_NAME=pihole.local
PIHOLE_WEBPORT=80
WEBTHEME=default-light
```
### Using Portainer stacks?
> 2022-3-11: I'm being told that the advice below is no longer true in Portainer. If you're using Portainer, first try it without removing the volumes declaration and see if it works.
Portainer stacks are a little weird and don't want you to declare your named volumes, so remove this block from the top of the `docker-compose.yaml` file before copy/pasting into Portainer's stack editor:
```yaml
volumes:
etc_pihole-unbound:
etc_pihole_dnsmasq-unbound:
```
### Running the stack

41
one-container/docker-compose.yaml
View file

@ -1,35 +1,32 @@
version: '3.0'
version: '2'
volumes:
etc_pihole-unbound:
etc_pihole_dnsmasq-unbound:
services:
pihole:
container_name: pihole
image: cbcrowe/pihole-unbound:latest
hostname: ${HOSTNAME}
domainname: ${DOMAIN_NAME}
hostname: pihole
domainname: pihole.local
ports:
- 443:443/tcp
- 53:53/tcp
- 53:53/udp
- ${PIHOLE_WEBPORT:-80}:80/tcp #Allows use of different port to access pihole web interface when other docker containers use port 80
# - 5335:5335/tcp # Uncomment to enable unbound access on local server
- 443/tcp
- 53/tcp
- 53/udp
- 80/tcp
# - 22/tcp # Uncomment to enable SSH
environment:
- FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
- TZ=${TZ:-UTC}
- WEBPASSWORD=${WEBPASSWORD}
- WEBTHEME=${WEBTHEME:-default-light}
- REV_SERVER=${REV_SERVER:-false}
- REV_SERVER_TARGET=${REV_SERVER_TARGET}
- REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
- REV_SERVER_CIDR=${REV_SERVER_CIDR}
- PIHOLE_DNS_=127.0.0.1#5335
- DNSSEC="true"
- DNSMASQ_LISTENING=single
ServerIP: ${ServerIP}
TZ: ${TZ}
WEBPASSWORD: ${WEBPASSWORD}
REV_SERVER: ${REV_SERVER}
REV_SERVER_TARGET: ${REV_SERVER_TARGET}
REV_SERVER_DOMAIN: ${REV_SERVER_DOMAIN}
REV_SERVER_CIDR: ${REV_SERVER_CIDR}
DNS1: 127.0.0.1#5335 # Hardcoded to our Unbound server
DNS2: 127.0.0.1#5335 # Hardcoded to our Unbound server
DNSSEC: "true" # Enable DNSSEC
network_mode: "host"
volumes:
- etc_pihole-unbound:/etc/pihole:rw
- etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
restart: unless-stopped

1
one-container/pihole-unbound/99-edns.conf
View file

@ -1 +0,0 @@
edns-packet-max=1232

11
one-container/pihole-unbound/Dockerfile
View file

@ -1,12 +1,9 @@
ARG PIHOLE_VERSION
FROM pihole/pihole:${PIHOLE_VERSION:-latest}
FROM pihole/pihole:v5.7
RUN apt update && apt install -y unbound
COPY lighttpd-external.conf /etc/lighttpd/external.conf
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pi-hole.conf
COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
RUN mkdir -p /etc/services.d/unbound
COPY unbound-run /etc/services.d/unbound/run
ENTRYPOINT ./s6-init
COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
RUN chmod +x start_unbound_and_s6_init.sh
ENTRYPOINT ./start_unbound_and_s6_init.sh

2
one-container/pihole-unbound/VERSION
View file

@ -1 +1 @@
2023.05.2
v5.7

5
one-container/pihole-unbound/build_and_push.sh
View file

@ -1,7 +1,6 @@
#!/bin/bash
# Run this once: docker buildx create --use --name build --node build --driver-opt network=host
PIHOLE_VER=`cat VERSION`
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:$PIHOLE_VER --push .
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:`cat VERSION` --push .
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .

3
one-container/pihole-unbound/start_unbound_and_s6_init.sh Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash -e
/etc/init.d/unbound start
/s6-init

7
one-container/pihole-unbound/unbound-pihole.conf
View file

@ -34,7 +34,7 @@ server:
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1232
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
@ -44,8 +44,7 @@ server:
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
# Be aware that if enabled (requires CAP_NET_ADMIN or privileged), the kernel buffer must have the defined amount of memory, if not, a warning will be raised.
#so-rcvbuf: 1m
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
@ -53,4 +52,4 @@ server:
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
private-address: fe80::/10

25
one-container/pihole-unbound/unbound-run
View file

@ -1,25 +0,0 @@
#!/command/with-contenv bash
s6-echo "Starting unbound"
NAME="unbound"
DESC="DNS server"
DAEMON="/usr/sbin/unbound"
PIDFILE="/run/unbound.pid"
HELPER="/usr/lib/unbound/package-helper"
test -x $DAEMON || exit 0
# Override this variable by editing or creating /etc/default/unbound.
DAEMON_OPTS=""
if [ -f /etc/default/unbound ]; then
. /etc/default/unbound
fi
$HELPER chroot_setup
$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
$DAEMON -d $DAEMON_OPTS

9
two-container/docker-compose.yaml
View file

@ -16,9 +16,10 @@ services:
- 80/tcp
- 22/tcp
environment:
- FTLCONF_LOCAL_IPV4=192.168.1.5
- WEBPASSWORD=${WEBPASSWORD}
- PIHOLE_DNS_=192.168.1.6;192.168.1.13
ServerIP: 192.168.1.5
WEBPASSWORD: ${WEBPASSWORD}
DNS1: 192.168.1.6
DNS2: 192.168.1.13
volumes:
- /volume1/docker/pihole-unbound/pihole/volume:/etc/pihole:rw
- /volume1/docker/pihole-unbound/pihole/config/hosts:/etc/hosts:ro
@ -51,4 +52,4 @@ networks:
config:
- subnet: 192.168.1.0/24
gateway: 192.168.1.1
ip_range: 192.168.1.5/30 # 192.168.1.5 and 192.168.1.6
ip_range: 192.168.1.5/30 # 192.168.1.5 and 192.168.1.6