3 KiB
Pi-Hole + Unbound on Docker
(Synology-compatible!)
Description
Running Pi-Hole in Docker can be challenging due to networking requirements by Pi-Hole, this is especially true when the ports that Pi-Hole uses are shared by the host it's running on (this is true for Synology in the default configuration).
This project uses a macvlan
Docker network to place your containers on your main network, with their own IP addresses and MAC addresses. Pi-Hole uses Unbound as it's resolver, and Unbound uses Cloudflare (1.1.1.1) upstream in order to support DNSSEC and DNS-over-TLS.
- This docker-compose runs the following 2 containers
- Pi-Hole (pihole/pihole) - Official from Pi-Hole
- Unbound (mvance/unbound) - There are several choices here but I like this one the best
Instructions
Hold your horses and configure some stuff first...
- Update docker-compose to match your environment, eg. IP addresses/subnets.
- Take note of the
networks.home.driver_opts.parent
value, the default value ofovs_eth1
is for using the 2nd ethernet port on a Synology NAS withOpen vSwitch
enabled, if disabled useeth1
instead, or whichever other interface you might be using in your setup.
- Take note of the
- Add a
.env
file next to the docker-compose.yaml so you can pass in the${WEBPASSWORD}
- this is your Pi-Hole admin password. You can optionally leave this step out and set the password via CLI (pihole -a -p
) after the Pi-Hole is running - Update the secondary/backup nameserver in the
resolv.conf
file, or remove it if you don't have a backup (would recommend having one!) - Lastly, optionally, you can provide some manual DNS entries in the
dnsmasq.conf
and/orhosts
files
Run it!
sudo docker-compose up -d
Test it!
Test your configuration with dig
Note
: change the IP to your new Pi-Hole's IP
dig google.com @192.168.1.248
# Expecting "status: NOERROR"
You can also test for DNSSEC functionality:
dig sigfail.verteiltesysteme.net @192.168.1.248
# Expecting "status: SERVFAIL"
dig sigok.verteiltesysteme.net @192.168.1.248
# Expecting "status: NOERROR"
Serve it!
If all looks good, configure your router/DHCP server to serve your new Pi-Hole IP address (192.168.1.248
) to your clients.
Note: it may take some time for the current DHCP leases to renew and for clients to get the new DNS service info -- generally the default is 24 hours or less.