Skip to content

Instantly share code, notes, and snippets.

@brccabral

brccabral/01_README.md

Last active April 7, 2024 18:24
Show Gist options
  • Save brccabral/7af7955efd7d41f11bef62c605fce6f0 to your computer and use it in GitHub Desktop.
Save brccabral/7af7955efd7d41f11bef62c605fce6f0 to your computer and use it in GitHub Desktop.
Download ZIP
Pihole
Raw
01_README.md

Pihole

Before anything, check your docker log settings. I had Unbound consuming 17GB alone.
https://docs.docker.com/config/containers/logging/json-file/
/etc/docker/daemon.json

{
  "log-opts": {
    "max-size": "20m",
    "max-file": "3"
  }
}

Save as local volume /etc/pihole/, /etc/dnsmasq.d/, /etc/resolv.conf.

In case you have other process listening port 53, set Docker to listen ports only in your local IP 192.168.12.240.
I had Virt-Manager listening to 192.168.122.1:53 so it can manage IP's for VM's.
Port 67 conflicts with Virt-Manager.

I set my host /etc/hosts to map PiHole one with ro read only attribute. Any change in the host /etc/hosts need to restart PiHole container.

I changed healthcheck command to 127.0.0.11 because this is the default DNS nameserver, and if Unbound is in a subnet, the original command fails because it uses 127.0.0.1.

Use Unbound as upstream DNS. Save unbound.conf into the mounted volume as per below configuration.

If you don't set the ip in the port 53, need to explicity set DNS, otherwise it can't connect to internet. That is because the host will have /etc/resolf.conf set to nameserver 192.168.12.240 and the container needs to find it.
53:53 -> set dns
192.168.12.240:53 -> don't need dns

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    platform: linux/arm64
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "192.168.12.240:53:53/tcp"
      - "192.168.12.240:53:53/udp"
      #- "192.168.12.240:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "192.168.12.240:9999:80/tcp"
    environment:
      TZ: 'America/Los_Angeles'
      WEBPASSWORD: 'bruno123456'
      FTLCONF_LOCAL_IPV4: '172.19.0.2'
      PIHOLE_DNS_: '172.19.0.3#5335'
      #DNSSEC: 'true'
      #PIHOLE_DOMAIN: lan
    # Volumes store your data between container upgrades
    volumes:
      - '/home/<username>/Docker/pihole/etc-pihole:/etc/pihole'
      - '/home/<username>/Docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
      - '/home/<username>/Docker/pihole/etc-resolv.conf:/etc/resolv.conf'
      - '/etc/hosts:/etc/hosts:ro'
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.19.0.2
    #dns:
     #- 172.19.0.1

  unbound:
    container_name: unbound
    hostname: unbound
    image: mvance/unbound-rpi:latest
    volumes:
      - '/home/<username>/Docker/unbound/etc-unbound:/opt/unbound/etc/unbound'
    ports:
      - "5335:53/tcp"
      - "5335:53/udp"
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.19.0.3
    #dns:
      #- 172.19.0.1
    healthcheck:
      test: ["CMD-SHELL", "drill @127.0.0.11 cloudflare.com || exit 1"]


networks:
  default:
    name: pihole-default
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
          gateway: 172.19.0.1

Enable firewall for your other docker subnets.

sudo ufw allow from 172.19.0.0/12 to any port 53
Raw
commands.md 
nslookup microsoft.com
dig msn.com @172.19.0.6 -p 5335
sudo lsof -i -P -n
Raw
unbound.conf
server:
# If no logfile is specified, syslog is used
# logfile: "/opt/unbound/etc/unbound/unbound.log"
# Level 0: No verbosity, only errors.
# Level 1: Gives operational information.
# Level 2: Gives detailed operational information including short information per query.
# Level 3: Gives query level information, output per query.
# Level 4: Gives algorithm level information.
# Level 5: Logs client identification for cache misses.
verbosity: 5
interface: 0.0.0.0@5335
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Set the working directory for the program.
directory: "/opt/unbound/etc/unbound"
###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: fc00::/7 allow
access-control: ::1/128 allow
# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
chroot: "/opt/unbound/etc/unbound"
###########################################################################
# WILDCARD INCLUDE
###########################################################################
#include: "/opt/unbound/etc/unbound/*.conf"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment