Docker compose: PiHole and Unbound [arm64]

Mihai
Joined: 2023 May 03, 14:12
Location: ROMANIA

Post by Mihai »

PiHole and Unbound docker compose install and configuration:
  • Docker network interface creation

Code:

docker network create -d macvlan \
  --ipv6 \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  --subnet=fd53:50:50::/64 \
  --gateway=fd53:50:50::1 \
  -o parent=eth0 \
  lan_ipv6
  • docker-compose.yml

Code:

services:
  unbound:
    container_name: unbound
    image: crazymax/unbound:latest
    platform: linux/arm64
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.51
        ipv6_address: fd53:50:50::51
    restart: unless-stopped
    volumes:
      # CrazyMax uses the /config folder for custom settings
      - /apps/docker-containers/pi-hole/unbound:/config

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: dns-pole.local
    ports:
      - "53/tcp"
      - "53/udp"
      - "192.168.1.50:8081:80/tcp" # Allow HTTP UI connection to PiHole
      - "192.168.1.50:443:443/tcp" # Allow HTTPs UI connection to PiHole
    environment:
      TZ: 'Europe/Bucharest'
#      FTLCONF_webserver_api_password: 'correct horse battery staple'
      FTLCONF_dns_listeningMode: 'ALL'
      FTLCONF_webserver_port: '80o,[::]:80o'
      FTLCONF_RATE_LIMIT: '5000/0'
    volumes:
      - '/apps/docker-containers/pi-hole/etc-pihole:/etc/pihole'
      - '/apps/docker-containers/pi-hole/etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN
      - SYS_TIME
      - SYS_NICE
    restart: unless-stopped
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.50
        ipv6_address: fd53:50:50::50
#     cloudflare_tunnel:
#       ipv4_address: 172.70.70.3

networks:
  lan_ipv6:
    external: true
#  cloudflare_tunnel:
#    external: true
Note: Uncomment the cloudflare_tunnel network settings if you want to expose the PiHole UI over the internet via a cloudflare tunnel. Adjust the settings based on your configuration.
  • Unbound configuration file path /apps/docker-containers/pi-hole/unbound/unbound.conf

Code:

server:
    interface: 0.0.0.0
    interface: ::0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: no
    # ... other settings ...
    so-rcvbuf: 0
    so-sndbuf: 0
    # Allow queries from your local network subnets
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: fd53:50:50::/64 allow
    # Privacy and Security
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # ... Custom ...
    incoming-num-tcp: 40
    outgoing-num-tcp: 40
    outgoing-range: 1024
    num-queries-per-thread: 4096
    use-caps-for-id: no
    prefetch: yes
    rrset-roundrobin: yes
    num-threads: 2
    msg-cache-size: 256m
    rrset-cache-size: 512m
  • Network configuration on the host where the above docker containers are running
Set eth0 promiscuous mode ON

Code:

sudo ip link set eth0 promisc on
  • Enable IPv4 and IPv6 routing on the host

Code:

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=2
Configure the "Proxy NDP" (the "Announcer" fix)
  • Enable NDP Proxying in the kernel

Code:

sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo sysctl -w net.ipv6.conf.eth0.proxy_ndp=1
  • Add Proxy NDP entries

Code:

sudo ip -6 neigh add proxy fd53:50:50::50 dev eth0
sudo ip -6 neigh add proxy fd53:50:50::51 dev eth0
  • Check the echo reply from the docker containers' IPs

Code:

ping6 fd53:50:50::50
ping6 fd53:50:50::51
  • Check functionality from a different Linux machine
Check the "Neighbor" (ARP) table

Code:

ip -6 neigh show
Output should be:

Code:

> fe80::1 dev eth0 lladdr c0:9f:a1:41:38:9a router REACHABLE
If NOT REACHABLE, follow the next procedure
  • Clear the old failed attempts

Code:

sudo ip -6 neigh flush all
  • Ping the Pi-hole

Code:

ping6 fd53:50:50::50
  • Verify the routing table on the Linux PC

Code:

ip -6 route get fd53:50:50::50
  • If unreachable, add a route on the Linux PC (replace eth0 with its network interface name) to bypass the primary settings from the principal router

Code:

sudo ip -6 route add fd53:50:50::/64 dev eth0
Windows settings
  • Identify your interface index

Code:

Get-NetIPInterface -AddressFamily IPv6
  • Add the static route (this gives your PC a source address to talk to the Pi-hole)

Code:

New-NetIPAddress -IPAddress "fd53:50:50::100" -PrefixLength 64 -InterfaceIndex 9 -AddressFamily IPv6
  • Check the table

Code:

Get-NetRoute -AddressFamily IPv6
  • Test the ping

Code:

ping -6 fd53:50:50::50
PiHole UI configuration
  • Log into PiHole via the web UI on one of the following IPs set up previously

Code:

ipv4_address: 192.168.1.50
ipv6_address: fd53:50:50::50
  • Go to Settings > DNS > Uncheck all Upstream DNS Servers
  • Under Custom DNS servers, add the IPv4 and IPv6 addresses of Unbound

Code:

192.168.1.51#5335
fd53:50:50::51#5335
Master / Principal router DNS settings (connected to the ISP)
  • LAN > DHCP Server
Uncheck Assign IspDNS
DNS Server1 IP Address:

Code:

192.168.1.50
DNS Server2 IP Address (in case the PiHole DNS fails)

Code:

1.1.1.1
DNS Server3 IP Address (in case the CloudFlare DNS fails)

Code:

192.168.1.1
PiHole lists
Migrated from /etc/pihole/adlists.list
  • Multi
  • Blocks pop-up ads
  • Threat intelligence (malware, phishing, cryptojacking)
  • Fake and scam sites
  • Extended protection including telemetry and free hosts
  • URLhaus Malware Blocklist
  • Scams, fraud, and phishing

OVERVIEW
Attachment: Overview PiHole Dashboard (PiHole Overview.png)
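The Proxy-NDP and forwarding steps in the post are typed by hand, and the `sysctl -w` lines do not survive a reboot. The script below is an added example and is not part of Mihai's post: it reads the `ipv6_address:` entries out of the compose file so the neighbour proxies cannot drift from the container addresses, emits idempotent `ip -6 neigh replace proxy` commands (`add` fails on a second run once the entry exists), and renders the same sysctl settings in `sysctl.d` form. The compose fragment embedded in it is constructed from the two addresses in the post; the interface name `eth0`, the `sysctl.d` file path, and running `apply_ndp_proxy` as root are assumptions.

```shell
#!/bin/sh
# Added example: keep Proxy-NDP entries in sync with the compose file.
# Assumptions: the compose file uses the "ipv6_address:" keys from the post,
# the parent interface is eth0, and apply_ndp_proxy (non-dry-run) runs as root.
set -eu

# Constructed compose fragment carrying the post's two container addresses.
SAMPLE_COMPOSE='services:
  unbound:
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.51
        ipv6_address: fd53:50:50::51
  pihole:
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.50
        ipv6_address: fd53:50:50::50
'

# Print every ipv6_address value in a compose file, one per line.
compose_ipv6_addrs() {
    # $1 = path to docker-compose.yml
    sed -n 's/^[[:space:]]*ipv6_address:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# sysctl.d content equivalent to the post's "sysctl -w" lines, but persistent.
sysctl_conf() {
    # $1 = parent interface
    printf 'net.ipv4.ip_forward = 1\n'
    printf 'net.ipv6.conf.all.forwarding = 1\n'
    printf 'net.ipv6.conf.%s.accept_ra = 2\n' "$1"
    printf 'net.ipv6.conf.all.proxy_ndp = 1\n'
    printf 'net.ipv6.conf.%s.proxy_ndp = 1\n' "$1"
}

# One "ip -6 neigh replace proxy" command per container address.
# "replace" rather than "add": add returns EEXIST when the entry is already there.
ndp_proxy_cmds() {
    # $1 = compose file, $2 = parent interface
    compose_ipv6_addrs "$1" | while read -r addr; do
        printf 'ip -6 neigh replace proxy %s dev %s\n' "$addr" "$2"
    done
}

# Apply everything (needs root); DRY_RUN=1 only prints what would be run.
apply_ndp_proxy() {
    # $1 = compose file, $2 = parent interface, $3 = sysctl.d file to write
    if [ "${DRY_RUN:-0}" = 1 ]; then
        sysctl_conf "$2"
        ndp_proxy_cmds "$1" "$2"
        return 0
    fi
    sysctl_conf "$2" > "$3"
    sysctl -p "$3"
    ndp_proxy_cmds "$1" "$2" | while read -r cmd; do sh -c "$cmd"; done
}

# Stand-alone run: write the constructed fragment to a temp file and dry-run.
tmp=$(mktemp)
printf '%s' "$SAMPLE_COMPOSE" > "$tmp"
DRY_RUN=1
apply_ndp_proxy "$tmp" eth0 /etc/sysctl.d/90-macvlan-ndp.conf
rm -f "$tmp"
```

Run it with `DRY_RUN=1` first and diff the output against the `ip -6 neigh show proxy` table on the host; once the compose file changes (a third container, a renumbered prefix) the same script regenerates the proxy set instead of relying on memory.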
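Two checks are worth running once Pi-hole forwards to Unbound that the post's steps do not cover: that the Unbound `access-control` list never opens the resolver to the whole internet (it listens on `0.0.0.0` and `::0`, and the macvlan gives it a LAN-routable address, so the allow list is the only thing keeping it closed), and that DNSSEC validation fails closed rather than silently passing unsigned answers through. The script below is an added example, not Mihai's: it lints an `unbound.conf` for a wide-open allow rule and classifies `dig` output into secure / insecure / bogus. The two config fragments and the three `dig` headers embedded in it are constructed; the live part assumes `dig` is installed, uses the post's addresses and ports, and assumes the `sigok` / `sigfail` test names under `verteiltesysteme.net` still serve their signed and deliberately broken records.

```shell
#!/bin/sh
# Added example: audit the Unbound/Pi-hole pair from the post.
# Assumptions: unbound.conf and addresses as in the post; dig installed for the
# live part; sigok/sigfail.verteiltesysteme.net still serve DNSSEC test records.
set -eu

# --- 1. access-control lint ----------------------------------------------
# Constructed: the post's allow list (good) and a wide-open variant (bad).
GOOD_CONF='server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: fd53:50:50::/64 allow
'
BAD_CONF='server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 allow_snoop
'

# Print any rule that allows the whole internet (allow, allow_snoop, allow_setrd
# on 0.0.0.0/0 or ::/0); prints nothing when the file is clean.
unbound_open_resolver_lines() {
    grep -E '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$1" || true
}
# True when no wide-open rule exists.
unbound_is_closed() {
    [ -z "$(unbound_open_resolver_lines "$1")" ]
}

# --- 2. DNSSEC verdict from dig output -----------------------------------
# secure   = NOERROR with the AD flag (the resolver validated the answer)
# insecure = NOERROR without AD (unsigned zone, or the resolver is not validating)
# bogus    = SERVFAIL (validation failed and the resolver refused the answer)
dnssec_verdict() {
    # $1 = full dig output text
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *) echo insecure ;;
            esac ;;
        *) echo "other:${status:-none}" ;;
    esac
}

# Constructed dig header fragments for the three cases.
DIG_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
DIG_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# --- 3. live check (needs dig and the LAN from the post) ------------------
# Unbound (port 5335) must answer sigok as "secure" and sigfail as "bogus";
# Pi-hole (port 53), which forwards to Unbound, must give the same verdicts.
live_audit() {
    for target in "192.168.1.51 -p 5335" "192.168.1.50 -p 53"; do
        set -- $target
        ok=$(dnssec_verdict "$(dig @"$1" -p "$3" sigok.verteiltesysteme.net A +dnssec)")
        bad=$(dnssec_verdict "$(dig @"$1" -p "$3" sigfail.verteiltesysteme.net A +dnssec)")
        printf '%s: sigok=%s sigfail=%s\n' "$1" "$ok" "$bad"
        [ "$ok" = secure ] && [ "$bad" = bogus ] || return 1
    done
}

# Stand-alone run on the constructed data; the live audit is opt-in via LIVE=1.
tmp=$(mktemp); printf '%s' "$GOOD_CONF" > "$tmp"
if unbound_is_closed "$tmp"; then echo "unbound.conf: not an open resolver"; fi
rm -f "$tmp"
dnssec_verdict "$DIG_SECURE"; dnssec_verdict "$DIG_BOGUS"; dnssec_verdict "$DIG_INSECURE"
if [ "${LIVE:-0}" = 1 ]; then live_audit; fi
```

A `sigfail` answer that comes back `insecure` from port 53 but `bogus` from port 5335 means Pi-hole is not actually using Unbound as its only upstream (a leftover upstream in Settings > DNS, or the router's DNS2/DNS3 fallbacks answering instead); an `insecure` verdict from Unbound itself usually means the root trust anchor is missing from the container's `/config`.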