Docker compose: PiHole and Unbound [arm64]
Posted: 2026 Jan 17, 14:58
PiHole and Unbound docker compose install and configuration:

- Docker network interface creation

docker network create -d macvlan \
  --ipv6 \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  --subnet=fd53:50:50::/64 \
  --gateway=fd53:50:50::1 \
  -o parent=eth0 \
  lan_ipv6

- docker-compose.yml

services:
  unbound:
    container_name: unbound
    image: crazymax/unbound:latest
    platform: linux/arm64
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.51
        ipv6_address: fd53:50:50::51
    restart: unless-stopped
    volumes:
      # CrazyMax uses the /config folder for custom settings
      - /apps/docker-containers/pi-hole/unbound:/config
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: dns-pole.local
    ports:
      - "53/tcp"
      - "53/udp"
      - "192.168.1.50:8081:80/tcp" # Allow HTTP UI connection to PiHole
      - "192.168.1.50:443:443/tcp" # Allow HTTPS UI connection to PiHole
    environment:
      TZ: 'Europe/Bucharest'
      # Web UI password; uncomment and replace the sample phrase with your own
      # before exposing the UI (for example through the tunnel)
      # FTLCONF_webserver_api_password: 'correct horse battery staple'
      FTLCONF_dns_listeningMode: 'ALL'
      FTLCONF_webserver_port: '80o,[::]:80o'
      FTLCONF_RATE_LIMIT: '5000/0'
    volumes:
      - '/apps/docker-containers/pi-hole/etc-pihole:/etc/pihole'
      - '/apps/docker-containers/pi-hole/etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN
      - SYS_TIME
      - SYS_NICE
    restart: unless-stopped
    networks:
      lan_ipv6:
        ipv4_address: 192.168.1.50
        ipv6_address: fd53:50:50::50
      # cloudflare_tunnel:
      #   ipv4_address: 172.70.70.3
networks:
  lan_ipv6:
    external: true
  # cloudflare_tunnel:
  #   external: true

Uncomment the cloudflare_tunnel network settings if you want to expose the PiHole UI over the internet via a Cloudflare tunnel. Adjust the settings based on your configuration.

- Unbound configuration file: /apps/docker-containers/pi-hole/unbound/unbound.conf

server:
    interface: 0.0.0.0
    interface: ::0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: no
    # ... other settings ...
    so-rcvbuf: 0
    so-sndbuf: 0
    # Allow queries from your local network subnets
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: fd53:50:50::/64 allow
    # Privacy and Security
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # ... Custom ...
    incoming-num-tcp: 40
    outgoing-num-tcp: 40
    outgoing-range: 1024
    num-queries-per-thread: 4096
    use-caps-for-id: no
    prefetch: yes
    rrset-roundrobin: yes
    num-threads: 2
    msg-cache-size: 256m
    rrset-cache-size: 512m

- Network configuration on the host where the above Docker containers are running

sudo ip link set eth0 promisc on

- Enable IPv4 and IPv6 routing

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=2

Configure the "Proxy NDP" (The "Announcer" Fix)

- Enable NDP proxying in the kernel

sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo sysctl -w net.ipv6.conf.eth0.proxy_ndp=1

- Add Proxy NDP

sudo ip -6 neigh add proxy fd53:50:50::50 dev eth0
sudo ip -6 neigh add proxy fd53:50:50::51 dev eth0

- Check for echo replies from the Docker containers' IPs

ping6 fd53:50:50::50
ping6 fd53:50:50::51

- Check functionality from a different Linux machine

ip -6 neigh show

The output should be:

> fe80::1 dev eth0 lladdr c0:9f:a1:41:38:9a router REACHABLE

If NOT REACHABLE, follow the next procedure:

- Clear the old failed attempts

sudo ip -6 neigh flush all

- Ping the Pi-hole

ping6 fd53:50:50::50

- Verify the routing table on the Linux PC

ip -6 route get fd53:50:50::50

- If unreachable, add a route on the Linux PC (replace eth0 with its network interface name) to skip the primary settings from the principal router

sudo ip -6 route add fd53:50:50::/64 dev eth0

Windows settings

- Identify your Interface Index

Get-NetIPInterface -AddressFamily IPv6

- Add the Static Route (this gives your PC a source address to talk to the Pi-hole); use the interface index found in the previous step in place of 9

New-NetIPAddress -IPAddress "fd53:50:50::100" -PrefixLength 64 -InterfaceIndex 9 -AddressFamily IPv6

- Check the table

Get-NetRoute -AddressFamily IPv6

- Test the Ping

ping -6 fd53:50:50::50

PiHole UI Configuration

- Log in to the PiHole web UI on one of the following IPs set up previously

ipv4_address: 192.168.1.50
ipv6_address: fd53:50:50::50

- Go to Settings > DNS > Uncheck all Upstream DNS Servers
- On Custom DNS servers add the IPv4 and IPv6 addresses from Unbound

192.168.1.51#5335
fd53:50:50::51#5335

Master / Principal router DNS Settings (Connected to the ISP)

- LAN > DHCP Server

DNS Server1 IP Address:
192.168.1.50

DNS Server2 IP Address (In case of PiHole DNS Fail)
1.1.1.1

DNS Server3 IP Address (In case CloudFlare DNS Fail)
192.168.1.1

PiHole Lists

Migrated from /etc/pihole/adlists.list
Multi
Blocks pop-up ads
Threat intelligence (malware, phishing, cryptojacking)
Fake and scam sites
Extended protection including telemetry and free hosts
Extended protection including telemetry and free hosts
URLhaus Malware Blocklist
scams, fraud, and phishing
OVERVIEW
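
The access-control lines in the Unbound configuration above decide which clients may query port 5335, and the Pi-hole custom DNS entries must point at that same port. The following Python script is an added example, not part of the original post: it evaluates the page's access-control rules for a few client addresses and checks the upstream ports. The function names are hypothetical, 2001:db8::53 is a constructed outside address, and the matching logic assumes Unbound's documented behaviour (most specific netblock wins, unmatched clients are refused, localhost is allowed by default).

```python
import ipaddress

# Constructed from the page's unbound.conf (only the lines this check reads).
UNBOUND_CONF = """\
server:
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: fd53:50:50::/64 allow
"""
# Custom DNS servers entered in the Pi-hole UI, as given on the page.
PIHOLE_UPSTREAMS = ["192.168.1.51#5335", "fd53:50:50::51#5335"]
# Unbound's built-in default: localhost allowed, everything else refused.
BUILTIN_RULES = [(ipaddress.ip_network(n), "allow") for n in ("127.0.0.0/8", "::1/128")]

def parse_unbound(conf_text):
    """Return (port, [(network, action), ...]) from unbound.conf text."""
    port, rules = 53, list(BUILTIN_RULES)
    for raw in conf_text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        if key == "port":
            port = int(value)
        elif key == "access-control":
            netblock, action = value.split()
            rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return port, rules

def acl_decision(rules, client):
    """Most specific matching netblock wins; no match means refuse."""
    addr = ipaddress.ip_address(client)
    hits = [(net.prefixlen, action) for net, action in rules
            if net.version == addr.version and addr in net]
    return max(hits)[1] if hits else "refuse"

def audit(conf_text, clients):
    """Map each client address to Unbound's decision for it."""
    _, rules = parse_unbound(conf_text)
    return {c: acl_decision(rules, c) for c in clients}

def upstream_port_mismatches(conf_text, upstreams):
    """Return Pi-hole 'address#port' upstreams that miss Unbound's port."""
    port, _ = parse_unbound(conf_text)
    return [u for u in upstreams if int(u.partition("#")[2] or 53) != port]

if __name__ == "__main__":
    # 172.70.70.3 is the commented-out cloudflare_tunnel address; 2001:db8::53 is constructed.
    for c, v in audit(UNBOUND_CONF, ["192.168.1.50", "fd53:50:50::100", "172.70.70.3", "2001:db8::53"]).items():
        print(f"{c:18} {v}")
    print("port mismatches:", upstream_port_mismatches(UNBOUND_CONF, PIHOLE_UPSTREAMS))
```

Any client outside 192.168.1.0/24 and fd53:50:50::/64 comes back as refuse, so a new subnet that should reach Unbound needs its own access-control line.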
