From charlesreid1

Revision as of 23:58, 7 July 2020

Running PiHole via Docker on Ubuntu 18.04

Notes on Networking and Ports

PiHole acts as a DNS server for Bespin, listening on port 53 by default. This complicates things for us:

  • We already set up dnsmasq to run as a DNS and DHCP server for the wireless AP hotspot
  • If we hadn't set up dnsmasq, Ubuntu already has a built-in DNS server (systemd-resolvd) running on port 53 (see Ubuntu/Bespin for instructions to disable)
  • Previously, we dealt with the problem of having two DNS servers trying to use port 53 by killing one of them (systemd-resolvd). But we don't have that option this time.

PiHole on Non-Standard Port

Given that dnsmasq is already using port 53 to handle DNS queries for the wifi AP, we need to figure out an alternative approach.

One possibility would be to run dnsmasq on port 53, and run the PiHole DNS server on port 5353, and set the PiHole DNS as an upstream DNS server. Pretty slick, huh?

Turns out that doesn't work. dnsmasq gets its upstream nameservers from /etc/resolv.conf, which does not allow any non-standard ports. Every IP address in that list has to have a DNS server running on port 53.

So, using a non-standard port is out.

PiHole on Non-Standard Loopback IP

Given that we need the PiHole to listen on port 53, but we don't want it clashing with dnsmasq, we can assign the PiHole to listen for DNS queries on a non-standard loopback IP address.

  • The standard loopback IP address is 127.0.0.1. That's set up and available by default, and works like "localhost".
  • But you can ALSO use any address in the CIDR block 127.0.0.0/8 to create a new loopback IP address. That's a lot of IPs.

The plan is still the same: set up the PiHole running on 127.0.10.1, and set 127.0.10.1 as the only upstream DNS server for dnsmasq to use in /etc/resolv.conf.
The dnsmasq server passes along DNS requests it doesn't know how to resolve. We define the upstream DNS servers that dnsmasq uses. Instead of using 1.1.1.1 or 8.8.8.8, we can point to the PiHole DNS server.

Now, if a client on the AP requests "github.com", the request will go to dnsmasq. dnsmasq will not find it in /etc/hosts, so it will pass the request on to the upstream DNS server, the PiHole. The PiHole checks whether the request should be filtered, and whether it can answer the request. If not, it forwards the request on to another DNS server.

In other words, the PiHole sits between the system DNS server and external DNS servers and acts as a kind of DNS proxy.
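To verify that chain end to end, here is an added probe (not from the original page) that sends a raw A query to a resolver and parses the A records in the reply, so you can compare what dnsmasq hands back with what the PiHole on 127.0.10.1 returns for the same name. It assumes the PiHole address 127.0.10.1 from the plan above; the embedded sample response is constructed for offline use.

```python
import socket
import struct
# Constructed sample: a reply to a github.com A query answering 192.0.2.10
# (a TEST-NET address), with a compressed owner name in the answer section.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR RD RA, 1 question, 1 answer
    b"\x06github\x03com\x00\x00\x01\x00\x01"               # question: github.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"  # answer: ptr->12, A, IN, TTL 60, 192.0.2.10
)

def build_query(name, txid=0x1234):
    """Minimal UDP DNS query: one A/IN question, RD set, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):  # offset just past the name at `off`, pointer-aware
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return the txid, RCODE and A-record addresses of a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # only A records are collected
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": addrs}

def resolve(name, server="127.0.10.1", port=53, timeout=2.0):
    """Send one query to server:port over UDP and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return parse_response(data)
```

Call resolve("github.com") to query the PiHole on 127.0.10.1 directly, and resolve("github.com", server=the address dnsmasq listens on) to see what AP clients receive; if the two disagree, the forwarding path is not the one configured in /etc/resolv.conf.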

Install Stuff

Docker

Thanks to the Ansible step covered on the Ubuntu/Bespin page, Docker is already installed on Bespin.

$ which docker
/usr/bin/docker

$ which docker-compose
/usr/local/bin/docker-compose

PiHole Docker Image

Pull the latest pihole docker image:

docker pull pihole/pihole:latest

Create Docker Compose File

version: '3'
services:
  pihole:
    container_name: pihole
    domainname: docker
    hostname: pihole
    image: pihole/pihole:latest
    ports:
      # Publish DNS only on the 127.0.10.1 loopback address, so it does not
      # clash with dnsmasq on port 53. dnsmasq must itself bind to specific
      # addresses (bind-interfaces / listen-address) rather than 0.0.0.0, or
      # this bind fails with "address already in use".
      - '127.0.10.1:53:53/tcp'
      - '127.0.10.1:53:53/udp'
      # - '67:67/udp'   # DHCP stays with dnsmasq, so it is not published here
      - '80:80'         # PiHole web admin interface
      - '443:443'
    restart: unless-stopped
    volumes:
      - ${USERDIR}/docker/pihole/pihole:/etc/pihole
      # - ${USERDIR}/docker/pihole/pihole.log:/var/log/pihole.log
      - ${USERDIR}/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    environment:
      - ServerIP=${SERVER_IP}
      - TZ=${TZ}
      - WEBPASSWORD=PIHOLEWEBPASSWORD   # placeholder; set a real password before starting
      - DNS1=127.0.0.1
      - DNS2=1.1.1.1

Create Startup Service

Create a startup service:

/etc/systemd/system/pihole.service

[Unit]
Description=PiHole Docker Pod
Requires=docker.service
After=docker.service

[Service]
Restart=always
# Compose's stdout/stderr (the aggregated container output) is discarded rather
# than written to the journal; `docker logs pihole` still shows container logs.
StandardError=null
StandardOutput=null
# /path/to/docker-compose.yml is a placeholder for the compose file above.
ExecStart=/usr/local/bin/docker-compose -f /path/to/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /path/to/docker-compose.yml stop

[Install]
WantedBy=default.target

Enable it:

sudo systemctl enable pihole
sudo systemctl start pihole

Related Flags