Ubuntu/Bespin/PiHole: Difference between revisions
From charlesreid1
Revision as of 00:29, 8 July 2020
Running PiHole via Docker on Ubuntu 18.04
Notes on Networking and Ports
PiHole acts as a DNS server for Bespin, listening on port 53 by default. This complicates things for us:
- We already set up dnsmasq to run as a DNS and DHCP server for the wireless AP hotspot
- If we hadn't set up dnsmasq, Ubuntu already has a built-in DNS server (systemd-resolved) running on port 53 (see Ubuntu/Bespin for instructions to disable it)
- Previously, we dealt with the problem of having two DNS servers trying to use port 53 by killing one of them (systemd-resolved). But we don't have that option this time, since dnsmasq is what serves the AP.
PiHole on Non-Standard Port
Given that dnsmasq is already using port 53 to handle DNS queries for the wifi AP, we need to figure out an alternative approach.
One possibility would be to run dnsmasq on port 53, and run the PiHole DNS server on port 5353, and set the PiHole DNS as an upstream DNS server. Pretty slick, huh?
Turns out that doesn't work. dnsmasq gets its upstream nameservers from /etc/resolv.conf, which does not allow any non-standard ports. Every IP address in that list has to have a DNS server running on port 53.
So, using a non-standard port is out.
PiHole on Non-Standard Loopback IP
Given that we need the PiHole to listen on port 53, but we don't want it clashing with dnsmasq, we can assign the PiHole to listen for DNS queries on a non-standard loopback IP address.
- The standard loopback IP address is 127.0.0.1. That's set up and available by default, and works like "localhost".
- But you can ALSO use any address in the CIDR block 127.0.0.0/8 as a loopback IP address. That's a lot of IPs.
The plan is still the same: set up the PiHole running on 127.0.10.1, and set 127.0.10.1 as the only upstream DNS server for dnsmasq to use in /etc/resolv.conf.
Now, if a client on the AP requests "github.com", the request will go via port 53 to dnsmasq on bespin. dnsmasq will not find it in /etc/hosts, so it will look up the upstream nameserver in /etc/resolv.conf (the PiHole at 127.0.10.1 port 53) and will pass the DNS request on to the PiHole. The PiHole will determine what to do with the request, and will pass it upstream if it cannot resolve it itself.
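The two conditions above (every nameserver in /etc/resolv.conf is a bare IP, and the two port-53 listeners sit on different addresses rather than one of them grabbing 0.0.0.0) are easy to get wrong silently. The following script is an added example, not part of the wiki page: its function names and the --live flag are my own, the addresses 127.0.10.1, 127.0.0.1 and 192.168.10.1 are the ones from the plan above, and the ss/resolv.conf samples it carries are constructed (pids and fds made up) so it can be run without the host.

```shell
#!/bin/sh
# Added example, not from the wiki page: checks for the dnsmasq -> PiHole hand-off
# described above. Each function reads stdin, so it can be fed either live data
# (/etc/resolv.conf, `ss -lunpH`) or the constructed samples below.

# dnsmasq takes its upstreams from /etc/resolv.conf, where a nameserver entry can
# only be a bare IP (no "#port" or ":port" suffix). Print every entry that is not
# a bare IPv4 address; exit 0 only when none is found.
resolv_bad_upstreams() {
  awk '$1 == "nameserver" && $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; bad = 1 }
       END { exit bad ? 1 : 0 }'
}

# Exit 0 only when the given address is the one and only nameserver entry, which
# is what the plan requires (127.0.10.1 as the sole upstream for dnsmasq).
resolv_sole_upstream_is() {
  awk -v want="$1" '$1 == "nameserver" { n++; if ($2 == want) hit++ }
                    END { exit (n == 1 && hit == 1) ? 0 : 1 }'
}

# From `ss -lunpH` output (UDP listeners, no header; -p needs root to show other
# users' processes), print the local address of every socket on port 53. A wildcard
# bind (0.0.0.0 or [::]) clashes with dnsmasq on 127.0.0.1:53 and 192.168.10.1:53.
port53_listeners() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:53$/) {
           if ($i ~ /^(0\.0\.0\.0|\*|\[::\]):53$/) print $i " WILDCARD"; else print $i } }'
}

# Exit 0 when some port-53 listener is bound to a wildcard address.
port53_has_wildcard() {
  port53_listeners | grep -q ' WILDCARD$'
}

# Constructed samples (pids and fds are made up): the clash, and the intended state.
SS_BROKEN='UNCONN 0 0 192.168.10.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=6))
UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("docker-proxy",pid=2210,fd=4))'
SS_GOOD='UNCONN 0 0 192.168.10.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=6))
UNCONN 0 0 127.0.10.1:53 0.0.0.0:* users:(("docker-proxy",pid=2210,fd=4))'
RESOLV_GOOD='nameserver 127.0.10.1'
RESOLV_BAD='nameserver 127.0.10.1#5353'

# With --live (hypothetical flag of this script), run the checks on the real host.
if [ "${1:-}" = "--live" ]; then
  resolv_bad_upstreams < /etc/resolv.conf && echo "resolv.conf: all upstreams are bare IPs"
  resolv_sole_upstream_is 127.0.10.1 < /etc/resolv.conf && echo "resolv.conf: PiHole is the sole upstream"
  ss -lunpH | port53_listeners
  if ss -lunpH | port53_has_wildcard; then
    echo "WARNING: a wildcard bind on port 53 will clash with dnsmasq"
  fi
fi
```

On the host, `sh check.sh --live` (run as root so ss can attribute sockets) shows the three port-53 sockets from the diagram; a 0.0.0.0:53 line among them means the PiHole container was published on every interface instead of the loopback alias.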
Diagram
+--------+-----------------------------------------------------------------------------------------------------------------------+
| bespin - host machine |
| |
| |
| |
| |
| +-----------------------+ |
| | | |
| | PiHole | |
| | | |
| | +------+ 4. PiHole is bound to the loopback interface, |
| | | port | address 127.0.10.1 port 53, so the client |
| | | 53 | DNS request is received by the PiHole. |
| +----------------+---+-++ |
| | | 5. PiHole will decide whether to filter the request, |
| +-------------------------+ | and will forward any DNS requests it cannot serve |
| | | to other upstream servers. |
| | | |
| | +---------------------------------------------------------------------------------+ |
| | | |
| | +------------------------+ 6. DNS requests to | |
| | | | upstream servers | |
| | | dnsmasq | are sent out over | |
| | | | the VPN tunnel | |
| | | +-------+ 2. dnsmasq is bound to the wlan1 (and loopback) | |
| | | | port | interfaces, so DNS request is received on | |
| | | | 53 | port 53 +------------+-------+ |
| | +----------------+---+--++ | | |
| | | | 3. dnsmasq cannot fulfill the request, so it | OpenVPN | |
| | | | forwards the request to the upstream server | | |
| | | | in /etc/resolv.conf, 127.0.10.1 | (+encryption) | |
| | | | | | |
| | | +-------------------------+ +------------+-------+ |
| +-----------+ | | 7. VPN traffic is sent out | |
| | | | through an encrypted tunnel | |
| | | | +----------+ | |
| | | | | | | |
| +---------------------------+ +-----------------+ +------------------+ +-----------------+ |
| | | | | | wlan1 | | | wlan0 | | | | tun0 | | |
| | | loopback | | | AP wifi|card | | internet gw | | | | VPN tunnel | |
| | | | | | | | | wifi card | | | | | | |
| +----+-------+-----+--------+ +----------+------+ +----------------+-+ +--+---------+----+ |
| | 127.0.10.1 | 127.0.0.1 | | 192.168.10.1 | | 192.168.0.199 | | 10.8.0.17 | |
+----------+------------+--------------+--------+---------+-------+---------+----------------+-+-----+-----------------+---------+
^ |
4. The request is passed | |
from loopback 127.0.0.1 | |
to loopback 127.0.10.1 | 1. A client on the AP asks |
| for DNS info for a domain,|
| e.g., "github.com" |
+-----------+-----------+ |
| | |
| client DNS request | |
| from 192.168.10.5 | |
| for | |
| "github.com" | |
| | |
+-----------------------+ |
v
+-------------+------------+
| |
| OpenVPN Server |
| + External DNS |
| |
| |
+--------------------------+
Install Stuff
Docker
Thanks to the Ansible step covered on the Ubuntu/Bespin page, Docker is already installed on Bespin.
$ which docker
/usr/bin/docker
$ which docker-compose
/usr/local/bin/docker-compose
PiHole Docker Image
Pull the latest pihole docker image:
docker pull pihole/pihole:latest
Create Docker Compose File
pihole:
  container_name: pihole
  domainname: docker
  hostname: pihole
  image: pihole/pihole:latest
  ports:
    - '53:53/tcp'
    - '53:53/udp'
    # - '67:67/udp'
    - '80:80'
    - '443:443'
  restart: unless-stopped
  volumes:
    - ${USERDIR}/docker/pihole/pihole:/etc/pihole
    # - ${USERDIR}/docker/pihole/pihole.log:/var/log/pihole.log
    - ${USERDIR}/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
  cap_add:
    - NET_ADMIN
  environment:
    - ServerIP=${SERVER_IP}
    - TZ=${TZ}
    - WEBPASSWORD=PIHOLEWEBPASSWORD
    - DNS1=127.0.0.1
    - DNS2=1.1.1.1
Create Startup Service
Create a startup service:
/etc/systemd/system/pihole.service
[Unit]
Description=PiHole Docker Pod
Requires=docker.service
After=docker.service

[Service]
Restart=always
StandardError=null
StandardOutput=null
ExecStart=/usr/local/bin/docker-compose -f /path/to/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /path/to/docker-compose.yml stop

[Install]
WantedBy=default.target
Enable it:
sudo systemctl enable pihole
sudo systemctl start pihole
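One check worth running before enabling the service: a compose port mapping written without a host address, like the '53:53/udp' entry above, is published by Docker on every host address (0.0.0.0), which is exactly the port-53 clash with dnsmasq that the 127.0.10.1 plan is meant to avoid; the mapping has to carry the loopback address, '127.0.10.1:53:53/udp'. The script below is an added example, not from the wiki page: the function names and the --live flag are my own, the address is the page's 127.0.10.1, and the compose sample it embeds is a constructed cut-down copy of the file above.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify that the compose file pins the PiHole
# port-53 mappings to the loopback alias instead of publishing them on 0.0.0.0.

PIHOLE_ADDR=127.0.10.1

# Read a compose file on stdin and print every host-port-53 mapping in its ports:
# block that is not pinned to PIHOLE_ADDR. Exit 0 only when none is found.
# Mapping forms handled: "host:container" (binds 0.0.0.0) and "ip:host:container".
unpinned_port53_mappings() {
  awk -v addr="$PIHOLE_ADDR" '
    /^[ \t]*#/ { next }                              # commented-out mappings do not bind
    /^[ \t]*ports:/ { inports = 1; next }
    inports && $0 !~ /^[ \t]*-/ { inports = 0 }      # first non-list line ends the block
    inports {
      m = $0; sub(/^[ \t]*-[ \t]*/, "", m); gsub(/[^A-Za-z0-9.:\/-]/, "", m)
      n = split(m, p, ":")
      if (n == 2 && p[1] == "53") { print m " (no host address: binds 0.0.0.0)"; bad = 1 }
      else if (n == 3 && p[2] == "53" && p[1] != addr) { print m " (pinned to " p[1] ", not " addr ")"; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Rewrite bare "53:53[/proto]" mappings to "127.0.10.1:53:53[/proto]"; prints the whole file.
pin_port53_mappings() {
  sed -E "s#^([[:space:]]*-[[:space:]]*['\"]?)53:53(/(tcp|udp))?#\1${PIHOLE_ADDR}:53:53\2#"
}

# Constructed sample: the relevant part of the compose file above, as written there.
COMPOSE_SAMPLE="pihole:
  image: pihole/pihole:latest
  ports:
    - '53:53/tcp'
    - '53:53/udp'
    # - '67:67/udp'
    - '80:80'
    - '443:443'
  restart: unless-stopped
  cap_add:
    - NET_ADMIN"

# With --live <compose-file> (hypothetical flag), check the real file, and if dig is
# present walk steps 1-5 of the diagram: the AP-facing dnsmasq, then the PiHole directly.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  if unpinned_port53_mappings < "$2"; then
    echo "$2: port-53 mappings are pinned to $PIHOLE_ADDR"
  else
    echo "$2: fix with: pin_port53_mappings < $2 > $2.pinned"
  fi
  if command -v dig >/dev/null; then
    dig +short @192.168.10.1 github.com
    dig +short @$PIHOLE_ADDR github.com
  fi
fi
```

Applied to the sample, `unpinned_port53_mappings` flags both 53:53 entries and exits 1; after `pin_port53_mappings` it finds nothing and exits 0. The 80 and 443 mappings stay on all interfaces because the check only concerns the port dnsmasq also needs.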