Accessing Dockerized Pi-Hole from other Container without Exposing Ports

The issue I am facing:
Unable to connect to pi-hole docker container from another container without first allowing port 53 on host.

Details about my system:
I have Pi-Hole running in a Docker container using the following docker-compose:

version: "2"

services:
  pi-hole:
    container_name: pi-hole
    image: pihole/pihole:latest
    restart: unless-stopped
    volumes:
        - /volume1/docker/pi-hole/etc/dnsmasq.d:/etc/dnsmasq.d
        - /volume1/docker/pi-hole/etc/pihole:/etc/pihole
    ports:
      - "443/tcp"
      - "53/tcp"
      - "53/udp"
      - "67/udp"
      - "80/tcp"
    environment:
      - ServerIP=192.168.2.4
      - DNS1='192.168.2.3#5054'
      - DNS2=''
      - IPv6=false
      - DNSMASQ_LISTENING=local
    networks:
      macvlan_private:
        ipv4_address: 192.168.2.4
      bridge_to_nas:
        ipv4_address: 192.168.20.4
    hostname: pi-hole
    dns:
      - 127.0.0.1
      - 1.0.0.2
    cap_add:
      - NET_ADMIN

networks:
  macvlan_private:
    external: true
  bridge_to_nas:
    external: true

There is a macvlan network to avoid port conflicts when other devices try to access Pi-Hole, and a bridge network to allow the host machine to also use the Pi-Hole container as a DNS.

My understanding is that by using a bridge network, other docker containers should be able to access the Pi-Hole. However, using the following example docker-compose for another container, this doesn't quite work:

version: "2.1"
services:
  freshrss:
    image: linuxserver/freshrss
    container_name: freshrss
    environment:
      - PUID=1026
      - PGID=100
      - TZ=America/New_York
    volumes:
      - /volume1/docker/freshrss:/config
    networks:
      - bridge_to_nas
    dns:
      - 192.168.20.4
    hostname: freshrss
    restart: unless-stopped

networks:
  bridge_to_nas:
    external: true

The two containers are on the same bridge network; however, the RSS container is only able to access the pi-hole container when I make a firewall exception for port 53 on the host machine.

Is this the correct behavior? I would have thought this would not be necessary since they should both be on the same bridge network.

Since you've configured bridge_to_nas as external to both your containers, which additional container is responsible for bringing up that network?

And probably not significant, but your docker-compose version: values do not match and also differ from the version used in our sample configs.

Good catch on the version, will fix that.

The relevant network creation:

bridge_to_nas:
  ipam:
    config:
      - subnet: 192.168.20.16/28

You may want to tie your Pi-hole container to a specific version (instead of using latest) in order to avoid surprises by unintentionally upgrading to a newer release when simply restarting your container.

You sort of avoided answering my question.

You've instructed both your containers to join a pre-defined external network by stating bridge_to_nas as external. Hence that network has to be brought up externally and be available for your two containers to join it.
Note that joining a bridge network is only possible if your containers are managed by the same Docker daemon. If you spread your containers over different machines running Docker, you'd have to create an overlay network instead.

Since this is more of a Docker networking than a Pi-hole issue, you should consider consulting Docker resources as well.

I had originally created that network manually, and then attached the Pi-Hole and other containers as indicated. These are all on the same host, and do appear to be on the same bridge_to_nas network.

Good point on the Docker resources, will submit there as well.
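A sanity check worth running before touching host firewall rules, added here as an example and not part of any post in this thread: confirm that every static address sits inside the IPAM subnet of the network it joins, and that a client's dns: entry is an address another container holds on a network the client is also attached to. The dicts are constructed from the compose fragments quoted above (only the network-relevant keys are kept); with the values exactly as quoted, 192.168.20.4 falls outside 192.168.20.16/28, which the first check reports.

```python
import ipaddress

# Constructed from the thread: the external network and its declared IPAM subnet.
# macvlan_private's subnet is not shown in the thread, so it is left out and unchecked.
NETWORKS = {"bridge_to_nas": "192.168.20.16/28"}

# Constructed from the thread: each service's network attachments (static address or
# None for a dynamically assigned one) and its dns: entries.
SERVICES = {
    "pi-hole": {"networks": {"macvlan_private": "192.168.2.4",
                             "bridge_to_nas": "192.168.20.4"},
                "dns": ["127.0.0.1", "1.0.0.2"]},
    "freshrss": {"networks": {"bridge_to_nas": None},
                 "dns": ["192.168.20.4"]},
}

def addresses_outside_subnet(services, networks):
    """(service, network, address) for each static address that is not inside the
    subnet declared for that network. Docker rejects such an attachment, so this
    catches a compose/network mismatch before any firewall debugging starts."""
    problems = []
    for name, svc in services.items():
        for net, addr in svc["networks"].items():
            if addr is None or net not in networks:
                continue  # dynamic address, or the subnet is unknown
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(networks[net]):
                problems.append((name, net, addr))
    return problems

def unreachable_dns(services):
    """(client, resolver) for each dns: entry that is a static address of a listed
    service on a network the client does not join. Loopback and addresses no listed
    service owns (upstream resolvers) are not judged here."""
    owned = {addr: net for svc in services.values()
             for net, addr in svc["networks"].items() if addr}
    return [(name, dns) for name, svc in services.items() for dns in svc["dns"]
            if dns in owned and owned[dns] not in svc["networks"]]

if __name__ == "__main__":
    print(addresses_outside_subnet(SERVICES, NETWORKS))
    print(unreachable_dns(SERVICES))
```

Both checks are static and need no running Docker daemon, so they can be run against a compose file before it is deployed.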
