Expected Behaviour:
I have a Raspberry Pi 5 whose IP in the LAN is 192.168.1.99. I run Pi-hole on it using Docker. Alongside Pi-hole I also use Traefik and PiVPN. I use Pi-hole exclusively as a DNS server, no DHCP. I expect to be able to use the Pi-hole DNS from the container to ping the internet. Basically, when I am in the shell created by docker run -it busybox, I want to do nslookup google.com 192.168.1.99 and receive the address of google.com. Furthermore, if I do a DNS lookup from the Raspberry Pi, not from the busybox Docker container, I do receive the IP address:
nstefan@RaspberryPi ~/PiHole nslookup google.com 192.168.1.99
Server: 192.168.1.99
Address: 192.168.1.99#53
Non-authoritative answer:
Name: google.com
Address: 142.251.39.46
Name: google.com
Address: 2a00:1450:400d:80d::200e
Actual Behaviour:
When I docker run into busybox and try to do a DNS lookup, it says no servers could be reached:
/ # nslookup google.com 192.168.1.99
;; connection timed out; no servers could be reached
However, I can ping 192.168.1.99:
/ # ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: seq=0 ttl=64 time=0.141 ms
64 bytes from 192.168.1.99: seq=1 ttl=64 time=0.060 ms
And netcat says that port 53 is open:
/ # nc -nvz 192.168.1.99 53
192.168.1.99 (192.168.1.99:53) open
Why does this happen and how can I fix this?
Possibly useful information
The docker-compose file which I use to deploy Pi-hole is the following:
nstefan@RaspberryPi ~/PiHole cat docker-compose.yml
services:
  main:
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - 53:53/tcp
      - 53:53/udp
    dns:
      - 8.8.8.8
      - 8.8.4.4
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - ./storage/etc/dnsmasq.d:/etc/dnsmasq.d
      - ./storage/etc/pihole:/etc/pihole
    environment:
      - TZ=Europe/Bucharest
      - DNSMASQ_LISTENING=all
      - FTLCONF_LOCAL_IPV4=192.168.1.99
      - VIRTUAL_HOST=pi.hole
      - HOSTNAME=pi.hole
      - PROXY_LOCATION=pi.hole
    networks:
      - traefik_default
    labels:
      traefik.http.routers.pihole.entrypoints: web
      traefik.http.routers.pihole.rule: Host(`pihole.rpi`)
      traefik.http.services.pihole.loadbalancer.server.port: 80
networks:
  traefik_default:
    external: true
The iptables rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 10.92.109.0/24 ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT all -- 10.92.109.0/24 anywhere /* wireguard-forward-rule */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere pi.hole tcp dpt:domain
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:https
ACCEPT udp -- anywhere pi.hole udp dpt:domain
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
The IP address of the busybox container is 172.17.0.3:
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
The /etc/resolv.conf of the Raspberry Pi:
nstefan@RaspberryPi ~/PiHole cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.99
The /etc/resolv.conf of the busybox container:
/ # cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 192.168.1.99
# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []
After I installed Pi-hole and Traefik, I installed PiVPN. It is just a theory, but maybe PiVPN changed the iptables rules and now I am unable to ping from a container.
Also, neither the IP 172.17.0.3 nor even its gateway (172.17.0.1) appears in the Pi-hole logs. Instead, when I try to nslookup, 172.19.0.1 appears instead of 172.17.0.3.
172.17.0.1 is the IP address of the gateway for Traefik. So maybe the packets are forwarded by Traefik, but they never come back because there is no rule set, or something like this?
If that's the case, how can I add a rule in such a way that it doesn't interfere too much with the system?
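The iptables -L listing above prints "anywhere anywhere" for every rule in the DOCKER-ISOLATION chains because -L without -v hides the -i/-o interface matches, so it cannot show which bridge a packet is dropped on; iptables -S does show them. The following added example (not part of the original issue) parses iptables -S output and walks the FORWARD chain for a given packet the way the kernel would, reporting the rule that decided its fate. The rule set is a constructed sample in Docker's default layout with an assumed bridge name br-traefik for the traefik_default network; run the tool against your own iptables -S output to see what actually happens on your host.

```python
import ipaddress
import re
# Constructed sample in `iptables -S` form, laid out like Docker's default filter
# chains (an assumption; the report's `iptables -L` output hides the -i/-o matches).
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-traefik -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-traefik -o br-traefik -p udp -m udp --dport 53 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-traefik -j DROP
-A DOCKER-USER -j RETURN
"""
OPTS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport"}
TOKEN = re.compile(r"(!)?\s*(--?\w+)\s+(\S+)")  # optional '!' negation, option, value

def parse_rules(text):
    # -> ({chain: policy}, {chain: [(matches, target, original line)]}); only OPTS are modelled
    policies, chains = dict(re.findall(r"^-P (\S+) (\S+)", text, re.M)), {}
    for line in (l for l in text.splitlines() if l.startswith("-A ")):
        chain, rest = line.split(maxsplit=2)[1:]
        found = TOKEN.findall(rest)
        target = next(v for _, o, v in found if o == "-j")
        matches = {OPTS[o]: (v, neg == "!") for neg, o, v in found if o in OPTS}
        chains.setdefault(chain, []).append((matches, target, line))
    return policies, chains

def rule_hits(matches, pkt):
    # every match must agree with the packet; a leading '!' inverts that match
    def same(key, value):
        if key in ("src", "dst"):
            return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value)
        return str(pkt[key]) == value
    return all(same(k, v) != neg for k, (v, neg) in matches.items())

def verdict(text, pkt, chain="FORWARD"):
    # Walk the chain for pkt as iptables would; return (verdict, deciding rule line)
    policies, chains = parse_rules(text)
    def walk(name):
        for matches, target, line in chains.get(name, []):
            if not rule_hits(matches, pkt):
                continue
            if target == "RETURN":
                return None
            decided = (target, line) if target in ("ACCEPT", "DROP", "REJECT") else walk(target)
            if decided:  # a user-defined chain decided; None means it returned/fell through
                return decided
        return None
    return walk(chain) or (policies[chain], "chain policy")
```

With the sample rules, a DNS query from the busybox container (in docker0, out br-traefik after DNAT) is dropped by the DOCKER-ISOLATION-STAGE-2 rule, while the same query arriving from the LAN interface is accepted by the DOCKER chain; whether that matches your host depends on the real rules, which only iptables -S can tell you.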