Deaf pi-hole / unbound dockered instance

Please follow the below template, it will help us to help you!

Expected Behaviour:

Fairly new to this. Running a docker as follows and have installed both pihole and unbound from a single compose file. Containers are healthy for both the pihole and unbound but will not process queries if the recommended setting in DNS is used ("Allow only local requests: Allows only queries from devices that are at most one hop away (local devices)").

If I select one of the other “Potentially dangerous options”, pi-hole will spring into life with queries. The “potentially dangerous” bit is slightly unnerving so for now I’ve switched back to deaf mode (allow only local requests).

The host machine is hardwired to the router which itself runs a firewall so on this basis, I should be able to run the potentially dangerous options. However, I'd like to understand why the default local request setting doesn't work. Is this because it is dockered and related to the network bridge between the pihole container and the unbound container? Does this effectively create an additional hop or two, hence no longer "local"?

  • 13.2 Trixie
  • Raspberry PI 4 Model B Rev 1.5
  • Combined Pi-Hole / Unbound (Klutchell) compose file
  • 29.1.3

Apologies for the potentially daft question.

Debug Token:

https://tricorder.pi-hole.net/grlnu70x/

In certain network modes (e.g. in its default bridge mode), Docker will isolate your Pi-hole container in its own network, i.e. your container will be on a different, Docker-internal subnet, and Docker will route traffic between your home and its internal network.

In such a configuration, you can safely enable one of the potentially dangerous options in Pi-hole's Interface settings.

I'd probably go for Respond only on interface first, as that would restrict DNS requests originating from IP ranges your machine hosting Docker carries a matching IP for.
If that doesn't work, you could opt to enable Permit all origins.

Alternatively, configure and start your Pi-hole container in a Docker network mode that has your container join your existing home network (e.g. macvlan or ipvlan), where it will carry an IP address from your home subnet range.
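To make the two options in this answer concrete, here is a constructed compose file (an added example, not the Klutchell compose file the original poster is running). It keeps the default bridge network and sets the Pi-hole listening mode to "Respond only on interface" through the Pi-hole v6 `FTLCONF_dns_listeningMode` environment variable, with the macvlan alternative sketched in the trailing comment. The LAN subnet, interface name, addresses, time zone, and the port unbound listens on are all assumptions; check them against your own network and image before use.

```yaml
# Constructed example, not the compose file from the thread.
# Assumes the host's LAN is 192.168.1.0/24 on interface eth0.
services:
  unbound:
    image: klutchell/unbound:latest
    container_name: unbound
    networks:
      - dns_internal
    restart: unless-stopped

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: "Europe/London"
      # In bridge mode LAN clients reach Pi-hole through Docker's NAT on the
      # host, so from the container's view they are never "one hop away" and
      # the LOCAL mode drops their queries. SINGLE ("Respond only on
      # interface") answers on the container's own interface and still
      # refuses queries arriving on any other interface, which is the
      # narrowest of the "potentially dangerous" options.
      FTLCONF_dns_listeningMode: "SINGLE"
      # Forward to unbound on the compose network; the service name resolves
      # through Docker's embedded DNS. Port 53 is assumed for this image.
      FTLCONF_dns_upstreams: "unbound#53"
    networks:
      - dns_internal
    restart: unless-stopped

networks:
  dns_internal:
    driver: bridge

# Alternative (macvlan): give Pi-hole its own LAN address so clients really
# are one hop away and the default LOCAL mode works. Changes from the above:
#   - remove the "ports:" block from the pihole service (no NAT needed)
#   - set FTLCONF_dns_listeningMode: "LOCAL"
#   - attach pihole to a second network "lan" with a fixed address, e.g.
#       networks:
#         dns_internal:
#         lan:
#           ipv4_address: 192.168.1.241
#   - define the network (subnet, gateway and interface are assumptions):
#       lan:
#         driver: macvlan
#         driver_opts:
#           parent: eth0
#         ipam:
#           config:
#             - subnet: 192.168.1.0/24
#               gateway: 192.168.1.1
#               ip_range: 192.168.1.240/28
```

Two caveats worth knowing before choosing. With the bridge variant, the host firewall and the `ports:` mapping decide which interfaces can reach port 53 at all, so "Permit all origins" is only needed if SINGLE still drops the queries you expect. With the macvlan variant, the Docker host itself cannot talk to the container over the macvlan interface by default (a kernel restriction, not a Pi-hole one), so the host needs a separate route or its own macvlan sub-interface if it should use Pi-hole as a resolver.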

Thanks for the reassurance - this supports my thoughts re: more than one hop.
