Docker image uses 8.8.8.8 as DHCP, why?

I believe that I'm using pi-hole for a common reason: prevent annoying ads, protect my privacy, keep malware outside.

Now I want all devices in my network to use pihole, which runs as a container on my TrueNAS box. I have configured it to use my unbound resolver (on the Opnsense firewall) as upstream DNS.

Now I noticed that the pihole image has 8.8.8.8 (google dns) in its /etc/resolv.conf.

I am not sure when this dns server will be used, but I can imagine this is for updating the block lists and checking for pihole updates.

I wonder: is using the google DNS the best option we have? (especially to guard one's privacy)

Other options could be:

  • Use Quad9
  • Use the DNS server provided by DHCP
  • .. ?

What do you think?

This is not the default value.

Starting a container without configuring docker --dns option should result in this /etc/resolv.conf:

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options ndots:0

If your container is showing 8.8.8.8 some configuration is setting this value.

Can you please post your full compose file or docker run command used to start the container?

Thanks, that should be good news to me :slight_smile:

I use Truenas GUI to set it up, so had to dive into the k3s and kubectl commands, but here it is:

root@nas[/home/admin]# k3s kubectl get pod pihole-ix-chart-658db48b8c-xmvrw --namespace=ix-pihole
NAME                               READY   STATUS    RESTARTS   AGE
pihole-ix-chart-658db48b8c-xmvrw   1/1     Running   0          45h
root@nas[/home/admin]# k3s kubectl get pod pihole-ix-chart-658db48b8c-xmvrw --namespace=ix-pihole -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "ix-net",
          "interface": "eth0",
          "ips": [
              "172.16.0.190"
          ],
          "mac": "ca:64:2a:b5:8c:62",
          "default": true,
          "dns": {},
          "gateway": [
              "172.16.0.1"
          ]
      },{
          "name": "ix-pihole/ix-pihole-0",
          "interface": "net1",
          "ips": [
              "192.168.24.24"
          ],
          "mac": "c6:fb:11:a4:ec:e6",
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks: ix-pihole-0
    rollme: tLoRA
  creationTimestamp: "2024-05-21T20:53:17Z"
  generateName: pihole-ix-chart-658db48b8c-
  labels:
    app.kubernetes.io/instance: pihole
    app.kubernetes.io/name: ix-chart
    pod-template-hash: 658db48b8c
  name: pihole-ix-chart-658db48b8c-xmvrw
  namespace: ix-pihole
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: pihole-ix-chart-658db48b8c
    uid: d1ab3959-7929-4427-b4bc-c1010e5f0b04
  resourceVersion: "54173361"
  uid: 8ba16284-aef0-4f69-8b33-043a85afe066
spec:
  containers:
  - env:
    - name: TZ
      value: Europe/Amsterdam
    - name: WEBPASSWORD
      value: <secret>
    - name: MAXDBDAYS
      value: "14"
    image: pihole/pihole:2024.05.0
    imagePullPolicy: Never
    name: ix-chart
    resources:
      limits:
        amd.com/gpu: "0"
        gpu.intel.com/i915: "0"
        nvidia.com/gpu: "0"
      requests:
        amd.com/gpu: "0"
        cpu: 10m
        gpu.intel.com/i915: "0"
        memory: 50Mi
        nvidia.com/gpu: "0"
    securityContext:
      privileged: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/dnsmasq.d
      name: ix-host-path-pihole-0
    - mountPath: /etc/pihole
      name: ix-host-path-pihole-1
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-564vz
      readOnly: true
  dnsConfig: {}
  dnsPolicy: Default
  enableServiceLinks: true
  nodeName: ix-truenas
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - hostPath:
      path: /mnt/pool1/custom-containers/pihole/etc-dnsmasq.d
      type: ""
    name: ix-host-path-pihole-0
  - hostPath:
      path: /mnt/pool1/custom-containers/pihole/etc-pihole
      type: ""
    name: ix-host-path-pihole-1
  - name: kube-api-access-564vz
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-05-21T20:59:03Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-05-21T20:59:31Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-05-21T20:59:31Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-05-21T20:59:03Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://b4abbbcc55f2c78e33fca04cac2a42c280f1e376fa5371e0452280dc475e39d2
    image: docker.io/pihole/pihole:2024.05.0
    imageID: docker.io/pihole/pihole@sha256:8b1f31f46d94c3c1b8f509b302f28b4028483009bd27a9cbfd9b80185dd0687d
    lastState: {}
    name: ix-chart
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-05-21T20:59:31Z"
  hostIP: 192.168.24.100
  phase: Running
  podIP: 172.16.0.190
  podIPs:
  - ip: 172.16.0.190
  qosClass: Burstable
  startTime: "2024-05-21T20:59:03Z"

I have checked again and /etc/resolv.conf still has 8.8.8.8.

In the GUI the pihole container is configured with a static network interface without a dns setting.

At the moment TrueNAS itself is using 8.8.8.8 as its dns server too; is that where it comes from?

To test I have changed that to 9.9.9.9 and restarted the pihole container.

And yes: pi-hole now has 9.9.9.9.

But how does it get that? (I'll change the truenas DNS server to the pihole, but for that I first need to create a bridge interface so it can connect; still working on that)

Yes.

I can't say for sure because I've never used TrueNAS.

By default, Docker containers would use DNS servers as defined in the host system's /etc/resolv.conf, either directly by copying the file into a container or indirectly via Docker's internal DNS resolver using the nameservers from /etc/resolv.conf as upstreams, depending on a container's network mode.

See also Networking overview | Docker Docs.

Note that Pi-hole itself would only ever use the upstream DNS servers it has been configured for.

Thanks a lot for sharing this knowledge and the link to the documentation!

I have by now created the bridge and updated the host to use the pihole; pihole /etc/resolv.conf now uses pihole as well.