Getting started with Portainer, and Pi-hole docker image

Hello,

yesterday I installed Pi-hole via portainer with the following settings:

Image: pihole/pihole:latest
Ports published (left one is host, right one is docker port):

  • 53:53 TCP
  • 53:53 UDP
  • 8090:80 TCP

Volumes (left one is host, right one is docker path):

  • /var/lib/docker/Containers/pi_hole_config/_data:/etc/pihole
  • /var/lib/docker/Containers/pi_hole_dnsmasq/_data:/etc/dnsmasq.d

Env:

  • TZ: Europe/Berlin
  • WEBPASSWORD: WonTTellU

Everything else was left as it initially was.

The docker logs for Pi-hole look as follows:

s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[i] Applying the following caps to pihole-FTL:
* CAP_CHOWN
* CAP_NET_BIND_SERVICE
* CAP_NET_RAW
[i] Ensuring basic configuration by re-running select functions from basic-install.sh
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[i] Installing /etc/dnsmasq.d/01-pihole.conf...
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
[i] Installing latest logrotate script...
[i] Existing logrotate file found. No changes made.
[i] Assigning password defined by Environment Variable
[✓] New password set
[i] Added ENV to php:
"TZ" => "Europe/Berlin",
"PIHOLE_DOCKER_TAG" => "",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "b02394b4e335",
[i] Using IPv4 and IPv6
[i] Installing latest Cron script...
[✓] Installing latest Cron script
[i] setup_blocklists now setting default blocklists up:
[i] TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
[i] Blocklists (/etc/pihole/adlists.list) now set to:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
[i] Existing DNS servers detected in setupVars.conf. Leaving them alone
[i] Applying pihole-FTL.conf setting LOCAL_IPV4=0.0.0.0
[i] FTL binding to default interface: eth0
[i] Enabling Query Logging
[i] Testing lighttpd config: Syntax OK
[i] All config checks passed, cleared for startup ...
[i] Docker start setup complete
[i] pihole-FTL (no-daemon) will be started as pihole
s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
s6-rc: info: service legacy-services successfully started
[i] Neutrino emissions detected...

[✓] Pulling blocklist source list into range
[i] Preparing new gravity database...
[✓] Preparing new gravity database
[i] Creating new gravity databases...
[✓] Creating new gravity databases
[i] Using libz compression
[i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
[i] Status: Pending...
[✓] Status: Retrieval successful

[✓] Parsed 136349 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
Sample of non-domain entries:
- "0.0.0.0"
[i] List has been updated
[i] Building tree...
[✓] Building tree
[i] Swapping databases...
[✓] Swapping databases
[✓] The old database remains available
[i] Number of gravity domains: 136349 (136349 unique domains)
[i] Number of exact blacklisted domains: 0
[i] Number of regex blacklist filters: 0
[i] Number of exact whitelisted domains: 0
[i] Number of regex whitelist filters: 0
[i] Cleaning up stray matter...
[✓] Cleaning up stray matter
[✓] FTL is listening on port 53
[✓] UDP (IPv4)
[✓] TCP (IPv4)
[✓] UDP (IPv6)
[✓] TCP (IPv6)
[i] Pi-hole blocking will be enabled
[i] Enabling blocking

[✓] Pi-hole Enabled
Pi-hole version is v5.17.1 (Latest: v5.17.1)
AdminLTE version is v5.20.1 (Latest: v5.20.1)
FTL version is v5.23 (Latest: v5.23)
Container tag is: 2023.05.2

To me it looks like everything was successfully installed. The admin section is running.

When I change my network interface settings on my Windows laptop to use DNS 10.50.50.115 (which is the IP of my Raspberry Pi), I expected to see no advertisements on several pages. Nevertheless, I see advertisements and the Pi-hole dashboard shows me no Queries, Query Types, Upstream Servers, ...

Could you please help me to get it to work? When it works with my laptop's network interface, I'd like to add Pi-hole as the default DNS in my OpenWrt router, but for getting it running, I would stick to the current interface only.

Thanks and kind regards,

Peter

No queries registering in Pi-hole would imply that your Pi-hole is being by-passed via another DNS server.

Run from a client in your network, what is the output of:

nslookup pi.hole

And if you happen to run Windows on such a client, have a closer look at the output of

ipconfig /all

In particular, you should scrutinise the DNS server section of that output.


Thanks for your response, Bucking_Horn!

Running nslookup, while I have configured Pi-hole as the DNS server for my laptop's wifi connection, tells me:

Server: my_raspi.lan (changed internal "domain" name)
Address: abcd:1234:5678::9 (changed ipv6 address)

*** pi.hole wurde von my_raspi.lan nicht gefunden: Non-existent domain.
The message says "pi.hole was not found by my_raspi.lan: Non-existent domain."

The ipconfig /all output for my wifi adapter is (values marked with asterisk were changed for the forum)

Drahtlos-LAN-Adapter WiFi:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Intel(R) Wi-Fi 6 1234 160MHz*
Physische Adresse . . . . . . . . : AB-12-3C-D4-E5-FF*
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv6-Adresse. . . . . . . . . . . : fd70:6dc7:cae0::fae(Bevorzugt)*
Lease erhalten. . . . . . . . . . : Montag, 25. September 2023 19:25:25
Lease läuft ab. . . . . . . . . . : Freitag, 2. November 2159 05:11:32
IPv6-Adresse. . . . . . . . . . . : abcd:1234:5678::9(Bevorzugt)*
Temporäre IPv6-Adresse. . . . . . : abcd:1234:5678::9(Bevorzugt)*
Verbindungslokale IPv6-Adresse . : abcd:1234:5678::9(Bevorzugt)*
IPv4-Adresse . . . . . . . . . . : 10.20.20.40(Bevorzugt)*
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 10.20.20.1*
DHCPv6-IAID . . . . . . . . . . . : 123456*
DHCPv6-Client-DUID. . . . . . . . : 00-00-00-00-00-00-00-00-00-00-00-00-00-00*
DNS-Server . . . . . . . . . . . : abcd:1234:5678::9*
10.20.20.115*
NetBIOS über TCP/IP . . . . . . . : Aktiviert

So it seems, the DNS server is set correctly?!

Likely not.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log


Thank you, Bucking_Horn.

Here is the debug token: https://tricorder.pi-hole.net/GhKPKEML/

I saw the missing light httpd conf problem, which doesn't seem to be one running Pi-hole on Debian.
I also saw the No IPv6 address(es) found on the eth0 interface and checked via https://ipv6-test.com/ -> IPv6 is not supported.

Your earlier nslookup demonstrates that abcd:1234:5678::9 is not your Pi-hole, or else it would have replied with your Pi-hole host machine's IP (which you haven't set yet for your Pi-hole container, see FTLCONF_LOCAL_IPV4 in Recommended Variables).

Commonly, an IPv6 address showing up as DNS server when using a dockered Pi-hole is reason for concern, as Docker is IPv4 only by default (and your debug log confirms that to also be true for your Pi-hole container).

Run from your machine hosting Docker, check the output of:

ip -6 address

Does abcd:1234:5678::9 show up there?

Also, what's the output of:

nslookup abcd:1234:5678::9 10.20.20.1

Thank you, Bucking_Horn.

In advance, I made an error "masking" my outputs. The nslookup command you asked me to execute previously doesn't show my_raspi.lan as host, but my_router.lan. Sorry for that.

I set the FTLCONF_LOCAL_IPV4 environment variable in portainer for the Pi-hole docker container to 10.20.20.2. After re-deploying Pi-hole, I am not able to ping 10.20.20.2, because host is not reachable.

EDIT: I perhaps/probably misunderstood the FTLCONF_LOCAL_IPV4 description. I only set it to the docker container, but my Raspberry Pi had another IP. So what I now did was setting the IP I added to the env variable (10.50.50.2) as static IP to the Raspberry Pi. I restarted my router and the Raspberry Pi and now see 135 queries, two blocked. But when I call an internet page in my browser the number of queries doesn't increase. No clue, where exactly these 135 queries come from.

Nevertheless for any reason I made progress: the Pi-hole admin mask now shows two queries from which two were blocked. No clue, where they came from. When I call internet pages from my browser, the dashboard doesn't show any additional queries / blocked queries and ads are still displayed on the called internet pages.

In the ip -6 address output, the unmasked/real IPv6 address of the nslookup output doesn't appear.
The nslookup abcd:1234:5678::9 10.20.20.1 shows

Server: my_router.lan
Address: 10.20.20.1

Name: my_router.lan
Address: abcd:1234:5678::9

my_router.lan is configured as gateway for every network interface.

Your router is advertising its own IPv6 address as DNS server, allowing your IPv6 clients to by-pass Pi-hole.

You'd have to find a way to configure your router to stop advertising its own IPv6 as DNS server.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you do not otherwise depend on IPv6.

If your router doesn't support that either, your clients will always be able to bypass Pi-hole via IPv6.
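
The client-side check used in this thread (reading the DNS server section of `ipconfig /all`) can be scripted. This is an added example, not code from the thread or from the Pi-hole project: it parses `ipconfig /all` text, including servers listed on continuation lines, and reports every resolver that is not the Pi-hole. The function names and the sample text (constructed from the masked values posted above) are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the masked German `ipconfig /all` output in this thread.
SAMPLE = """\
Drahtlos-LAN-Adapter WiFi:

   Standardgateway . . . . . . . . . : 10.20.20.1
   DNS-Server  . . . . . . . . . . . : abcd:1234:5678::9
                                       10.20.20.115
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
"""

# "DNS-Server" (German) or "DNS Servers" (English); other locales are not covered.
DNS_LABEL = re.compile(r"^\s+DNS[- ]Servers?[ .]*:\s*(\S+)\s*$", re.IGNORECASE)
CONTINUATION = re.compile(r"^\s+(\S+)\s*$")

def _as_ip(token):
    """Return an ip_address for token, or None; drops any %zone suffix."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Map adapter name -> list of DNS server addresses, in resolver order."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line = section header
            adapter, in_dns = line.rstrip(": "), False
            continue
        m = DNS_LABEL.match(line)
        if not m and in_dns:
            m = CONTINUATION.match(line)        # further servers on their own lines
        ip = _as_ip(m.group(1)) if m else None
        in_dns = ip is not None                 # any other line ends the DNS block
        if ip is not None and adapter is not None:
            result.setdefault(adapter, []).append(ip)
    return result

def bypass_resolvers(ipconfig_text, pihole_addrs):
    """Return {adapter: [resolvers that are not Pi-hole]}; empty means no bypass."""
    allowed = {ipaddress.ip_address(a) for a in pihole_addrs}
    found = {}
    for adapter, servers in dns_servers(ipconfig_text).items():
        others = [str(s) for s in servers if s not in allowed]
        if others:
            found[adapter] = others
    return found
```

Run against the sample with `["10.20.20.115"]` as the Pi-hole address, it flags the router's IPv6 address on the WiFi adapter, which is the bypass path identified above.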


Thank you, Bucking_Horn.

I'm using OpenWrt, so I'm almost sure there must be a solution for that.

Thanks a lot for your time and your support. It was a big help.