Guide for pihole+unbound on docker (single docker-compose.yml)

In the past, I have been running pihole with local unbound natively on a Pi (and second Pi as backup DNS).

Since I am restructuring my network a bit, I want to take the opportunity to move Pihole to docker.

Before I spend a lot of time figuring out how to combine pihole with unbound in docker, I wanted to ask if there is a working guide out there. Thank you for any hints.

I don't know any tutorials, but there are many compose file examples, like this one:

If you'd want to run unbound in a container as well, you should be aware that there is no official unbound Docker image.
Instead, you'd have to pick your personal favourite from several third-party images coming in different flavours, combining features as their respective creators saw fit.

Our unbound guide covers configuration of unbound on the same machine as a bare metal Pi-hole.

If you'd want to keep running unbound bare metal, you could work from that configuration, but you'd have to adapt it to your specific scenario, e.g. I've added the following lines to my /etc/unbound/unbound.conf.d/pi-hole.conf:

    interface: 192.168.127.53
    (…)
    access-control: 192.168.127.0/24 allow_snoop
    access-control: 172.16.0.0/12 allow

where 192.168.127.53 is the IP of the machine running Docker, and 192.168.127.0/24 is the local subnet, and 172.16.0.0/12 should cover Docker's internal IPs (unless you'd configured your Docker to use some other private IP range). The latter wouldn't be strictly required if you'd run your Docker containers in host, ipvlan or macvlan network modes.

@rdwebdesign thanks for your reply.

In the meantime, I have started to "develop" a docker compose file - didn't see your reply in time...

And yes, the idea was to run unbound as a docker container as well. I could have done unbound natively too. The unbound container actually gave the most trouble. I first tried the mvance/unbound image, but had to change it to klutchell/unbound:latest as the docker host is on aarch64, which isn't a supported arch for mvance/unbound.

For reference, I am sharing my docker-compose.yml here.

docker-compose.yml:

    services:
      unbound:
        container_name: unbound
        image: klutchell/unbound:latest
        restart: unless-stopped
        networks:
          pihole_net:
            ipv4_address: 172.20.0.2
        volumes:
          - ./unbound:/etc/unbound/custom.conf.d/

      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        restart: unless-stopped
        ports:
          - "53:53/tcp"
          - "53:53/udp"
          - "8080:80/tcp" # Web GUI port remapped to 8080
        environment:
          TZ: 'Europe/Berlin'
          PIHOLE_DNS_: '172.20.0.2#53' # IP of the Unbound container
          FTLCONF_LOCAL_IPV4: '127.0.0.1'
          FTLCONF_dns_listeningMode: 'all' # this is important for FTL to talk to external clients
        volumes:
          - ./etc-pihole:/etc/pihole
          - ./etc-dnsmasq.d:/etc/dnsmasq.d
        networks:
          pihole_net:
            ipv4_address: 172.20.0.3
        depends_on:
          - unbound

    networks:
      pihole_net:
        driver: bridge
        ipam:
          config:
            - subnet: 172.20.0.0/24

To set the webui password, I used docker exec -it pihole pihole setpassword - I am sure there is a smarter config way, but this one works too.

I am very open to feedback and suggestions to improve the compose file and unbound config.

You can use an environment variable in your compose file:

    FTLCONF_webserver_api_password: 'YourPasswordHere'

You don't need to use IPs for your containers. Docker can use the container_name, like shown here:
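As an added example (not the compose file linked in the reply above, and not the thread author's own file), here is the compose file from earlier in this thread with both suggestions applied: the containers reach each other by container_name instead of fixed addresses, and the web UI password comes from an environment variable. It also binds the web UI port to the LAN address only (192.168.127.53 is taken from the unbound reply above and is assumed to be the Docker host's IP) and reads the password from a `.env` file next to the compose file, so it is not stored in plain text inside docker-compose.yml.

```yaml
# docker-compose.yml (added example; assumes a ./.env file containing
# PIHOLE_WEBPASSWORD=<your password>, which docker compose reads automatically)
services:
  unbound:
    container_name: unbound
    image: klutchell/unbound:latest
    restart: unless-stopped
    networks:
      - pihole_net                 # no fixed ipv4_address needed: Pi-hole reaches it as "unbound"
    volumes:
      - ./unbound:/etc/unbound/custom.conf.d/

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"                # DNS must stay reachable by all LAN clients
      - "53:53/udp"
      - "192.168.127.53:8080:80/tcp"   # web GUI only on the LAN interface, not on every interface
    environment:
      TZ: 'Europe/Berlin'
      PIHOLE_DNS_: 'unbound#53'    # container name instead of 172.20.0.2
      FTLCONF_dns_listeningMode: 'all'
      FTLCONF_webserver_api_password: '${PIHOLE_WEBPASSWORD}'   # substituted from .env at "docker compose up"
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    networks:
      - pihole_net
    depends_on:
      - unbound

networks:
  pihole_net:
    driver: bridge                 # Docker's bridge network resolves container names on its own
```

If you keep a fixed subnet for the bridge network, the unbound `access-control` line for 172.16.0.0/12 from the earlier reply still covers it; with name-based addressing there is nothing else to adjust when Docker hands out different addresses after a restart.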