I'm trying to use unbound as my upstream DNS server, and I'm using docker for both pihole and unbound. I know I can create a docker network and manually assign static IP addresses for both containers, but I can't quite figure out why I can't set my DNS server to a hostname...
Is there any way to interpolate the unbound's IP address when building the container?
Here is my current docker config:
```yaml
version: "3.7"
services:
  pihole:
    depends_on: [unbound]
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    hostname: pihole.lan
    dns:
      - 127.0.0.1
      - unbound.lan # Points to unbound
    environment:
      TZ: $TZ
      DNS1: unbound.lan # Unbound IP
      DNS2: unbound.lan # If we don't specify two, it will auto pick google.
    volumes:
      - "./pihole/:/etc/pihole/"
      - "./dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
  unbound:
    image: "mvance/unbound-rpi:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: unbound.lan
    volumes:
      - "./unbound:/opt/unbound/etc/unbound/"
    environment:
      PUID: $PUID
      PGID: 995
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
```
`unbound.lan` doesn't mean anything to anyone, so it can't be used as the name. If you want to refer to other containers then you need to use their `container_name`.
So first step would be to change `unbound.lan` to just `unbound` since that is the container's name.
Off the top of my head I don't know if you can use a FQDN in the `DNS1` or `2` environment variables, but we can see.
And you may need to expose the port from `unbound`'s container for others to use it.
If you're going to use the default bridge then you're going to have to do some things that are not quite docker suggested and may break if docker changes behaviors.
And please do not use the `latest` tag for Pi-hole, pin to a versioned tag.
Yeah, I could expose the `unbound` way, but was wondering if using container_names is possible, I would prefer that.
Would `unbound` (the container name) still be considered a FQDN?
I did try that separately (`DNS1=unbound` and `DNS2=unbound`) and found the same error:
dnsmasq: bad address...
> If you're going to use the default bridge then you're going to have to do some things that are not quite docker suggested and may break if docker changes behaviors.
What do you mean by "do some things that are not quite docker suggested"?
And thank you! I changed my tag from `latest` to `v5.1.2-armhf-buster`.
You'll have to use the container link feature, which is discouraged.
I see. Isn't that very similar to just putting them on the same bridge network?
And are there any security concerns with exposing unbound as a service?
I suppose my only two options are to:
Otherwise, there's no way to set an environment variable or anything, right?
They already are on the same bridge network.
On the same private network that you've exposed Pi-hole? If only your trusted users are on it then you'll have to rate them as a security concern.
Well, you're trying to tell `dnsmasq`|`pihole-FTL` to use a FQDN as an upstream so it needs some way of knowing how to ask itself what the FQDN resolves to.
Easier solution:
Tell us what you're trying to achieve and why you've chosen this current setup and maybe we can find a better way.
Thanks for the detail!
In short, I'm trying to set up my Raspberry Pi to host some docker container instances of the following services:
- Pihole
  - Pointing to Unbound as an upstream DNS server
  - I would like to use Pihole locally while at home, as well as while I'm out of the house.
- Wireguard
  - To access home network while away (from laptop and phones)
  - Points to Pihole as DNS
  - One tunnel for only local devices on my router's subnet (using local DNS hostnames in Pihole)
  - One tunnel for all other web traffic (to utilize Pihole's ad-blocking)
  For use with Dynamic DNS to access home network from afar, and setting Pihole to DNS)
- Unbound (For use with Pihole). Using Cloudflare as an upstream
- Dynamic DNS updater (updates my dynamic dns provider with my current IP address) to access Wireguard remotely. Ideally the only port I would forward on my router would be for Wireguard.
Then I would theoretically set my router to use Pihole as my DNS server (by pointing it to my raspberry pi's IP address).
I'm not really sure why I've chosen that exact set up other than I have some experience with docker (and would like to know more) and have used some of the services separately and like what they provide in theory.
I was mostly trying to see if I could get away without explicitly setting an IP address for each service on my raspberry pi. I guess it would add consistency, but it also feels kind of weird for some reason too. I guess if they're all on the same subnet, they would only be able to talk to each other unless they were exposed on the raspberry pi, right?
There's nothing in your description that indicates `unbound` needs to be isolated away from access. Can you just use the host networking mode and configure `unbound` to be on a non-53 port?
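What the host-networking suggestion above looks like as a compose file, written here as an added example rather than a config from the thread. It assumes the unbound.conf mounted from `./unbound` has been edited to set `interface: 127.0.0.1`, `port: 5335` and `access-control: 127.0.0.0/8 allow` under `server:`, so the resolver is reachable only from the Pi itself; the unbound image tag is a placeholder to be replaced with a real pinned version.

```yaml
version: "3.7"
services:
  unbound:
    # Placeholder tag: pin to a real versioned tag from the image's tag list.
    image: "mvance/unbound-rpi:<pinned-tag>"
    container_name: unbound
    # Shares the Pi's network namespace: no port mapping, no docker DNS names needed.
    # Note: `hostname:` cannot be combined with host networking, so it is dropped.
    network_mode: host
    restart: unless-stopped
    volumes:
      # unbound.conf here must listen on 127.0.0.1 port 5335 (see lead-in),
      # so unbound is never exposed to the LAN, only to Pi-hole on the same host.
      - "./unbound:/opt/unbound/etc/unbound/"
    # NET_ADMIN / SYS_MODULE are not required for a recursive resolver; omit them.

  pihole:
    depends_on: [unbound]
    image: "pihole/pihole:v5.1.2-armhf-buster"   # versioned tag from the thread
    container_name: pihole
    # Pi-hole binds 53/80/443 on the host directly, so `ports:` is not needed.
    network_mode: host
    restart: unless-stopped
    environment:
      TZ: $TZ
      # Pi-hole's "host#port" syntax for an upstream on a non-53 port.
      DNS1: 127.0.0.1#5335
      # Set both, otherwise the image falls back to a public resolver.
      DNS2: 127.0.0.1#5335
    volumes:
      - "./pihole/:/etc/pihole/"
      - "./dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN   # needed by the image for DHCP (port 67); drop if DHCP is unused
```

A quick check after `docker-compose up -d` is `dig @127.0.0.1 -p 5335 example.com` on the Pi (should answer) and the same query from another LAN host (should time out), which confirms unbound is loopback-only while Pi-hole still serves port 53 to the LAN.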
That did the trick! Thank you very much!