How can I use a docker hostname as my Upstream DNS server?

I'm trying to use unbound as my upstream DNS server, and I'm using docker for both pihole and unbound. I know I can create a docker network and manually assign static IP addresses for both containers, but I can't quite figure out why I can't set my DNS server to a hostname...
Is there any way to interpolate the unbound's IP address when building the container?
Here is my current docker config:

version: "3.7"

services:
  pihole:
    depends_on: [unbound]
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    hostname: pihole.lan
    dns:
      - 127.0.0.1
      - unbound.lan # Points to unbound
    environment:
      TZ: $TZ
      DNS1: unbound.lan # Unbound IP
      DNS2: unbound.lan # If we don't specify two, it will auto pick google.
    volumes:
      - "./pihole/:/etc/pihole/"
      - "./dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

  unbound:
    image: "mvance/unbound-rpi:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: unbound.lan
    volumes:
      - "./unbound:/opt/unbound/etc/unbound/"
    environment:
      PUID: $PUID
      PGID: 995
    cap_add:
      - NET_ADMIN
      - SYS_MODULE


unbound.lan doesn't mean anything to anyone, so it can't be used as the name. If you want to refer to other containers then you need to use their container_name.

So first step would be to change unbound.lan to just unbound since that is the containers name.

Off the top of my head I don't know if you can use a FQDN in the DNS1 or 2 environment variables, but we can see.

And you may need to expose the port from unbound's container for others to use it.

If you're going to use the default bridge then you're going to have to do some things that are not quite docker suggested and may break if docker changes behaviors.

And please do not use the latest tag for Pi-hole, pin to a versioned tag.

Yeah, I could expose the unbound way, but was wondering if using container_names is possible, I would prefer that.
Would unbound (the container name) still be considered a FQDN?
I did try that separately (DNS1=unbound and DNS2=unbound) and found the same error.
dnsmasq: bad address...

If you're going to use the default bridge then you're going to have to do some things that are not quite docker suggested and may break if docker changes behaviors.

What do you mean by "do some things that are not quite docker suggested"?

And thank you! I changed my tag from latest to v5.1.2-armhf-buster.

You'll have to use the container link feature, which is discouraged.

I see. Isn't that very similar to just putting them on the same bridge network?
And are there any security concerns with exposing unbound as a service?
I suppose my only two options are to:

  • Set an IP address

  • Expose unbound and point pihole to 127.0.0.1:

Otherwise, there's no way to set an environment variable or anything, right?

They already are on the same bridge network.

On the same private network that you've exposed Pi-hole? If only your trusted users are on it then you'll have to rate them as a security concern.

Well, you're trying to tell dnsmasq|pihole-FTL to use a FQDN as an upstream so it needs some way of knowing how to ask itself what the FQDN resolves to.

Easier solution:

Tell us what you're trying to achieve and why you've chosen this current setup and maybe we can find a better way.

Thanks for the detail!
In short, I'm trying to set up my Raspberry Pi to host some docker container instances of the following services:

  1. Pihole
    • Pointing to Unbound as an upstream DNS server
    • I would like to use Pihole locally while at home, as well as while I'm out of the house.
  2. Wireguard
    • To access home network while away (from laptop and phones)
    • Points to Pihole as DNS
    • One tunnel for only local devices on my router's subnet (using local DNS hostnames in Pihole)
    • One tunnel for all other web traffic (to utilize Pihole's ad-blocking)
    • For use with Dynamic DNS to access home network from afar, and setting Pihole to DNS
  3. Unbound (For use with Pihole). Using Cloudflare as an upstream
  4. Dynamic DNS updater (updates my dynamic dns provider with my current IP address) to access Wireguard remotely. Ideally the only port I would forward on my router would be for Wireguard.

Then I would theoretically set my router to use Pihole as my DNS server (by pointing it to my raspberry pi's IP address).
I'm not really sure why I've chosen that exact set up other than I have some experience with docker (and would like to know more) and have used some of the services separately and like what they provide in theory.
I was mostly trying to see if I could get away without explicitly setting an IP address for each service on my raspberry pi. I guess it would add consistency, but it also feels kind of weird for some reason too. I guess if they're all on the same subnet, they would only be able to talk to each other unless they were exposed on the raspberry pi, right?

There's nothing in your description that indicates unbound needs to be isolated away from access. Can you just use the host networking mode and configure unbound to be on a non-53 port?

That did the trick! Thank you very much!
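Added example, not from any post in this thread: a compose file for the host-networking setup the last answer suggests, with unbound bound to loopback on an assumed port 5335 so Pi-hole reaches it as 127.0.0.1#5335 and nothing on the LAN can query it directly. The unbound.conf lines shown in comments, the port number, and the use of the tag the poster mentioned are assumptions.

```yaml
version: "3.7"

services:
  unbound:
    image: "mvance/unbound-rpi:latest"   # pin to a versioned tag, as advised for Pi-hole
    container_name: unbound
    restart: unless-stopped
    network_mode: host                   # shares the Pi's network stack; no ports: needed
    volumes:
      - "./unbound:/opt/unbound/etc/unbound/"
    # Assumed ./unbound/unbound.conf (mounted by the volume above):
    #   server:
    #     interface: 127.0.0.1           # loopback only, so unbound is not exposed to the LAN
    #     port: 5335                     # assumed non-53 port; Pi-hole keeps 53 on the host
    #     access-control: 127.0.0.0/8 allow

  pihole:
    depends_on: [unbound]
    image: "pihole/pihole:v5.1.2-armhf-buster"
    container_name: pihole
    restart: unless-stopped
    network_mode: host                   # hostname:, dns: and ports: are not used in host mode
    environment:
      TZ: $TZ
      DNS1: 127.0.0.1#5335               # Pi-hole's "IP#port" upstream syntax, same host
      DNS2: 127.0.0.1#5335               # both set so the image does not fall back to Google
    volumes:
      - "./pihole/:/etc/pihole/"
      - "./dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
```

With both containers in host mode, Pi-hole listens on the Pi's port 53 for the LAN and WireGuard clients, while unbound answers only on 127.0.0.1:5335, so the "expose unbound as a service" concern raised above does not arise.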