No DNS resolution on Docker with pihole + unbound

My docker-compose file is in this gist. The TLDR is:

  • pihole container is listening on ports 53 TCP and UDP
  • unbound container is listening on port 5053 and forwarding it to port 53
  • a bridge docker network is setting up fixed ip addresses between these containers
  • I have traefik running as a reverse proxy, and the admin interface is accessed via it (that works just fine)

When I test the DNS using pihole I am trying the commands below (192.168.1.200 is the fixed IP address of my mac, where I am running the commands).

I get a timeout response from pihole, but the DNS resolves when I query unbound via port 5053.

When I look at the pihole query log I see the following status for each dig query: OK (sent to unbound.pi-hole_dns_net#5053).

Why do I get a timeout?

➜  pi-hole git:(v1.0) ✗ dig google.com @192.168.1.200

; <<>> DiG 9.10.6 <<>> google.com @192.168.1.200
;; global options: +cmd
;; connection timed out; no servers could be reached


➜  pi-hole git:(v1.0) ✗ dig google.com @192.168.1.200 -p 5053

; <<>> DiG 9.10.6 <<>> google.com @192.168.1.200 -p 5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	172.217.24.46

;; Query time: 141 msec
;; SERVER: 192.168.1.200#5053(192.168.1.200)
;; WHEN: Sun Jan 19 20:01:15 NZDT 2025
;; MSG SIZE  rcvd: 55

The tail of the pihole.log file only includes this information:

Jan 19 20:00:14: query[A] google.com from 172.19.0.1
Jan 19 20:00:14: forwarded google.com to 172.23.0.8#5053
Jan 19 20:00:16: query[A] pi.hole from 127.0.0.1
Jan 19 20:00:16: Pi-hole hostname pi.hole is 0.0.0.0

I didn't have the time to check the details, but there is an unknown environment variable:

HOST_IP_V4_ADDRESS: ${LOCAL_NETWORK_DOCKER_HOST_IP}

Did you mean:

FTLCONF_LOCAL_IPV4

Also, where are you running docker? In a Linux machine or in your Mac, using Docker Desktop?

The variables are defined in a .env file (which is loaded in the docker-compose file and is resolved as well). The docker services are running on docker desktop on macOS (i.e. I actually named the variable in the .env file with a different name just to make sure it was being resolved).

That's nice to know - still, HOST_IP_V4_ADDRESS isn't one of Pi-hole's valid environment variables. While you should change that (probably to FTLCONF_LOCAL_IPV4), it's not likely to contribute to your observation.

That would indicate that Pi-hole has forwarded the query, but never received a response.

Note that unbound has to be configured correctly to accept queries from Pi-hole.
You should check whether and how unbound has been receiving and processing the query, which would likely require enabling unbound's logging and adjusting its verbosity levels, if that's not already active.

On a side note, do you intend to use your unbound as a recursive resolver?
If so, mvance/unbound probably isn't the right choice, as that's not configuring unbound as a recursive resolver, but as a DoT forwarder.

EDIT:

Since you've put your Pi-hole and unbound containers on the same Docker internal network, did you try to have Pi-hole talk to unbound on port 53 directly, e.g. PIHOLE_DNS_: '172.23.0.8#53'?

#facepalm! Yeah, I meant to write FTLCONF_LOCAL_IPV4 (which doesn't change any behaviour on the pihole itself).

On my raspberry pi I used to have this setup. But now looking at the comments of the blog post (and your comment above), I see that it's not a perfect configuration.

If I don't mount any files on the unbound container it seems that these will be the configuration files that are baked into the image, which is a forwarder to cloudflare DNS servers.

So, it seems that I need to do some digging through unbound's documentation to understand the configuration settings.

Did you try my later edit to have Pi-hole talk to unbound on port 53 directly yet?

That was it, thank you @Bucking_Horn !
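
The symptom diagnosed in this thread (a query forwarded to unbound with no answer ever logged) can be checked mechanically. The following is an added example, not code from the thread or from Pi-hole: it scans pihole.log lines for forwards that never get a reply and splits the upstream into address and port. The `reply <name> is <address>` line shape and the `FIXED_LOG` sample are assumptions constructed for illustration.

```python
import re

# Line shapes as in the pihole.log excerpt quoted in the thread. The "reply"
# shape is an assumption: dnsmasq-style "reply <name> is <address>".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}): "
    r"(?P<kind>query\[\w+\]|forwarded|reply) (?P<name>\S+) (?:from|to|is) (?P<peer>\S+)"
)

# Excerpt from the thread: the forward to unbound is never answered.
THREAD_LOG = [
    "Jan 19 20:00:14: query[A] google.com from 172.19.0.1",
    "Jan 19 20:00:14: forwarded google.com to 172.23.0.8#5053",
    "Jan 19 20:00:16: query[A] pi.hole from 127.0.0.1",
    "Jan 19 20:00:16: Pi-hole hostname pi.hole is 0.0.0.0",
]

# Constructed sample of the working state (upstream on port 53, reply logged).
FIXED_LOG = [
    "Jan 19 20:30:02: query[A] google.com from 172.19.0.1",
    "Jan 19 20:30:02: forwarded google.com to 172.23.0.8#53",
    "Jan 19 20:30:02: reply google.com is 172.217.24.46",
]

def unanswered_forwards(lines):
    """Return [(timestamp, name, upstream)] for forwards with no later reply."""
    pending = {}  # name -> (timestamp, upstream) of the forward still waiting
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # local answers and other line types are ignored
        if m["kind"] == "forwarded":
            pending[m["name"]] = (m["ts"], m["peer"])
        elif m["kind"] == "reply":
            pending.pop(m["name"], None)
    return [(ts, name, up) for name, (ts, up) in pending.items()]

def upstream_port(upstream):
    """Split the 'address#port' notation; the port defaults to 53."""
    host, _, port = upstream.partition("#")
    return host, int(port) if port else 53

if __name__ == "__main__":
    for ts, name, up in unanswered_forwards(THREAD_LOG):
        host, port = upstream_port(up)
        print(f"{ts}: {name} forwarded to {host} port {port}, no reply logged")
```

An unanswered forward to a container address on a port other than the one the service listens on inside the Docker network (53 for unbound here) points at the upstream setting rather than at Pi-hole's own listener.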