Pi-hole (Docker) and Unbound not interacting properly

Hello, I am currently trying to run Pi-hole, RaspAP and Unbound. To prevent conflicts between RaspAP and Pi-hole I have chosen to run Pi-hole in Docker. This has generally been successful. Pi-hole takes port 80 for web services, so RaspAP takes 8080. RaspAP takes 53 and 5353, so Pi-hole runs on 5352. That all works fine. Now for the issue. Unbound isn't running in Docker, but it is running on a different port. It runs on port 5351. From both Raspberry Pi OS and the Pi-hole Docker container I can dig either 10.0.1.1 -p 5351 or 172.17.0.1 -p 5351, depending on the Unbound config, and it works. The issue is that when I try to put either of those in the Pi-hole web interface, e.g. 172.17.0.1#5351, it doesn't work. Pi-hole won't connect to anything and digging port 5352 just results in an error. I can't seem to figure out why Pi-hole can't reach Unbound from either address, but the container it's running in can do it just fine. Any help with this issue would be greatly appreciated, as I am new to Docker and this is really starting to confuse me.

For reference, this is the output of digging on the Unbound port:

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> google.com @10.0.1.1 -p 5351
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22777
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 10.0.1.1#5351(10.0.1.1)
;; WHEN: Wed Oct 28 15:31:18 EDT 2020
;; MSG SIZE rcvd: 12

Add the line below to /etc/unbound/unbound.conf.d/pi-hole.conf (you might need to adjust the /24 mask):

access-control: 172.17.0.0/24 allow

EDIT: oh sorry, you might need the one below for the ACL:

access-control: 10.0.1.0/24 allow

Likely, your issue is about integrating your two Docker containers into the same network. Having raspap hogging port 53 further complicates your setup. As an access point, raspap would only be required to handle DHCP ports.

Depending on your chosen Docker network modes, different solution approaches would apply. You may want to familiarise yourself with Docker's network modes before continuing.

Wow. I'm kind of shocked it was that simple. I added access-control: 172.17.0.0/12 allow and 10.0.1.0/8 allow, and both port 5351 and 5352 now return success. Thank you!


I am only really running one Docker container. RaspAP and Unbound aren't in Docker. RaspAP's reliance on 53 and 5353 is because it uses dnsmasq to handle DHCP. Rather than figure out how to solve that issue, I figured it best to just choose different ports. I do plan on reading into Docker more, though, but this is a first project for me. Thank you for replying.

I believe you can also allow only a single IP if you want to lock down/secure it:

pi@ph5:~ $ man unbound.conf
[..]
       access-control: <IP netblock> <action>
              The netblock is given as an IP4 or IP6 address with  /size
              appended  for a classless network block. The action can be
              deny,    refuse,    allow,    allow_setrd,    allow_snoop,
              deny_non_local  or  refuse_non_local.   The  most specific
              netblock match is used, if none match deny is used.
[..]
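To make the ACL behaviour behind both replies concrete (the REFUSED answer in the original dig, the two suggested netblocks, and the single-IP lockdown from the man page excerpt), here is an added example that is not part of the thread or of Unbound itself. It models the semantics quoted above from unbound.conf(5): the most specific matching netblock wins, and a client that matches nothing is denied. The default rule set (localhost allowed, everything else refused) is taken from the same man page; the two sample config texts are constructed for this example, and 172.17.0.2 is an assumed address for the Pi-hole container on the Docker bridge, not a value from the thread.

```python
import ipaddress

# Built-in defaults documented in unbound.conf(5): only localhost is allowed,
# everything else is refused.  This is why the original dig against 10.0.1.1
# came back with status: REFUSED before any access-control line was added.
DEFAULT_ACL = [
    ("127.0.0.0/8", "allow"),
    ("::1", "allow"),
    ("0.0.0.0/0", "refuse"),
    ("::0/0", "refuse"),
]

# Constructed sample of /etc/unbound/unbound.conf.d/pi-hole.conf using the two
# netblocks suggested in the thread (Docker bridge and LAN side).
THREAD_CONF = """\
server:
    access-control: 172.17.0.0/24 allow   # Docker bridge network
    access-control: 10.0.1.0/24 allow     # LAN side of the Pi
"""

# Constructed, hypothetical lockdown: only one container address may query.
# 172.17.0.2 is an assumed container IP, not one reported in the thread.
LOCKED_DOWN_CONF = """\
server:
    access-control: 172.17.0.2/32 allow
"""


def parse_access_control(conf_text):
    """Return (network, action) pairs for every access-control: line.

    Comments after '#' are stripped.  strict=False accepts host bits in the
    netblock, so a line like the thread's '10.0.1.0/8' is read as 10.0.0.0/8.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) != 2:
            raise ValueError(f"malformed access-control line: {raw.strip()!r}")
        rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules


def acl_action(client_ip, rules):
    """Most specific (longest prefix) matching netblock wins; deny if none match."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "deny"


def effective_rules(conf_text):
    """Defaults plus the file's own lines; specificity decides, not file order."""
    defaults = [(ipaddress.ip_network(n), a) for n, a in DEFAULT_ACL]
    return defaults + parse_access_control(conf_text)


def decide(conf_text, client_ip):
    """Action Unbound would take for client_ip under the given config text."""
    return acl_action(client_ip, effective_rules(conf_text))


if __name__ == "__main__":
    configs = (("no extra ACL", ""), ("thread's ACL", THREAD_CONF),
               ("locked down", LOCKED_DOWN_CONF))
    clients = ("127.0.0.1", "172.17.0.1", "172.17.0.2", "10.0.1.1", "192.168.1.10")
    for name, conf in configs:
        for client in clients:
            print(f"{name:14} {client:14} -> {decide(conf, client)}")
```

Running it shows the three states the thread passes through: with no extra lines only 127.0.0.1 is allowed and the Docker bridge address is refused; with the two suggested /24 netblocks both 172.17.0.1 and 10.0.1.1 are allowed while an unrelated 192.168.1.10 stays refused; with the single /32 only that one address is allowed. A later, more specific line can also carve an exception out of a broad allow, which is the "most specific netblock match" rule the man page describes.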

I will take note of that if I ever try this in a production environment. However, this is just a personal project and security isn't a big concern.

Your clients will query on port 53, thus they will be talking to the other dnsmasq process and not Pi-hole.

This issue was resolved as stated above. However, this specific issue is not a problem either way, as the clients are receiving their DNS servers from RaspAP's DHCP server. If I really wanted to, I'm sure that I could do DHCP on Pi-hole and then have RaspAP in bridged mode, but it isn't entirely necessary. This is how both Pi-hole and Unbound don't run on port 53; they run on 5352 and 5351 respectively. The link between RaspAP and Pi-hole was actually the functional part, it seems, while the connection between Pi-hole and Unbound was not.
