So unbound complains about not being granted resources that it requested, specifically so-rcvbuf. That's an unbound configuration option, but apparently, not one that the mvance/unbound.conf would request by default?
If you have an active line so-rcvbuf in your unbound.conf, you could consider to adjust its value.
Alternatively, you could try if explicitly granting your unbound container additional capabilities may help, e.g. by adding NET_ADMIN to your docker compose like:
I replaced the default unbound.conf with the one found in the documentation here.
Though that is not for a docker container, so that may be what I'm running into with unbound. I'll try reverting back to the default conf file after work today.
I thought NET_ADMIN was only required for DHCP.
It would appear that after fixing my router by adding this new pihole docker to my DNS group I can now nslookup from my PC using google as the upstream.
Just have to work on unbound now. I'll check it out after work. Thanks everybody for all your help. Seems a majority of this is self-inflicted.
For Pi-hole, yes.
But we are trying to address issues with your unbound container.
You may want to consult with mvance/unbound maintainers.
From browsing through their docs, it seems they are assuming a whole set of configuration files expected in specific places if you are going to customise their container.
In addition, their docker image is configuring unbound as a DoT resolver, rather than as a recursive resolver, with the latter being what Pi-hole's unbound guide aims to configure. If that is what you want to achieve, you may want to discuss with them whether and how configuring their container into a recursive resolver would be possible.
I think I got everything working, at least with the default unbound.conf file. I can successfully dig from 127.0.0.1 on both ports 53 and 5335 from the host and I can nslookup from my desktop using the IP of the host on both ports.
Copying the unbound.conf from the pi-hole documentation breaks the unbound container, so I still have things to play around with it. Once I get that working I can redirect pi-hole to unbound and after that work on the root.hints file. One step at a time.
Below is my updated yaml file.
```yaml
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    hostname: guardian
    image: pihole/pihole:latest
    networks:
      - pihole-unbound
    ports:
      # DNS Ports
      - "53:53/tcp"
      - "53:53/udp"
      # Default HTTP Port
      - "81:80/tcp"
      # Default HTTPs Port. FTL will generate a self-signed certificate
      #- "443:443/tcp"
    environment:
      # Set the appropriate timezone for your location (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones), e.g:
      TZ: 'America/Chicago'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      FTLCONF_webserver_api_password: ''
      # Configure DNS upstream server, e.g:
      # FTLCONF_dns_upstreams: 'unbound'
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
      # Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards
      #- './etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped
  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    networks:
      - pihole-unbound
    ports:
      - "5335:53/tcp"
      - "5335:53/udp"
    environment:
      TZ: 'America/Chicago'
    volumes:
      - type: bind
        read_only: true
        source: ./unbound/unbound.conf
        target: /opt/unbound/etc/unbound/unbound.conf
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
networks:
  pihole-unbound:
```
Thank you everyone for all your help. It was really appreciated.
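To automate the dig checks described above against both listeners, here is an added Python script (not from this thread, Pi-hole or mvance/unbound): it sends one UDP query to each published port and reports whether the responder offers recursion (RA) and returns a DNSSEC-validated answer (AD). The query name pi-hole.net and the 127.0.0.1 ports 53 and 5335 taken from the compose file are assumptions.

```python
import os
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=1, txn_id=0x1234):
    """Build a UDP DNS query for `name` (A record by default) with RD and AD set."""
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(response):
    """Return the header fields of a DNS response that matter for this check."""
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txn_id,
        "rcode": flags & 0x000F,
        "ra": bool(flags & FLAG_RA),  # responder offers recursion
        "ad": bool(flags & FLAG_AD),  # answer passed DNSSEC validation
        "tc": bool(flags & FLAG_TC),  # truncated; retry over TCP
        "answers": an,
    }

def verdict(hdr, txn_id):
    """Classify a parsed header: 'ok', 'mismatch', 'rcode-N', 'no-recursion' or 'unvalidated'."""
    if hdr["id"] != txn_id:
        return "mismatch"
    if hdr["rcode"] != 0:
        return "rcode-%d" % hdr["rcode"]
    if not hdr["ra"]:
        return "no-recursion"
    if not hdr["ad"]:
        return "unvalidated"
    return "ok"

def check_resolver(host, port, name="pi-hole.net", timeout=3.0):
    """Send one query to host:port over UDP and return (verdict, parsed header)."""
    txn_id = int.from_bytes(os.urandom(2), "big")  # random ID, matched on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txn_id=txn_id), (host, port))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    return verdict(hdr, txn_id), hdr

if __name__ == "__main__":
    # Ports from the compose file above: Pi-hole on 53, unbound published on 5335 (assumed).
    for port in (53, 5335):
        print(port, check_resolver("127.0.0.1", port))
```

A forwarding resolver (such as a DoT setup) also sets RA, so this only confirms that each listener recurses and validates, not that unbound is doing full recursion itself.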