Pi4/ubuntu/docker/nginx - Pihole won't block a thing

Hi

I can see all my clients (after setting 'permit all origins'), but it's not blocking anything (for example on canyoublockit.com). I set the Pi4 as DNS server in my FritzBox, fiddled a bit with the setup (set '127.0.0.1#8053' as 'Custom 1 (IPv4)' upstream DNS server and removed the checked ones) and docker-compose.yml, but so far that's the most functional state I could reach. I also gave the Ubuntu Server install the special treatment mentioned in the repo readme; running Ubuntu 20.04, with Pihole in Docker.

Not sure why debug says :80 and :53 are occupied; there isn't anything else running.

docker-compose.yml,
container start-up,
debug-log:

version: "3"

# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    ports:
      - '8080:80'
    environment:
      DEFAULT_HOST: pihole.pp.net
    volumes:
      - '/var/run/docker.sock:/tmp/docker.sock'
    restart: always

  pihole:
    image: pihole/pihole:latest
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      # host port 8053 -> the container's web UI (lighttpd on 80); this is not a DNS listener
      - '8053:80/tcp'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN
    environment:
      ServerIP: 192.168.0.44
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.pp.net
      VIRTUAL_PORT: 80
    extra_hosts:
      # Resolve to nothing domains (terminate connection)
      - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
      # LAN hostnames for other docker containers using nginx-proxy
      - 'pp.net:192.168.0.44'
      - 'pihole pihole.pp.net:192.168.0.44'
    restart: always

Container start-up:

nginx-proxy_1  | Info: running nginx-proxy version 1.0.1-6-gc4ad18f
nginx-proxy_1  | Setting up DH Parameters..
nginx-proxy_1  | forego      | starting dockergen.1 on port 5000
nginx-proxy_1  | forego      | starting nginx.1 on port 5100
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: using the "epoll" event method
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: nginx/1.21.6
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: OS: Linux 5.4.0-1066-raspi
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker processes
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 23
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 24
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 25
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 26
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:12 Template error: open /etc/nginx/certs: no such file or directory
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:12 Generated '/etc/nginx/conf.d/default.conf' from 7 containers
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:12 Running 'nginx -s reload'
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: signal 1 (SIGHUP) received from 29, reconfiguring
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: reconfiguring
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:12 Watching docker events
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: using the "epoll" event method
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker processes
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 32
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 33
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 34
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:12 [notice] 18#18: start worker process 35
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:13 Template error: open /etc/nginx/certs: no such file or directory
nginx-proxy_1  | dockergen.1 | 2022/07/19 09:26:13 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 23#23: gracefully shutting down
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 24#24: gracefully shutting down
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 25#25: gracefully shutting down
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 26#26: gracefully shutting down
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 25#25: exiting
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 23#23: exiting
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 24#24: exiting
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 26#26: exiting
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 25#25: exit
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 23#23: exit
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 24#24: exit
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 26#26: exit
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: signal 17 (SIGCHLD) received from 24
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: worker process 23 exited with code 0
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: worker process 24 exited with code 0
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: worker process 26 exited with code 0
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: signal 29 (SIGIO) received
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: signal 17 (SIGCHLD) received from 26
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: signal 17 (SIGCHLD) received from 25
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: worker process 25 exited with code 0
nginx-proxy_1  | nginx.1     | 2022/07/19 09:26:13 [notice] 18#18: signal 29 (SIGIO) received
pihole_1       | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
pihole_1       | [s6-init] ensuring user provided files have correct perms...exited 0.
pihole_1       | [fix-attrs.d] applying ownership & permissions fixes...
pihole_1       | [fix-attrs.d] 01-resolver-resolv: applying...
pihole_1       | [fix-attrs.d] 01-resolver-resolv: exited 0.
pihole_1       | [fix-attrs.d] done.
pihole_1       | [cont-init.d] executing container initialization scripts...
pihole_1       | [cont-init.d] 05-changer-uid-gid.sh: executing...
pihole_1       | [cont-init.d] 05-changer-uid-gid.sh: exited 0.
pihole_1       | [cont-init.d] 20-start.sh: executing...
pihole_1       |  ::: Starting docker specific checks & setup for docker pihole/pihole
pihole_1       |
pihole_1       |   [i] Installing configs from /etc/.pihole...
pihole_1       |   [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
pihole_1       | Existing DNS servers detected in setupVars.conf. Leaving them alone
pihole_1       | ::: Assigning password defined by Environment Variable
pihole_1       |   [✓] New password set
pihole_1       | DNSMasq binding to default interface: eth0
pihole_1       | Added ENV to php:
pihole_1       |                        "PIHOLE_DOCKER_TAG" => "2022.07.1",
pihole_1       |                        "PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
pihole_1       |                        "ServerIP" => "192.168.0.44",
pihole_1       |                        "CORS_HOSTS" => "",
pihole_1       |                        "VIRTUAL_HOST" => "pihole.pp.net",
pihole_1       | Using IPv4 and IPv6
pihole_1       | ::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
pihole_1       | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
pihole_1       | ::: Testing lighttpd config: Syntax OK
pihole_1       | ::: All config checks passed, cleared for startup ...
pihole_1       | ::: Enabling Query Logging
pihole_1       |   [i] Enabling logging...
  [✓] Logging has been enabled!
pihole_1       |  ::: Docker start setup complete
pihole_1       |   Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
pihole_1       |   Pi-hole version is v5.11.4 (Latest: v5.11.4)
pihole_1       |   AdminLTE version is v5.13 (Latest: v5.13)
pihole_1       |   FTL version is v5.16.1 (Latest: v5.16.1)
pihole_1       |   Container tag is: 2022.07.1
pihole_1       | [cont-init.d] 20-start.sh: exited 0.
pihole_1       | [cont-init.d] done.
pihole_1       | [services.d] starting services
pihole_1       | Starting crond
pihole_1       | Starting pihole-FTL (no-daemon) as pihole
pihole_1       | Starting lighttpd
pihole_1       | [services.d] done.

Debug log:

Moderator edit: explicit debug log removed

(Just post the token, please. For your own privacy and security, do not post the full, unsanitised debug log output here.)

Those may not be accurate, and that would be common for a dockered Pi-hole - Docker imposes some restrictions on diagnostics. Nothing to worry about. :wink:

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_DNS_1=127.0.0.1#8053

What upstream DNS are you intending to reach via 127.0.0.1#8053?

The 127.0.0.1 loopback address would point to Pi-hole's container, and there is nothing listening on port 8053 in the official Pi-hole image.

And in case you'd instead use the outward facing IP of Pi-hole's container, note that you would then have redirected DNS requests to your Pi-hole container's HTTP port.

Both resolution paths would always result in upstream DNS resolution failure.

EDIT:
And as you are not complaining about failing DNS resolution, but ineffective blocking, that would suggest that your clients aren't (yet) using Pi-hole for DNS (but another DNS server with working resolution and no blocking :wink: ).

Thanks for the heads-up (and action). I altered IPs and name entries; wasn't sure about the code, now I know.

Ugh, that makes total sense. I just gave up too quickly today because I had to leave.

So, I just removed the custom DNS entry and rechecked the Google servers. Pihole now indicates my devices are using its DNS (highlighted green), but still no blocking. Do I miss anything here? :smiley:

I guess my docker-compose.yml might need some improvements... But I think it is simply because their sources are not included in the standard list, right?

But, no, also when I add a site to the blocklist, I am still able to reach it :thinking:

Run from a client, what is the output of:

nslookup pi.hole
nslookup flurry.com

Server:  8528ed1390e6
Address:  10.0.0.243

*** 8528ed1390e6 can't find pi.hole: Non-existent domain
Server:  8528ed1390e6
Address:  10.0.0.243

Non-authoritative answer:
Name:    flurry.com
Addresses:  212.82.100.150
          98.136.103.23
          74.6.136.150

That client is not using your Pi-hole (presumably at 192.168.0.44) for DNS, but 10.0.0.243.

Did you configure your router to make your network take advantage of Pi-hole yet?

Yes, I set Pihole's device local IP as DNS server in the FritzBox.
I just noticed fritz.box isn't reachable anymore, only via IP.

Did you cross-check whether your client renewed its DHCP lease to receive the new settings by re-running those nslookups?

I did; the response didn't change.
I uploaded a debug log: prIqB239

If the response didn't change, then your client is still using 10.0.0.243 for DNS, either because it hasn't renewed its DHCP lease yet, or because your router is still distributing that IP as DNS server.

Since you mention using a FritzBox router, have a look at our configuration suggestions at Fritz!Box (EN) - Pi-hole documentation.

Thanks for the reference. But setting the Pi as DNS server in the FritzBox is the first thing I did.

I can only imagine that this IP comes from the Docker environment, or maybe from the hub the Pi is sitting on.

Run from the same client, what's the output of

nslookup pi.hole 192.168.0.44
nslookup flurry.com 192.168.0.44

(assuming your Pi-hole is still residing at 192.168.0.44)

timeout :no_mouth:
[screenshot]
But I'm able to reach the admin dashboard (only via IP) and SSH into it.
And also, domain name resolution seems to work fine for WLAN devices.

Please share the full output for both commands, including the actual commands.

As that is a (partial) screenshot rather than text (as your previous result):
Was that nslookup run from the same client?

Your screenshot would suggest that the client it was run from cannot reach your dockered Pi-hole at 192.168.0.44 at all (if you did use that IP), perhaps because your Pi-hole now resides at a different IP address. Your debug logs would suggest that you've changed Pi-hole's IP address prior to each debug run. Make sure you've reflected those changes in your router and other relevant networking equipment.

Pi-hole requires a stable IP address that is reachable from all your networks that you want to use it for DNS:

The 10.0.0.243 that your client is using for DNS is neither from Docker's default subnet range nor part of your 192.168.0.0/24 home network. Without a respective route, a client from that 10.0.0.0 subnet wouldn't be able to communicate with your other network(s).

If that is somehow related to your additional network equipment, you may have to figure how to configure that to make use of Pi-hole. You mention a hub, but that would just blindly forward traffic to all connected nodes, with next to no configuration requirements. Now, if that would be a smarter device like a switch or a router, it may offer configuration options for DNS:
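The checks suggested earlier in the thread (`nslookup pi.hole` and `nslookup flurry.com`, first via the client's default resolver, then directly against 192.168.0.44) and the subnet reasoning in the last reply can be turned into a small triage script. The following is an added example written for this page, not code from the thread or from the Pi-hole project. It parses nslookup output in the format the client above produced (which looks like Windows nslookup; Linux-style `Address: x.x.x.x#53` output is handled too), reports which resolver the client actually used, whether that resolver is the Pi-hole, whether its address belongs to the LAN, Docker's default bridge (172.17.0.0/16, an assumption that the daemon runs with default settings), or some foreign subnet such as 10.0.0.243, and whether a blocklisted name came back as a null answer. The `SAMPLE_PIHOLE` and `SAMPLE_FLURRY` inputs are copied from the thread; `SAMPLE_BLOCKED` and `SAMPLE_TIMEOUT` are constructed to show what a working Pi-hole and an unreachable one look like.

```python
"""Triage nslookup output from a client the way the replies above do (added example)."""
import ipaddress

# Assumption: Docker daemon with default settings, so the bridge is 172.17.0.0/16.
DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")
# What Pi-hole answers for a blocked name in its default NULL blocking mode.
BLOCKED_ANSWERS = {"0.0.0.0", "::"}

# Copied from the thread: client output for `nslookup pi.hole`.
SAMPLE_PIHOLE = """Server:  8528ed1390e6
Address:  10.0.0.243

*** 8528ed1390e6 can't find pi.hole: Non-existent domain
"""
# Copied from the thread: client output for `nslookup flurry.com`.
SAMPLE_FLURRY = """Server:  8528ed1390e6
Address:  10.0.0.243

Non-authoritative answer:
Name:    flurry.com
Addresses:  212.82.100.150
          98.136.103.23
          74.6.136.150
"""
# Constructed: a blocking Pi-hole at 192.168.0.44 answering (Linux nslookup format).
SAMPLE_BLOCKED = """Server:\t\t192.168.0.44
Address:\t192.168.0.44#53

Name:\tflurry.com
Address: 0.0.0.0
Name:\tflurry.com
Address: ::
"""
# Constructed: the "timeout" result when the Pi-hole IP cannot be reached.
SAMPLE_TIMEOUT = """Server:  UnKnown
Address:  192.168.0.44

DNS request timed out.
"""


def _ip_or_none(token):
    """Turn '192.168.0.44#53' or '10.0.0.243' into a canonical IP string, else None."""
    try:
        return str(ipaddress.ip_address(token.split("#")[0].strip()))
    except ValueError:
        return None


def parse_nslookup(text):
    """Extract the resolver, the answers and the NXDOMAIN/timeout flags."""
    res = {"server": None, "server_ip": None, "answers": [],
           "nxdomain": False, "timeout": False}
    in_answer = False  # becomes True after the first 'Name:' line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if "timed out" in low:
            res["timeout"] = True
        elif "non-existent domain" in low or "nxdomain" in low:
            res["nxdomain"] = True
        elif line.startswith("Server:"):
            res["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            in_answer = True
        elif line.startswith(("Address:", "Addresses:")):
            ip = _ip_or_none(line.split(":", 1)[1])
            if ip is None:
                continue
            if in_answer:
                res["answers"].append(ip)
            elif res["server_ip"] is None:
                res["server_ip"] = ip  # the first Address: line is the resolver
        elif in_answer:
            ip = _ip_or_none(line)  # indented continuation lines of 'Addresses:'
            if ip:
                res["answers"].append(ip)
    return res


def classify_resolver(parsed, pihole_ip, lan_net):
    """Where does the resolver the client used sit relative to Pi-hole and the LAN?"""
    if parsed["timeout"] or parsed["server_ip"] is None:
        return "UNREACHABLE"
    ip = ipaddress.ip_address(parsed["server_ip"])
    if ip == ipaddress.ip_address(pihole_ip):
        return "PIHOLE"
    if ip in ipaddress.ip_network(lan_net):
        return "OTHER_LAN_RESOLVER"
    if ip in DOCKER_DEFAULT_BRIDGE:
        return "DOCKER_BRIDGE"
    return "FOREIGN_SUBNET"  # e.g. 10.0.0.243 against a 192.168.0.0/24 LAN


def uses_pihole(parsed_pi_hole_query, pihole_ip):
    """Pi-hole answers 'pi.hole' with its own address; any other resolver says NXDOMAIN."""
    return pihole_ip in parsed_pi_hole_query["answers"]


def blocking_verdict(parsed):
    """BLOCKED if every answer is a null address or the name is NXDOMAIN.

    Caveat: NXDOMAIN is also the answer for names that simply do not exist,
    so run this against a name you know is on the blocklist.
    """
    if parsed["timeout"]:
        return "NO_ANSWER"
    if parsed["nxdomain"]:
        return "BLOCKED"
    if parsed["answers"] and set(parsed["answers"]) <= BLOCKED_ANSWERS:
        return "BLOCKED"
    return "NOT_BLOCKED" if parsed["answers"] else "NO_ANSWER"


def report(pi_hole_out, domain_out, pihole_ip, lan_net):
    """Combine both lookups into the verdicts the thread arrives at."""
    p, d = parse_nslookup(pi_hole_out), parse_nslookup(domain_out)
    return {"resolver": p["server_ip"],
            "resolver_class": classify_resolver(p, pihole_ip, lan_net),
            "client_uses_pihole": uses_pihole(p, pihole_ip),
            "blocking": blocking_verdict(d)}


if __name__ == "__main__":
    print(report(SAMPLE_PIHOLE, SAMPLE_FLURRY, "192.168.0.44", "192.168.0.0/24"))
```

Run against the thread's own output, `report` gives `resolver_class` of `FOREIGN_SUBNET`, `client_uses_pihole` of `False` and `blocking` of `NOT_BLOCKED`, which is the conclusion reached above: the client never talks to 192.168.0.44, so nothing Pi-hole does can affect it. The `SAMPLE_TIMEOUT` case maps to `UNREACHABLE`, the state to fix before looking at blocklists at all.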