Pi-hole uses upstream port 53 alongside the single defined one, is this OK?

Hi,
on my router I have the ISP DNS disabled, run an unbound instance on it (which uses Mullvad DNS over TLS as upstream), and the router is set to use the unbound resolver as upstream on 127.0.0.1:5354. After I added Pi-hole to my network I set Pi-hole to use the unbound on the router as upstream (192.168.1.1#5354) too, and set the DHCP on the router to serve Pi-hole as the DNS server.

Everything works OK, but I notice Pi-hole keeps resolving from 192.168.1.1:53 alongside 192.168.1.1:5354, even though 192.168.1.1#5354 is the single upstream defined for Pi-hole. Is this because of the conditional forwarding when Pi-hole resolves the hostnames?

and this is the docker-compose.yml:

version: "3"

# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

services:
  pihole:
    container_name: pihole
    hostname: pihole1-docker
    image: pihole/pihole:latest
#    privileged: true
# For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
#    network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
#      - "443:443/tcp"
    environment:
      TZ: ${TZ}
      WEBPASSWORD: ${PIHOLE_PASSWD}
      PIHOLE_DNS_: ${DNS_1}
      REV_SERVER: ${COND_FORWARD}
      REV_SERVER_TARGET: ${ROUTER_IP}
      REV_SERVER_DOMAIN: ${ROUTER_DOMAIN}
      REV_SERVER_CIDR: ${ROUTER_REVERSE}
      ServerIP: ${SERVER_IP}
#      ServerIPv6: ${SERVER_IP6}
      VIRTUAL_HOST: ${V_HOST}
# Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
# run `touch ./var-log/pihole.log` first unless you like errors
# - './var-log/pihole.log:/var/log/pihole.log'
    cap_add:
      - NET_ADMIN
      - SYS_NICE    # needed for negative nice

    restart: unless-stopped

and the .env:

PIHOLE_PASSWD=[REDACTED]
TZ=Europe/London

DNS_1="192.168.1.1#5354"

COND_FORWARD=true
ROUTER_DOMAIN=lan
ROUTER_IP=192.168.1.1
ROUTER_REVERSE=192.168.1.0/24

SERVER_IP=192.168.1.101
SERVER_IP6=

V_HOST=pi-hole
FTLCONF_REPLY_ADDR4=192.168.1.101

You have enabled Conditional Forwarding to 192.168.1.1:

That would use port 53 by default.

Commonly, a router handling DHCP would inject hostnames as requested by DHCP clients into its own DNS server (and unbound would be completely unaware of those local names). However, be aware that not all routers would do so.

If your router updates its DNS from DHCP leases, I'd stick with the default.

If you'd like unbound to be the CF target instead, configure Pi-hole's CF for the dedicated port, as you did for your custom upstream. Make sure that unbound actually can provide resolution for the names you intend to resolve via CF.

Thanks for the quick reply. On the router I use OpenWrt, which links unbound with dnsmasq there, so unbound knows about the hostnames. But if Pi-hole only talks to the router on :53 to resolve the hostnames, I guess it does not make much difference if I change it, as whatever comes to the router at :53 gets answered by :5354 anyway (confirmed by turning off unbound on the router, which completely shuts down name resolution for the whole network).

I was just worried that it might be indicative of some device "bypassing" Pi-hole or some such.

If either your unbound knows about local names or your router's dnsmasq would use unbound as upstream, you could disable CF altogether and just use either 192.168.1.1#5354 or 192.168.1.1#53 as Pi-hole's sole upstream.

You'd also have to untick "Never forward reverse lookups for private IP ranges" in Pi-hole's DNS settings for that to work. Unticking "Never forward non-FQDN A and AAAA queries" would also be recommended, especially if your router does not distribute a local search domain.
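To make the forwarding decisions in the two answers above concrete, here is an added Python model (not Pi-hole's or dnsmasq's own code) of how a query is routed given the posted .env values: dnsmasq's "host#port" syntax with port 53 assumed when no port is given, the conditional-forwarding domain and the reverse zone derived from REV_SERVER_CIDR, and the two "Never forward ..." checkboxes. The configuration dicts and query names are constructed for illustration; the check order is a simplification of dnsmasq's behaviour, and reverse_zone only handles octet-aligned IPv4 prefixes.

```python
import ipaddress

DEFAULT_DNS_PORT = 53  # dnsmasq assumes this when no '#port' is given


def parse_target(spec, default_port=DEFAULT_DNS_PORT):
    """Parse dnsmasq's 'host#port' upstream syntax into (host, port).

    '192.168.1.1#5354' -> ('192.168.1.1', 5354); '192.168.1.1' -> ('192.168.1.1', 53).
    Surrounding double quotes, as found in the .env file, are stripped.
    """
    host, sep, port = spec.strip().strip('"').partition("#")
    return host, (int(port) if sep else default_port)


def reverse_zone(cidr):
    """Return the in-addr.arpa zone covering an IPv4 /8, /16 or /24 network.

    Simplified helper (assumption): only octet-aligned prefixes are handled.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def is_private_reverse(qname):
    """True if qname is a full PTR name for a private (RFC 1918 etc.) IPv4 address."""
    labels = qname.split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return False
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4]))).is_private
    except ValueError:
        return False


def choose_upstream(qname, cfg):
    """Decide where a query is forwarded, or None if it is answered locally.

    cfg mirrors the .env keys from the post: upstream (PIHOLE_DNS_), rev_server
    (REV_SERVER), rev_target, rev_domain, rev_cidr, plus the two DNS-settings
    checkboxes (constructed keys never_forward_non_fqdn / never_forward_private_rev).
    """
    qname = qname.rstrip(".").lower()

    def in_zone(zone):
        return qname == zone or qname.endswith("." + zone)

    # Conditional forwarding (server=/domain/... and rev-server=CIDR,...) is
    # consulted first; a port-less target lands on port 53.
    if cfg["rev_server"]:
        if in_zone(cfg["rev_domain"].lower()) or in_zone(reverse_zone(cfg["rev_cidr"])):
            return parse_target(cfg["rev_target"])

    # "Never forward non-FQDN A and AAAA queries" (dnsmasq domain-needed)
    if cfg["never_forward_non_fqdn"] and "." not in qname:
        return None
    # "Never forward reverse lookups for private IP ranges" (dnsmasq bogus-priv)
    if cfg["never_forward_private_rev"] and is_private_reverse(qname):
        return None

    return parse_target(cfg["upstream"])


# Constructed configuration matching the .env in the post (port-less CF target)
POSTED = {
    "upstream": '"192.168.1.1#5354"',
    "rev_server": True,
    "rev_target": "192.168.1.1",
    "rev_domain": "lan",
    "rev_cidr": "192.168.1.0/24",
    "never_forward_non_fqdn": True,
    "never_forward_private_rev": True,
}


def variants():
    """The three configurations discussed in the thread, as constructed dicts."""
    cf_with_port = dict(POSTED, rev_target="192.168.1.1#5354")
    no_cf_unticked = dict(POSTED, rev_server=False,
                          never_forward_non_fqdn=False, never_forward_private_rev=False)
    return {"posted": POSTED, "cf_with_port": cf_with_port, "no_cf_unticked": no_cf_unticked}


if __name__ == "__main__":
    queries = ["nas.lan", "101.1.168.192.in-addr.arpa", "example.com", "nas"]
    for name, cfg in variants().items():
        for q in queries:
            print(f"{name:15} {q:30} -> {choose_upstream(q, cfg)}")
```

With the posted configuration, "nas.lan" and the PTR name for 192.168.1.101 go to 192.168.1.1 on port 53 while "example.com" goes to port 5354, which is exactly the pair of destinations seen in the query log. Adding "#5354" to the CF target moves everything to the unbound port; disabling CF while leaving the "Never forward" boxes ticked makes the private reverse lookup stay local, and unticking them sends it to the sole upstream.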