PowerDNS Recursor and Pi-hole with Docker on a Raspberry Pi

I'm trying to set up powerdns-recursor and pihole in docker containers on the same Raspberry Pi.

I want my pihole to either block certain traffic, or forward it to powerdns in the other container. I want powerdns to work as a recursive resolver, but if it can't find a DNS record, forward requests to cloudflare resolver at 1.1.1.1. And if pihole is down, just forward requests to cloudflare.

I have the following docker-compose.yml and conf files.

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      TZ: 'MyCity/MyCountry'  # e.g., 'America/New_York'
      WEBPASSWORD: '<PASSWORD>'  # Set your web interface password
    volumes:
      - './pihole/resolv.conf:/etc/resolv.conf'
      - './pihole/setupVars.conf:/etc/pihole/setupVars.conf'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '80:80'
    restart: unless-stopped
    networks:
      - my_custom_network
  powerdns:
    container_name: powerdns
    image: powerdns/pdns-recursor-51
    volumes:
      - './recursor.conf:/etc/powerdns/recursor.conf'
    ports:
      - '5354:53/tcp'
      - '5354:53/udp'
    restart: unless-stopped
    networks:
      - my_custom_network
networks:
  my_custom_network:
    driver: bridge

The recursor.conf

local-address=0.0.0.0
local-address=[::]
include-dir=/etc/powerdns/recursor.d
forward-zones-recurse=.=1.1.1.1
allow-from=<my network's IP>/24
loglevel=9

And this is my setupVars.conf

PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=172.19.0.3
IPV6_ADDRESS=
PIHOLE_DNS_1=powerdns#5354
PIHOLE_DNS_2=1.1.1.1
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
WEBPASSWORD=<some password>
BLOCKING_ENABLED=true

When I spin up the containers and docker exec into the pihole container the setupVars are completely different, defaulting to 8.8.8.8 as the upstream DNS server. As a result, nothing is hitting the powerdns resolver.

I don't want to have to exec into the container each time to update the values, or use the web admin host. I'd just like to be able to set up a conf file and then spin up the containers. Is this possible?

Since you don't want to use the web interface, you need to use a volume (bind mount) to store Pi-hole files and access setupVars.conf from the host machine.

Sorry, I'm annoyed at myself. I have volumes mounted for pihole, but when I run docker-compose up -d these volumes aren't being mounted and some default values are being placed in setupVars.conf.

I've updated my initial question with the correct config.

Pi-hole writes to setupVars.conf upon user interaction; it is not intended to be manually edited.

To configure your Pi-hole Docker container, populate its respective Environment Variables instead.

This won't work as you intend it, for two reasons:
If you provide a set of DNS servers to be used, each of them may be used arbitrarily.
And switching to another DNS server can happen for any request, and may be triggered e.g. by the current one being unresponsive.
However, inability to provide a DNS record is a common occurrence in DNS, in which case a server would be fully responsive, replying with a perfectly valid NXDOMAIN or SERVFAIL.

That's not possible with DNS.

As explained, if your clients were aware of another DNS server in addition to Pi-hole, then clients could bypass Pi-hole at any time, at their own discretion.

In order to reliably filter your network's DNS traffic, Pi-hole has to be the sole DNS server for your network.

Consequently, if your Pi-hole is inoperational, then its clients won't be able to resolve DNS names anymore.
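
The environment-variable approach recommended in the answer above, sketched as an added example that is not part of the original posts and is not the Pi-hole project's own file. It assumes the v5-era pihole/pihole image (the one that reads WEBPASSWORD, as in the question); the host path ./pihole/etc-pihole is hypothetical.

```yaml
# Added example: configure Pi-hole through environment variables instead of
# bind-mounting setupVars.conf. Assumes the v5-era image variables.
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      TZ: 'MyCity/MyCountry'
      WEBPASSWORD: '<PASSWORD>'
      # Single upstream, so Pi-hole cannot pick 1.1.1.1 arbitrarily.
      # Addressed by compose service name on the container port (53);
      # 5354 in the question is only the host-side port mapping.
      PIHOLE_DNS_: 'powerdns#53'
      QUERY_LOGGING: 'true'
      DNS_FQDN_REQUIRED: 'true'
      DNS_BOGUS_PRIV: 'true'
    volumes:
      # Hypothetical host path: persists Pi-hole state across recreation.
      # setupVars.conf itself is no longer mounted or hand-edited.
      - './pihole/etc-pihole:/etc/pihole'
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '80:80'
    depends_on:
      - powerdns
    restart: unless-stopped
    networks:
      - my_custom_network
  powerdns:
    container_name: powerdns
    image: powerdns/pdns-recursor-51
    volumes:
      # allow-from in recursor.conf must cover the subnet of
      # my_custom_network, because that is where Pi-hole's queries
      # originate; the recursor drops queries from other sources.
      - './recursor.conf:/etc/powerdns/recursor.conf'
    # No published ports: the recursor is reachable only from containers
    # on my_custom_network, so LAN clients cannot query it directly and
    # bypass Pi-hole's filtering.
    restart: unless-stopped
    networks:
      - my_custom_network
networks:
  my_custom_network:
    driver: bridge
```

The fallback to Cloudflare stays in recursor.conf (forward-zones-recurse=.=1.1.1.1) rather than being listed as a second Pi-hole upstream.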