I replaced my NAS with a Pi4 and took the opportunity to rebuild everything.
This also includes Pihole and unbound, which I have moved into a bridge network: 172.20.0.0/24. The gateway is: 172.20.0.1.
Unbound got a fixed IP: 172.20.0.53, Pihole uses this IP as upstream DNS server.
The Pihole container has the correct env: ServerIP=192.168.42.9. The current document indicates ServerIP as deprecated, so I also set FTLCONF_REPLY_ADDR4=192.168.42.9.
The name resolution works wonderfully, I only have one problem that is actually not one:
I see an excessive number of requests from IP 172.20.0.1 in the log, which are also answered correctly.
I guess I only missed a little thing, can someone give me a tip, why I do not see the correct client IP address?
The behavior is present in both the stable and the dev tag.
Docker is NATing requests to your Pi-hole and unbound container's bridge network via its 172.20.0.1 gateway, i.e. requests from your local network will make it to Pi-hole correctly, they just will be aggregated via that IP.
You could consider one of Docker's network modes that don't do subnet isolation for your Pi-hole container to avoid that.
Alternatively, you may try to configure your Docker host's resolv.conf to add EDNS(0) support and see if that would make Docker supply client IP address information to its DNS requests.
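As an added example (not from the original thread), here is a docker-compose layout contrasting the bridge setup described above, where every LAN client shows up as 172.20.0.1, with Pi-hole on the host network so it sees real client addresses; unbound stays on the bridge at 172.20.0.53, and the host can still reach it because the host owns the bridge gateway. The image names, the `PIHOLE_DNS_` upstream variable, the `WEBPASSWORD` placeholder and the `./etc-*` volume paths are assumptions.

```yaml
# Added example: Pi-hole on the host network instead of the NAT'ed bridge.
# Assumed (not from the thread): image names, PIHOLE_DNS_ as the upstream
# variable, and the ./etc-* volume paths.
networks:
  dnsnet:                          # the bridge from the thread
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1

services:
  unbound:
    image: mvance/unbound:latest   # assumed image; any unbound image works
    networks:
      dnsnet:
        ipv4_address: 172.20.0.53  # fixed upstream address, as in the thread
    restart: unless-stopped

  # Original layout (produces the 172.20.0.1 client IP): Pi-hole on the same
  # bridge with port 53 published. Docker NATs LAN traffic into the bridge,
  # so the query log shows the gateway address for every LAN client.
  # pihole-bridged:
  #   image: pihole/pihole:latest
  #   networks: [dnsnet]
  #   ports: ["53:53/tcp", "53:53/udp", "80:80/tcp"]
  #   environment:
  #     FTLCONF_REPLY_ADDR4: 192.168.42.9
  #     PIHOLE_DNS_: 172.20.0.53

  # Corrected layout: host network mode, so no NAT sits between the LAN
  # clients and Pi-hole and the real source addresses are logged.
  pihole:
    image: pihole/pihole:latest
    network_mode: host             # no port mappings needed in this mode
    environment:
      FTLCONF_REPLY_ADDR4: 192.168.42.9
      PIHOLE_DNS_: 172.20.0.53     # unbound on the bridge, reached via 172.20.0.1
      WEBPASSWORD: changeme        # placeholder, set your own
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    depends_on: [unbound]
    restart: unless-stopped
```

In host mode Pi-hole binds the host's own interfaces directly, which also includes any IPv6 address the host has, so no separate Docker IPv6 setup is needed for v6 clients to reach it. Queries from other containers on the bridge will still correctly appear as coming from 172.20.0.1.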
Ok, NAT was the keyword, but different:
Apparently, these were the requests that came via IPv6, which were accepted by the Pi. By magic, they then landed on the Pihole as a v4 request with the IP from the Docker network.
The combination of DS-Lite and Docker drives me crazy. Let's see if I will find a clever solution for this, I would like to have a DNS accessible via v6.
You should be aware that Docker is IPv4-only by default.
You'd have to explicitly enable IPv6 for both your Docker daemon and containers, which may not be available on all host systems' OSs. See Docker's documentation for details.
Note that an IPv6 address for your dockered Pi-hole wouldn't be strictly required, as Pi-hole can still provide A and AAAA records as requested by clients when communicating via IPv4.
In any case, you'd have to watch out that your router does not advertise an alternate IPv6 address like its own (i.e. for a DNS server that's not Pi-hole), or else clients would bypass Pi-hole via IPv6 (regardless of whether Pi-hole is listening on an IPv6 address or not).
Jep, I know.
Right now I'm playing around with Docker and a Docker host which is reachable via v6 would be fine.
Nevertheless, it's not a problem with Pihole and my initial post was addressed incorrectly. Thanks for the tip.