Setup on Synology Docker

Ok, just tried removing my resolv.conf mount and I'm back to being unable to start the docker. Yes, I did remember to set the Synology DNS server to forward to 8.8.8.8 after I undid the resolv mount and before I tried restarting the pihole. I KNOW the pihole has resolution as if I put back the resolv.conf with just nameserver 127.0.0.1, it works. Very strange.

Deleted*

Not sure which variables you mean, sorry. My replacement resolv.conf now only has 127.0.0.1. The clients are all looking to the Synology DNS server on 192.168.0.2 which has a forwarder to 192.168.101.2 which is the bridge network to the pihole. This config works. If I change the forwarder in DNS to point to 8.8.8.8 and then start the pihole with no resolv.conf mounted, it will reboot every two minutes as it is unable to resolve any DNS. As soon as I mount the resolv.conf and put the forwarder back to 192.168.101.2 and restart, the pihole works perfectly. I'm just happy it works!

Edit: It looks as if you have a pretty untypical layout. The only real advice I can give you is that the only way anything on your synology (including docker images) can talk to pihole is through the bridge network that you created. Other pieces of equipment can talk to pihole with no issues.

You will have to figure out a way to loop the communications around your network following those rules as the way it is now it is getting stuck somewhere.

You may have to draw a small picture and figure out one way for your DNS, such as everything talking to the domain controller and then it looping through the bridge to pihole.

Thanks for taking the time to think and post about this. What you suggest is what I have: the Synology runs the domain DNS server which the Synology and all the clients use. The Syno DNS server forwards to the gateway to the pihole. The pihole talks to the router and all is good. I just have to force the resolv.conf, which I've now limited to 127.0.0.1 and made writeable, and I'm happy with that. Clients aren't seeing ads, I broke facebook and youtube (fixed with the whitelist in pihole), so I know it's working :wink: Plenty of traffic in the pihole interface (damn you Nvidia!) so it's case closed as far as I'm concerned. Once again, thanks to you and Bucking_horn.

Well hopefully it works as you need. Networks can be very complicated. My synology talks to pihole through the bridge but then pihole goes back through the bridge to talk to my cloudflared https docker image and then that shoots out for internet dns resolution. Adding domain controllers and multiple layer networks can make things very difficult to follow.


This helped me so much. Thank you @Beefyfish!


Beefyfish Alex_Wright great guide and got me up and running very quickly on my Synology.
I followed Alex's guide, just changing my Pi-hole IP and Macvlan network to .20.
It's been running great, but I'd like to also use docker Unbound for my Pi-hole DNS.
Do I need to put this in the macvlan network as the Pi-hole?
I used /32 when setting this up so it's restricted to one IP. I'd need to change this if so, but I'm not sure how?
Any help would be greatly appreciated.

Install Unbound on your HOST docker network. Once that is all set up you can point your pihole to the Pihole_Bridge Gateway and Port as shown in THIS POST.

I have pihole going back to cloudflared DNS installed on the HOST network but unbound should work the same.

Thanks Beefyfish. So I had installed Unbound on my docker bridge network, port 53 mapped to port 5335 on the host (in the 172.172.0.x range in docker).
I have the pihole pointed to the pihole_Bridge gateway and port: 192.168.100.1#5335.
I am still able to resolve DNS.
Should I redeploy the Unbound docker to the HOST docker network?

If it works then run with it. The thing with docker is that depending on what/whose image you're using, setups can vary a lot and accomplish the same end goal.

Hello Beefyfish
Thank you for this amazing how-to which works like a charm on my DS918+.
I followed your advice and ran the visibilityspots/cloudflared image, checked "Use the same Network as Docker Host" and set my upstream DNS to 10.0.100.1#5054.

Everything works well but I would like to understand why the upstream DNS needs to point towards 10.0.100.1, which, when following your how-to, is the IP of the Macvlan bridge gateway.

Since we checked the "Use the same Network as Docker Host" I have a hard time understanding why we are using this IP address here.

So I'm not reporting any issue here but just trying to understand and learn!

Thanks again for your amazing work!
Cheers!

Also, I just noted something strange.
Since I created the "Pi-hole_Bridge" and "Pi-hole network", all containers associated with my original "bridge" network do not have access to the internet anymore.

I realized that modifying the container and checking the "Use the same Network as Docker Host" solved the issue, but I do not understand why this "bridge" network is not working anymore.

The docker host is not allowed to talk to the macvlan on your network for security reasons built inside docker. We use a Docker bridge network to circumvent this restriction.

As for your other bridge network not having internet: did you point your synology DNS to the Pihole_Bridge? If you did not do this, your synology will ask the router for the DNS location and it will try and send it to the macvlan and time out because it is not allowed to talk to it. Also make sure you set a static IP on your synology if you have not.

If you have all this setup did you reboot? I have had many times when doing complex things that the ip tables would not update on my synology and a simple reboot would correct them.

Thanks for your quick response!

I did everything, pointing the synology DNS towards 10.0.100.2 (the IP range, not the gateway as indicated in the how-to); my NAS also has a static IP address with DHCP reservation. I also rebooted the NAS and when going to Network -> Static Route, I can see the following in the "Main table" menu:

Any idea?

Does your package center have internet?

Yes it seems to as it retrieves the list of community packages.
Also, I rebooted once, and it seemed to solve the problem as one of my packages connected to the bridge (Ombi) got internet back.

I rebooted once again and am now back to the same situation, but package center still has access to internet.

If you are ok with everything installed on the synology using an outside DNS without pihole you can set the DNS to something other than the bridge such as google.

Otherwise there seems to be an issue with the bridge networks communicating. Example: The Synology is telling the default docker bridge to use the Pihole_Bridge for the DNS but it doesn't have any idea where that ip is.

I have not tried this, and I'm not even sure it will allow it, but try setting up an ip table for:

Network Destination: 172.17.0.0
Gateway: 10.0.100.0
Netmask: 255.255.255.0
Interface: Docker

Other ways to look into this could be removing pihole from the pihole_bridge and installing onto the default bridge. (Shut down the container, remove it from Pihole_Bridge and add it to bridge.) The only issue I would have here is knowing what the IP would be. You may or may not be able to use 172.17.0.1 for the DNS of the synology.

Either way let me know.
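Two things a practitioner would check before adding the static route suggested above: the proposed gateway 10.0.100.0 is the network address of the /24, not a host, and a 255.255.255.0 mask covers only the first /24 of Docker's default bridge range (172.17.0.0/16 unless reconfigured). The following Python example is added here and is not from the thread or Pi-hole; it models a route table with the thread's addresses plus constructed LAN placeholders (192.168.1.x), does a longest-prefix lookup, and flags next hops that are not usable host addresses.

```python
import ipaddress

# Route table modelled on this thread. Values are constructed; the 192.168.1.x
# LAN entries are placeholders. Docker's default bridge is 172.17.0.0/16 unless
# it has been reconfigured. A gateway of None means the network is on-link.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1", "bond1"),          # default route (placeholder)
    ("192.168.1.0/24", None,          "bond1"),          # LAN, on-link (placeholder)
    ("172.17.0.0/16",  None,          "docker0"),        # default docker bridge, on-link
    ("10.0.100.0/24",  None,          "Pihole_Bridge"),  # bridge toward the macvlan range
    ("172.17.0.0/24",  "10.0.100.0",  "Docker"),         # static route proposed in the post
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (prefix, gateway, iface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (str(best[0]), best[1], best[2]) if best else None

def usable_next_hop(gw, routes=ROUTES):
    """A next hop must be a host address inside an on-link network. No host
    answers for the network or broadcast address, so such a route delivers nothing."""
    addr = ipaddress.ip_address(gw)
    for prefix, hop, _ in routes:
        net = ipaddress.ip_network(prefix)
        if hop is None and net.prefixlen > 0 and addr in net:
            return addr not in (net.network_address, net.broadcast_address)
    return False

def audit(routes=ROUTES):
    """Return the routes whose gateway is not a usable next hop."""
    return [r for r in routes if r[1] is not None and not usable_next_hop(r[1], routes)]

if __name__ == "__main__":
    # 172.17.0.5 hits the proposed /24; 172.17.3.9 falls back to the on-link /16.
    for dst in ("172.17.0.5", "172.17.3.9", "10.0.100.2"):
        print(dst, "->", lookup(dst))
    print("routes with unusable gateway:", audit())
```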

Thanks for your help Beefyfish

I tried to set up an ip table as you recommended, but I can only select "Bond 1" as an interface. Is there a way to create one using ssh?

The problem with your other solution - I had a similar issue in the past - is that there is no way to create a static ip address within the default bridge. All containers get assigned a series of IPs in random order at every reboot, which makes it unreliable as the Pihole address might change after a reboot.

I have been reading a whole bunch of threads online but was not able to find any viable solution yet. This is really frustrating as Pi-hole and everything else is working really well.

I ended up setting CloudFlare's DNS on the Synology which works as you suggested, but too bad I'm not able to rely on Pihole for my containers. I'll keep looking for a solution!

Last thing, after rebooting my NAS several times, I noticed that the Pihole settings "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges" are reset after every reboot, and that the "Interface listening behavior" is reset to "Listen on all interfaces" although I set it to "Listen on all interfaces, permit all origins".

Any idea on how to make these settings persistent?