What happens when interface listening behavior is set to local in a container?

Just curious; since I'm not using Docker, I'm not exactly sure what is breaking.

I don't mean I see anything broken; it works just fine with those settings. But on GitHub it is mentioned multiple times to set it to 'all' and not to 'local', so I was wondering if something is silently breaking in the background, or if I am exposing myself somehow by having it set to 'local'.

Also, is 'Interface listening behavior' on GitHub's README the same as 'Interface binding behavior' in the Pi-hole documentation? I'm not very good at reading so I could have missed something in the documentation.

Edit: Forgot key detail, I meant when Docker uses the default 'bridge' network setting.

That would mainly depend on Docker's network mode that you've configured for the container.

When using a mode that is isolating the container into its own, docker-internal network, you should try the Respond only on interface option before Permit all origins. For the interface specific option to work, you may also have to pass the correct network interface into your Pi-hole container.

When using a mode that exposes your container to your host's actual network, sticking with the recommended Allow only local requests should be fine.
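To make the two scenarios above concrete, here is an added example (not from this thread and not the Pi-hole project's own tooling) that picks the DNSMASQ_LISTENING value to match the Docker network mode and assembles the corresponding `docker run` invocation. The image name `pihole/pihole`, the container name, the web UI port mapping, the restart policy and the volume name are assumptions; only `DNSMASQ_LISTENING=all` for the bridge network comes from the README text quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project.
# Chooses the DNSMASQ_LISTENING value for a Docker network mode and builds
# the matching `docker run` arguments so the choice can be reviewed before
# anything is started.
set -eu

# Map the Docker network mode to the listening behaviour discussed above:
#   bridge -> "all"   (container sits on its own docker-internal network;
#                      the README says to use "permit all origins" here)
#   host   -> "local" (container shares the host's real interfaces, so the
#                      default "Allow only local requests" is enough)
pihole_listening_for() {
    case "$1" in
        bridge) echo all ;;
        host)   echo local ;;
        *)      echo "unsupported network mode: $1" >&2; return 1 ;;
    esac
}

# Build the docker run arguments. In bridge mode the DNS ports (and the web
# UI port, assumed to be 80) must be published; in host mode nothing is
# published because the container already listens on the host's interfaces.
pihole_run_args() {
    mode="$1"
    listening="$(pihole_listening_for "$mode")" || return 1
    args="--name pihole --network $mode -e DNSMASQ_LISTENING=$listening"
    if [ "$mode" = bridge ]; then
        args="$args -p 53:53/tcp -p 53:53/udp -p 80:80/tcp"
    fi
    # Restart policy and persistent volume are assumptions, not from the thread.
    args="$args --restart unless-stopped -v pihole_etc:/etc/pihole"
    echo "$args"
}

# Consistency check: reject the combination the README warns against
# (bridge network with "local" listening), so a hand-edited value cannot
# quietly produce a container that does not answer LAN clients.
# Returns 0 when the combination is acceptable, 1 otherwise.
pihole_check_combo() {
    mode="$1"; listening="$2"
    if [ "$mode" = bridge ] && [ "$listening" = local ]; then
        return 1
    fi
    return 0
}

# Only start the container when explicitly asked (PIHOLE_START=1);
# otherwise just print the command for review.
PIHOLE_NET="${PIHOLE_NET:-bridge}"
if [ "${PIHOLE_START:-0}" = 1 ]; then
    # shellcheck disable=SC2046
    docker run -d $(pihole_run_args "$PIHOLE_NET") pihole/pihole:latest
else
    echo "docker run -d $(pihole_run_args "$PIHOLE_NET") pihole/pihole:latest"
fi
```

Run it with `PIHOLE_NET=host` or `PIHOLE_NET=bridge` to see the command for either scenario; set `PIHOLE_START=1` to actually launch the container. The per-interface option ("Respond only on interface") is deliberately left out of the mapping because, as noted above, it additionally requires passing the right network interface into the container.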

I always forget the key details. I meant the bridge network, that is:

Use the Pi-hole web UI to change the DNS settings Interface listening behavior to "Listen on all interfaces, permit all origins", if using Docker's default bridge network setting. (This can also be achieved by setting the environment variable DNSMASQ_LISTENING to all)

As far as I can tell, rootless Podman seems to be running exactly the same as my Raspberry Pi, with Allow only local requests, and I thought it wouldn't. I saw a post earlier about Podman where someone was saying they preferred a rootful container so it could have its own IP address, and I think that muddled up my understanding of what it said on GitHub.

But now that I'm reading your message, I think I had misunderstood what was said in GitHub. I thought what it was saying is that you had to have an IP address, rather than exposing a port, but as you just said '...that exposes your container...' I'm realizing maybe --publish DNS is enough.

Thanks for clarifying both scenarios though. I might switch to Docker at some point but was concerned that it would function differently or not at all. Currently hesitant to switch because installing Docker forcefully removes ~200 packages from my system, a lot of which I use on a daily basis. But good to know I can keep the default bridge network, expose the ports and still 'Allow only local requests.'
