
Run Pi-Hole in a Docker Container

I’m probably one of the last to set up a Pi-hole, and I’m still not convinced it’s such a good idea. I will evaluate it for a few weeks and then decide what to do.

The Pi-hole is set up as the primary DNS server handed out by DHCP to all connected devices. It forwards to my internal DNS infrastructure (Windows AD), which in turn forwards to the router (UBNT EdgeRouter); the firewall forwards to OpenDNS. For the rylander.io domain my internal DNS is split-horizon: several subdomains are delegated to Cloudflare DNS, which also duplicates some hostnames because of Let’s Encrypt validation.

Docker distribution

I’m using the excellent https://github.com/diginc/docker-pi-hole image, which comes with complete documentation. The host is a minimal Photon OS VM, and I’m using the Alpine x86 release of the image.

I did craft the docker-compose.yml myself, but only because I didn’t read carefully enough to see that one already exists.

docker-compose

It’s recommended to keep the data and configuration on the host so the container can be upgraded easily when new releases come out. Because /etc/pihole and /etc/dnsmasq.d are bind-mounted from the host, the upgrade is as simple as destroying the running container (docker-compose down), pulling the new image (docker pull diginc/pi-hole:alpine) and starting it again (docker-compose up -d); the configuration under /root/pihole survives the container.

version: '2'
services:
  pihole:
    container_name: pihole
    restart: unless-stopped
    image: diginc/pi-hole:alpine
    environment:
      - ServerIP=10.0.1.9
      - TZ=Europe/Stockholm
      - WEBPASSWORD=*redacted*
      - DNS1=10.0.1.6
      - DNS2=10.0.1.22
      - VIRTUAL_HOST=pihole.rylander.io
    volumes:
      - /root/pihole/:/etc/pihole/
      - /root/pihole/dnsmasq.d/:/etc/dnsmasq.d/
    ports:
      - "80:80"
      - "53:53/tcp"
      - "53:53/udp"

I’ve registered pihole.rylander.io in my internal DNS (Windows AD). As this runs on a minimal host with nothing else listening, ports 53 and 80 can be published without conflicts.

The docker-compose file is placed in the /root/pihole folder.
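The compose file above publishes the admin UI (port 80) and the resolver (port 53) on every address of the host, and keeps the web password in plain text inside the compose file. A tighter variant, added here as an example and not taken from the post or from the docker-pi-hole project, binds the published ports to the host’s 10.0.1.9 address only and moves WEBPASSWORD into a separate env file. Binding to one address matters because traffic to a Docker-published port is DNAT’ed to the container and evaluated in the FORWARD chain, not INPUT, so a host-level INPUT firewall rule does not gate it. The env file path /root/pihole/pihole.env is an assumption; keep it and the compose file root-only (mode 600).

```yaml
# Added example, not the post's own compose file. Same service as above,
# with the published ports bound to the host address that clients use as
# their DNS server, and the admin password kept out of this file.
version: '2'
services:
  pihole:
    container_name: pihole
    restart: unless-stopped
    image: diginc/pi-hole:alpine
    # Assumed path; the file contains a single line: WEBPASSWORD=<password>
    env_file:
      - /root/pihole/pihole.env
    environment:
      - ServerIP=10.0.1.9
      - TZ=Europe/Stockholm
      - DNS1=10.0.1.6
      - DNS2=10.0.1.22
      - VIRTUAL_HOST=pihole.rylander.io
    volumes:
      - /root/pihole/:/etc/pihole/
      - /root/pihole/dnsmasq.d/:/etc/dnsmasq.d/
    ports:
      # "host_ip:host_port:container_port" restricts the listener to 10.0.1.9
      - "10.0.1.9:80:80"
      - "10.0.1.9:53:53/tcp"
      - "10.0.1.9:53:53/udp"
```

If the admin UI only ever needs to be reached from the host itself (for instance behind a reverse proxy on the same box), bind port 80 to 127.0.0.1 instead of 10.0.1.9.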

docker-compose up

Run it in the foreground first, just to verify that it starts without errors, then stop it and restart it detached with docker-compose up -d.

Update list of ad-serving domains

It’s a good idea to update the block list right away so that it’s current.

Tailing the log

To verify that clients are actually using it, you can also tail the query log and watch the DNS requests come in.
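The post lists the post-start steps (refresh the block list, tail the log) without the commands. The script below is an added example, not from the post or the docker-pi-hole project, that wraps those steps for the container defined above and adds two checks a practitioner wants: a resolution test through the Pi-hole, and a summary of a dnsmasq-format query log (queries per client, and how many names were answered out of gravity.list, i.e. blocked). It assumes the container name pihole and ServerIP 10.0.1.9 from the compose file, that dig is installed on the host, that the pihole CLI in the image supports -g (update gravity) and -t (tail), and that Pi-hole writes its query log to /var/log/pihole.log inside the container. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the docker-pi-hole project.
# Operational checks for the "pihole" container from the compose file above.
# Assumptions: container name pihole, ServerIP 10.0.1.9, dig on the host,
# pihole CLI supporting -g/-t, query log at /var/log/pihole.log in the container.

CONTAINER=pihole
PIHOLE_IP=10.0.1.9

# Refresh the ad-serving domain lists ("gravity") inside the running container.
update_gravity() {
    docker exec "$CONTAINER" pihole -g
}

# Follow the query log live through the pihole CLI inside the container.
tail_log() {
    docker exec "$CONTAINER" pihole -t
}

# Snapshot the container's query log to a file on the host for offline analysis.
dump_log() {
    docker exec "$CONTAINER" cat /var/log/pihole.log > "$1"
}

# Resolve a name through the Pi-hole and print the A answer (empty on failure).
resolve_via_pihole() {
    dig +short +time=2 +tries=1 @"$PIHOLE_IP" "$1" A
}

# Returns 0 if the name is answered with the ServerIP, which is how Pi-hole
# releases of this vintage block a listed domain (newer releases answer
# 0.0.0.0 by default; adjust the expected address accordingly).
is_blocked() {
    [ "$(resolve_via_pihole "$1")" = "$PIHOLE_IP" ]
}

# Summarise a dnsmasq-format query log: total queries and how many names were
# answered out of gravity.list (blocked). Prints "queries=N blocked=M".
summarize_log() {
    awk '
        /query\[/                 { queries++ }
        /gravity\.list/ && / is / { blocked++ }
        END { printf "queries=%d blocked=%d\n", queries + 0, blocked + 0 }
    ' "$1"
}

# Clients ranked by number of queries, one "count ip" per line.
# The client address is the last field of every "query[...] name from ip" line.
top_clients() {
    awk '/query\[/ { n[$NF]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Constructed sample log in the format dnsmasq writes with log-queries enabled,
# written to the given path so the functions above can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 10:00:01 dnsmasq[80]: query[A] www.example.com from 10.0.1.50
Jan  5 10:00:01 dnsmasq[80]: forwarded www.example.com to 10.0.1.6
Jan  5 10:00:01 dnsmasq[80]: reply www.example.com is 93.184.216.34
Jan  5 10:00:02 dnsmasq[80]: query[A] ad.doubleclick.net from 10.0.1.50
Jan  5 10:00:02 dnsmasq[80]: /etc/pihole/gravity.list ad.doubleclick.net is 10.0.1.9
Jan  5 10:00:03 dnsmasq[80]: query[A] pagead2.googlesyndication.com from 10.0.1.50
Jan  5 10:00:03 dnsmasq[80]: /etc/pihole/gravity.list pagead2.googlesyndication.com is 10.0.1.9
Jan  5 10:00:04 dnsmasq[80]: query[A] pihole.rylander.io from 10.0.1.51
Jan  5 10:00:04 dnsmasq[80]: forwarded pihole.rylander.io to 10.0.1.6
Jan  5 10:00:04 dnsmasq[80]: reply pihole.rylander.io is 10.0.1.9
EOF
}

# Typical use on the Docker host:
#   . ./pihole-checks.sh
#   update_gravity
#   is_blocked ad.doubleclick.net && echo "blocking works"
#   dump_log /tmp/pihole.log && summarize_log /tmp/pihole.log && top_clients /tmp/pihole.log
```

Source the file and call the functions rather than running it directly; the docker-backed functions need the container up, while summarize_log and top_clients work on any saved copy of the log, so they are also handy for comparing before and after a gravity update.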