Sunday, 12 July 2020

Pi-hole Docker Install


I'm a big fan of Docker and run a small stack of containers on the proverbial server under the stairs for some personal projects at home. I recently installed a Pi-hole container closely following the docker-compose.yml configuration recommendations.

version: '3'
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 80:80/tcp
      - 443:443/tcp
    environment:
      TZ: Europe/Dublin
      WEBPASSWORD: my_secret_password
      VIRTUAL_HOST: pi.hole
    volumes:
      - './volumes/pihole/etc-pihole/:/etc/pihole/'
      - './volumes/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped


A common problem encountered when starting the container is port binding errors for ports 53 and 67. This happens because the Pi-hole container publishes the DNS and DHCP ports on the host, and something on the Docker host is already listening on them.

ERROR: for pihole  Cannot start service pihole: driver failed programming external connectivity on endpoint pihole (7857e8772bc195543e50602a8033bfc): Error starting userland proxy: listen udp 0.0.0.0:67: bind: address already in use


To determine which service on the host was using these ports, I ran the netstat command on the Docker server.

$ sudo netstat -tulpn

  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
  tcp        0      0 0.0.0.0:53       0.0.0.0:*          LISTEN   14337/dnsmasq
  ...
  udp        0      0 0.0.0.0:53       0.0.0.0:*                   14337/dnsmasq
  udp        0      0 0.0.0.0:67       0.0.0.0:*                   14337/dnsmasq
  ...


The above output shows that the Docker host is running its own dnsmasq service (PID 14337), bound to port 53 (DNS) and port 67 (DHCP). Stopping and disabling this service on the host should allow the Pi-hole container to start.

$ sudo systemctl stop dnsmasq
$ sudo systemctl disable dnsmasq
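As an added example (not part of the original post), the check below parses `netstat -tulpn` output for listeners on the host ports the compose file publishes, so a conflict is reported before `docker-compose up` fails with "address already in use". The netstat sample embedded in it is constructed; pipe real output into `check_host_ports` to run it against a live host.

```shell
#!/bin/sh
# Added example: flag host services already bound to the ports Pi-hole publishes.

# Host-side ports from the compose file above.
PIHOLE_PORTS="53 67 80 443"

# Constructed sample of `sudo netstat -tulpn` output (dnsmasq holds 53 and 67).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*          LISTEN   14337/dnsmasq
tcp        0      0 127.0.0.1:631    0.0.0.0:*          LISTEN   812/cupsd
udp        0      0 0.0.0.0:53       0.0.0.0:*                   14337/dnsmasq
udp        0      0 0.0.0.0:67       0.0.0.0:*                   14337/dnsmasq
udp        0      0 0.0.0.0:5353     0.0.0.0:*                   601/avahi-daemon'

# port_conflicts "PORTS" < netstat_output
# Prints "proto port pid/program" for every tcp/udp listener on one of PORTS.
# Works for both tcp lines (with a State column) and udp lines (without one)
# because the PID/program name is always the last field.
port_conflicts() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; sub(/.*:/, "", addr)      # keep only the port after the last ":"
            if (addr in w) print $1, addr, $NF
        }'
}

# check_host_ports < netstat_output
# Returns 1 and reports the offending listeners if any published port is taken.
check_host_ports() {
    conflicts=$(port_conflicts "$PIHOLE_PORTS")
    if [ -n "$conflicts" ]; then
        echo "Ports needed by Pi-hole are already in use on the host:" >&2
        echo "$conflicts" >&2
        return 1
    fi
    return 0
}

# Demo run against the constructed sample; on a real host use:
#   sudo netstat -tulpn | check_host_ports && docker-compose up -d
if printf '%s\n' "$SAMPLE_NETSTAT" | check_host_ports; then
    echo "No conflicts, safe to start the Pi-hole container."
fi
```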


Finally update the DNS server settings on your devices to use Pi-hole (this will typically be the IP address of your Docker server).

After running Pi-hole for a number of days it is interesting to see how chatty some devices on my home network are. The biggest surprise so far is that my Samsung Smart TV insists on calling home to cdn.samsungcloudsolution.com every 30 seconds. If I blacklist the URL on Pi-hole then TV apps like Netflix won't start.
