[Support] devzwf - pihole DoT/DoH



Hi, thanks for providing this!

 

I'm pretty new to Unraid and Pi hole. But I finally managed to get it all up and running, and Pi hole is blocking away. 👍

One thing though. My dashboard reports a number of active clients.
Clicking on the link, the Network overview page is empty, I only see the message "No data available in table"

I did a lot of googling but can't seem to find an applicable cause or a solution.
Any ideas what might cause this for me? What additional info would you potentially need from me? Again, pretty noob here....
Thanks!

On 2/1/2024 at 5:23 PM, ZappyZap said:

I will have to dig a bit on this one as I could not reproduce.

Just wanted to let you know that I went with the official pihole docker now and have my Fritzbox do the DoT lookups. Works very well, and here all clients are showing fine.
So, as far as I'm concerned, no need to look into this any further.


Looks like there is an application update for the DoT/DoH application within the docker image, for stubby/cloudflared.
pihole docker log:

s6-rc: info: service legacy-services successfully started
[23:37:19.416499] STUBBY: Stubby version: Stubby 0.3.0
[23:37:19.417683] STUBBY: Read config from file /config/stubby.yml
2024-03-24T23:37:19Z INF Version 2024.2.1
2024-03-24T23:37:19Z INF GOOS: linux, GOVersion: go1.21.5, GoArch: amd64
2024-03-24T23:37:19Z INF Settings: map[config:/config/cloudflared.yml proxy-dns:true proxy-dns-address:127.1.1.1 proxy-dns-port:5153 proxy-dns-upstream:[https://doh.opendns.com/dns-query https://dns.google/dns-query https://1.1.1.1/dns-query https://1.0.0.1/dns-query]]
2024-03-24T23:37:19Z INF Adding DNS upstream url=https://doh.opendns.com/dns-query
2024-03-24T23:37:19Z INF Adding DNS upstream url=https://dns.google/dns-query
2024-03-24T23:37:19Z INF Adding DNS upstream url=https://1.1.1.1/dns-query
2024-03-24T23:37:19Z INF Adding DNS upstream url=https://1.0.0.1/dns-query
2024-03-24T23:37:19Z INF Starting DNS over HTTPS proxy server address=dns://127.1.1.1:5153
2024-03-24T23:37:19Z INF cloudflared will not automatically update if installed by a package manager.
2024-03-24T23:37:19Z WRN Your version 2024.2.1 is outdated. We recommend upgrading it to 2024.3.0


Container updated ....

21.03.2024 01:16:19 cloudflared version 2024.3.0 (built 2024-03-20-1010 UTC) installed for amd64
21.03.2024 01:16:19 Unbound Version 1.19.3 installed for amd64
21.03.2024 01:16:20 Built from pihole/pihole with tag latest



And while we are at it, the container also has unbound ready for your use; it is listening on "127.0.0.1#5335".

thanks

 


Awesome. Deeply appreciate your work sir!

 

Moved from test daisy to your image, as you seem to be maintaining and keeping things up-to-date.

 

Docker log:

s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun pihole-dot-doh (no readiness notification)
s6-rc: info: service legacy-services successfully started
[19:26:46.861570] STUBBY: Stubby version: Stubby 0.3.0
[19:26:46.862711] STUBBY: Read config from file /config/stubby.yml
2024-03-25T19:26:46Z INF Version 2024.3.0
2024-03-25T19:26:46Z INF GOOS: linux, GOVersion: go1.21.5, GoArch: amd64
2024-03-25T19:26:46Z INF Settings: map[config:/config/cloudflared.yml proxy-dns:true proxy-dns-address:127.1.1.1 proxy-dns-port:5153 proxy-dns-upstream:[https://doh.opendns.com/dns-query https://dns.google/dns-query https://1.1.1.1/dns-query https://1.0.0.1/dns-query]]
2024-03-25T19:26:46Z INF Adding DNS upstream url=https://doh.opendns.com/dns-query
2024-03-25T19:26:46Z INF Adding DNS upstream url=https://dns.google/dns-query
2024-03-25T19:26:46Z INF Adding DNS upstream url=https://1.1.1.1/dns-query
2024-03-25T19:26:46Z INF Adding DNS upstream url=https://1.0.0.1/dns-query
2024-03-25T19:26:46Z INF Starting DNS over HTTPS proxy server address=dns://127.1.1.1:5153
2024-03-25T19:26:46Z INF cloudflared will not automatically update if installed by a package manager.
  Starting docker specific checks & setup for docker pihole/pihole
  Setting capabilities on pihole-FTL where possible
  Applying the following caps to pihole-FTL:
        * CAP_CHOWN
        * CAP_NET_BIND_SERVICE
        * CAP_NET_RAW
        * CAP_NET_ADMIN
        * CAP_SYS_NICE
  Ensuring basic configuration by re-running select functions from basic-install.sh

  Installing configs from /etc/.pihole...
  Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf

  Installing latest logrotate script...
        Existing logrotate file found. No changes made.
  Assigning password defined by Environment Variable
  [✓] New password set
  Added ENV to php:
                    "TZ" => "American/Chicago",
                    "PIHOLE_DOCKER_TAG" => "",
                    "PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
                    "CORS_HOSTS" => "",
                    "VIRTUAL_HOST" => "PIHOLEDOHDOT",
  Using IPv4 and IPv6

  [✓] Installing latest Cron script
  Preexisting ad list /etc/pihole/adlists.list detected (exiting setup_blocklists early)
  Converting DNS1 to PIHOLE_DNS_
  Converting DNS2 to PIHOLE_DNS_
  Setting DNS servers based on PIHOLE_DNS_ variable
  Applying pihole-FTL.conf setting LOCAL_IPV4=192.168.1.10
  FTL binding to default interface: eth0
  Enabling Query Logging
  Testing lighttpd config: Syntax OK
  All config checks passed, cleared for startup ...
  Docker start setup complete

  pihole-FTL (no-daemon) will be started as pihole

  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Starting unbound
Starting stubby
Starting cloudflared
  Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database

 

Testing unbound now. Decided to leave the docker template alone and just add another server by adding a config to the dnsmasq folder: (Not sure if I can add that IP to the template.)


 

Here I can add 99-upstreamdns.conf to add the unbound DNS server to test.

 

root@BMM-Unraid:/mnt/user/appdata/Unraid-PiholeDOHDOT/dnsmasq# cat 99-upstreamdns.conf 
#Unbound
server=127.0.0.1#5335

 

Quote

Testing unbound now. Decided to leave docker template alone and just add another server by adding a config to dnsmasq folder: (Not sure if i can add that ip to the template.)

I have to edit the template.
Will be done soon, just working on something else at the moment.

Remove the DNS1 and DNS2 variables
and add PIHOLE_DNS_
with value: 127.0.0.1#5335
 


Thank you for taking a look at this.

 

I'm not sure stubby needs to be updated, as Debian does follow the CVE security.

Yes, I think you're correct it may need to be compiled from source, but not worth the hassle if there is no CVE security issue.

 

https://dnsprivacy.org/dns_privacy_daemon_-_stubby/

 

https://github.com/getdnsapi/stubby
It also depends on which dev you follow for the stubby DNS API for DoT:

https://github.com/getdnsapi/stubby/releases
 

https://docs.pi-hole.net/guides/dns/unbound/
I usually follow the pihole documentation for the unbound docker data...

I'm ecstatic to see DoH/DoT and unbound working. Ran pihole on a Pi before and had unbound working, had trouble with DoH/DoT, which is why I went to dockers. I run a firewall device which has unbound and a weird version of Cloudflare for DoH. I fixed some template settings; as I said, I came from running test daisy and cross-referenced your image, and it just worked as a template overlay including some of my fixes and template edits for my network and settings.

I run a macvlan network docker setup and specify a hostname and MAC address with extra options.
I had issues with EDNS; per the pihole documentation I added the dnsmasq config. I have quite a few ad lists / domains, network and DNS settings. For me to use unbound in this state, it was better for me to leave the template alone and use dnsmasq settings to use unbound. I also had a memory issue and had to use the other option to set the SHM size.



Here is my docker run for example:

docker run
  -d
  --name='Pihole-DoT-DoH'
  --net='bond0'
  --ip='192.168.1.10'
  --privileged=true
  -e TZ="America/Chicago"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="BMM-Unraid"
  -e HOST_CONTAINERNAME="Pihole-DoT-DoH"
  -e 'TCP_PORT_53'='53'
  -e 'UDP_PORT_53'='53'
  -e 'UDP_PORT_67'='67'
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'
  -e 'DNS1'='127.2.2.2#5253'
  -e 'DNS2'='127.1.1.1#5153'
  -e 'TZ'='American/Chicago'
  -e 'WEBPASSWORD'='removed for privacy'
  -e 'INTERFACE'='eth0'
  -e 'ServerIP'='192.168.1.10'
  -e 'IPv6'='True'
  -e 'DNSMASQ_LISTENING'='all'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:80]/admin'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/devzwf/unraid-docker-templates/main/images/pihole-logo-bw.png'
  -v '/mnt/user/appdata/Unraid-PiholeDOHDOT/Pihole/':'/etc/pihole/':'rw'
  -v '/mnt/user/appdata/Unraid-PiholeDOHDOT/dnsmasq/':'/etc/dnsmasq.d/':'rw'
  -v '/mnt/user/appdata/Unraid-PiholeDOHDOT/config/':'/config':'rw'
  -v '/mnt/user/appdata/Unraid-PiholeDOHDOT/other1for1/error-pihole.log':'/var/log/lighttpd/error-pihole.log':'rw'
  --cap-add=NET_ADMIN
  --restart=unless-stopped
  --mac-address 02:42:C0:A8:01:0A
  --hostname PIHOLEDOHDOT
  --shm-size="3G" 'devzwf/pihole-dot-doh:latest'
ddc4ecf2729013df8fd95f09eeea6c72c729a61d08144e3e471d3bfc2ba9c755

The command finished successfully!


Pihole-specific settings, such as a DNS name record to fix routing and name-search DNS queries:


Attached are my config folder settings and extra dnsmasq settings to fix some small issues I encountered, and how to fix them:

I'm quite happy with where things are at with this image. I have no problem keeping some settings, killing this template and downloading your image from the Community App Store when it's ready for all their uses of DoH/DoT/unbound.

Thank you for your support

cloudflared.yml forward-records.conf stubby.yml unbound.conf 99-upstreamdns.conf 99-edns.conf


@ZappyZap I will be honest, I just installed PiHole on unRAID. I have for years been using a raspberry Pi with PiHole and Unbound, but my Pi died. So I decided to move it to unRAID.

 

I have a Ubiquiti network setup so I am routing all DNS (port 53) traffic to Pi Hole.  I also block all requests from NOT using the PiHole.

 

I saw your template had DOT and DOH, which I have not used before. But I noticed it did not have Unbound and I just found this forum thread.

 

Question about DOT and DOH, since my network routes all DNS traffic to Pi Hole, does PiHole convert it to DOH/DOT? Or do I need to do similar Ubiquiti configs to route all that traffic to PiHole too?

 

I have been trying to do reading on how it works but I don't understand it.


@ArstenA short answer: yes.
Long answer: yes, and now it also includes unbound.
So to use:

  • DoT/DoH: you set the variable PIHOLE_DNS_ to
127.2.2.2#5253;127.1.1.1#5153
  • Unbound: you set the variable PIHOLE_DNS_ to
127.0.0.1#5335

Of course, you can also configure this in the DNS tab of the pihole settings.

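The PIHOLE_DNS_ value above is a semicolon-separated list of ip#port entries, and the container turns it into dnsmasq server= lines (the same form as the 99-upstreamdns.conf posted earlier in the thread). The script below is an added example, not code from the devzwf/pihole-dot-doh image or from any poster's config: it does that conversion and audits the result. The three loopback listeners it knows about are the ones this thread documents (stubby 127.2.2.2#5253, cloudflared 127.1.1.1#5153, unbound 127.0.0.1#5335), assumed correct for this image; any other entry is flagged, because a public IP in that list means plaintext port-53 queries leave the container alongside the encrypted ones.

```python
"""Convert Pi-hole's PIHOLE_DNS_ variable into dnsmasq 'server=' lines and audit it.

Added example; not code from the devzwf/pihole-dot-doh image. The three loopback
listeners below are taken from this thread's logs and template values (assumed
correct for that image); anything else is treated as an unknown upstream.
"""
import ipaddress

# (ip, port) -> service the thread documents listening there inside the container
KNOWN_LOCAL_UPSTREAMS = {
    ("127.2.2.2", 5253): "stubby (DNS-over-TLS)",
    ("127.1.1.1", 5153): "cloudflared (DNS-over-HTTPS)",
    ("127.0.0.1", 5335): "unbound (recursive resolver)",
}


def parse_upstream(entry):
    """Parse one 'ip#port' entry; the port is optional and defaults to 53."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty upstream entry")
    host, sep, port = entry.partition("#")
    ip = ipaddress.ip_address(host)  # ValueError on anything that is not an IP
    port_num = int(port) if sep else 53
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return str(ip), port_num


def parse_pihole_dns(value):
    """Split the semicolon-separated PIHOLE_DNS_ value into (ip, port) tuples."""
    return [parse_upstream(e) for e in value.split(";") if e.strip()]


def to_dnsmasq_lines(upstreams):
    """Render dnsmasq directives, e.g. for /etc/dnsmasq.d/99-upstreamdns.conf."""
    return [f"server={ip}#{port}" for ip, port in upstreams]


def audit(upstreams):
    """Return one warning per upstream that is not one of the container's encrypted
    or recursive listeners; such an entry receives plaintext port-53 queries."""
    warnings = []
    for ip, port in upstreams:
        if (ip, port) in KNOWN_LOCAL_UPSTREAMS:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            warnings.append(f"{ip}#{port}: loopback, but nothing in this image is known to listen there")
        else:
            warnings.append(f"{ip}#{port}: external plaintext upstream, bypasses DoT/DoH and unbound")
    return warnings


if __name__ == "__main__":
    # The value from ZappyZap's post, with unbound appended
    value = "127.2.2.2#5253;127.1.1.1#5153;127.0.0.1#5335"
    upstreams = parse_pihole_dns(value)
    for line in to_dnsmasq_lines(upstreams):
        print(line)
    for ip, port in upstreams:
        print(f"# {ip}#{port} -> {KNOWN_LOCAL_UPSTREAMS[(ip, port)]}")
    # Constructed bad input: a public resolver sneaked in alongside the proxies
    for warning in audit(parse_pihole_dns(value + ";8.8.8.8")):
        print("WARNING:", warning)
```

One caveat the thread's later dashboard screenshot illustrates: dnsmasq merges the server= lines from 01-pihole.conf and from dnsmasq.d into one upstream pool and by default favours whichever server has been answering fastest, so an extra 99-upstreamdns.conf entry adds a competitor rather than replacing the DoT/DoH proxies. If every query must go through one path, put only that listener in PIHOLE_DNS_ and keep the drop-in file out.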
7 hours ago, ArstenA said:

Ok, so is it not possible to use DOT/DOH with Unbound?

 

It depends on the DNS queries that come in.

In my setup, I have DoT/DoH via the docker template handling the queries, but unbound will take over as a recursive DNS. It will still use my DoT/DoH settings, but all DNS queries now run through unbound.

10 hours ago, ArstenA said:

Question about DOT and DOH, since my network routes all DNS traffic to Pi Hole, does PiHole convert it to DOH/DOT? Or do I need to do similar Ubiquiti configs to route all that traffic to PiHole too?


To implement my setup, add 99-upstreamdns.conf and 99-edns.conf to the dnsmasq.d folder under appdata in the unraid path via your template. The other configs exist in the /config path location.

99-upstreamdns.conf contains other DNS servers that pihole can use for DNS queries. The docker template should use DoT/DoH, and you can see that it is implementing DoT/DoH under pihole > settings > DNS. If you tick a checkbox for another DNS server to use there, it would write to a config that is replaced on docker reboot; the option I want to use can be added to another config, which is the 99-upstreamdns.conf.

The server option in this config is the same as selecting the other checkbox and not using custom. The template regenerates this based on an option set in the template.

Unfortunately, it's up to pihole / the DNS query that comes in to then determine the DNS system that it uses.

This means that the upstream DNS config may become the primary DNS server. As you can see in my pihole site, which server is used more: in my case unbound is used more. And the servers for DoH/DoT are listed and available when needed.

Per the template data, the unbound config is using pihole_dns and is using the (stubby/cloudflared) DoT/DoH server setting for queries when needed. To help ease this, I add a DNS record for pihole_dns to 127.0.0.1 (localhost) to help point it to localhost for these queries.

It's not known or really talked about... so here is some side networking information:
Then, to use pihole for some device I can't manually set, I use the ISC DHCP (https://www.isc.org/blogs/isc-dhcp-eol/) server to set DHCP option 6; while it is EOL, it is still the de facto known reliable one. But atm it may be subject to CVE security issues.

DHCP option 6 sets the DNS servers your network and devices can talk to.
Each router is different, using custom router firmware ddwrt/openwrt, or a PC router pfsense/opnsense/ipfire/openwrt/etc...
My network is using a Firewalla Purple device. So I add this option for Firewalla (an Ubuntu router):

Firewalla app:
Network > LAN > edit > add DHCP option:
option code 6

option value: ipdns,ipdns,ipdns

ddwrt:

web UI > services tab > other dnsmasq options...

dhcp-option=6, x.x.x.x, y.y.y.y

openwrt was a dhcp config edit

IPFire no longer supports DHCP option 6 due to ISC DHCP being discontinued and the new ISC Kea implementation:

https://www.isc.org/dhcp_migration/

pfSense is in the middle of changing over to it. Atm ISC Kea doesn't have full support for DHCP options.

I like DHCP option 6, as my DHCP server giving out IPs can give all the DNS servers I want a client on my network to use as a domain/search domain. Usually pihole IP first, then router, then third party such as OpenDNS, Google, Cloudflare...

With DoH implementation, and some devices and apps using a hard-coded DNS server, such as Kindles, e-readers, etc. that don't have an interface to manually set IP address settings, it's good to have this DHCP option 6 set to assign them via the server and not at each client.

PSA: It is unknown at this time if wifi router manufacturers (Netgear, TP-Link, Linksys, Belkin, Wavelink... etc) are still using ISC DHCP over ISC Kea. Nor has there been an announcement of newer devices and which DHCP server they use... Regardless, look into your router's manufacturer and information, as it may need to be replaced.

I mention this as pihole does have a DHCP server that is forked from dnsmasq built upon ISC DHCP.

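DHCP option 6 as described in the post above is just a list of IPv4 addresses sent as a TLV (RFC 2132 section 3.8: code 6, a length that is a non-zero multiple of 4, then the addresses in preference order). The following added example, which is not from the thread or from any router vendor's firmware, builds and parses that option and emits the dnsmasq dhcp-option=6 line quoted for dd-wrt. The addresses are constructed samples; 192.168.1.10 matches the Pi-hole IP used earlier in the thread and 192.168.1.1 stands in for the router.

```python
"""Encode and decode DHCP option 6 (Domain Name Server, RFC 2132 section 3.8).

Added example; not taken from the thread or any router's firmware. The sample
addresses are constructed (192.168.1.10 matches the Pi-hole IP used in the thread).
"""
import ipaddress

OPTION_PAD, OPTION_DNS, OPTION_END = 0, 6, 255


def encode_option6(servers):
    """Build the TLV: code 6, length (4 * n), then each IPv4 address in the order
    the client should try them. Clients generally keep that order, so the resolver
    you want consulted first (Pi-hole) goes first."""
    if not servers:
        raise ValueError("option 6 needs at least one address")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) > 255:
        raise ValueError("too many servers for a single option (max 63)")
    return bytes([OPTION_DNS, len(payload)]) + payload


def decode_option6(tlv):
    """Parse one option-6 TLV back into dotted addresses, rejecting bad lengths."""
    if len(tlv) < 2 or tlv[0] != OPTION_DNS:
        raise ValueError("not a DHCP option 6 TLV")
    length = tlv[1]
    data = tlv[2:2 + length]
    if length < 4 or length % 4 or len(data) != length:
        raise ValueError("malformed option 6 length")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, length, 4)]


def find_option6(options):
    """Walk a DHCP options field (the bytes after the magic cookie) and return
    the option-6 addresses, or None if the server sent no DNS option."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if code == OPTION_DNS:
            return decode_option6(options[i:i + 2 + length])
        i += 2 + length
    return None


def dnsmasq_directive(servers):
    """The equivalent dd-wrt / dnsmasq configuration line."""
    return "dhcp-option=6," + ",".join(servers)


if __name__ == "__main__":
    servers = ["192.168.1.10", "192.168.1.1", "1.1.1.1"]  # Pi-hole, router, fallback
    tlv = encode_option6(servers)
    print(tlv.hex())
    # Constructed options field: message type (53) = OFFER, router (3), our option 6, end
    offer_opts = bytes([53, 1, 2, 3, 4, 192, 168, 1, 1]) + tlv + bytes([OPTION_END])
    print(find_option6(offer_opts))
    print(dnsmasq_directive(servers))
```

Option 6 is advisory: a client that hard-codes its own resolver, or talks DoH to a public endpoint, never looks at it. That is why the port-53 redirect ArstenA describes on the Ubiquiti side complements this setting rather than replacing it, and why a public fallback in third position silently becomes the primary for any client that decides the first two are slow.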
