Pi-hole running in a Docker container

While I was on my mobile looking up a few recipes, I was amazed at the number of intrusive ads I was getting; they made reading the web pages almost impossible.

I decided it was time to investigate Pi-hole, as I'd heard good things about it.

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

These instructions assume you already have Docker installed, and configured so that non-root users can deploy Docker containers.

In my case, I’m running Docker on an Ubuntu server host.

However, the documentation for the Docker container of Pi-hole mentions a 'gotcha' if you're using an Ubuntu Docker host (I am):

Modern releases of Ubuntu (17.10+) include systemd-resolved which is configured by default to implement a caching DNS stub resolver. This will prevent pi-hole from listening on port 53. The stub resolver should be disabled.

The workaround is to change one file, and then change the symlink for another file.

There are two ways of doing this: the manual way, and the copy/paste-a-command way.

The Manual Way:

  1. Edit the /etc/systemd/resolved.conf file, and change the line that reads:

       #DNSStubListener=yes

     to read:

       DNSStubListener=no

  2. Change the /etc/resolv.conf symlink to point to /run/systemd/resolve/resolv.conf:

       sudo rm /etc/resolv.conf
       sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

  3. Restart the systemd-resolved service:

       sudo systemctl restart systemd-resolved

The Easy Way:

  1. Run these commands, which accomplish the same thing as above, just with a little Linux-fu:

       sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
       sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
       sudo systemctl restart systemd-resolved

Contents of the pihole.yaml file:

version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # host:container mappings; without the host side Docker would publish
      # each port on a random host port instead
      - 53:53/tcp
      - 53:53/udp
      - 80:80/tcp
      - 443:443/tcp
    environment:
      TZ: America/Denver # change to your local timezone
      # admin password for the web GUI; replace with your own strong value
      WEBPASSWORD: Changeme123!
      # The 'etc-pihole' and 'etc-dnsmasq.d' directories are in the '/mnt/.configs/pihole/'
      # directory, to keep my home directory a bit more tidy.
    healthcheck:
      test:
        - CMD
        - curl
        - -f
        - http://192.168.1.5/admin/
      interval: 10s
      timeout: 10s
      retries: 5
    networks:
      Internal:
        ipv4_address: 172.28.0.3
      mynet192:
        ipv4_address: 192.168.1.5
    volumes:
      - /mnt/.configs/pihole/etc-pihole/:/etc/pihole/
      - /mnt/.configs/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # NET_ADMIN is only needed if using Pi-hole as a DHCP server
    #cap_add:
    #  - NET_ADMIN
    restart: unless-stopped
networks:
  mynet192:
    external: true
  Internal:
    external: true

I added the Internal network so that the Docker host Pi-hole resides on can also use this Pi-hole instance: mynet192 is a MACVLAN network, and traffic between the host and its own MACVLAN containers is blocked by a kernel restriction.

Download/configure/build the Pi-hole container:

docker-compose -f ./pihole.yaml up -d

If you didn’t set a WEBPASSWORD in the yaml file, log into the Pi-hole container and set it:

docker exec -it pihole /bin/bash

And from within the Pi-hole Docker container:

pihole -a -p

Log into the web GUI at http://[Docker IP]/admin/

Initial web GUI

The oisd domain blocklist has a LOT of domains, and it is advertised to be free of false positives, so we'll add it, then update Gravity (Pi-hole's compiled list of blocked domains).

The address to add is https://dbl.oisd.nl

Pi-hole Adlist group management

Pi-hole Update Gravity list

After adding the adlist from https://oisd.nl, we're now blocking almost 20x as many domains!

Pi-hole number of domains on blocklist

Now that Pi-hole is set up and running, go into your router and change the DNS server IP address to the IP of the Docker host, in both the router's own settings and its DHCP server settings.

10.10.10.165 is the IP of my Pi-hole Docker container.
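As an added example (not part of the original post or the Pi-hole project), the following POSIX shell script checks the two host-side prerequisites from the systemd-resolved workaround above and then classifies the answers the container gives for a blocked and an allowed name. It assumes dig (dnsutils) is installed and that PIHOLE_IP holds the container's address; the helper functions also work on any constructed input file.

```shell
#!/bin/sh
# Post-deployment checks for the setup described in this post (added example).
# The helper functions work on constructed input; the live checks at the
# bottom run only when PIHOLE_IP is set (assumes 'dig' from dnsutils).

# Is the systemd-resolved stub listener really off in the given resolved.conf?
# Only an uncommented "DNSStubListener=no" counts: the shipped default line
# "#DNSStubListener=yes" is a comment, so the stub stays enabled.
stub_listener_disabled() {
    grep -Eq '^[[:space:]]*DNSStubListener[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Does the given /etc/resolv.conf symlink point at the real upstream file
# rather than the stub resolver's copy?
resolv_conf_relinked() {
    [ "$(readlink "$1")" = "/run/systemd/resolve/resolv.conf" ]
}

# Classify a 'dig +short' answer. In Pi-hole's default NULL blocking mode a
# blocked name answers 0.0.0.0 (or :: for AAAA); an empty answer means no
# usable reply (NXDOMAIN, SERVFAIL or timeout), which is reported separately.
classify_answer() {
    case "$1" in
        "")           echo no-answer ;;
        0.0.0.0|::)   echo blocked ;;
        *)            echo allowed ;;
    esac
}

# Query the Pi-hole container directly and print the verdict for one name.
live_check() {
    answer=$(dig +short +time=2 +tries=1 @"$1" "$2" A | tail -n1)
    printf '%-24s %s\n' "$2" "$(classify_answer "$answer")"
}

if [ -n "${PIHOLE_IP:-}" ]; then
    if stub_listener_disabled /etc/systemd/resolved.conf; then
        echo "OK: stub listener disabled"
    else
        echo "WARNING: stub listener still enabled; port 53 may be taken"
    fi
    resolv_conf_relinked /etc/resolv.conf \
        && echo "OK: resolv.conf relinked" || echo "WARNING: resolv.conf not relinked"
    live_check "$PIHOLE_IP" doubleclick.net   # ad-serving domain: expect blocked if on your adlists
    live_check "$PIHOLE_IP" pi-hole.net       # expect allowed
fi
```

Run it as PIHOLE_IP=10.10.10.165 sh check-pihole.sh from the Docker host; a "no-answer" verdict for both names usually means the container is not listening on port 53 at that address yet.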

Before and after screenshots (mobile)

Mobile screenshot before Pi-hole

Mobile screenshot after Pi-hole

Mobile screenshot before Pi-hole

Mobile screenshot after Pi-hole

Before and after screenshots (Windows 10)

Desktop screenshot before Pi-hole

Desktop screenshot after Pi-hole

References

Pi-hole - Network-wide Ad blocking https://pi-hole.net/