aleksanderbl29 / docker-pihole-unbound

Run Pi-Hole + Unbound on Docker
https://hub.docker.com/r/aleksanderbl/pihole-unbound

No internet after setup #48

Closed diddiman closed 2 months ago

diddiman commented 6 months ago

So this is probably more of an issue on my side, but any help would be greatly appreciated.

So at the moment I have a Raspberry Pi on IP 192.168.10.168 which is running Pi-hole and unbound. I also have my router running at 192.168.10.1. In my router I have configured 192.168.10.168 as my LAN DNS server.

My compose looks like this:

version: '3.5'

services:
  pihole:
    container_name: "pihole"
    image: aleksanderbl/pihole-unbound:2024.02.0
    hostname: "pihole"
    domainname: "pihole.local"
    ports:
      - "443:443/tcp"
      - "53:53/tcp"
      - "53:53/udp"
      - "81:80/tcp" #Allows use of different port to access pihole web interface when other docker containers use port 80
      - "5335:5335/tcp" # Uncomment to enable unbound access on local server
      # - 22/tcp # Uncomment to enable SSH
    environment:
      FTLCONF_LOCAL_IPV4: "192.168.10.168"
      TZ: "Europe/Stockholm"
      WEBPASSWORD: "my-secret-password"
      WEBTHEME: "default-dark"
      REV_SERVER: true
      REV_SERVER_TARGET: "192.168.10.1"
      REV_SERVER_DOMAIN: "local"
      REV_SERVER_CIDR: "192.168.0.0/16"
      PIHOLE_DNS_: "127.0.0.1#5335"
      DNSSEC: true
      DNSMASQ_LISTENING: single
      HOSTNAME: "pihole"
      DOMAIN_NAME: "pihole.local"
      VIRTUAL_HOST: "pihole.box"
    dns:
      - 127.0.0.1
    volumes:
      - "/home/sami/pihole/etc-pihole:/etc/pihole:rw"
      - "/home/sami/pihole/etc-dnsmasq:/etc/dnsmasq.d:rw"
    restart: unless-stopped

So the Pi-hole works and all, but for some reason my internet stops working unless I enable another DNS server in Pi-hole. So now I have the setup above, but I have also enabled Google (ECS, DNSSEC) for IPv4.

Any idea what it could be or how to debug this issue?

aleksanderbl29 commented 6 months ago

Hi @diddiman - Thanks for reaching out.

To my eyes, your compose file looks just fine. I have a couple of ideas of what could be causing the issue.

It sounds like the issue is either in the connection between Pi-hole and unbound (in the container itself) or in unbound's DNS resolution.

When I first deployed the original Pi-hole container I had an issue with the built-in resolved in Ubuntu interfering, so there is a possibility that that could be it as well.

To help you debug the issue you can go through the following few steps either all together or separately:

Let me know how it goes and I'm happy to help if none of my suggestions remedies the issue.

diddiman commented 5 months ago

Hi again @aleksanderbl29, really appreciate your time here!

Generated the debug log, don't really see anything obvious myself (this is after the changes suggested): debug_no_internet.log

And to summarize my changes, just to make sure they look correct

And with the above changes I unfortunately get the same behavior!

aleksanderbl29 commented 5 months ago

Hi @diddiman - Happy to help :)

From the debug log it seems that Pi-hole is functioning properly, as you have concluded, but unbound does not seem to be responding correctly.

The changes seem to be correct. That is approximately how I run it.

Please try setting DNSSEC=false for testing

Do you have other DNS services running on your install? Something like systemd-resolved or dnsmasq?

I have found these suggestions from Pi-hole that you can follow as well - I would run them inside the container with docker exec -it

diddiman commented 5 months ago

Hi!

Setting DNSSEC to false does not seem to do anything.

Do you have other DNS services running on your install? Something like systemd-resolved or dnsmasq?

Should not be anything like that running.

So when I do it from the machine I run Pi-hole on:

; <<>> DiG 9.16.48-Raspbian <<>> google.com localhost -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

;; connection timed out; no servers could be reached

And I get the same for all 3.

If I try to do it on my current laptop towards the server I run Pi-hole on:

dig google.com 192.168.10.168 -p 5335
;; communications error to 127.0.0.53#5335: connection refused
;; communications error to 127.0.0.53#5335: connection refused
;; communications error to 127.0.0.53#5335: connection refused

; <<>> DiG 9.18.24 <<>> google.com 192.168.10.168 -p 5335
;; global options: +cmd
;; no servers could be reached

;; communications error to 127.0.0.53#5335: connection refused
;; communications error to 127.0.0.53#5335: connection refused
;; communications error to 127.0.0.53#5335: connection refused
;; no servers could be reached

I have found these [suggestions from Pi-hole](https://docs.pi-hole.net/guides/dns/unbound/#disable-resolvconfconf-entry-for-unbound-required-for-debian-bullseye-releases) that you can follow as well - I would run them inside the container with docker exec -it

Tried that, but the config locations etc. don't 100% match up, I think? None of the commands really work. However, I noticed that my resolv.conf contains

root@pihole:/etc# cat resolv.conf
nameserver 127.0.0.11
options ndots:0

which I kind of think looks weird for the nameserver, or am I wrong?

aleksanderbl29 commented 5 months ago
root@pihole:/etc# cat resolv.conf
nameserver 127.0.0.11
options ndots:0

which I kind of think looks weird for the nameserver, or am I wrong?

This could be the issue. I usually configure it like

nameserver 1.1.1.1
nameserver 9.9.9.9

And I don't use ndots in my installs, but if that is on purpose you could set that to maybe 1 or 3

diddiman commented 5 months ago

But that is inside the Docker container, so how would I do that in a way that it is persisted after a stop/start? I tried to change it, then stop and start the container, and it is reset back to its original state.

And ignore my previous reply, I missed the @ in the command. (Command run inside the container.)


dig google.com @localhost -p 5335

; <<>> DiG 9.16.48-Debian <<>> google.com @localhost -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32051
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; Query time: 87 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sun Mar 10 22:31:07 CET 2024
;; MSG SIZE  rcvd: 39

aleksanderbl29 commented 5 months ago

Hi again @diddiman - I've been very busy, so sorry for the delay.

I would recommend you try passing a resolv.conf to the container as a volume. It would look something like

volumes:
      - ./resolv.conf:/etc/resolv.conf

Then you can create a custom resolvconf in the directory of your docker-compose file and edit it from there

diddiman commented 5 months ago

Hi! Just appreciate your time, no worries.

:facepalm: of course that's how I'd do that.

So I have my compose looking like this:

version: '3.5'

services:
  pihole:
    container_name: "pihole"
    image: aleksanderbl/pihole-unbound:2024.02.2
    hostname: "pihole"
    domainname: "pihole.local"
    ports:
      - "443:443/tcp"
      - "53:53/tcp"
      - "53:53/udp"
      - "81:80/tcp" #Allows use of different port to access pihole web interface when other docker containers use port 80
      - "5335:5335/tcp" # Uncomment to enable unbound access on local server
      # - 22/tcp # Uncomment to enable SSH
    environment:
      FTLCONF_LOCAL_IPV4: "192.168.10.168"
      TZ: "Europe/Stockholm"
      WEBPASSWORD: "my-secret"
      WEBTHEME: "default-dark"
      REV_SERVER: true
      REV_SERVER_TARGET: "192.168.10.1"
      REV_SERVER_DOMAIN: "local"
      REV_SERVER_CIDR: "192.168.10.0/24"
      PIHOLE_DNS_: "127.0.0.1#5335"
      DNSSEC: false
      DNSMASQ_LISTENING: all
      HOSTNAME: "pihole"
      DOMAIN_NAME: "pihole.local"
      VIRTUAL_HOST: "pihole.box"
    dns:
      - 1.1.1.1
    volumes:
      - "/home/sami/pihole/etc-pihole:/etc/pihole:rw"
      - "/home/sami/pihole/etc-dnsmasq:/etc/dnsmasq.d:rw"
      - "/home/sami/pihole/resolv.conf:/etc/resolv.conf"
    restart: unless-stopped

My /etc/resolv.conf in the container has:

nameserver 1.1.1.1
nameserver 9.9.9.9

But unfortunately I still have the same issue when doing dig from within the container:

root@pihole:/# dig google.com @localhost -p 5335

; <<>> DiG 9.16.48-Debian <<>> google.com @localhost -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; Query time: 107 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Mar 16 18:55:30 CET 2024
;; MSG SIZE  rcvd: 39

aleksanderbl29 commented 5 months ago

This is quite the puzzle

I have retried all of the configs that have been posted in this thread and I can't seem to replicate the issues. It is very strange.

Do you by any chance have other Linux machines where you can try deploying the image? Do you have any firewall rules that could prevent unbound from recursively looking up DNS names?

I would recommend you remove the resolv.conf from your compose file and let it return to the original as it did not seem to do anything.

There is an option of forwarding unbound traffic to a specific external DNS server if everything fails, but that kind of defeats the purpose of unbound (at least as I would intend it to be used here).
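
The hop-by-hop check this thread keeps circling (does unbound answer at all, can it reach the internet on port 53, is the '@' present in the dig command), as an added shell helper. This is example code written for the thread, not part of docker-pihole-unbound. It assumes the container name pihole and unbound on 127.0.0.1#5335 from the compose file above, and uses 198.41.0.4 (a.root-servers.net) as a direct egress test. One caveat it encodes: the compose file publishes 5335 as TCP only and dig defaults to UDP, so a plain dig from the host to port 5335 times out even when unbound is healthy; query from inside the container or add +tcp.

```shell
#!/bin/sh
# Added diagnostic helper for this thread; not part of docker-pihole-unbound.
# Assumptions (taken from the compose file above): the container is named
# "pihole", Pi-hole's dnsmasq listens on :53 and unbound on 127.0.0.1:5335
# inside it. 198.41.0.4 is a.root-servers.net; querying it directly tests
# whether outbound port 53 works from inside the container at all.

# classify_dig: read one dig run's output on stdin, print a single token.
# The patterns are the ones that appear in this thread: a missing '@' (dig
# then talks to the host stub 127.0.0.53), timeouts, SERVFAIL and NOERROR.
classify_dig() {
  awk '
    /communications error to 127\.0\.0\.53#/            { stub = 1 }
    /connection refused/                                 { refused = 1 }
    /connection timed out|no servers could be reached/   { unreachable = 1 }
    /->>HEADER<<-/ {
      if (match($0, /status: [A-Z]+/)) status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    END {
      if (stub)                     print "WRONG_SERVER"
      else if (status == "NOERROR") print "OK"
      else if (status != "")        print status
      else if (refused)             print "CONN_REFUSED"
      else if (unreachable)         print "TIMEOUT"
      else                          print "UNKNOWN"
    }'
}

# explain: one line of interpretation per token.
explain() {
  case "$1" in
    OK)           echo "answered: this hop works" ;;
    WRONG_SERVER) echo "query went to the systemd-resolved stub (127.0.0.53): the '@' before the server address is missing" ;;
    TIMEOUT)      echo "no reply: nothing listens there, a firewall drops it, or the port is published for TCP only and dig used UDP" ;;
    CONN_REFUSED) echo "connection refused: no service bound to that address/port" ;;
    SERVFAIL)     echo "resolver answered but failed internally: check outbound 53 (root probes below) and DNSSEC state" ;;
    NXDOMAIN)     echo "name does not exist (check the query name)" ;;
    *)            echo "unrecognised output" ;;
  esac
}

# probe LABEL DIG-ARGS...: run $DIG (default: local dig), classify and report.
probe() {
  label=$1; shift
  out=$(${DIG:-dig} +time=3 +tries=1 "$@" 2>&1)
  kind=$(printf '%s\n' "$out" | classify_dig)
  printf '%-30s %-13s %s\n' "$label" "$kind" "$(explain "$kind")"
}

# run_checks: hop by hop, inside the container first, then from the host.
run_checks() {
  echo "## host: anything already bound to port 53? (systemd-resolved stub, dnsmasq, ...)"
  ss -lntup 'sport = :53' 2>/dev/null || netstat -lntup 2>/dev/null | grep ':53 '
  echo
  echo "## inside the container"
  DIG="docker exec pihole dig"
  probe "pihole  @127.0.0.1:53"         @127.0.0.1 -p 53   google.com A
  probe "unbound @127.0.0.1:5335"       @127.0.0.1 -p 5335 google.com A
  probe "root a.root-servers.net (udp)" @198.41.0.4 . NS +norecurse
  probe "root a.root-servers.net (tcp)" @198.41.0.4 . NS +norecurse +tcp
  echo
  echo "## from the host (5335 is published as TCP only in the compose file, so +tcp)"
  DIG="dig"
  probe "unbound host:5335 +tcp"        @127.0.0.1 -p 5335 +tcp google.com A
}

# Only run when invoked with "run"; sourcing the file just defines the functions.
case "${1-}" in run) run_checks ;; esac
```

Run it as `sh dns-hops.sh run` on the Docker host. A SERVFAIL from unbound together with a TIMEOUT on both root probes points at blocked outbound port 53 from the container (the firewall question above); SERVFAIL with the root probes answering points at unbound itself (DNSSEC trust anchor, its config), which is where unbound's own log is the next thing to read.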

diddiman commented 5 months ago

Hmm yeah, very odd indeed

I have a Fedora machine but I get the exact same behavior. I opened the firewall for 53, is that enough? I have also opened 53 on my Pi, which is where I tried to do it first.

I am not sure what this would mean, but I can do

dig reddit.com @localhost -p 53

; <<>> DiG 9.16.48-Debian <<>> reddit.com @localhost -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5328
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;reddit.com.            IN  A

;; ANSWER SECTION:
reddit.com.     251 IN  A   151.101.1.140
reddit.com.     251 IN  A   151.101.193.140
reddit.com.     251 IN  A   151.101.129.140
reddit.com.     251 IN  A   151.101.65.140

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 20 20:51:57 CET 2024
;; MSG SIZE  rcvd: 103

That works. But it does not work against port 5335: dig reddit.com @localhost -p 5335

Edit: Not so interesting after all, 53 I assume is just Pi-hole.

Edit 2: I also tried to just disable the firewall and systemd-resolved on Fedora, no difference.

aleksanderbl29 commented 2 months ago

I am closing this issue. Please throw a comment if there is anything further I can do for you

diddiman commented 1 month ago

Hi again!

Yesterday I updated/reinstalled my Pi from Raspbian 11 to 12. Decided to give this a try again and it worked perfectly. Only had to fix the resolved issue (port 53 in use), and apart from that I used the compose in my first post. Thank you!!
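
The "port 53 in use" conflict in the reply above, and the systemd-resolved question earlier in the thread, as an added shell example; this is not code from the project or from anyone in the thread. It assumes the holder of port 53 is systemd-resolved's stub listener on 127.0.0.53 (the address that showed up in the dig errors above) and applies the change the linked Pi-hole guide describes: DNSStubListener=no in /etc/systemd/resolved.conf, and /etc/resolv.conf pointed at /run/systemd/resolve/resolv.conf, the file resolved writes with the real upstream servers.

```shell
#!/bin/sh
# Added example for this thread, not part of docker-pihole-unbound. It assumes
# the "port 53 in use" conflict is systemd-resolved's stub listener on
# 127.0.0.53:53 and turns that listener off so the container can publish 53.

# port53_holders: show what is bound to :53 on the host, before and after.
port53_holders() {
  ss -lntup 'sport = :53' 2>/dev/null || netstat -lntup 2>/dev/null | grep ':53 '
}

# set_stub_listener_off CONF: put DNSStubListener=no in the [Resolve] section
# of CONF, replacing a commented-out or existing line; idempotent; adds the
# section if the file has none. Rewritten in place through a temp file.
set_stub_listener_off() {
  conf=$1
  tmp=$(mktemp)
  awk '
    /^\[Resolve\]/ { in_resolve = 1; print; next }
    /^\[/          { if (in_resolve && !done) { print "DNSStubListener=no"; done = 1 }; in_resolve = 0 }
    in_resolve && /^[#[:space:]]*DNSStubListener=/ { if (!done) { print "DNSStubListener=no"; done = 1 }; next }
    { print }
    END { if (!done) { if (!in_resolve) print "[Resolve]"; print "DNSStubListener=no" } }
  ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
  rm -f "$tmp"
}

# apply_host_fix: root only. Frees 127.0.0.53:53 and keeps the host resolving
# through the upstream servers resolved learned (not through the container).
apply_host_fix() {
  set_stub_listener_off /etc/systemd/resolved.conf
  systemctl restart systemd-resolved
  ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
  port53_holders
}

case "${1-}" in
  check) port53_holders ;;
  apply) apply_host_fix ;;
esac
```

`sh resolved-stub.sh check` lists what holds port 53; `sh resolved-stub.sh apply` (as root) makes the change. Afterwards the host itself resolves through the servers resolved got from DHCP rather than through Pi-hole; point the host at 192.168.10.168 separately if that is wanted.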

aleksanderbl29 commented 1 month ago

That's great to hear! I only have Ubuntu and Debian installs in my environment, so please let me know if any new errors occur on Raspbian in the future!