chriscrowe / docker-pihole-unbound

Run Pi-Hole + Unbound on Docker
1.08k stars 286 forks source link

unbound SERVFAIL when using macvlan in one container option #84

Open kevindd992002 opened 3 years ago

kevindd992002 commented 3 years ago

I want to be able to use the one container option method together with macvlan. The reason for using macvlan is I want my DNS server (pihole + unbound) to have its own IP address in the host network separate from the host IP. So I have this docker compose:

  pihole-unbound:
    container_name: pihole-unbound
    image: cbcrowe/pihole-unbound:latest
    hostname: pihole-unbound.condo.arpa
    domainname: condo.arpa
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-file: ${DOCKERLOGGING_MAXFILE}
        max-size: ${DOCKERLOGGING_MAXSIZE}
    labels:
      - "org.hotio.pullio.update=${PULLIO_UPDATE}"
      - "org.hotio.pullio.notify=${PULLIO_NOTIFY}"
      - "org.hotio.pullio.discord.webhook=${PULLIO_DISCORD_WEBHOOK}"
      - "org.hotio.pullio.author.avatar=https://raw.githubusercontent.com/causefx/Organizr/v2-master/plugins/images/tabs/bazarr.png"
    mac_address: fa:af:f7:2e:f5:99
    networks:
      physical_macvlan_network:
        ipv4_address: 192.168.20.102
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - ServerIP=192.168.20.102
      - WEBPASSWORD={redacted}
      - PIHOLE_DNS_=127.0.0.1#5335;127.0.0.1#5335
      - DNSSEC=true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${DOCKERCONFDIR}/pihole-unbound/etc-pihole-unbound:/etc/pihole
      - ${DOCKERCONFDIR}/pihole-unbound/etc-dnsmasq-unbound.d:/etc/dnsmasq.d

With this config, unbound does not reply to DNS queries from the localhost, most probably because unbound sees the source IP of the query as not coming from localhost but from the macvlan IP that I assigned to the container:

root@pihole-unbound:/# dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62241
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Oct 28 17:17:25 PST 2021
;; MSG SIZE  rcvd: 40

If that's the case, the /etc/unbound/unbound.conf.d/pi-hole.conf file needs to be edited to include an access-list: 192.168.20.102/32 allow entry. However, I don't know how to edit the pi-hole.conf file inside the container without it being overwritten upon container update or restart. If I include this volume: - ${DOCKERCONFDIR}/pihole-unbound/etc-unbound.conf.d:/etc/unbound/unbound.conf.d it deletes all the conf files in that directory inside the container.

I also want to be able to use DNS-over-TLS with this container so unbound will act as a forwarder like the one explained in your two container option. Which file do I edit for this? unbound.sh? If so, where is that file? Do I need a volume for that?

P.S. I'm not a Linux expert and I only know the basic of docker containers.

Nyurael commented 2 years ago

Any fix or workaround? Having the same problem, since i also run the container in macvlan and pihole is calling google dns instead of unbound.