pi-hole / docker-pi-hole

Pi-hole in a docker container
https://pi-hole.net

Top client shows only one IP (which I don't even recognize) #135

Closed arsaboo closed 2 years ago

arsaboo commented 7 years ago

I started using this image on my Synology NAS and have been very happy with it...thanks a ton!

I just have one issue that I am not able to resolve: in the Top Clients section, I see all the requests from one IP address (172.17.0.1). This is particularly interesting, given that 172.17.0.1 is not an IP from my network (at least I don't recognize it). All the IP addresses in my local network have the format 192.168.2.*. I was hoping that I could see the requests per IP address. I am using an Asus router with Merlin firmware (if that helps). I am not sure if it is a bug or something that I need to fix at my end. Thanks for looking into it.

AzureMarker commented 7 years ago

Is your Pi-hole accessible from the internet? Run pihole -d for a debug token.

Actually, that is a Docker internal IP address. @diginc would know more about why it's the only client.

arsaboo commented 7 years ago

Here's the debug token - smtw8e6m6a

Let me know if you want me to paste the log here. Thanks!

diginc commented 7 years ago

When a router cannot directly hand out DNS, the only option is to have it relay. Mine does this too, where my clients still point to my router and my router points to the pihole. The real addresses of the clients are lost in the process.

arsaboo commented 7 years ago

That is unfortunate. Here are few threads that I stumbled upon (although none of them are using a docker container): https://www.reddit.com/r/pihole/comments/4rdg5m/top_clients_only_shows_router_ip/ https://www.reddit.com/r/pihole/comments/5gz6dz/trouble_getting_docker_based_pihole_to_work/

I guess, we will have to live with that.

diginc commented 7 years ago

@Mcat12 pointed out that is the docker gateway IP address so the router explanation isn't quite right.

What is your docker run command and what is the output of docker logs pihole | head -35

Also what version of docker?

arsaboo commented 7 years ago

I am using the latest version of Docker (1.11.2-0.325) on my Synology NAS and the latest version of the image that was released 8/10 hours back. I used the GUI to initiate the container. Here are the settings:

{
  "cap_add": [],
  "cap_drop": [],
  "cmd": "",
  "cpu_priority": 0,
  "ddsm_bind_share": "",
  "devices": [],
  "enable_publish_all_ports": false,
  "enable_restart_policy": false,
  "enabled": true,
  "env_variables": [{
    "key": "TZ",
    "value": "America/New_York"
  }, {
    "fixed": false,
    "key": "PATH",
    "value": "/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  }, {
    "fixed": false,
    "key": "IMAGE",
    "value": "debian"
  }, {
    "fixed": false,
    "key": "setupVars",
    "value": "/etc/pihole/setupVars.conf"
  }, {
    "fixed": false,
    "key": "PIHOLE_INSTALL",
    "value": "/tmp/ph_install.sh"
  }, {
    "fixed": false,
    "key": "S6OVERLAY_RELEASE",
    "value": "https://github.com/just-containers/s6-overlay/releases/download/v1.19.1.1/s6-overlay-amd64.tar.gz"
  }, {
    "fixed": false,
    "key": "PHP_ENV_CONFIG",
    "value": "/etc/lighttpd/conf-enabled/15-fastcgi-php.conf"
  }, {
    "fixed": false,
    "key": "PHP_ERROR_LOG",
    "value": "/var/log/lighttpd/error.log"
  }, {
    "fixed": false,
    "key": "IPv6",
    "value": "True"
  }, {
    "fixed": false,
    "key": "S6_LOGGING",
    "value": "0"
  }, {
    "fixed": false,
    "key": "S6_KEEP_ENV",
    "value": "1"
  }, {
    "fixed": false,
    "key": "S6_BEHAVIOUR_IF_STAGE2_FAILS",
    "value": "2"
  }],
  "exporting": false,
  "id": "9375e5086f75a3734f20be6990ff937c748e7880831ac41f1d14627131ca3877",
  "image": "sha256:bf10d7dce4f463173db4d932f8aadcb5f4f09a9cef74d0cb5631ad834ae553d9",
  "is_ddsm": false,
  "is_package": false,
  "links": [],
  "memory_limit": 0,
  "name": "diginc-pi-hole1",
  "network": [{
    "driver": "bridge",
    "name": "bridge"
  }],
  "port_bindings": [{
    "container_port": 53,
    "fixed": false,
    "host_port": 53,
    "type": "tcp"
  }, {
    "container_port": 53,
    "fixed": false,
    "host_port": 53,
    "type": "udp"
  }, {
    "container_port": 80,
    "fixed": false,
    "host_port": 7780,
    "type": "tcp"
  }],
  "privileged": false,
  "shortcut": {
    "enable_shortcut": false
  },
  "ulimits": [],
  "use_host_network": false,
  "volume_bindings": [{
    "fixed": false,
    "host_volume_file": "/docker/PiHole",
    "mount_point": "/etc/pihole",
    "type": "rw"
  }],
  "volumes_from": null
}

Here are the logs:

ash-4.3# docker logs diginc-pi-hole1 | head -35
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
 ::: Starting docker specific setup for docker diginc/pi-hole
ERROR: To function correctly you must pass an environment variables of 'ServerIP' into the docker container with the IP of your docker host from which you are passing web (80) and dns (53) ports from
:::
::: Neutrino emissions detected...
:::
::: Pulling source lists into range... done!
:::
::: Getting raw.githubusercontent.com list... done
:::   Status: Success (OK)
:::   List updated, transport successful!
::: Getting mirror1.malwaredomains.com list... done
:::   Status: Success (OK)
:::   List updated, transport successful!
::: Getting sysctl.org list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting zeustracker.abuse.ch list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting s3.amazonaws.com list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting s3.amazonaws.com list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting hosts-file.net list... done
:::   Status: Not modified

diginc commented 7 years ago

ERROR: To function correctly you must pass an environment variables of 'ServerIP' into the docker container with the IP of your docker host from which you are passing web (80) and dns (53) ports from

Looks like ServerIP didn't get set correctly. This is a known issue I need to address; before, it would cause the docker to die instantly, but s6 doesn't seem to be quitting immediately during container init script errors.

arsaboo commented 7 years ago

I added the ServerIP and it shows in the container details (192.168.2.113 is the NAS IP):

image

diginc commented 7 years ago

Does Synology allow live editing of the environment variables? The "env_variables": [{ block you pasted from your docker inspect does not list ServerIP, yet your screenshot obviously has it. Live editing values without informing the user you have to re-create a container may explain this.

arsaboo commented 7 years ago

The env_variables that I pasted was before I added the ServerIP. After your comment, I added the ServerIP. Here's the updated block:

{
  "cap_add": [],
  "cap_drop": [],
  "cmd": "",
  "cpu_priority": 0,
  "ddsm_bind_share": "",
  "devices": [],
  "enable_publish_all_ports": false,
  "enable_restart_policy": false,
  "enabled": true,
  "env_variables": [{
    "key": "WEBPASSWORD",
    "value": "REDACTED"
  }, {
    "fixed": false,
    "key": "ServerIP",
    "value": "192.168.2.113"
  }, {
    "fixed": false,
    "key": "TZ",
    "value": "America/New_York"
  }, {
    "fixed": false,
    "key": "PATH",
    "value": "/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  }, {
    "fixed": false,
    "key": "IMAGE",
    "value": "debian"
  }, {
    "fixed": false,
    "key": "setupVars",
    "value": "/etc/pihole/setupVars.conf"
  }, {
    "fixed": false,
    "key": "PIHOLE_INSTALL",
    "value": "/tmp/ph_install.sh"
  }, {
    "fixed": false,
    "key": "S6OVERLAY_RELEASE",
    "value": "https://github.com/just-containers/s6-overlay/releases/download/v1.19.1.1/s6-overlay-amd64.tar.gz"
  }, {
    "fixed": false,
    "key": "PHP_ENV_CONFIG",
    "value": "/etc/lighttpd/conf-enabled/15-fastcgi-php.conf"
  }, {
    "fixed": false,
    "key": "PHP_ERROR_LOG",
    "value": "/var/log/lighttpd/error.log"
  }, {
    "fixed": false,
    "key": "IPv6",
    "value": "True"
  }, {
    "fixed": false,
    "key": "S6_LOGGING",
    "value": "0"
  }, {
    "fixed": false,
    "key": "S6_KEEP_ENV",
    "value": "1"
  }, {
    "fixed": false,
    "key": "S6_BEHAVIOUR_IF_STAGE2_FAILS",
    "value": "2"
  }],
  "exporting": false,
  "id": "9375e5086f75a3734f20be6990ff937c748e7880831ac41f1d14627131ca3877",
  "image": "sha256:bf10d7dce4f463173db4d932f8aadcb5f4f09a9cef74d0cb5631ad834ae553d9",
  "is_ddsm": false,
  "is_package": false,
  "links": [],
  "memory_limit": 0,
  "name": "diginc-pi-hole1",
  "network": [{
    "driver": "bridge",
    "name": "bridge"
  }],
  "port_bindings": [{
    "container_port": 53,
    "fixed": false,
    "host_port": 53,
    "type": "tcp"
  }, {
    "container_port": 53,
    "fixed": false,
    "host_port": 53,
    "type": "udp"
  }, {
    "container_port": 80,
    "fixed": false,
    "host_port": 7780,
    "type": "tcp"
  }],
  "privileged": false,
  "shortcut": {
    "enable_shortcut": false
  },
  "ulimits": [],
  "use_host_network": false,
  "volume_bindings": [{
    "fixed": false,
    "host_volume_file": "/docker/PiHole",
    "mount_point": "/etc/pihole",
    "type": "rw"
  }],
  "volumes_from": null
}

diginc commented 7 years ago

Is top client behavior the same still after ServerIP addition? Does the startup log indicate it had any errors?

arsaboo commented 7 years ago

Here are the logs again (no errors now):

ash-4.3# docker logs diginc-pi-hole1 | head -35
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
 ::: Starting docker specific setup for docker diginc/pi-hole
+ [[ REDACTED == '' ]]
+ pihole -a -p REDACTED REDACTED
New password set
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
                        "PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
                        "ServerIP" => "192.168.2.113",
                        "VIRTUAL_HOST" => "192.168.2.113",
Using IPv4 and IPv6
::: Testing DNSmasq config: dnsmasq: syntax check OK.
::: Testing lighttpd config: Syntax OK
::: All config checks passed, starting ...
::: Docker start setup complete - beginning s6 services
:::
::: Neutrino emissions detected...
:::
::: Pulling source lists into range... done!
:::
::: Getting raw.githubusercontent.com list... done
:::   Status: Success (OK)
:::   List updated, transport successful!
::: Getting mirror1.malwaredomains.com list... done
:::   Status: Success (OK)
:::   List updated, transport successful!
::: Getting sysctl.org list... done

eronde commented 7 years ago

Hi,

I have the same issue when I run pi-hole (docker 1.11.2) on my Synology: it only logs an internal IP address of docker and not the IP of the requesting client.

The logs:

dnsmasq: forwarded www.google.com to 8.8.4.4
dnsmasq: forwarded www.google.com to 8.8.8.8
dnsmasq: reply www.google.com is 172.217.17.132
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific setup for docker diginc/pi-hole
+ [[ test == '' ]]
+ pihole -a -p test test
New password set
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
                        "PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
                        "ServerIP" => "192.168.1.12",
                        "VIRTUAL_HOST" => "192.168.1.12",
Using IPv4 and IPv6
::: Testing DNSmasq config: dnsmasq: syntax check OK.
::: Testing lighttpd config: Syntax OK
::: All config checks passed, starting ...
::: Docker start setup complete - beginning s6 services
:::
::: Neutrino emissions detected...
:::
::: Pulling source lists into range... done!
:::
::: Getting raw.githubusercontent.com list... done
:::   Status: Success (OK)
:::   List updated, transport successful!
::: Getting mirror1.malwaredomains.com list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting sysctl.org list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting zeustracker.abuse.ch list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting s3.amazonaws.com list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting s3.amazonaws.com list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: Getting hosts-file.net list... done
:::   Status: Not modified
:::   No changes detected, transport skipped!
::: 
::: Aggregating list of domains... done!
::: Formatting list of domains to remove comments.... done!
::: 133946 domains being pulled in by gravity...
::: Removing duplicate domains.... done!
::: 110427 unique domains trapped in the event horizon.
:::
::: Adding adlist sources to the whitelist... done!

Thanks for looking into it.

diginc commented 7 years ago

https://github.com/diginc/docker-pi-hole/issues/135#issuecomment-303447282 https://github.com/diginc/docker-pi-hole/issues/135#issuecomment-303450984

murugaratham commented 7 years ago

+1, I've configured my router to tell clients to use the docker host IP, which is mapped to the pi-hole container, but I am only seeing 172.17.0.1 for all clients.

I've tried setting my docker host IP 192.168.0.25 as the DNS on my phone and laptop to test, but I can't differentiate clients.

ptxmac commented 7 years ago

I also have this issue. Why was it closed?

diginc commented 7 years ago

Initially I thought it was a router based problem - I'll look into this again.

Any more data people can provide is appreciated so we can start trying to find a common thread. Docker image used, Docker versions, run command, maybe even router version, and if you're a synology or other type of server.

If you don't use your router DHCP DNS and hard code a computer's DNS to pi-hole does it still show the 172.17.0.1 IP?

murugaratham commented 7 years ago

Router: Asus RT-AC88U running asus merlin firmware 380.67

running latest pi-hole image from dockerhub

Pi-hole Version v3.1 (Update available!) Web Interface Version v3.1 FTL Version v2.9.4 Donate if you found this useful.

docker-compose.yml

version: "3"
services:
  pihole:
    container_name: pi-hole
    image: diginc/pi-hole:alpine
    ports:
      - "0.0.0.0:53:53/tcp"
      - "0.0.0.0:53:53/udp"
      - "0.0.0.0:8053:80/tcp"
    environment:
      # enter your docker host IP here
      ServerIP: 192.168.0.25
      VIRTUAL_HOST: imac.local
      VIRTUAL_PORT: 8053
      WEBPASSWORD: redacted
      TZ: Asia/Singapore
    # Add your own custom hostnames you need for your domain
    #extra_hosts:
      #   Point any of the jwilder virtual_host addresses
      # to your docker host ip address
      #- 'imac.local/pihole:192.168.0.25'
    volumes:
      # - '/etc/pihole/:/etc/pihole/'
      # WARNING: if this log don't exist as a file on the host already
      # docker will try to create a directory in it's place making for lots of errors
      # - '/var/log/pihole.log:/var/log/pihole.log'
      - '/Users/user/pihole/:/etc/pihole/'
      - '/Users/user/dnsmasq.d/:/etc/dnsmasq.d/'
    restart: always

And yes, I tried hardcoding the DNS to 192.168.0.25 on my device and it still shows the docker gateway IP instead of the actual client IP.

ramsnerm commented 7 years ago

I am running the same setup on a Synology DS415 with a Ubiquiti USG as router. On the router, the DNS settings point to the pi-hole docker container. Everything runs so far. Some tests with some sites showed me that the filter is working. However, I have the same issue with the IP mapping. I only see the virtual docker IP in the Dashboard but no details, so further investigation is not possible. Did you find any solution or idea where it comes from?

ptxmac commented 7 years ago

I just verified that my clients are using the IP of the host running docker - i.e. the same as what I configured ServerIP to, but it still shows the client as the docker IP. This is most likely due to Docker's bridge networking?

diginc commented 7 years ago

Do the actual dnsmasq logs only show the one docker bridge IP address?

ptxmac commented 7 years ago

The dnsmasq logs shows the queries originating from the docker bridge gateway; in my case:

pihole_1  | dnsmasq: query[A] spectrum.s3.amazonaws.com from 172.19.0.1

172.19.0.1/16 is the bridged network for the pihole container. The container itself has 172.19.0.7, but everything is running on a host with IP 192.168.1.5, which all clients connect to directly.

This probably means it's not possible to see the actual client when using docker with bridged network (the default)
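An added example, not part of the original thread or the project's code: a small check over dnsmasq query lines of the two shapes quoted in this issue that reports whether per-client attribution survives or every query has collapsed onto a Docker bridge gateway address. The function names, the verdict labels, the 0.9 dominance threshold and the use of 172.16.0.0/12 as the Docker default block are assumptions of this sketch, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches both dnsmasq query-line shapes quoted in this thread:
#   dnsmasq: query[A] example.com from 172.19.0.1
#   dnsmasq: 1 192.168.178.2/52616 query[A] example.com from 192.168.178.2
QUERY_RE = re.compile(
    r"dnsmasq: (?:\d+ \S+ )?query\[[A-Za-z0-9]+\] (?P<name>\S+) from (?P<src>\S+)"
)

# Assumption: Docker's default bridge networks are allocated from this block
# (172.17.0.1, 172.19.0.1 and 172.31.224.1 in the thread all fall inside it).
DOCKER_DEFAULT_BLOCK = ipaddress.ip_network("172.16.0.0/12")


def query_sources(lines):
    """Count queries per source address, skipping the resolver's own loopback lookups."""
    counts = Counter()
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue  # forwarded/reply/startup lines carry no client address
        try:
            src = ipaddress.ip_address(match.group("src"))
        except ValueError:
            continue  # truncated or malformed line
        if src.is_loopback:
            continue
        counts[src] += 1
    return counts


def assess_attribution(lines, lan_cidr, dominance=0.9):
    """Classify a log sample as 'bridge-gateway', 'single-source', 'per-client' or 'no-data'."""
    counts = query_sources(lines)
    total = sum(counts.values())
    if total == 0:
        return {"verdict": "no-data", "top_source": None, "share": 0.0, "sources": 0}
    lan = ipaddress.ip_network(lan_cidr)
    top, hits = counts.most_common(1)[0]
    share = hits / total
    if share >= dominance and top in DOCKER_DEFAULT_BLOCK and top not in lan:
        # Queries were source-NATed by the published-port path: the log can no
        # longer tell you which LAN host asked for a given domain.
        verdict = "bridge-gateway"
    elif len(counts) == 1:
        # One LAN address answers for everyone (a relaying router or the host itself).
        verdict = "single-source"
    else:
        verdict = "per-client"
    return {"verdict": verdict, "top_source": str(top), "share": share, "sources": len(counts)}


# Constructed samples modelled on the log lines posted in this thread.
BRIDGED_SAMPLE = [
    "dnsmasq: query[A] www.google.com from 172.17.0.1",
    "dnsmasq: forwarded www.google.com to 8.8.8.8",
    "dnsmasq: reply www.google.com is 172.217.17.132",
    "dnsmasq: query[AAAA] www.google.com from 172.17.0.1",
    "dnsmasq: query[A] pi.hole from 127.0.0.1",
    "pihole_1  | dnsmasq: query[A] spectrum.s3.amazonaws.com from 172.17.0.1",
]
HOST_NETWORK_SAMPLE = [
    "dnsmasq: 1 192.168.2.23/52616 query[A] example.com from 192.168.2.23",
    "dnsmasq: 2 192.168.2.40/40122 query[A] example.org from 192.168.2.40",
    "dnsmasq: 3 192.168.2.23/52617 query[AAAA] example.com from 192.168.2.23",
]
RELAY_SAMPLE = [
    "dnsmasq: 1 192.168.178.2/52616 query[A] example.net from 192.168.178.2",
    "dnsmasq: 2 192.168.178.2/52616 query[AAAA] example.net from 192.168.178.2",
]

if __name__ == "__main__":
    print(assess_attribution(BRIDGED_SAMPLE, "192.168.2.0/24"))
    print(assess_attribution(HOST_NETWORK_SAMPLE, "192.168.2.0/24"))
    print(assess_attribution(RELAY_SAMPLE, "192.168.178.0/24"))
```

A "bridge-gateway" or "single-source" verdict means the query log cannot be used to trace a suspicious domain back to the device that requested it.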

mclambo commented 7 years ago

I tried a hard DNS entry of the docker pi-hole IP address in one of my Windows 10 computers, but it does not know a route to this subnet.

So manually adding a route through the command line seems to work; Pi-hole recognizes my computer. Of course this is suboptimal, because it would require me to manually add this route to all the devices on my network, which range from Windows, Apple and Android to other kinds of gadgets....

Rajackar commented 7 years ago

I can confirm this behaviour as well. Not a real issue for me as the pi-hole itself is working fine. It's just no longer possible to identify individual machines on my network.

fenrir-github commented 7 years ago

my 2cts => docker-proxy

trx1138 commented 6 years ago

this could be docker bug or more specifically, docker synology build's bug.

I have 2 almost identical setups, one on Synology and one on a Linux server, and only the Synology one has this problem (it reports the client's IP as docker's internal one) while running the same image. I'm comparing every possibly related config of both setups and have found no real difference so far.

and because it seems most reports are from synology user, I'm suspecting this could be a bug of v.17.05 or synology's build.

synology: Docker version 17.05.0-ce, build 9f07f0e-synology
linux server: Docker version 17.12.0-ce, build c97c6d6

murugaratham commented 6 years ago

I doubt it's due to synology, I'm running official Mac docker, it's having the same problem too

dajappie commented 6 years ago

If you don’t use Docker’s network bridging for Pihole, but first setup a direct network within Docker settings and use that with the Pihole image you should get the IP’s of the clients.

mclambo commented 6 years ago

Could you elaborate a little bit on this dajappie? What would one need to configure exactly?

diginc commented 6 years ago

@dajappie do you mean running the container with --net=host or creating a separate bridge network with something like...

docker network create --subnet=192.168.90.0/24 hostnetwork
docker run  --net hostnetwork --ip 192.168.90.50 -d ... <rest of stuff>

It's worth noting I always use a docker-compose and that creates a custom network separate from docker's default bridge network (aka docker NAT). Could explain why I never have the problem.

edit: looking back, it seems like people using compose have this problem too. It's more likely because I use an NGINX and/or traefik proxy.

tlewis17 commented 6 years ago

I've been trying to get an NGINX proxy set up and working but haven't been able to quite figure it out with my Docker Swarm stacks. But I'm fairly new to Docker :) Do you have a good sample config of your traefik proxy?

tlewis17 commented 6 years ago

I found one way to do this but it wasn't really ideal with a Docker Swarm.

Compose file. Remove the ports configuration and change to host networking.

services:
  pihole:
    image: ...
    networks:
      - pihole
networks:
  pihole:
    external:
      name: "host"

The major downside to this is the fact that Pihole then takes over port 80 on your entire swarm. Using the config option to change the listening port results in the bug for #229. Even pulling down the dev branch still has this error.

diginc commented 6 years ago

Here is an example of how I use traefik as my proxy; it may be more compatible with swarm as it has some official mentions on docker's documentation pages.

https://github.com/diginc/docker-pi-hole/blob/traefik/traefik-docker-compose-example.md

tlewis17 commented 6 years ago

Honestly, this appears to be a Docker Swarm issue, not anything with your docker container. I checked out your sample compose and I don't see anything different between that and mine that would cause it. I found this open issue on Docker's github: https://github.com/moby/moby/issues/25526

chrisob commented 6 years ago

If it's dnsmasq that's reporting the DNS requests' src. IPs to be docker's bridge IP address, what does this have to do with any reverse proxy, which is only touching web traffic and not DNS?

FWIW, I'm having this same issue while not using a reverse proxy. I'm running Docker version 17.12.1-ce, on Proxmox (pretty much Debian 9.3), and the host is not registered as a swarm node. Here is my docker-compose file (192.168.2.1 is my router, which does further DNS resolution to hosts belonging to the local domain):

    container_name: pihole
    hostname: pihole
    image: diginc/pi-hole
    volumes:
      - pihole-config:/etc/pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    dns:
      - 192.168.2.1
    environment:
      ServerIP:           "${HOST_IP_ADDRESS}"
      TZ:                 "${TZ}"
      DNS1:               "192.168.2.1"
      DNS2:               "192.168.2.1"
      IPv6 :              "False"
      DNSMASQ_LISTENING : "all"
    restart: unless-stopped

khandelwalpiyush commented 6 years ago

Was there any solution to this? Have the exact same problem on my DS918+ Synology NAS with docker

Jeltel commented 6 years ago

I'm having the same issue. Would be nice to see which ip is querying the same domain over and over.

mjraider13 commented 6 years ago

Same issue here. Synology/Docker/Pi-Hole all at latest versions, only shows one client - 172.17.0.1. Any thoughts on a resolution?

riker09 commented 6 years ago

I'm having the same issue, but on a QNAP nas. I believe the Docker version is 17.07. I would have to look the exact value up, but reading this thread makes me think that the issue lies somewhere else.

Client IP is 172.31.224.1 in my case.

riker09 commented 6 years ago

I made a little progress. With this docker-compose.yml configuration:

version: '2'
services:
  pihole:
    image: diginc/pi-hole
    container_name: pihole
    restart: unless-stopped
    environment:
      - ServerIP=192.168.178.2
      - TZ=Europe/Berlin
      - WEBPASSWORD=MyPassword
      - DNS1=9.9.9.9
      - DNS2=1.1.1.1
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "88:80/tcp"
    volumes:
      - pihole:/etc/pihole/
      - dnsmasq:/etc/dnsmasq.d/
    networks:
      default:
        ipv4_address: 192.168.178.4

volumes:
  pihole:
  dnsmasq:

networks:
  default:
    driver: qnet
    ipam:
      driver: "qnet"
      options:
        iface: "eth0" 
      config:
        - subnet: 192.168.178.1/24
          gateway: 192.168.178.1

Now the client IP is not the Docker gateway bridge IP but the IP of the NAS itself. Still no individual clients, though...

Here's some log output:


dnsmasq: 1 192.168.178.2/52616 query[A] upnp.sd2.1und1.de from 192.168.178.2
dnsmasq: 1 192.168.178.2/52616 forwarded upnp.sd2.1und1.de to 1.1.1.1
dnsmasq: 1 192.168.178.2/52616 forwarded upnp.sd2.1und1.de to 9.9.9.9
dnsmasq: 1 192.168.178.2/52616 reply upnp.sd2.1und1.de is NXDOMAIN
dnsmasq: 2 192.168.178.2/52616 query[A] kldsjflkasdjfkl.de from 192.168.178.2
dnsmasq: 2 192.168.178.2/52616 forwarded kldsjflkasdjfkl.de to 1.1.1.1
dnsmasq: 3 192.168.178.2/52616 query[AAAA] kldsjflkasdjfkl.de from 192.168.178.2
dnsmasq: 3 192.168.178.2/52616 forwarded kldsjflkasdjfkl.de to 1.1.1.1
dnsmasq: 2 192.168.178.2/52616 reply kldsjflkasdjfkl.de is NXDOMAIN
dnsmasq: 3 192.168.178.2/52616 reply kldsjflkasdjfkl.de is NXDOMAIN
dnsmasq: 4 127.0.0.1/36612 query[A] pi.hole from 127.0.0.1
dnsmasq: 4 127.0.0.1/36612 /etc/pihole/local.list pi.hole is 192.168.178.2

StefanSchoof commented 6 years ago

I have this issue, too. I think this is ipv6 related.

If I run

dig ipv4.example.com @Ipv4OfMyDocketHost
dig ipv6.example.com @Ipv6OfMaDockerHost

and look into the querylog and search for example.com I see the client name of my ipv4 query and 172.17.0.1 for the Ipv6OfMaDockerHost query.

ShawnMcGough commented 6 years ago

I was able to work around this bug by following these instructions:

http://tonylawrence.com/post/unix/synology/running-pihole-inside-docker/

Note that a different set of issues (all cosmetic as far as I can tell) will crop up, as documented here: #197

StefanSchoof commented 6 years ago

I think this is caused by IPv6 publish forwards incorrect ip

darktorana commented 6 years ago

Using Docker on Windows and Kitematic for the install, I have the same issue of Pi-Hole showing 172.17.0.X as the only client. All computers have DNS set to go straight to the host machine (192.168.2.254), and are not going via the router.

I tried ShawnMcGough's solution, however the server refuses to boot saying the ServerIP is not a valid IP (it is).

Need any logs or anything let me know.

skaldenhoven commented 5 years ago

Have been running 2 setups. 1 is running inside a docker on a VM on Windows Hyper-V. The Guest OS of the VM is CentOS 7.6. Inside a pihole Docker container is running with the following command. In this instance no issues with the Client addresses. All addresses are shown for clients and resolved by the DHCP server of my router (pfSense) with a conditional forward.

docker run -d --name pihole \
-p 53:53/tcp -p 53:53/udp \
-p 80:80 -p 443:443 \
-e ServerIP=172.16.2.76 \
-e WEBPASSWORD=securepassword \
-e DNS1=208.67.222.222 \
-e DNS2=1.1.1.1 \
-e VIRTUAL_HOST=pihole1.internal.lan \
-e TZ=Europe/Amsterdam \
--cap-add=NET_ADMIN \
-v pihole-config:/etc/pihole/ \
-v pihole-dnsmasq:/etc/dnsmasq.d/ \
--dns=127.0.0.1 \
--dns=208.67.222.222 \
--dns=1.1.1.1 \
pihole/pihole:latest

Then for the second PiHole running on my Synology NAS which is having the problems as described in this issue. Since you cannot pass the --dns options with the Docker GUI (Yes you could mount a custom resolv.conf) nor set --cap_add=NET_ADMIN I'm starting this from the CLI of the Synology.

docker run -d --name Pi-Hole1 \
-p 53:53/tcp -p 53:53/udp \
-p 80:80 -p 443:443 \
--cap-add=NET_ADMIN \
-e ServerIP=172.16.2.90 \
-e WEBPASSWORD=securepassword \
-e DNS1=208.67.222.222 \
-e DNS2=1.1.1.1 \
-e VIRTUAL_HOST=pihole2.internal.lan \
-e TZ=Europe/Amsterdam \
-v /volume1/docker/pihole/config:/etc/pihole/ \
-v /volume1/docker/pihole/dnsmasq:/etc/dnsmasq.d/ \
--dns=127.0.0.1 \
--dns=208.67.222.222 \
--dns=1.1.1.1 \
pihole/pihole:latest

In this case as a client I only see 172.17.0.1 which is the Docker gateway IP.

However I managed to get it to work when starting it with --net=host

docker run -d --name Pi-Hole1 \
--network host \
--cap-add=NET_ADMIN \
-e ServerIP=172.16.2.90 \
-e WEBPASSWORD=securepassword \
-e DNS1=208.67.222.222 \
-e DNS2=1.1.1.1 \
-e VIRTUAL_HOST=pihole2.internal.lan \
-e TZ=Europe/Amsterdam \
-v /volume1/docker/pihole/config:/etc/pihole/ \
-v /volume1/docker/pihole/dnsmasq:/etc/dnsmasq.d/ \
--dns=127.0.0.1 \
--dns=208.67.222.222 \
--dns=1.1.1.1 \
pihole/pihole:latest

So it seems as if it is more related to the implementation of Docker on Synology than to this container itself. I also had it running in a container on an Ubuntu 16.04 server and this one also had no issues.

docker run -d --name pihole \
-p 53:53/tcp -p 53:53/udp \
-p 80:80 -p 443:443 \
--cap-add=NET_ADMIN \
-e ServerIP=10.20.40.1 \
-e WEBPASSWORD=securepassword \
-e DNS1=208.67.222.222 \
-e DNS2=1.1.1.1 \
-e VIRTUAL_HOST=pihole3.internal.lan \
-e TZ=Europe/Amsterdam \
-v pihole-config:/etc/pihole/ \
-v pihole-dnsmasq:/etc/dnsmasq.d/ \
--dns=127.0.0.1 \
--dns=208.67.222.222 \
--dns=1.1.1.1 \
pihole/pihole:latest

Jeltel commented 5 years ago

@skaldenhoven That works :) I've now got local ip's and with the Conditional Forwarding option, also local names. Very nice.

skaldenhoven commented 5 years ago

Have been testing a bit more and it seems to be related to iptables. Whenever you don't use --net host but use port forwarding and you have a rule which is related to port 53, then it shows the internal docker address. Tested it by starting a docker on a remote VPS where by default traffic is allowed if not blocked explicitly. Request made and shows in log with external IP. Then just added a pass rule for udp/tcp 53 in the incoming chain (which in effect doesn't do anything since I could already use it) and the request shows up with the docker gateway.

Then I think I found it. I usually block access to ports from docker containers in the DOCKER chain in iptables. I now used an inverse rule so to drop traffic if the source does not equal my trusted hosts and it keeps working.

Not sure exactly what is going wrong within iptables but it's related to that setup. In my other post the machine with CentOS has no iptables installed on it. (It's internal)

argoneus commented 5 years ago

@skaldenhoven Thanks, --network host fixed the issue for me as well!

RmigD commented 5 years ago

How can I add this via the container settings?

skaldenhoven commented 5 years ago

How can I add this via the container settings?

If using the Synology Docker interface, for the --network host option you would have to choose host networking instead of bridged. However, the PiHole container won't start without the --dns and --cap-add options, so you will have to use the CLI of your Synology as described in my post from Jan 26.