Closed arsaboo closed 2 years ago
Thanks for replying. I had no issues setting up the container as "host" and starting it from the normal interface. It's showing all the device IPs I also added DNS1, DNS2 and WEB_PORT to the environment variables.
@RmigD could you please show me what your config file looks like? I followed your hint, however I got "[✗] DNS resolution is currently unavailable" in the log.
Just updated to 4.3 and these worked for me after setting the "host" flag:
DNS1 1.1.1.1
DNS2 1.0.0.1
WEB_PORT 8000
ServerIP 192.168.1.10
ServerIP is the NAS's IP in my case. It already exists but is set to 0.0.0.0 by default. Hope it helps.
@RmigD thanks for your reply, I was able to add "DNSMASQ_LISTENING=all" to my config to make it work.
Dears, any solution found for that problem? Is it possible to summarize what we have to do to make it work? I've been struggling with that issue for a couple of months now. Thanks in advance.
any feedback ?
I've never reproduced this problem so I can't speak with any first hand experience...the thread covers all the workarounds people have gotten working. The first is probably the easiest for people to use. The others may help in other cases.
docker run --network host
docker run -e DNSMASQ_LISTENING=all
Any others I'm missing?
I think the root cause is how docker handles ipv6. There is a PR to fix this. In last days there has been some movement, so there is hope this will be solved someday: https://github.com/docker/libnetwork/pull/2023
Dears, I've changed the configuration of my PiHole on the docker via Docker compose, the host is no longer bridged and Pihole has its own IP address (via MacVlan) now; it's the IP address of my gateway that appears, but still only one IP address!
Any recommendation? It seems that "diginc" has found a workaround?
I am using Container Station from QNAP with ServerIP 10.0.0.8 (I set it as bridged) and my QNAP has the 10.0.0.5 IP. Now on the webpage, all the clients come from 10.0.0.5. A couple of months ago this wasn't happening, and I set it exactly the same way. Any clue?
@DrumSergio maybe you or your ISP activate ipv6 in your local network.
I have blocked ipv6 traffic inside my net and it's still happening. How can I know where's the problem so I can fix it?
The reason this happens on Synology NAS and maybe not on other systems is that Synology uses the default Docker configuration of the --userland-proxy parameter, which is set to true.
It is possible to disable userland proxy by editing /var/packages/Docker/etc/dockerd.json, adding "userland-proxy": false, and restarting the Docker daemon using synoservice --restart pkgctl-Docker. On top of that an iptables entry needs to be added: sudo iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER. All courtesy of this synology community post.
Change at your own risk. There is some sparse explanation by Docker at the bottom of the page here
Thanks a lot, I just followed your instructions and it worked flawlessly :-)
FYI: disabling userland-proxy has downsides, like kernel panics: https://github.com/moby/moby/issues/14856
That's why --userland-proxy is still true by default.
I did not need to set any additional iptables rules on my Pi.
I assume this is the right thread.
The Docker Container ignores ServerIP param. This causes my biggest issue (blocked domains get resolved to 0.0.0.0).
I managed to get the client's IP (on Synology NAS) with the following approach.
My only issue is now that the docker container resets the env variable ServerIP to 0.0.0.0.
I hope this is helpful, and someone could help me resolve the 0.0.0.0 address issue.
I've been seeing this issue myself after migrating my Pi-hole docker container from a NanoPi NEO 2 running Armbian, to my Synology NAS.
SSH'ing to the NAS and running this does fix it:
sudo iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
I do see 2 small problems with this:
Update:
This also works fine and with no issues (AFAIK!):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
I got this issue after changing the domain on my router's DHCP server from localdomain to a .haus domain I bought to use for off-site access. Changing my DHCP server back to localdomain fixed the issue.
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:
https://discourse.pi-hole.net/t/docker-incorrect-dns-address-being-sent-to-dhcp-clients/34468/1
I started having this issue too after I updated the pihole container to latest image version on my Raspberry Pi 4.
image ID: "Id" : "sha256:24f57796973015eb47bc616fea3656b23961eb9d639e22b32cd5b4d386173fd3"
Edit: I am using the container only as DNS server, DHCP remains on the router, and it worked like a charm with the previous docker image version with the standard docker compose file. I just changed the time zone in the file and later added the network and router IP as well as the local network domain in the web interface (Conditional Forwarding).
Hey! Does anyone know if this Docker GUI software is available for download?
There are many Synology users here.
I have a similar issue. While the IPs are correct sometimes, they still are the docker host ones most of the time.
They appear as 172.19.0.1 in the logs.
Aug 15 09:36:19 dnsmasq[886]: query[A] v.redd.it from 172.19.0.1
Aug 15 09:36:19 dnsmasq[886]: forwarded v.redd.it to 192.168.178.1
Aug 15 09:36:19 dnsmasq[886]: query[AAAA] v.redd.it from 172.19.0.1
Aug 15 09:36:19 dnsmasq[886]: forwarded v.redd.it to 192.168.178.1
Aug 15 09:36:19 dnsmasq[886]: reply v.redd.it is <CNAME>
Aug 15 09:36:19 dnsmasq[886]: reply reddit.map.fastly.net is NODATA-IPv6
Aug 15 09:36:19 dnsmasq[886]: reply v.redd.it is <CNAME>
Aug 15 09:36:19 dnsmasq[886]: reply reddit.map.fastly.net is 199.232.57.140
I've tested it by using dig to get the IP of another host I found in the logs: dig a.root-servers.net
Using this, my client IP shows up correctly (192.168.178.83).
But when "digging" with IPv6 (dig -6 a.root-servers.net), the client IP changes to the one of the docker host: 172.19.0.1
So it seems to be related to IPv6 and docker. I was not able to fix it as of now :(
Here's my docker-compose.yml if that's useful in some way:
version: "3.8"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "81:80"
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'ItsASecretToEverybody'
      VIRTUAL_HOST: 'pi.hole'
      DNSMASQ_LISTENING: 'all'
    volumes:
      - '/opt/containers/pi-hole/pihole/:/etc/pihole/'
      - '/opt/containers/pi-hole/dnsmasq/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    hostname: "pi-hole"
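A quick way to quantify the symptom in the post above (masked client addresses) from the dnsmasq log, as an added example that is not code from the thread or the Pi-hole project: a POSIX shell/awk helper that counts queries per source address and reports how many were attributed to a Docker gateway or loopback address instead of a LAN client. The gateway addresses are passed as arguments; the sample log lines are constructed in the style of the ones posted above.

```shell
#!/bin/sh
# Constructed sample, in the format of the dnsmasq lines posted above.
SAMPLE_LOG='Aug 15 09:36:19 dnsmasq[886]: query[A] v.redd.it from 172.19.0.1
Aug 15 09:36:19 dnsmasq[886]: forwarded v.redd.it to 192.168.178.1
Aug 15 09:36:19 dnsmasq[886]: query[AAAA] v.redd.it from 172.19.0.1
Aug 15 09:36:19 dnsmasq[886]: reply v.redd.it is <CNAME>
Aug 15 09:36:20 dnsmasq[886]: query[A] a.root-servers.net from 192.168.178.83
Aug 15 09:36:20 dnsmasq[886]: query[A] example.com from 192.168.178.42
Aug 15 09:36:21 dnsmasq[886]: query[A] pi.hole from 127.0.0.1'

# count_queries_by_client: reads dnsmasq log lines on stdin and prints
# "<source ip> <query count>", busiest first. Only "query[TYPE] NAME from IP"
# lines count; forwarded/reply/cached lines are ignored. Fields are taken from
# the end of the line so a syslog hostname prefix does not shift them.
count_queries_by_client() {
    awk 'NF >= 4 && $(NF-1) == "from" && $(NF-3) ~ /^query\[/ { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# masked_query_ratio ADDR...: prints "<masked> <total>", where masked counts
# queries whose source is one of ADDR (Docker bridge gateways such as
# 172.17.0.1, or loopback) rather than a real LAN client.
masked_query_ratio() {
    awk -v addrs="$*" '
        BEGIN { n = split(addrs, a, " "); for (i = 1; i <= n; i++) masked_set[a[i]] = 1 }
        NF >= 4 && $(NF-1) == "from" && $(NF-3) ~ /^query\[/ {
            total++
            if ($NF in masked_set) masked++
        }
        END { printf "%d %d\n", masked + 0, total + 0 }'
}

# client_visibility_check ADDR...: human-readable verdict for the log on stdin.
# Returns 1 when any query arrived via a masked address, so it can gate a cron job.
client_visibility_check() {
    result=$(masked_query_ratio "$@")
    masked=${result% *}; total=${result#* }
    if [ "$total" -eq 0 ]; then
        echo "no query lines found"; return 2
    elif [ "$masked" -eq 0 ]; then
        echo "OK: all $total queries carry a LAN client address"; return 0
    else
        echo "WARN: $masked of $total queries were attributed to a Docker/host address"
        echo "      (clients are hidden behind the bridge; see host networking, userland-proxy"
        echo "      and port-53 PREROUTING rules discussed in this thread)"
        return 1
    fi
}

# Demo on the constructed log; 172.19.0.1 is the bridge gateway from the post above.
printf '%s\n' "$SAMPLE_LOG" | count_queries_by_client
printf '%s\n' "$SAMPLE_LOG" | client_visibility_check 172.19.0.1 127.0.0.1 \
    || echo "exit status $? signals masked clients"
```

On a live system, feed it the real log, e.g. `tail -n 5000 /var/log/pihole.log | client_visibility_check 172.17.0.1 127.0.0.1`, with the gateway taken from `docker network inspect`.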
@PedroLamas Thanks, that seems to be working fine so far. Added a boot-up task in Task Scheduler to ensure it survives reboots. Will report back if I see any side effects.
@lordkev I've had some issues on mine as it would run the script before Docker was ready so I created an "improved" version that runs some checks before doing that change: https://gist.github.com/PedroLamas/db809a2b9112166da4a2dbf8e3a72ae9
Great, looks good. Thanks!
So for me it was simply docker and IPv6. Now I told my router to only promote the IPv4 DNS server (the pi-hole on docker) and it works as intended. Of course one may also activate IPv6 for docker, but this is much more complicated, depends on the router DHCP capabilities, privacy extensions, and if the provider changes the IPv6 range regularly. And I do not see an advantage in it. Of course DNS requests for IPv6 addresses are still served over an IPv4 DNS connection.
I'm using kubernetes, and not bare docker. Is there any fix?
Having the same issue running in Win10 Docker. I've tried a lot of the suggestions above, at least where they seem to apply to the Windows version. My clients do have the IP of my Win10 host as their DNS server and it's functioning properly as far as I can tell but all requests appear to come from the Docker host IP (I assume) 172.17.0.1.
Tried:
I can handle routing an extra network from my router but when it comes to setting Docker up as a bridge and adding that additional network, not sure what to do there yet. Going to keep searching but if anyone has any insights on how to get that done (or if it's even worth pursuing) I'd certainly appreciate it.
Either way it's up and running and getting the base functionality working was quick and easy so I appreciate all the effort from everyone involved. Despite not knowing what devices are making all the requests it's still very cool to see.
@Jimmeroo
I suspect that userland proxy cannot be disabled for Windows. I was not able to find docker official documentation about it, but somebody mentions that on this blog https://www.cceye.com/disable-userland-proxy-it-takes-too-much-cpu-for-localhost-traffic/
The suspicion could also be supported by the lack of that setting in Windows docker.json in https://docs.docker.com/engine/reference/commandline/dockerd/
BTW the location for docker.json for Windows according to the documentation is in %programdata%\docker\config\daemon.json
Also the iptables command is for the Docker host and would not help even if you were able to run it in the container. Since Windows wouldn't be running iptables, this does not apply to you.
TLDR: it is very likely that there is no solution for Windows because userland proxy cannot be disabled there.
Gotcha, thanks very much for the reply. Suppose I'll leave it as-is for now and look into different methods in the future.
Cheers!
I'm having the same issue on Docker Desktop for Mac, and disabling userland-proxy doesn't seem to be available on macOS. https://github.com/moby/moby/issues/14856#issuecomment-238933107
Hi All, I'm using kubernetes and metallb doing load balancing. DNS works but the source Client IP is my internal kubernetes cluster gateway ip 10.42.3.1 Tried the conditional forwarding and also adding the DNSMASQ_LISTENING=all. Anyone have the similar but are getting actual client ip/hostnames?
Hi all,
@mapraez i was in the same case, kub / metallb / pihole and only kub ip address showing
I found "externalTrafficPolicy: Local" was missing in services. Now clients list is right
Hope it helps Thanks to all in this thread.
Anch.
this happens in podman as well. there are several other bugs reported that are basically related to this. ServerIP doesn't matter it seems, and the pi.hole A record is set to the bogus podman/docker/kubernetes internal IP in the container's hosts file
worth noting I'm running podman with dockerless rootless containers...so
Rootless networking...
When using Podman as a rootless user, the network setup is automatic. Technically, the container itself does not have an IP address, because without root privileges, network device association cannot be achieved. in the long run the network shouldn't be trusted in the container.
how do i fix this? this is going to become a more severe issue as time goes on and docker becomes less of a tolerated root process.
Here is my ipv4+ipv6 solution, based on the one by @pedrolamas. The first two commands are for ipv6, the rest is an improvement of the existing ipv4 solution:
sudo ip6tables -t nat -A PREROUTING -p tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination <ipv6-pihole>
sudo ip6tables -t nat -A PREROUTING -p udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination <ipv6-pihole>
sudo iptables -t nat -A PREROUTING -p tcp --dport 53 -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A PREROUTING -p udp --dport 53 -m addrtype --dst-type LOCAL -j DOCKER
Replace <ipv6-pihole> with the address of the pihole container in the docker ipv6 network, which can be checked with docker network inspect or specified by:
services:
  pihole:
    ...
    networks:
      default:
        ipv6_address: <ipv6-pihole>
The solution by @pedrolamas is a bit crude by forwarding every incoming packet to docker, including non-dns ones. To avoid potentially breaking something, these commands only work on port 53 (and therefore require two separate rules for tcp and udp).
Keep in mind that -A means 'append', so running the commands multiple times will create duplicate rules.
Thanks for all in this thread.
Edit: I’m not sure if it’s caused by this change, but I had to disable ipv6 DNS for my android phone, because it repeatedly disconnected.
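The duplicate-rule caveat above can be avoided by checking for each rule with -C before appending it. The following is an added example, not code from the thread or the Pi-hole project: a POSIX shell helper that applies the four port-53 rules from the post above only when they are missing, so a boot task can run it repeatedly. IPT, IP6T, PIHOLE_V6 and APPLY_DNS53_RULES are names chosen for this example; the IPv6 destination is a placeholder to be replaced with the container's address.

```shell
#!/bin/sh
# Idempotent version of the port-53 PREROUTING rules above: each rule is
# checked with "iptables -C" (exit 0 if an identical rule exists) before "-A".
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
# Placeholder: the pihole container's address in the Docker IPv6 network
# (not a value from the thread; take it from "docker network inspect").
PIHOLE_V6="${PIHOLE_V6:-REPLACE_WITH_IPV6_PIHOLE}"

# dns53_rule FAMILY PROTO: prints the nat-table rule spec (chain first, no -A/-C)
# for DNS over PROTO. v4 hands packets to Docker's DOCKER chain and v6 DNATs
# directly to the container's address, exactly as in the post above.
dns53_rule() {
    case "$1" in
        v4) printf '%s\n' "PREROUTING -p $2 --dport 53 -m addrtype --dst-type LOCAL -j DOCKER" ;;
        v6) printf '%s\n' "PREROUTING -p $2 --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination $PIHOLE_V6" ;;
        *)  echo "dns53_rule: unknown family '$1'" >&2; return 1 ;;
    esac
}

# ensure_rule CMD SPEC: append SPEC to CMD's nat table unless an identical rule
# already exists. Prints "present:" or "added:" so a log shows what changed.
ensure_rule() {
    cmd=$1; spec=$2
    # shellcheck disable=SC2086 -- the spec is deliberately word-split into arguments
    if "$cmd" -t nat -C $spec 2>/dev/null; then
        echo "present: $cmd -t nat $spec"
    else
        "$cmd" -t nat -A $spec || return 1
        echo "added:   $cmd -t nat $spec"
    fi
}

# apply_dns53_rules: tcp and udp, IPv4 and IPv6 (four rules, each at most once)
apply_dns53_rules() {
    for proto in tcp udp; do
        ensure_rule "$IPT"  "$(dns53_rule v4 "$proto")" || return 1
        ensure_rule "$IP6T" "$(dns53_rule v6 "$proto")" || return 1
    done
}

# Only touch the firewall when explicitly asked (needs root); by default just
# print the commands that would be applied.
if [ "${APPLY_DNS53_RULES:-0}" = 1 ]; then
    apply_dns53_rules
else
    for proto in tcp udp; do
        echo "$IPT -t nat -A $(dns53_rule v4 "$proto")"
        echo "$IP6T -t nat -A $(dns53_rule v6 "$proto")"
    done
fi
```

Run as `sudo APPLY_DNS53_RULES=1 PIHOLE_V6=<ipv6-pihole> sh dns53-rules.sh`; like the rules in the post, these are not persisted across reboots unless a boot task re-runs the script.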
I'm seeing only ip 172.17.0.1 in my logs. I'm running Pi-hole on Windows 10 WSL2 with Docker desktop. I know this is a Docker default bridge network's gateway IP address. "userland-proxy": false or --net=host doesn't work on Windows & Mac operating systems. So cannot preserve client IP addresses. Is there any other work around?
On Windows systems, Docker is the only way to run Pi-hole .. :(
I'm running pihole in a docker container on a linux machine and also sometimes have 172.22.0.1 as client in my query logs. is there any other fix than switching to host network mode?
host network mode also does not work in my setup. router (Fritzbox) as dhcp and upstream dns and pihole in a docker container. both bridged and host network show localhost, pi.hole or the internal docker host IP as client.
macvlan seems to work much better but i would prefer to have the default (bridged) network. does someone have an idea how to do this?
for all others who want to try macvlan this is my current docker-compose.yml
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: always
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'topsecret'
      PIHOLE_DNS_: '192.168.1.1;fd00::cece:1eff:fea8:6d0'
      DNS_BOGUS_PRIV: 'true'
      DNS_FQDN_REQUIRED: 'true'
      REV_SERVER: 'true'
      REV_SERVER_DOMAIN: 'fritz.box'
      REV_SERVER_TARGET: '192.168.1.1'
      REV_SERVER_CIDR: '192.168.1.0/24'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    networks:
      macvlan_network:
        ipv4_address: 192.168.1.249
networks:
  macvlan_network:
    driver: macvlan
    driver_opts:
      parent: eno1
    ipam:
      driver: default
      config:
        - subnet: 192.168.1.0/24
          ip_range: 192.168.1.248/29
          gateway: 192.168.1.1
@AlBundy33 have you tried applying the firewall rules as described in many posts here? This is the latest one https://github.com/pi-hole/docker-pi-hole/issues/135#issuecomment-881093822
even with these rules i get some localhost, pi.hole or nuc.fritz.box (this is my docker host) clients in the list with domains that are 100% related to my android devices.
I've also found out that macvlan works for the client issue but after using this i can not resolve names from my lan on my docker host (e.g. i cannot resolve diskstation on nuc)
If I understand correctly, you need to create a shim to talk from the host to a docker on macvlan network. Look at the Set up a PiHole using Docker MacVlan Networks guide, specifically the "Enable docker to host communication over macvlan" section.
not sure if this is the right solution. my docker host is called nuc (because it's an intel nuc). for the pihole container i've defined the macvlan to ensure that pihole can resolve all clients correctly.
but if i now ssh into nuc (the docker host) and try to ping diskstation (my physical synology diskstation) the name does not get resolved. if i switch to network_mode host all works as expected but i get a lot of wrong clients (pi.hole, localhost) in my query log even if the requests came from my android tablet. but sometimes the android tablet is listed in the query log as expected.
not sure if this is the right solution. my docker host is called nuc (because it's an intel nuc). for the pihole container i've defined the macvlan to ensure that pihole can resolve all clients correctly.
but if i now ssh into nuc (the docker host) and try to ping diskstation (my physical synology diskstation) the name does not get resolved.
sounds exactly like what the solution is trying to address. When you run pihole docker with macvlan network the host is not able to connect to it due to limitations of macvlan. So if your host (nuc) is not able to reach the macvlan IP address, it is not going to be able to use it for DNS resolution. That is exactly the expected behavior. To fix it, you need to add the macvlan shim as the article states.
if i switch to network_mode host all works as expected
yes, correct, because you are no longer using macvlan, therefore the host (nuc) is able to talk to pihole.
but i get a lot of wrong clients (pi.hole, localhost) in my query log even if the requests came from my android tablet. but sometimes the android tablet is listed jn the query log as expected.
this sounds like your android tablet is set up with two different DNS addresses and is coming in through two different paths. Or something similar. Either way, the problem is not pihole and docker anymore, but your network setup.
thanks for the explanation but because it needs additional setup on the host it is not an option for me because I want to have the complete configuration in my docker-compose.yml. my android devices have an IPv4 and an IPv6 address - maybe they are using different paths but my fritzbox advertises my pihole as IPv6 DNS server as well.
I'm now using network_mode: host and live with some wrongly displayed clients. so this is my current docker-compose.yml
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: always
    network_mode: host
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'foobar'
      PIHOLE_DNS_: '192.168.1.1;fd00::cece:1eff:fea8:6d0'
      WEB_PORT: 3080
      INTERFACE: 'eno1'
      DNS_BOGUS_PRIV: 'true'
      DNS_FQDN_REQUIRED: 'true'
      REV_SERVER: 'true'
      REV_SERVER_DOMAIN: 'fritz.box'
      REV_SERVER_TARGET: '192.168.1.1'
      REV_SERVER_CIDR: '192.168.1.0/24'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
As I've been trying to fix this most of the day, I came across several possible solutions, none of which really seemed to work for me, and I didn't want to use some scheduled task either, when it should be possible without.
What I'm currently running; Synology NAS with Docker (20.10.3-1239) and pi-hole version v5.6 (in Docker the PIHOLE_VERSION environment variable is 2021.11), with an Asus router set as DHCP server
As has been said before, the IP shown in Pi-hole is the IP gateway of docker, rather than the IP-address of the actual client. After seeing the network "host" in docker's "Network" tab, I started looking up how to assign a container to the host network. Turns out this can only be chosen upon creation of the container (in advanced settings) and no longer possible after creation (unlike the other bridge networks). I've followed this guide, mostly for the host network part: http://tonylawrence.com/posts/unix/synology/running-pihole-inside-docker/
After I got my pi-hole up and running, I did 2 more things.
1. Went into my Asus router settings, to Lan - DHCP, where you can fill in the IP-address of the NAS as DNS Server (as Pi-hole is using that same address now). Doing that (for me, at least) worked flawlessly for my phone, but stuff that should be blocked currently still loads on my computer (looking into this still, but beside the point for this issue).
2. Went into my Pi-hole settings ( http://piholeaddress/admin/settings.php?tab=dns ) and enabled Conditional Forwarding and filled in the local network in CIDR notation and the IP-address of my Asus router as DHCP server. This seems to have enabled translation of the IP-addresses into the actual names.
That should get it fixed! TLDR: re-create your Pi-hole container, go into advanced settings, go to "Network" and make sure to check "Use the same network as Docker Host". Update your router's DNS setting (or manually adjust each client's settings) and enable Pi-hole's conditional forwarding. Enjoy ;-)
I have used this solution for a while, but since updating to 5.8.1 (unsure what the version was before) it suddenly does not work anymore and all requests shows as the bridge IP again.
I tried the firewall rules as suggested, but that also does not work.
I can see in the network log that all my old hosts-names are "last seen 13/1" which is the date i updated the docker-container to the newest version. After that date I only see the bridge.
Suggestions?
Try to bind your forwarded dns-ports (53 udp and tcp and maybe 67 tcp) to your default interface. e.g. instead of 53:53/tcp use 192.168.1.123:53:53/tcp (use your correct ip of course and do it for all forwardings).
With this setting it works as expected on my container.
@AlBundy33 Thanks, that seemed to help. :) Don't know what changed to require this change. shrugs At least it works now. Cheers.
I started using this image on my Synology NAS and have been very happy with it...thanks a ton!
I just have one issue that I am not able to resolve: in the Top Clients section, I see all the requests from one IP address (172.17.0.1). This is particularly interesting, given that 172.17.0.1 is not an IP from my network (at least I don't recognize it). All the IP addresses in my local network have the format 192.168.2.*. I was hoping that I could see the requests per IP address. I am using an Asus router with Merlin firmware (if that helps). I am not sure if it is a bug or something that I need to fix at my end. Thanks for looking into it.