sujiba / pihole-unbound-hyperlocal

docker pull sujiba/pihole-unbound-hyperlocal
https://hub.docker.com/r/sujiba/pihole-unbound-hyperlocal

Warnings in Log: so-rcvbuf not granted - DNS resolution is not available #11

Closed bjoern-vh closed 3 months ago

bjoern-vh commented 3 months ago

Hello,

thanks for this project. I have been using it for a few months without any problems and it's great.

Just looking into my docker compose log file I see the following messages:

pihole  | Starting unbound
pihole  | [1717647849] unbound[314:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
pihole  |   [✗] DNS resolution is currently unavailable
  [✗] DNS resolution is not available

I am currently running Debian 12 Bookworm 64-Bit with Docker version 24.0.7, build afdd53b and Docker Compose version v2.21.0. I am using an unprivileged user added to the docker group. The image is pulled to the newest version.

From my perspective all is working as expected. But I am not sure if this is correct because of the messages. Do I have to change something in my config?

My compose file:

---
services:
  pihole-unbound:
    image: ${IMAGE}
    container_name: ${NAME}
    hostname: ${HOSTNAME}
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "${HTTP_PORT}:80/tcp"
    environment:
      TZ: ${TZ}
      WEBPASSWORD: ${WEBPASSWORD}
      PIHOLE_DNS_: ${PIHOLE_DNS}
      DNSSEC: ${DNSSEC}
      CUSTOM_CACHE_SIZE: ${CUSTOM_CACHE_SIZE}
      DNS_BOGUS_PRIV: ${DNS_BOGUS_PRIV}
      DNS_FQDN_REQUIRED: ${DNS_FQDN_REQUIRED}
      TEMPERATUREUNIT: ${TEMPERATUREUNIT}
      WEBTHEME: ${WEBTHEME}
      FTLCONF_MAXDBDAYS: ${MAXDBDAYS}
      FTLCONF_DBINTERVAL: ${DBINTERVAL}
    volumes:
      - ./etc-pihole/:/etc/pihole/
      - ./etc-dnsmasq.d/:/etc/dnsmasq.d/
    restart: unless-stopped

My .env

IMAGE=sujiba/pihole-unbound-hyperlocal:latest
NAME=pihole
HOSTNAME=pihole
HTTP_PORT=81
TZ='Europe/Berlin'
WEBPASSWORD=***removed***
PIHOLE_DNS='127.0.0.1#5335'
DNSSEC=false
CUSTOM_CACHE_SIZE=10000
DNS_BOGUS_PRIV=true
DNS_FQDN_REQUIRED=true
TEMPERATUREUNIT=c
WEBTHEME=default-dark
MAXDBDAYS=30
DBINTERVAL=60

If further info is needed please let me know.

Thanks in advance!

sujiba commented 3 months ago

Hi,

you can find a solution to your first problem over here: https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602

Could you please run the following commands:

docker-compose exec -it pihole-unbound bash
dig github.com @127.0.0.1
dig github.com @127.0.0.1 -p 5335

Do you get a response for both dig commands?

Also run netstat -tulpn on your host. Only root has the privilege to open the first 1024 ports.

bjoern-vh commented 3 months ago

Thanks for your response.

For the first problem, I get a new error message. Writing to /etc/sysctl.conf and rebooting has changed nothing, so I tried to set the value temporarily on the command line:

root@pihole:~# sysctl -w net.core.rmem_max=1048576
sysctl: cannot stat /proc/sys/net/core/rmem_max: No such file or directory

I think that's because my Pihole-Unbound-Hyperlocal is running in an unprivileged LXC in Proxmox VE. I would actually like to assign as few rights as possible. Is there anything you can do anyway?

Output of dig github.com @127.0.0.1:

; <<>> DiG 9.16.48-Debian <<>> github.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.com.            IN  A

;; ANSWER SECTION:
github.com.     60  IN  A   140.82.121.4

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 07 12:11:51 CEST 2024
;; MSG SIZE  rcvd: 55

Output of dig github.com @127.0.0.1 -p 5335:

; <<>> DiG 9.16.48-Debian <<>> github.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1529
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.com.            IN  A

;; ANSWER SECTION:
github.com.     60  IN  A   140.82.121.3

;; Query time: 86 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Jun 07 12:13:00 CEST 2024
;; MSG SIZE  rcvd: 55

Output of netstat -tulpn:

root@pihole:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      520/docker-proxy    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      483/docker-proxy    
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      500/docker-proxy    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      361/master          
tcp6       0      0 ::1:25                  :::*                    LISTEN      361/master          
tcp6       0      0 :::53                   :::*                    LISTEN      526/docker-proxy    
tcp6       0      0 :::22                   :::*                    LISTEN      1/init              
tcp6       0      0 :::80                   :::*                    LISTEN      488/docker-proxy    
tcp6       0      0 :::81                   :::*                    LISTEN      504/docker-proxy    
udp        0      0 0.0.0.0:53              0.0.0.0:*                           543/docker-proxy    
udp6       0      0 :::53                   :::*                                547/docker-proxy    

Thanks in advance again!

bjoern-vh commented 3 months ago

For the first problem, I found a solution: The setting for net.core.rmem_max is now global on the Proxmox VE host for all machines. That's OK for me and my security concerns. The error messages are gone. But the log messages for DNS are still available:

...
pihole  | Starting unbound
pihole  |   [✗] DNS resolution is currently unavailable
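As an added example (not part of the issue or the project), a small POSIX shell helper that parses unbound's so-rcvbuf warning from the compose log and compares the requested buffer with the kernel's net.core.rmem_max. It is meant to be run on the Proxmox/Docker host, since inside the unprivileged LXC /proc/sys/net/core is not writable; the log line is a constructed copy of the one reported above.

```shell
#!/bin/sh
# Added example: triage the "so-rcvbuf ... was not granted" warning from the
# host side instead of trying to change sysctls inside the container.

# Extract "<requested> <granted>" from an unbound warning line.
# Prints nothing if the line is not a so-rcvbuf warning.
parse_rcvbuf_warning() {
    printf '%s\n' "$1" | sed -n \
        's/.*so-rcvbuf \([0-9]*\) was not granted\. Got \([0-9]*\)\..*/\1 \2/p'
}

# Returns 0 when the kernel limit (arg 2) covers unbound's request (arg 1).
rcvbuf_ok() {
    [ "$2" -ge "$1" ]
}

# Live kernel limit; fails in namespaces that do not expose /proc/sys/net/core,
# which is exactly what the unprivileged LXC in the issue shows.
current_rmem_max() {
    cat /proc/sys/net/core/rmem_max 2>/dev/null
}

# Constructed sample, same shape as the warning in the compose log above.
SAMPLE='pihole  | [1717647849] unbound[314:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.'

main() {
    set -- $(parse_rcvbuf_warning "$SAMPLE")
    requested=$1
    granted=$2
    if ! limit=$(current_rmem_max); then
        echo "net.core.rmem_max is not readable here; run this on the host, not in the LXC"
        return 2
    fi
    if rcvbuf_ok "$requested" "$limit"; then
        echo "net.core.rmem_max=$limit satisfies so-rcvbuf=$requested; the warning should be gone"
    else
        echo "net.core.rmem_max=$limit is below $requested (unbound got $granted)"
        echo "host-side fix: sysctl -w net.core.rmem_max=$requested"
    fi
}

# Only run the live check when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Setting the value on the host raises the limit for every container on that host, which is the trade-off the thread settles on.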

sujiba commented 3 months ago

Can you try the following:

Add the resolv.conf as a volume and restart the container.

See also https://github.com/sujiba/pihole-unbound-hyperlocal/blob/main/resolv.conf

bjoern-vh commented 3 months ago

OK, that seems to work :-)

...
pihole  | Starting unbound
pihole  |   [✗] DNS resolution is currently unavailable
  [✓] DNS resolution is now available
...

The comments in your docker-compose.yaml say that you only need this if you have your own network, so I left it commented out because I do not use any other network.

I am happy now. All is working and no errors any more :-)

Thank you so much for your help.

Best wishes and kind regards, Björn

sujiba commented 3 months ago

You're welcome and thank you for your feedback. I'll try to make it clearer.