Official pihole docker with both DoT (DNS over TLS), DoH (DNS over HTTPS) and unbound clients. Don't browse the web securely and yet still send your DNS queries in plain text!
For docker parameters, refer to official pihole docker readme.
Below is an docker compose example.
version: '3.0'
services:
pihole:
container_name: pihole-dot-doh
image: devzwf/pihole-dot-doh:latest
hostname: pihole1
ports:
- "53:53/tcp"
- "53:53/udp"
- "67:67/udp"
- "82:80/tcp"
environment:
TZ: 'America/Toronto'
#WEBPASSWORD: 'password'
PIHOLE_DNS_: '127.1.1.1#5153;127.2.2.2#5253'
#INTERFACE: 'br0'
FTLCONF_LOCAL_IPV4: '<IP of the docker host>'
FTLCONF_LOCAL_IPV6: ''
IPv6: 'False'
DNSMASQ_LISTENING: 'all'
# Use boxed layout (helpful when working on large screens)
#WEBUI BOXED LAYOUT: 'boxed'
# Volumes store your data between container upgrades
volumes:
- './pihole/:/etc/pihole/'
- './dnsmasq.d/:/etc/dnsmasq.d/'
- './config/:/config'
- './log/pihole/:/var/log/pihole
#Unbound Log if you need it
#- './log/unbound/:/var/log/unbound
cap_add:
- NET_ADMIN
restart: unless-stopped
Unbound has been integrated into the image. Unbound can be used as the only upstream dns server for pihole, while unbound itself has been pre-configured to use stubby and cloudflared as its upstream dns servers.
To use unbound instead of cloudflared and stubby just replace the "Pihole_DNS_" variable with "127.0.0.1#5335".
If you want to change the upstream dns servers for unbound just edit the "forward-records.conf" file in your "/config" mount and comment-out (add a # infront of the "forward-addr") the line and remove the comment for any other dns server like quad9.
By default logging for unbound has been disabled and routed to "/dev/null". This can be changed to "/var/log/unbound/unbound.log" in the "unbound.conf" file in your "/config" mount. After a restart of the container the log should be viewable with the command "docker exec Pihole-DoT-DoH tail -f /var/log/unbound/unbound.log" from the host.
If no logs are collected you might need to enable "log-queries" in the "unbound.conf" file or need to increase the "verbosity"-level in the "unbound.conf" file. If you made sure unbound is running, you should disable logging again and redirect the logfile to "/dev/null" again!
- Remember to set pihole env PIHOLE_DNS_ to use the DoH / DoT / Unbound IP below. If PIHOLE_DNS_ is NOT set, Pihole will use a non-encrypted service.
- DoH service (cloudflared) runs at 127.1.1.1#5153. Uses cloudflare (1.1.1.1 / 1.0.0.1) by default
- DoT service (stubby) runs at 127.2.2.2#5253. Uses google (8.8.8.8 / 8.8.4.4) by default
- Unbound service run at 127.0.0.1#5335
- In addition to the 2 official paths, you can also map container /config to expose configuration yml files for cloudflared (cloudflared.yml) and stubby (stubby.yml).
- Edit these files to add / remove services as you wish. The flexibility is yours.
- Credits:
- Pihole base image is the official pihole/pihole:latest
- Cloudflared client was obtained from official site
- Stubby is a standard debian package
- doh and dot was based from https://github.com/testdasi/pihole-dot-doh
- Joly0 for the unbound integration (https://github.com/Joly0)
- update since other container was falling behind version
Some variables for the example docker compose has been updated reflecting changes of the pi-hole docker container. Changes are:
- "DNS1" and "DNS1" has been replaced with the single variable "PIHOLE_DNS_". You can add multiple dns servers here, separated by a semicolon ;
- "ServerIP" has been replaced with "FTLCONF_LOCAL_IPV4"
- "ServerIPv6" has been replaced with "FTLCONF_LOCAL_IPV6"
- Variable "WEBUI BOXED LAYOUT" with the value "boxed" has been added as an optional variable, as its suggested by the upstream pi-hole docker container as its helpful if you open pi-hole on a large screens