So DNS Black-holing is not new obviously, and what stands out as the go to solution? Pihole probably… and yeah thats what im using because hey its a popular choice. Though I am running it in docker. Combining that with Unbound (also in docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.
Wondering what you guys might be using, and if you are using Pihole and/or Unbound if you have any tips on configuration.
Happy to share my config if there is interest.
If you don’t mind DM’ing me or dropping it in a comment here it would be greatly appreciated! The docker engine isn’t something entirely new to me so i’m a bit skeptical into thinking that i missed something but always happy to compare with others, actually Docker is what pushed me to switch fully to Linux on my personal computers.
Snippet from my docker-compose.yml:
pihole: container_name: pihole hostname: pihole image: pihole/pihole:latest networks: main: ipv4_address: 172.18.0.25 # For DHCP it is recommended to remove these ports and instead add: network_mode: "host" ports: - "53:53/tcp" - "53:53/udp" - "127.0.0.1:67:67/udp" # Only required if you are using Pi-hole as your DHCP server - "127.0.0.1:85:80/tcp" - "127.0.0.1:7643:443" environment: TZ: 'America/Vancouver' FTLCONF_webserver_api_password: 'insert-password-here' FTLCONF_dns_listeningMode: 'all' # Volumes store your data between container upgrades volumes: - './config/pihole/etc-pihole:/etc/pihole' - './config/pihole/etc-dnsmasq.d:/etc/dnsmasq.d' - '/etc/hosts:/etc/hosts:ro' # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities cap_add: - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed - CAP_SYS_TIME - CAP_SYS_NICE - CAP_CHOWN - CAP_NET_BIND_SERVICE - CAP_NET_RAW - CAP_NET_ADMIN restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.pihole.rule=Host(`pihole.my.domain`)" - "traefik.http.routers.pihole.entrypoints=https" - "traefik.http.routers.pihole.tls=true" - "traefik.http.services.pihole.loadbalancer.server.port=80" - "traefik.http.routers.pihole.middlewares=fail2ban@file" unbound: image: alpinelinux/unbound container_name: unbound hostname: unbound networks: main: ipv4_address: 172.18.0.26 ports: - "127.0.0.1:5334:5335" volumes: - ./config/unbound/:/var/lib/unbound/ - ./config/unbound/unbound.conf:/etc/unbound/unbound.conf - ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/ - ./config/unbound/log/unbound.log:/var/log/unbound/unbound.log restart: unless-stoppedEdit: After re-reading the Unbound github and their documentation it seems i may have missed some volume mounts that are key to the function of Unbound, i’ll definitely have to dive deeper into it.