trustworth.ee A most trustworth.ee corner of the Internet.

Running Docker Pihole on Synology Diskstation Manager v 7

2023-08-17

Background

I run a fair bit of OpenBSD in my home network. At this time, my firewall setup runs a chain of Unbound (with RPZ to block ads) to NSD (to maintain my internal domain hosts) to dnscrypt_proxy (to send my recursive queries to external hosts).

The unbound portion of this work is kinda clunky and homegrown. It was essentially trying to emulate a pihole setup that I didn’t want to dedicate hardware or an OpenBSD vmm to.

This page describes an incremental move away from that approach: I start by implementing pihole and forwarding everything to my router DNS service; since pihole will block everything that unbound would block, unbound will thus serve to either do local name resolution for my internal domain (lan.ckure.com) or send to the recursive upstream resolvers via dnscrypt_proxy.

Requirements

A Synology NAS
- Run DSM 7 (DSM 7.2-64570 Update 3)
- Container Manager
- A directory to persist docker files (/volume1/docker in my case)
Docker Pihole (pihole/pihole-latest)
- At the time of this writing, pihole is showing:
  - Docker Tag 2023.05.2
  - Pi-hole v5.17.1
  - FTL v5.23
  - Web Interface v5.20.1
My settings
- Docker directory for persisting settings (/volume1/docker)
  - /volume1/docker/pihole/etc-pihole
  - /volume1/docker/pihole/etc-dnsmasq.d

Setup

I decided to execute the pihole/pihole-latest container via a project. I’m not sure if that’s the best approach. But it was pretty straightforward, except that binding pihole to the “host” network wasn’t working. I looked at several things to solve a couple of issues:

If the docker container is within the 172.17.0.0/16 network, clients resolving hostnames are behind the Docker NAT and you only see the internal bridge IP of the NAS as the source of queries. This is not ideal for me, because it complicates troubleshooting family concerns like “why won’t the shopping cart on Costco work?” or “who is trying to resolve that malware domain?”
Since container manager and docker wouldn’t easily join the “host” network, I played a bit with macvlan but it seemed overkill
I am not trying to run DHCP on my Pihole, because my OpenBSD routers are already using more advanced features to map internal domain names to reserved IPs, but you may need to do something like macvlan in order to get DHCP to properly work with your physical interface

Ultimately, I settled on IPTables forwarding of DNS traffic into the Docker network.

With that said, here are the key components of my working setup:

docker.compose

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest

    ports:
      - "53:53/tcp"
      - "53:53/udp"
      # - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "843:80/tcp"
    environment:
      TZ: 'America/New_York'
      WEBPASSWORD: ...
      PIHOLE_DNS_: $InternalDnsIp # eg. '192.168.1.254'
      REV_SERVER: "true"
      REV_SERVER_DOMAIN: $MyInternalDomain # eg. 'lan.ckure.com'
      REV_SERVER_TARGET: $InternalDnsIp # eg. '192.168.1.254'; you need this if you have an internal domain for your hosts
      REV_SERVER_CIDR: $MyLanSubnet # eg. '192.168.1.0/16'; you use this to tell pihole which subnet to send to REV_SERVER_TARGET for local DNS resolution
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    # cap_add:
    #  - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped

scheduled task

In order to get past the container NAT and expose the 192.168.1.0/16 client IP addresses / reverse name lookups in pihole’s “Client” view, I need to add some IP tables rules. To do that, we run a scheduled task on boot: