kemonine/lollipopcloud
This repository has been archived on 2022-08-05. You can view files and clone it, but cannot push or open issues or pull requests.
lollipopcloud/services/pi_hole.md

# Pi Hole

Ad blocking at the DNS level. Save yourself that precious data transfer while on the go.

This was chosen as it's designed to run on a Raspberry Pi and... this project is all about that kind of hardware.

NOTE: You may want to put the volumes used in the Docker command(s) below on a filesystem on a USB disk instead of /var, to reduce writes to the micro SD card.

## Inspiration / Further Reading

## Update Unbound

Set up unbound to listen on the Docker LAN so it can be the upstream of Pi Hole.

Add a second `interface:` line to /etc/unbound/unbound.conf:

```text
interface: 172.30.0.1
```

unbound answers only localhost by default, so its access-control must also allow the Docker network that 172.30.0.1 and 172.30.5.5 live on, or the container's queries will be refused.

Restart unbound with `systemctl restart unbound`.

## Set Up Initial Run & Update Script

A simple update script that pulls the latest Pi Hole Docker image, configures it to start automatically, and so on. Note the settings under the `docker run` command: you will need to tweak them lightly, at the very least replacing the placeholder WEBPASSWORD.

Full docs on the run-time parameters can be found in the Pi Hole docs (link).


```bash
# Persistent volumes (see the NOTE above about keeping these off the micro SD card)
mkdir -p /var/pihole/data /var/pihole/dnsmasq.d
cat > /scratch/docker/pi-hole.sh <<EOF
#!/bin/bash

# Pick the image matching the board's CPU
ARCH=\$(arch)
if [ "\$ARCH" = "aarch64" ]
then
    ARCH="arm64v8"
else
    ARCH="arm32v7"
fi

docker pull registry.lollipopcloud.solutions/\$ARCH/pihole

# Replace any existing container (these two fail harmlessly on the first run)
docker stop pihole
docker rm pihole

# DNS1 is the local unbound instance on the Docker LAN.
# WEBPASSWORD is a placeholder: set a real admin password before running this.
# DEBUG=1 makes the container verbose; drop it once everything works.
docker run \\
    --name pihole \\
    --restart unless-stopped \\
    --memory=128m \\
    --net docker-private \\
    --ip 172.30.5.5 \\
    -e ServerIP=172.30.5.5 \\
    -e DNS1=172.30.0.1 \\
    -e DNS2=none \\
    -e WEBPASSWORD=BADPASSWORD \\
    -e DEBUG=1 \\
    -v /var/pihole/data:/etc/pihole \\
    -v /var/pihole/dnsmasq.d:/etc/dnsmasq.d \\
    registry.lollipopcloud.solutions/\$ARCH/pihole

EOF

chmod a+x /scratch/docker/pi-hole.sh
```

## Run Pi Hole

Simply execute `/scratch/docker/pi-hole.sh` to update and (re)start Pi Hole.

## Update LAN(s) to Use Pi Hole

Note: Do NOT update the WAN connections to use Pi Hole. The only 'thing' using the WAN DNS (unbound) should be the main board, which should not be affected by ads. This also simplifies troubleshooting and failure modes: the board won't need a working Docker/Pi Hole to fix problems with Docker/Pi Hole.


```bash
# Ensure *ALL* shared connections use Pi Hole (creative trick with NetworkManager)
cat > /etc/NetworkManager/dnsmasq-shared.d/pi-hole.conf <<EOF
server=172.30.5.5
EOF

# Bounce the LANs to pick up the change
nmcli con down mgmt && nmcli con up mgmt
nmcli con down wifi-ap-50 && nmcli con up wifi-ap-50
nmcli con down wifi-ap-24 && nmcli con up wifi-ap-24
```

## Update Unbound

Give the Pi Hole a name in unbound's local zone so the admin interface is reachable by hostname:

```bash
cat > /etc/unbound/local_zone/pi-hole.conf <<EOF
local-data: "pi-hole A 172.30.5.5"
local-data-ptr: "172.30.5.5 pi-hole"
local-data: "pi-hole.domain.tld A 172.30.5.5"
local-data-ptr: "172.30.5.5 pi-hole.domain.tld"
EOF
```
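As an added example (not part of this page or the lollipopcloud project), a post-deployment check for the chain configured above: it confirms the board's own /etc/resolv.conf does not point at Pi Hole (the WAN note), that the shared connections do, that unbound answers on the Docker LAN and knows the Pi Hole name, and that a blocklisted domain actually comes back blocked via Pi Hole. It assumes the addresses and hostname used on this page, `dig` installed on the board, and a domain from your blocklist passed as the argument.

```bash
#!/bin/bash
# Post-deployment checks for the Pi Hole <- unbound chain set up on this page.
# Assumed: Pi Hole 172.30.5.5, unbound on the Docker LAN at 172.30.0.1, the name
# pi-hole.domain.tld from the unbound local zone, and dig available on the board.
PIHOLE_IP=172.30.5.5
UNBOUND_IP=172.30.0.1
PIHOLE_FQDN=pi-hole.domain.tld

# 0 if FILE ($1, resolv.conf style) lists IP ($2) as a nameserver.
resolv_uses() {
    awk -v ip="$2" '$1 == "nameserver" && $2 == ip { found = 1 } END { exit !found }' "$1"
}

# 0 if FILE ($1, a dnsmasq snippet) contains the exact line server=IP ($2).
dnsmasq_forwards_to() {
    grep -qxF "server=$2" "$1"
}

# 0 if the `dig +short` output in $1 contains a line exactly equal to $2.
answer_has() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# 0 if the answer is a Pi Hole block: 0.0.0.0 (NULL blocking mode) or the
# Pi Hole's own IP (older releases answered with themselves instead).
is_blocked_answer() {
    answer_has "$1" 0.0.0.0 || answer_has "$1" "$PIHOLE_IP"
}

# Runs the live checks; $1 is a domain that is on your blocklist.
run_checks() {
    local blocked_domain=${1:?usage: $0 --check BLOCKED_DOMAIN}
    local fail=0
    # The board itself must keep talking to unbound directly, never to Pi Hole (WAN note above).
    ! resolv_uses /etc/resolv.conf "$PIHOLE_IP" \
        || { echo "FAIL: /etc/resolv.conf points the board at Pi Hole"; fail=1; }
    # Every shared (LAN / AP) connection must be handed Pi Hole by NetworkManager's dnsmasq.
    dnsmasq_forwards_to /etc/NetworkManager/dnsmasq-shared.d/pi-hole.conf "$PIHOLE_IP" \
        || { echo "FAIL: dnsmasq-shared.d snippet lacks server=$PIHOLE_IP"; fail=1; }
    # unbound must answer on the Docker LAN and know the Pi Hole name.
    answer_has "$(dig +short +time=2 @"$UNBOUND_IP" "$PIHOLE_FQDN" A)" "$PIHOLE_IP" \
        || { echo "FAIL: unbound at $UNBOUND_IP does not resolve $PIHOLE_FQDN"; fail=1; }
    # Pi Hole must actually be in the path: a listed domain comes back blocked.
    is_blocked_answer "$(dig +short +time=2 @"$PIHOLE_IP" "$blocked_domain" A)" \
        || { echo "FAIL: $blocked_domain is not blocked via $PIHOLE_IP"; fail=1; }
    return "$fail"
}

if [ "${1:-}" = "--check" ]; then
    run_checks "$2"
fi
```

Run it on the board as `./pihole-check.sh --check some.blocklisted.domain`; a non-zero exit means one of the four FAIL lines above fired.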

## Admin Interface

Once the container is online you can reach the Pi Hole admin interface at http://pi-hole.domain.tld/admin (the name comes from the unbound local zone entries above).

## First Run Config

Upon first run, Pi Hole will be using a Google DNS server as a secondary to the locally hosted Unbound instance. You'll likely want to disable this so every query stays with unbound.