Running Pihole at home
I run pihole via docker on an old laptop.
Pihole Docker container as DHCP and DNS server
I got it configured via the pihole docs.
To see my ansible playbook that works with Pihole and is run via compose, look at this playbook.
I had to set the container into host networking mode, so it can directly answer DNS and DHCP requests.
Due to host networking mode, I had to comment out all port mappings from the compose config.
Via docker envs, it's also configured so that dnsmasq answers on all network interfaces.
The container also needs the NET_ADMIN capability added to it.
What I haven't figured out yet is how I can put traefik in front of the pihole web UI to avoid port conflicts with pihole's own webserver that's reachable via port 80 on the host.
Pihole Logs and Stats
It shows some really useful info on your network.
Examples of such info, when full logging is enabled, are:
- what domains are queried and blocked
- what devices are making the requests
- what kind of requests devices are making (A, AAAA, PTR and so on)
- what DNS servers/forward destinations are used for the queries, and in what proportion (Google, Cloudflare, etc.); these stats include the blocklist and local cache
- there are lists for top permitted and blocked domains
- and also lists for top clients and a subset of top blocked clients
- my top performers on the blocked client list are a Windows 10 VM and my android phone
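The stats listed above all come from Pi-hole's own query log. The following is an added example, not code from the post or from Pi-hole, that parses constructed lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log and rebuilds the same counters (query types, clients, blocked domains and clients, forward destinations); the exact log line shapes are assumed from dnsmasq's output.

```python
import re
from collections import Counter

# Constructed sample lines in the dnsmasq format Pi-hole writes to
# /var/log/pihole.log when query logging is on (not taken from the post).
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[123]: query[A] example.com from 192.168.0.10
Jan 10 12:00:01 dnsmasq[123]: forwarded example.com to 1.1.1.1
Jan 10 12:00:02 dnsmasq[123]: query[AAAA] ads.example.net from 192.168.0.20
Jan 10 12:00:02 dnsmasq[123]: gravity blocked ads.example.net is ::
Jan 10 12:00:03 dnsmasq[123]: query[A] acerlaptop.home.domain.tld from 192.168.0.20
Jan 10 12:00:03 dnsmasq[123]: cached acerlaptop.home.domain.tld is 192.168.0.42
Jan 10 12:00:04 dnsmasq[123]: query[A] ads.example.net from 192.168.0.30
Jan 10 12:00:04 dnsmasq[123]: gravity blocked ads.example.net is 0.0.0.0
Jan 10 12:00:05 dnsmasq[123]: query[PTR] 10.0.168.192.in-addr.arpa from 192.168.0.20
Jan 10 12:00:05 dnsmasq[123]: forwarded 10.0.168.192.in-addr.arpa to 8.8.8.8
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<domain>\S+) to (?P<upstream>\S+)")
BLOCK_RE = re.compile(r"gravity blocked (?P<domain>\S+) is ")
CACHE_RE = re.compile(r"cached (?P<domain>\S+) is ")

def summarise(log_text):
    """Build the counters behind the Pi-hole dashboard from raw log lines."""
    stats = {
        "query_types": Counter(),      # A, AAAA, PTR, ...
        "clients": Counter(),          # which device asked
        "blocked_domains": Counter(),  # top blocked domains
        "blocked_clients": Counter(),  # who keeps hitting the blocklist
        "destinations": Counter(),     # upstream server, blocklist or cache
    }
    # dnsmasq logs the answer right after the query, so the most recent
    # client asking for a domain is the one a block/cache line belongs to
    last_client = {}
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            stats["query_types"][m["qtype"]] += 1
            stats["clients"][m["client"]] += 1
            last_client[m["domain"]] = m["client"]
        elif m := FORWARD_RE.search(line):
            stats["destinations"][m["upstream"]] += 1
        elif m := BLOCK_RE.search(line):
            stats["destinations"]["blocklist"] += 1
            stats["blocked_domains"][m["domain"]] += 1
            stats["blocked_clients"][last_client.get(m["domain"], "unknown")] += 1
        elif CACHE_RE.search(line):
            stats["destinations"]["cache"] += 1
    return stats
```

Each counter's most_common() gives the same "top" lists the web UI shows; lines the regexes do not recognise (reply lines, config reloads) are simply skipped.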
Pihole DHCP settings
I was most interested in these parts of the settings as my ISP's router is very limited.
When the DHCP server is enabled, you can define a range of IP addresses to use on the network.
Since my laptop (the pihole host) is not the router on the network, I set the ISP's device as the gateway.
This page also shows the currently active DHCP leases and any static DHCP lease configurations.
On the right side, there's a section where you can define what domain to use on the LAN.
Note: this domain does not need to have any A/AAAA records.
This domain setting will put a search sub.domain.tld line into each Linux device's /etc/resolv.conf:
    # Generated by NetworkManager
    search home.domain.tld
    nameserver 192.168.0.69
As a result, each device will be resolvable on the LAN thanks to dynamic DNS.
So I can connect to each device by either its hostname (e.g. acerlaptop) or its full hostname, which would be acerlaptop.home.domain.tld.
This is most useful when used with traefik and other containers. If configured properly, traefik can then issue wildcard certificates for each device it runs on.
This results in the following wildcard certs, valid for:
So a web host might be resolvable this way on the LAN:
Thanks to Traefik, it will have a valid SSL certificate.
However, this results in long hostnames in the browsers, which will annoy some people.
Adding Custom Domain names to Pihole
Since pihole uses Dnsmasq, we can also apply Dnsmasq configs of our own.
In my case, I've placed my custom config file that has device specific subdomains defined inside via an Ansible template task.
An example of such a task is:
    - name: Template pihole conf file for local wildcard domains
      template:
        src: wildcard-local.conf.j2
        dest: /var/docker/pihole/etc-dnsmasq.d/wildcard-local.conf
        owner: root
        group: root
        mode: 0644
      tags:
        - docker
This configuration file can be placed into the container's /etc/dnsmasq.d directory.
If a static volume mapping is used for the container's config, e.g.:
    volumes:
      - /var/docker/pihole/etc-pihole:/etc/pihole
      - /var/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
then our config file needs to be placed inside /var/docker/pihole/etc-dnsmasq.d on the host that runs pihole. From inside the container, it will look as though a new config file has appeared.
If I want to restart the dnsmasq process inside the container without restarting the entire container, I can simply run, on the host:
    docker exec ctname pihole restartdns
This executes pihole restartdns inside the container and applies our new configuration file straight away.