Android Simplicity

Windows WSL2 Docker with PiHole and Unbound For Recursive DNS

Typically, when you search for a domain name, the resolver will recursively pass your request on until it finds the Authoritative Name Server. This can be a potential security hole as someone can easily track down all the url that you visited, as well as it's paths.

Unbound is a validating, recursive, and caching DNS resolver.

Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS. After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server. 

By combining the two software, we can make sure that all DNS requests go straight to a Authoritative Name Server and eliminating the middle man (i.e. your own hosted Unbound becomes that middle man and finds the Authority for you in a nonrecursive mode). 

This article assumes you have general knowledge of how <a href="https://pi-hole.net/">PiHole</a> and docker works. 

*Note* If you are running pihole on a vm or hardware then just follow this guide

Steps:

1. Install docker

2. Create a docker compose file (PiHole_docker-compose.yml) using the code below in whatever path you decide to use: 

=============
version: '3'
services:
  pihole:
    image: 'pihole/pihole:latest'
    privileged: true
    restart: unless-stopped
    dns:
      - 127.0.0.1
      - 1.1.1.1
    links:
      - unbound
    ports:
      - '80:80'
      - '53:53/udp'
      - '53:53/tcp'
    environment:
      TZ: TZ=America/Chicago
      ServerIP: YOUR HOST IP GOES HERE
      WEBPASSWORD: YOUR PW GOES HERE
      DNS1: '169.254.0.19#5335'
    cap_add:
      - NET_ADMIN
    volumes:
      # ./Config will mount to the volume on your host machine and save the settings in the below locations
      - './config/pihole:/etc/pihole'
      - './config/dnsmasq:/etc/dnsmasq.d'
    networks:
      pihole_net:
        ipv4_address: 169.254.0.3
  unbound:
    image: klutchell/unbound
    restart: unless-stopped
    volumes:
      - './config/unbound:/opt/unbound/etc/unbound'
    networks:
      pihole_net:
        ipv4_address: 169.254.0.19
networks:
  pihole_net:
    driver: bridge
    ipam:
      config:
        - subnet: 169.254.0.0/29
==============

3. In the same location, create config/unbound directory

4. Create a new file named unbound.conf

5. Paste in the below code and modify as needed.

==============
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 169.254.0.19
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges. Remove ones you dont need
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.18.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    # The action allow gives access to clients from that netblock.  It gives only access for recursion clients (which  is  what  almost all clients need).  Nonrecursive queries are refused.
    # The action allow_snoop gives nonrecursive access too. 
    access-control: 127.0.0.1 allow_snoop #Container ip address. Good for debugging in shell. 
    access-control: 169.254.0.0/16 allow  # Allow only bridged clients
==============

6. In Cmd run the following command: docker compose -p pihole -f "PiHole_docker-compose.yml" up -d


Popular Posts
AndroidSim Mobile App
What are you using?