Pi-hole/unbound unreachable for other containers

2 weeks ago I installed Pi-hole in a Docker container and last week I added Unbound to the mix so I don’t need to send DNS traffic out to the internet. All my clients are using the internal address of Pi-hole, Pi-hole forwards all requests to Unbound, great. But…

When I set my other Docker containers (like uptime-kuma and Domoticz) to use the internal DNS server, they’re not able to. When I log in to the container (sudo docker exec -it uptime-kuma bash) and ping the IP of the Pi-hole container, all requests are dropped, while I can ping every other device on the network.

Pi-hole and Unbound run on their own MacVLAN and are able to ping each other. How do I allow other Docker containers running in “network_mode: host” to use Pi-hole as their internal DNS server?

What you experience is a security restriction of the Linux kernel, which prevents macvlan child interfaces from communicating with their parent interface. Containers attached to a macvlan network use macvlan child interfaces (as used by your pihole and unbound container) and your host and every container using --network=host or network_mode: host use the parent interface.

To work around the restriction you can add a macvlan child interface to the host. You can find a description for how it’s done in @ajeetraina’s blogpost: https://collabnix.com/2-minutes-to-docker-macvlan-networking-a-beginners-guide/ in the “Enabling Container to Host Communication” section.

Ok, I’ll look into that. Any thought though on why the Docker server itself (Synology) can’t reach the address? (An issue I just now found out)

I am not sure what to say here, except: please re-read my last response.

Please quote the parts of my response you didn’t understand and write what you think they mean, so I know which part needs to be rephrased.

I ran these commands:

ip link add mac0 link eth0 type macvlan mode bridge
ip addr add <ip of pi-hole>/24 dev mac0
ifconfig mac0 up

Now I’m able to ping the address of the Pi-hole inside docker, but my Synology is still not able to use that address as its DNS server. Need to investigate some more. Thanks for this!

You added a macvlan child interface to your host. This is what you need.

Then you assign the same ip to the host’s macvlan child interface that you already use for the pihole container and create an ip collision. Do you mind sharing your thoughts that led to using the pihole ip here? I would like to understand your thoughts.

You need to use an ip that a) is not in a dhcp range and b) is not already in use.
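An added example, not part of the original thread: a small POSIX shell sketch that checks a candidate address for the host's macvlan child interface against the two conditions above and then prints the commands to create it. The interface names, addresses and DHCP range are constructed sample values, and giving the shim a /32 address plus a host route to the container is one common pattern, assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Added example. All addresses are constructed sample values.

# Convert a dotted-quad IPv4 address to an integer for range comparison.
ip_to_int() (
    case $1 in ''|*[!0-9.]*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
)

# check_shim_ip SHIM_IP CONTAINER_IP DHCP_START DHCP_END
# Returns 0 only if SHIM_IP differs from the container's address and lies
# outside the DHCP range. It cannot see other static devices on the LAN,
# so confirm separately that nothing else answers on the address.
check_shim_ip() {
    if [ "$1" = "$2" ]; then
        echo "collision: $1 is already used by the container" >&2
        return 1
    fi
    _ip=$(ip_to_int "$1") && _lo=$(ip_to_int "$3") \
        && _hi=$(ip_to_int "$4") || return 2
    if [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]; then
        echo "conflict: $1 is inside the DHCP range $3-$4" >&2
        return 1
    fi
    return 0
}

# shim_commands PARENT SHIM_IF SHIM_IP CONTAINER_IP
# Prints (does not run) the commands. The shim gets its own /32 address and
# a host route sends only traffic for the container through the shim.
shim_commands() {
    echo "ip link add $2 link $1 type macvlan mode bridge"
    echo "ip addr add $3/32 dev $2"
    echo "ip link set $2 up"
    echo "ip route add $4/32 dev $2"
}

# Constructed sample values: replace with your own LAN details.
PARENT=eth0; SHIM_IF=mac0
PIHOLE_IP=192.168.1.53; SHIM_IP=192.168.1.250
DHCP_START=192.168.1.100; DHCP_END=192.168.1.199

if check_shim_ip "$SHIM_IP" "$PIHOLE_IP" "$DHCP_START" "$DHCP_END"; then
    shim_commands "$PARENT" "$SHIM_IF" "$SHIM_IP" "$PIHOLE_IP"
fi
```

The printed commands need root and do not survive a reboot, so they have to be re-applied at boot.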

Easiest way of solving this for me is:

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: always
    network_mode: host
    environment:
      TZ: Europe/Paris
      WEB_PORT: 3003
    volumes:
      - ./pihole:/etc/pihole
      - ./dnsmasq.d:/etc/dnsmasq.d

  unbound:
    image: klutchell/unbound:latest
    container_name: unbound
    network_mode: bridge
    ports:
      - '5335:53/tcp'
      - '5335:53/udp'
    restart: always

Set the Custom 1 (IPv4) in Pi-hole to 127.0.0.1#5335 and you’re ready to go.


The only noob-friendly solution I found for pihole as the DHCP server + unbound.

Thanks.