This weekend’s project will be staging a new DNS server leveraging PiHole within a docker container. PiHole is a free and opensource DNS sinkhole project which provides ad blocking at a network level so that clients don’t require any unique setup to take advantage of PiHole’s offerings. Containers, as I mentioned previously, are a newer technology that allows you to separate applications from host OS.
What do I need?
I will be building this server as a VM within my lab and leveraging Alpine as our OS of choice.
About Alpine: Alpine is a lightweight security-oriented OS. Since our host OS is just running docker and it’s containers, we want to make sure we are running bare essentials to limit our possible attack surface.
Here is your VMs configuration:
- 1 CPU/Socket
- 1 GB ram
- 8 GB of HDD space
- network Adapter: E1000
- OS type to Linux (other) x64
let’s get started: OS Installation and Configuration
- Mount the Alpine ISO you downloaded (for our demo, we are using Alpine – Virtual – x86_64).
- Power on your VM and boot to disc
- Once the boot process has finished, you should be at the login prompt.
- Log in as root (there is no password)
- To install to the disk, we need to run the alpine install script:
- Choose your keyboard layout (and a variant if prompted): US
- Choose your network card:
- Set a static IP when prompted if you want DHCP or other:
IP: <your IP>
GW: <your router IP>
DNS: 188.8.131.52, 184.108.40.206
- Set your root password.
- Choose your time zone:
- Chose your mirrors:
f (determines the fastest mirror)
- Chose an SSH server:
OpenSSH (you can select none if you plan to do management from the console)
- Choose NTP client:
Chrony (no preference here – used default)
- Choose the disk you want to install Alpine to:
sda (yours may be different)
- How would you like to use the disk?
- Installation should have completed, and you can now reboot the server:
- Disconnect the ISO.
- Login as root using the password you previously set.
- Add a new user for management purposes:
# adduser <username>
- Add user to sudoers:
# vi /etc/sudoers
a. Enter insert mode:
<username> ALL=(ALL) ALL
b. Exit insert mode (esc) and type: wq! (write/quite/force)
- Exit root and login as your new user.
- Type SU to elevate permissions
- Add the community repository to the APK repositories:
# vi /etc/apk/repositories
a. Enter insert mode:
b. Exit insert mode (ESC) and type wq! (write/quite/force)
- Update APK repositories:
# apk update
- Install docker:
# apk add docker
- Set docker to start on boot:
# rc-update add docker boot
- Start the docker daemon manually:
# service docker start
- 1. Install PIP
# apk add py-pip
- Install dev dependencies:
# apk add python-dev libffi-dev openssl-dev gcc libc-dev make
- Install docker-compose:
# pip install docker-compose
Create your docker-compose.yml file
- Navigate to your users home:
# cd /home/<username>
- Create your docker-compose.yml
# vi docker-compose.yml
a. Enter insert mode and paste the following (example template from the projects docker-hub page):
version: "3" services: pihole: container_name: pihole image: pihole/pihole:latest ports: - "53:53/tcp" - "53:53/udp" - "67:67/udp" - "80:80/tcp" - "443:443/tcp" environment: TZ: 'America/Los_Angeles' WEBPASSWORD: '<your password>' # Volumes store your data between container upgrades volumes: - './etc-pihole/:/etc/pihole/' - './etc-dnsmasq.d/:/etc/dnsmasq.d/' dns: - 127.0.0.1 - 220.127.116.11 # Recommended but not required (DHCP needs NET_ADMIN) cap_add: - NET_ADMIN restart: unless-stopped
Important Note: Update the following entries per your preference:
Docker Hub Page:
You can lock PiHole to a specific version by changing tags:
pihole/pihole:latest to pihole/pihole:v4.4
Environment variables you may want to change:
- TZ: 'America/Los_Angeles' - WEBPASSWORD: '<your password>'
- Exit insert mode (ESC) and type wq! (write/quite/force)
- Let’s pull the images we defined in our docker-compose file (while in the SAME directory as your docker-compose.yml):
# docker-compose pull
- Time for the moment of truth – let’s start our containers:
# docker-compose up
- Verify you have no error messages.
- Navigate to the PiHole admin page using the IP address assigned to your host VM:
- Login using the password set in your docker-compose.yml file
- Yay, you should now see your dashboard:
- Go back to your SSH session and end the docker-compose process (CTRL + C)
- Start docker-compose as a background daemon:
# docker-compose up -d
- At this point, your PiHole server can begin to filter ADs, but you will need to either update your router’s DHCP DNS option to point to your PiHole’s IP OR disable DHCP on your router and shift DHCP to PiHole.
At this point, you’ve set up an Alpine Linux host, installed docker, installed docker-compose, created your docker-compose.yml file, and configured your PiHole to start blocking ADs.
Other options that may be worth tweaking:
- Settings -> Privacy – Depending on your views of privacy on your local network, you may wish to either show every DNS lookup and record all details or collect nothing.
- Settings -> Blocklist – You can add additional block lists to your PiHole. I’ve ever felt the need to do, but it’s an option.
- Settings -> DNS – You can choose additional upstream DNS servers instead of Google. Additionally, you can also leverage DNSSEC, which provides another level of security for browsing.
Thank you for taking the time to go through this project, and I hope you found it helpful.