@TheZoc
Last active October 22, 2023 11:13
Archlinux + Docker + Pi Hole

This is a guide on how to set up Pi-hole in Arch Linux.

For this, I used a Raspberry Pi 4B with 8 GB RAM, running the aarch64 version of Arch Linux.

This can also be done with a Raspberry Pi Zero, though I haven't tested that myself (yet).

References:

Start by logging in as root, switching to root, or using sudo -i.

Make sure the timezone and the NTP service are correct and active:

timedatectl set-ntp true
timedatectl set-timezone "Europe/London"

Disable Bluetooth and WiFi

(You don't want to do DNS queries over WiFi.)

cat <<EOF >>/etc/modprobe.d/pi-blacklist-bluetooth.conf
# Bluetooth
blacklist bluetooth
blacklist btsdio
EOF

Finish with the closing EOF line (or press Ctrl + D).

cat <<EOF >>/etc/modprobe.d/pi-blacklist-wifi.conf
# WiFi
blacklist brcmfmac
blacklist brcmutil
EOF

Finish with the closing EOF line (or press Ctrl + D).

Install required packages

pacman -S git pigz docker docker-compose docker-scan

Enable Docker service

systemctl enable --now docker.service

Test docker service

docker run hello-world

It should run fine as root. Try it again with your non-privileged user. If you get the error message:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock:

Add your user to the docker group:

sudo usermod -a -G docker [user]

Log out and log in again (Reference: https://stackoverflow.com/questions/47854463/docker-got-permission-denied-while-trying-to-connect-to-the-docker-daemon-socke )

Reboot

reboot

Log in as root, switch to root, or use sudo -i.

Disable systemd-resolved due to port conflict

Reference: sameersbn/docker-bind#65

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Exit root / log in with your non-privileged user

Create docker-compose.yml

A similar setup for IPv6 can be found here: https://gist.github.com/tntwist/a6183bbf736d7d652d1fc01a32c9c19a
NOTE: Your router must be able to assign an IPv6 address to your Raspberry Pi for that setup to work reliably.

version: "3"

services:
  cloudflared:
    container_name: cloudflared
    image: visibilityspots/cloudflared:latest
    restart: unless-stopped
    ports:
      - "5054:5054/tcp"
      - "5054:5054/udp"
    environment:
        DNS1: 1.1.1.1
        DNS2: 1.0.0.1
        PORT: 5054
    networks:
      pihole_net:
        ipv4_address: 10.0.0.2
    cap_add:
      - NET_ADMIN

  pi-hole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "80:80/tcp"
      - "53:53/tcp"
      - "53:53/udp"
      - "443:443/tcp"
    environment:
      - TZ=Europe/London
      - WEBPASSWORD=YOUR_ADMIN_PASSWORD
      - FTLCONF_REPLY_ADDR4=192.168.1.200 #IPv4 address of docker host
      - PIHOLE_DNS_=10.0.0.2#5054
      - IPv6=false
      - DNSMASQ_LISTENING=all
    volumes:
      - "./config/pihole:/etc/pihole"
      - "./config/dnsmasq:/etc/dnsmasq.d"
    networks:
      pihole_net:
        ipv4_address: 10.0.0.3
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN

networks:
  pihole_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/29
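Before bringing the stack up, it is worth checking two things in the compose file that fail quietly: that every static ipv4_address is a usable host address inside the declared subnet (a /29 only has .1 to .6, and Docker takes .1 for the bridge gateway), and that no list-form environment entry carries literal quotes, because in the "- NAME=value" form compose passes the quotes into the container verbatim. The script below is an added example, not part of the gist; it assumes POSIX sh with awk and grep, and the compose text embedded in sample_compose is a constructed excerpt of the file above so the checks run offline. Pass a real compose file as the first argument to check it instead.

```shell
#!/bin/sh
# Added example, not part of the original gist. Offline sanity checks to run
# over docker-compose.yml before `docker-compose up -d`. Assumes POSIX sh
# plus awk and grep; the compose text below is a constructed excerpt of the
# gist's file so the script runs without Docker.

# Constructed excerpt of the compose file above (only the lines the checks read).
sample_compose() {
  cat <<'EOF'
services:
  cloudflared:
    environment:
        DNS1: 1.1.1.1
        PORT: 5054
    networks:
      pihole_net:
        ipv4_address: 10.0.0.2
  pi-hole:
    environment:
      - TZ='Europe/London'
      - WEBPASSWORD=YOUR_ADMIN_PASSWORD
      - PIHOLE_DNS_=10.0.0.2#5054
    networks:
      pihole_net:
        ipv4_address: 10.0.0.3
networks:
  pihole_net:
    ipam:
      config:
        - subnet: 10.0.0.0/29
EOF
}

# Convert a dotted-quad IPv4 address to an integer: 10.0.0.2 -> 167772162
ip4_to_int() {
  echo "$1" | awk -F. '{ printf "%d\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# in_subnet ADDR CIDR: succeed when ADDR is a usable host address inside CIDR.
# The network and broadcast addresses are rejected; a container cannot use them.
in_subnet() {
  addr=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  size=$(( 1 << (32 - ${2#*/}) ))
  [ "$addr" -gt "$net" ] && [ "$addr" -lt $(( net + size - 1 )) ]
}

# Read compose text on stdin and print how many static ipv4_address entries do
# NOT fall inside the declared subnet. 0 means the addressing plan is consistent;
# anything else means that container will fail to start.
ips_outside_subnet() {
  text=$(cat)
  cidr=$(printf '%s\n' "$text" | awk '/subnet:/ { print $NF; exit }')
  bad=0
  for ip in $(printf '%s\n' "$text" | awk '/ipv4_address:/ { print $NF }'); do
    in_subnet "$ip" "$cidr" || bad=$((bad + 1))
  done
  echo "$bad"
}

# Read compose text on stdin and print how many list-form environment entries
# carry literal quotes (- NAME='value'). In list form the quotes are part of the
# YAML scalar, so the container receives them, e.g. TZ set to 'Europe/London'
# including the quote characters.
count_quoted_env() {
  grep -cE "^[[:space:]]*-[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=['\"]" || true
}

# Usage: sh check-compose.sh docker-compose.yml
check_file() {
  echo "static addresses outside subnet: $(ips_outside_subnet < "$1")"
  echo "quoted env values passed verbatim: $(count_quoted_env < "$1")"
}

if [ "$#" -gt 0 ]; then
  check_file "$1"
fi
```

On the embedded sample both addresses sit inside 10.0.0.0/29 and exactly one entry (the TZ line written with quotes) is flagged; the corrected form is simply TZ=Europe/London.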

Create and start the containers defined in docker-compose.yml

docker-compose up -d

Check the logs to see whether everything is running correctly

docker-compose logs cloudflared
docker-compose logs pi-hole

Check if there are any errors in the log.

Add block lists

Check data:

Get Interface names:

ip a

Capture inbound DNS requests

tcpdump -i eth0 udp port 53

Capture DNS requests from pi-hole to cloudflared

tcpdump -i br-4294f2b61c75 udp port 5054
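The two captures above are the place to confirm the resolver path actually looks the way the compose file intends: clients talk to the Pi-hole on port 53, the Pi-hole talks to cloudflared on port 5054, and no query leaves the host in the clear to port 53 anywhere else (which is what the cloudflared hop is meant to prevent). The script below is an added example, not part of the gist; it assumes POSIX sh with awk and tcpdump run with -n so addresses stay numeric, and the capture lines embedded in sample_capture are constructed to look like tcpdump output, with the last line a deliberately constructed leak. The interface names and addresses in live_check are the ones used in this gist; replace them with what `ip a` shows on your box.

```shell
#!/bin/sh
# Added example, not part of the original gist. Classifies tcpdump output from
# the two captures above to confirm the resolver path: clients ask the Pi-hole
# on port 53, the Pi-hole asks cloudflared on port 5054, and no DNS query leaves
# the host in the clear to port 53 elsewhere. Assumes POSIX sh plus awk, and
# tcpdump run with -n (numeric addresses) so lines look like
#   HH:MM:SS.usec IP SRC.PORT > DST.PORT: ID+ TYPE? NAME. (LEN)

# Constructed sample of what the two tcpdump commands print. The last line is a
# deliberately constructed leak: a plaintext query to 8.8.8.8 on port 53.
sample_capture() {
  cat <<'EOF'
12:00:01.000000 IP 192.168.1.23.51234 > 192.168.1.200.53: 12345+ A? example.com. (29)
12:00:01.000500 IP 10.0.0.3.41000 > 10.0.0.2.5054: 23456+ A? example.com. (29)
12:00:01.020000 IP 10.0.0.2.5054 > 10.0.0.3.41000: 23456 1/0/0 A 93.184.216.34 (45)
12:00:01.020500 IP 192.168.1.200.53 > 192.168.1.23.51234: 12345 1/0/0 A 93.184.216.34 (45)
12:00:02.000000 IP 192.168.1.200.44000 > 8.8.8.8.53: 34567+ A? leak.invalid. (30)
EOF
}

# dns_path_summary PIHOLE_IP CLOUDFLARED_IP CLOUDFLARED_PORT < capture
# Prints "inbound=N upstream=M leak=K": N queries to the Pi-hole on :53,
# M queries to cloudflared on its port, K queries to port 53 anywhere else.
# Responses (no "TYPE?" question) are ignored; only queries are counted.
dns_path_summary() {
  awk -v pihole="$1" -v cf="$2" -v cfport="$3" '
    $2 == "IP" && $4 == ">" && $0 ~ / [A-Z0-9]+\? / {
      dst = $5; sub(/:$/, "", dst)            # e.g. 192.168.1.200.53
      port = dst; sub(/.*\./, "", port)       # e.g. 53
      host = dst; sub(/\.[0-9]+$/, "", host)  # e.g. 192.168.1.200
      if (host == pihole && port == "53")      inbound++
      else if (host == cf && port == cfport)  upstream++
      else if (port == "53")                  leak++
    }
    END { printf "inbound=%d upstream=%d leak=%d\n", inbound, upstream, leak }'
}

# Live use (needs root): grab a few hundred packets from each path and summarise.
# Interface names and addresses are the ones from the gist (assumption).
live_check() {
  { tcpdump -n -l -c 200 -i eth0 udp port 53
    tcpdump -n -l -c 200 -i br-4294f2b61c75 udp port 5054
  } 2>/dev/null | dns_path_summary 192.168.1.200 10.0.0.2 5054
}

if [ "$#" -gt 0 ]; then
  live_check
else
  # Run without arguments: evaluate the constructed sample instead.
  sample_capture | dns_path_summary 192.168.1.200 10.0.0.2 5054
fi
```

On a correctly configured box the live summary should end in leak=0; a non-zero leak count with the first compose file usually means some process on the host (or the pi-hole container's own lookups via its dns: entries) is still resolving directly over port 53 rather than through cloudflared.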

Configure your router's DHCP to hand out your Pi-hole server as the DNS server.

NOTE: It is possible to make Pi-hole work as a DHCP server, but that is not covered by this guide.

TheZoc commented Nov 5, 2022

How to upgrade:

  1. Check https://github.com/pi-hole/docker-pi-hole for what changed in the newest version and decide if you want to upgrade.
  2. docker images to check what you currently have
  3. docker-compose pull
  4. docker-compose down
  5. docker images to check the current state of the images
  6. docker-compose up --force-recreate --build -d
  7. If everything before went well (test it!), run docker image prune -f to delete old images

TheZoc commented Dec 17, 2022

After "being forced" to use a Velop Mesh router, I realized that it takes ownership of any DNS requests, even when you configure it to use the Pi-Hole as the DNS server, effectively hiding the IP of the original request.

To solve this issue, I decided to use the Pi Hole as the DHCP server.

Here's an updated compose file that still allows using cloudflared with the Pi-hole, but will also work as a DHCP server.
Since this uses network_mode: host, make sure your Raspberry Pi is behind a firewall.
If someone finds a way to have it on bridge mode while still serving Class C (192.168.x.x) IPs, please add instructions below.

version: "3"

services:
  cloudflared:
    container_name: cloudflared
    image: visibilityspots/cloudflared:latest
    restart: unless-stopped
    network_mode: "host"

  pi-hole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    network_mode: host
    depends_on:
      - cloudflared
    environment:
      - TZ=Europe/London
      - WEBPASSWORD=YOUR_ADMIN_PASSWORD
      - FTLCONF_LOCAL_IPV4=192.168.1.200 #IPv4 address of docker host
      - PIHOLE_DNS_=192.168.1.200#5054;192.168.1.200#5054
      - IPv6=false
      - DNSMASQ_LISTENING=local
      - DHCP_ACTIVE=true
      - DHCP_START=192.168.1.50
      - DHCP_END=192.168.1.199
      - DHCP_ROUTER=192.168.1.1
      - PIHOLE_DOMAIN=fejuca-net
    volumes:
      - "./config/pihole:/etc/pihole"
      - "./config/dnsmasq:/etc/dnsmasq.d"
    cap_add:
      - NET_ADMIN # Recommended but not required (DHCP needs NET_ADMIN)
