brccabral/01_README.md

## 01_README.md

      
    Raw
  

              01_README.md
            
          
    Pihole

Before anything, check your docker log settings. I had Unbound consuming 17GB alone.

https://docs.docker.com/config/containers/logging/json-file/

/etc/docker/daemon.json
{
  "log-opts": {
    "max-size": "20m",
    "max-file": "3"
  }
}
Save as local volume /etc/pihole/, /etc/dnsmasq.d/, /etc/resolv.conf.
In case you have other process listening port 53, set Docker to listen ports only in your local IP 192.168.12.240.

I had Virt-Manager listening to 192.168.122.1:53 so it can manage IP's for VM's.

Port 67 conflicts with Virt-Manager.
I set my host /etc/hosts to map PiHole one with ro read only attribute. Any change in the host /etc/hosts need to restart PiHole container.
I changed healthcheck command to 127.0.0.11 because this is the default DNS nameserver, and if Unbound is in a subnet, the original command fails because it uses 127.0.0.1.
Use Unbound as upstream DNS. Save unbound.conf into the mounted volume as per below configuration.
If you don't set the ip in the port 53, need to explicity set DNS, otherwise it can't connect to internet. That is because the host will have /etc/resolf.conf set to nameserver 192.168.12.240 and the container needs to find it.

53:53 -> set dns

192.168.12.240:53 -> don't need dns
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    platform: linux/arm64
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "192.168.12.240:53:53/tcp"
      - "192.168.12.240:53:53/udp"
      #- "192.168.12.240:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "192.168.12.240:9999:80/tcp"
    environment:
      TZ: 'America/Los_Angeles'
      WEBPASSWORD: 'bruno123456'
      FTLCONF_LOCAL_IPV4: '172.19.0.2'
      PIHOLE_DNS_: '172.19.0.3#5335'
      #DNSSEC: 'true'
      #PIHOLE_DOMAIN: lan
    # Volumes store your data between container upgrades
    volumes:
      - '/home/<username>/Docker/pihole/etc-pihole:/etc/pihole'
      - '/home/<username>/Docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
      - '/home/<username>/Docker/pihole/etc-resolv.conf:/etc/resolv.conf'
      - '/etc/hosts:/etc/hosts:ro'
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.19.0.2
    #dns:
     #- 172.19.0.1

  unbound:
    container_name: unbound
    hostname: unbound
    image: mvance/unbound-rpi:latest
    volumes:
      - '/home/<username>/Docker/unbound/etc-unbound:/opt/unbound/etc/unbound'
    ports:
      - "5335:53/tcp"
      - "5335:53/udp"
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.19.0.3
    #dns:
      #- 172.19.0.1
    healthcheck:
      test: ["CMD-SHELL", "drill @127.0.0.11 cloudflare.com || exit 1"]


networks:
  default:
    name: pihole-default
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
          gateway: 172.19.0.1
Enable firewall for your other docker subnets.
sudo ufw allow from 172.19.0.0/12 to any port 53

  
## commands.md

      
    Raw
  

              commands.md
            
          
    nslookup microsoft.com
dig msn.com @172.19.0.6 -p 5335
sudo lsof -i -P -n

  
## unbound.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/opt/unbound/etc/unbound/unbound.log"

    # Level 0: No verbosity, only errors.
    # Level 1: Gives operational information.
    # Level 2: Gives detailed operational information including short information per query.
    # Level 3: Gives query level information, output per query.
    # Level 4:  Gives algorithm level information.
    # Level 5: Logs client identification for cache misses.
    verbosity: 5

    interface: 0.0.0.0@5335
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Set the working directory for the program.
    directory: "/opt/unbound/etc/unbound"

    ###########################################################################
    # SECURITY SETTINGS
    ###########################################################################
    # Only give access to recursion clients from LAN IPs
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: fc00::/7 allow
    access-control: ::1/128 allow

    # Enable chroot (i.e, change apparent root directory for the current
    # running process and its children)
    chroot: "/opt/unbound/etc/unbound"

    ###########################################################################
    # WILDCARD INCLUDE
    ###########################################################################
    #include: "/opt/unbound/etc/unbound/*.conf"
	server:
	# If no logfile is specified, syslog is used
	# logfile: "/opt/unbound/etc/unbound/unbound.log"

	# Level 0: No verbosity, only errors.
	# Level 1: Gives operational information.
	# Level 2: Gives detailed operational information including short information per query.
	# Level 3: Gives query level information, output per query.
	# Level 4: Gives algorithm level information.
	# Level 5: Logs client identification for cache misses.
	verbosity: 5

	interface: 0.0.0.0@5335
	port: 53
	do-ip4: yes
	do-udp: yes
	do-tcp: yes

	# May be set to yes if you have IPv6 connectivity
	do-ip6: no

	# You want to leave this to no unless you have native IPv6. With 6to4 and
	# Terredo tunnels your web browser should favor IPv4 for the same reasons
	prefer-ip6: no

	# Use this only when you downloaded the list of primary root servers!
	# If you use the default dns-root-data package, unbound will find it automatically
	#root-hints: "/var/lib/unbound/root.hints"

	# Trust glue only if it is within the server's authority
	harden-glue: yes

	# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
	harden-dnssec-stripped: yes

	# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
	# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
	use-caps-for-id: no

	# Reduce EDNS reassembly buffer size.
	# IP fragmentation is unreliable on the Internet today, and can cause
	# transmission failures when large DNS messages are sent via UDP. Even
	# when fragmentation does work, it may not be secure; it is theoretically
	# possible to spoof parts of a fragmented DNS message, without easy
	# detection at the receiving end. Recently, there was an excellent study
	# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
	# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
	# in collaboration with NLnet Labs explored DNS using real world data from the
	# the RIPE Atlas probes and the researchers suggested different values for
	# IPv4 and IPv6 and in different scenarios. They advise that servers should
	# be configured to limit DNS messages sent over UDP to a size that will not
	# trigger fragmentation on typical network links. DNS servers can switch
	# from UDP to TCP when a DNS response is too big to fit in this limited
	# buffer size. This value has also been suggested in DNS Flag Day 2020.
	edns-buffer-size: 1232

	# Perform prefetching of close to expired message cache entries
	# This only applies to domains that have been frequently queried
	prefetch: yes

	# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
	num-threads: 1

	# Ensure kernel buffer is large enough to not lose messages in traffic spikes
	so-rcvbuf: 1m

	# Ensure privacy of local IP ranges
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: 172.16.0.0/12
	private-address: 10.0.0.0/8
	private-address: fd00::/8
	private-address: fe80::/10

	# Set the working directory for the program.
	directory: "/opt/unbound/etc/unbound"

	###########################################################################
	# SECURITY SETTINGS
	###########################################################################
	# Only give access to recursion clients from LAN IPs
	access-control: 127.0.0.1/32 allow
	access-control: 192.168.0.0/16 allow
	access-control: 172.16.0.0/12 allow
	access-control: 10.0.0.0/8 allow
	access-control: fc00::/7 allow
	access-control: ::1/128 allow

	# Enable chroot (i.e, change apparent root directory for the current
	# running process and its children)
	chroot: "/opt/unbound/etc/unbound"

	###########################################################################
	# WILDCARD INCLUDE
	###########################################################################
	#include: "/opt/unbound/etc/unbound/*.conf"