
Pi-hole

The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

Once the installer has been run, you will need to configure your router to have DHCP clients use Pi-hole as their DNS server which ensures that all devices connecting to your network will have content blocked without any further intervention.

If your router does not support setting the DNS server, you can use Pi-hole's built-in DHCP server; just be sure to disable DHCP on your router first (if it has that feature available).

As a last resort, you can always manually set each device to use Pi-hole as their DNS server.

Documentation: https://docs.pi-hole.net/
Docker image: https://hub.docker.com/r/pihole/pihole/
Blog: https://pi-hole.net/blog/

# Update
pihole -up

Installation

Docker

https://github.com/pi-hole/docker-pi-hole

The admin UI is on port 5001, DNS on port 53. To keep the DNS port from conflicting with systemd-resolved on the host, run on the host:

sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
sudo systemctl restart systemd-resolved

https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#installing-on-ubuntu-or-fedora

If systemd-resolved was disabled, port 53 must be bound to a specific host address, otherwise containers will not be able to resolve external names.

    ports:
      - 192.168.1.15:53:53/tcp
      - 192.168.1.15:53:53/udp

https://discourse.pi-hole.net/t/solve-dns-resolution-in-other-containers-when-using-docker-pihole/31413

services:
  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    environment:
      TZ: 'Europe/Moscow'
      WEBPASSWORD: 'Qwerty123456'
      WEB_PORT: 5001
      VIRTUAL_HOST: 'bva.dyndns.info'
      PIHOLE_DNS_: '8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844;208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001'
      DNSSEC: 'true'
      DNSMASQ_LISTENING: 'all'
    ports:
      - 192.168.1.15:53:53/tcp
      - 192.168.1.15:53:53/udp
      - 5001:5001
    volumes:
      - '~/volumes/pihole/pihole:/etc/pihole'
      - '~/volumes/pihole/dnsmasq:/etc/dnsmasq.d'

Local install

Using method 2

# One-Step Automated Install
# Those who want to get started quickly and conveniently may install Pi-hole using the following command:
curl -sSL https://install.pi-hole.net | bash
# Alternative Install Methods
# Piping to bash is controversial, as it prevents you from reading code that is about to run on your system.
# Therefore, we provide these alternative installation methods which allow code review before installation:
# Method 1: Clone our repository and run
git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh
# Method 2: Manually download the installer and run
wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

Find out which blocklist a domain is on

root@orangepione:~# pihole -q -exact vk.com
 Exact match found in exact whitelist
   vk.com
 Exact matches for vk.com found in:
  - https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_1_Russian/filter.txt
  - https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_1_Russian/filter.txt
  - https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt
  - https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt
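The lookup above reports an exact whitelist hit together with the gravity lists the domain appears on. As an added example (not Pi-hole's own code), the following reproduces that verdict logic offline: it parses the entry formats Pi-hole's gravity accepts (hosts format, plain domains, ABP-style `||domain^`) from a constructed list and applies the precedence `pihole -q` shows, where an exact whitelist entry wins over any blocklist match. The list text, list name and whitelist are constructed sample data.

```python
import re

# Constructed sample list in the formats Pi-hole's gravity accepts; not real list content.
SAMPLE_LIST = """
# constructed filter list
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # hosts-format entry with trailing comment
||vk.com^
example.test
! ABP-style comment line
"""

# Constructed exact whitelist, mirroring "Exact match found in exact whitelist" above.
EXACT_WHITELIST = {"vk.com"}

_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)")
_ABP_RE = re.compile(r"^\|\|([^/^*]+)\^$")
_DOMAIN_RE = re.compile(r"[a-z0-9.-]+", re.I)


def parse_list(text):
    """Return the set of domains a list would contribute to gravity."""
    domains = set()
    for raw in text.splitlines():
        if "##" in raw or "#@#" in raw:      # cosmetic ABP rules carry no domain block
            continue
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("!"):
            continue
        m = _HOSTS_RE.match(line) or _ABP_RE.match(line)
        if m:
            domains.add(m.group(1).lower())
        elif _DOMAIN_RE.fullmatch(line):
            domains.add(line.lower())
    return domains


def verdict(domain, lists, whitelist):
    """Exact whitelist wins; otherwise the domain is blocked if any list contains it.

    lists maps a list name (e.g. its URL) to the set returned by parse_list.
    Returns (verdict, names_of_lists_containing_the_domain).
    """
    domain = domain.lower().rstrip(".")
    hits = [name for name, domains in lists.items() if domain in domains]
    if domain in whitelist:
        return "whitelisted", hits
    return ("blocked" if hits else "allowed"), hits
```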

Errors and problems

The container does not start after a host reboot

The problem occurs when the DNS ports are bound to the host IP. If the IP is not specified, everything works.

    ports:
      - 192.168.1.15:53:53/tcp
      - 192.168.1.15:53:53/udp

The cause is that the network has not fully come up by the time the container starts, so its start fails. The following workaround can be used:

# Create an override file for the Docker daemon that runs a script
systemctl edit docker

[Service]
# wait for the network to be up
ExecStartPre=/etc/systemd/system/docker.service.d/wait_for_network.sh
# The script
cat << EOF > /etc/systemd/system/docker.service.d/wait_for_network.sh
#!/bin/bash
ipServerAddress="192.168.1.1" # The router address, for example
cycleLength=1 # The length of a wait cycle in seconds
timeout=15    # Maximum number of seconds to wait before giving up

elapsedTime=0
ping -c 1 \$ipServerAddress > /dev/null 2>&1
while [ \$? -ne 0 ]; do
    if [ "\$elapsedTime" -ge "\$timeout" ]; then
        # Timeout
        exit 1
    fi

    elapsedTime=\$((elapsedTime + cycleLength))
    sleep \$cycleLength
    ping -c 1 \$ipServerAddress > /dev/null 2>&1
done
EOF

# Make the script executable
chmod ug+x /etc/systemd/system/docker.service.d/wait_for_network.sh

https://discourse.pi-hole.net/t/solved-failed-to-allocate-and-map-port-53-53-after-system-restart/64872/6

DNSMASQ_WARN: reducing DNS packet size for nameserver XXX.XXX.XXX.XXX to 1232

echo "edns-packet-max=1232" > /etc/dnsmasq.d/99-edns.conf
pihole restartdns

https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803/9
https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803/41
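The `edns-packet-max=1232` setting changes one field on the wire: the UDP payload size that dnsmasq advertises in the EDNS0 OPT pseudo-record (RFC 6891), where the OPT record's CLASS field carries that size. As an added example (not dnsmasq or Pi-hole code), this builds a query advertising 1232 bytes and reads the advertised size back out of a packet, returning the pre-EDNS default of 512 when no OPT record is present. The query name is a constructed sample.

```python
import random
import struct

OPT_TYPE = 41


def _skip_name(packet, pos):
    """Skip a wire-format name (labels or a compression pointer) and return the next offset."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            return pos + 2
        pos += 1 + length


def build_query(name, udp_payload_size=1232, qtype=1):
    """Build a DNS query (RD set) with an OPT record advertising udp_payload_size."""
    txid = random.randrange(0, 0x10000)
    # header: id, flags (RD), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE / EDNS version / flags (all zero), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def advertised_payload_size(packet):
    """Return the UDP payload size from the packet's OPT record, or 512 if it has none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, rclass = struct.unpack("!HH", packet[pos:pos + 4])
        rdlen = struct.unpack("!H", packet[pos + 8:pos + 10])[0]
        if rtype == OPT_TYPE:
            return rclass                          # CLASS field doubles as the payload size
        pos += 10 + rdlen                          # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return 512
```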