Docker-compose example:
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
ports:
- "53:53/tcp"
- "53:53/udp"
- "67:67/udp"
- "80:80/tcp"
- "443:443/tcp"
environment:
TZ: 'America/Chicago'
# WEBPASSWORD: 'set a secure password here or it will be random'
# Volumes store your data between container upgrades
volumes:
- './etc-pihole/:/etc/pihole/'
- './etc-dnsmasq.d/:/etc/dnsmasq.d/'
dns:
- 127.0.0.1
- 1.1.1.1
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
restart: unless-stopped
Here is an equivalent docker run script.
- ServerIP no longer a required enviroment variable unless you run network 'host' mode! Feel free to remove it unless you need it to customize lighttpd
- --cap-add NET_ADMIN no longer required unless using DHCP, leaving in examples for consistency
Starting with the v4.1.1 release your Pi-hole container may encounter issues starting the DNS service unless ran with the following setting:
--dns=127.0.0.1 --dns=1.1.1.1
The second server can be any DNS IP of your choosing, but the first dns must be 127.0.0.1- A WARNING stating "Misconfigured DNS in /etc/resolv.conf" may show in docker logs without this.
- 4.1 required --cap-add NET_ADMIN until 4.2.1-1
These are the raw docker run cli versions of the commands. We provide no official support for docker GUIs but the community forums may be able to help if you do not see a place for these settings. Remember, always consult your manual too!
A Docker project to make a lightweight x86 and ARM container with Pi-hole functionality.
- Install docker for your x86-64 system or ARMv7 system using those links. Docker-compose is also recommended.
- Use the above quick start example, customize if desired.
- Enjoy!
This container uses 2 popular ports, port 53 and port 80, so may conflict with existing applications ports. If you have no other services or docker containers using port 53/80 (if you do, keep reading below for a reverse proxy example), the minimum arguments required to run this container are in the script docker_run.sh
If you're using a Red Hat based distribution with an SELinux Enforcing policy add :z
to line with volumes like so:
-v "$(pwd)/etc-pihole/:/etc/pihole/:z" \
-v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/:z" \
Volumes are recommended for persisting data across container re-creations for updating images. The IP lookup variables may not work for everyone, please review their values and hard code IP and IPv6 if necessary.
Port 443 is to provide a sinkhole for ads that use SSL. If only port 80 is used, then blocked HTTPS queries will fail to connect to port 443 and may cause long loading times. Rejecting 443 on your firewall can also serve this same purpose. Ubuntu firewall example: sudo ufw reject https
Automatic Ad List Updates - since the 3.0+ release, cron
is baked into the container and will grab the newest versions of your lists and flush your logs. Set your TZ environment variable to make sure the midnight log rotation syncs up with your timezone's midnight.
There are multiple different ways to run DHCP from within your Docker Pi-hole container but it is slightly more advanced and one size does not fit all. DHCP and Docker's multiple network modes are covered in detail on our docs site: Docker DHCP and Network Modes
There are other environment variables if you want to customize various things inside the docker container:
Docker Environment Var. | Description |
---|---|
ADMIN_EMAIL: <email address> Optional Default: '' |
Set an administrative contact address for the Block Page |
TZ: <Timezone> Recommended Default: UTC |
Set your timezone to make sure logs rotate at local midnight instead of at UTC midnight. |
WEBPASSWORD: <Admin password> Recommended Default: random |
https://pi.hole/admin password. Run docker logs pihole | grep random to find your random pass. |
DNS1: <IP> Optional Default: 8.8.8.8 |
Primary upstream DNS provider, default is google DNS |
DNS2: <IP> Optional Default: 8.8.4.4 |
Secondary upstream DNS provider, default is google DNS, no if only one DNS should used |
DNSSEC: <"true"|"false"> Optional Default: "false" |
Enable DNSSEC support |
DNS_BOGUS_PRIV: <"true"|"false"> Optional Default: "true" |
Enable forwarding of reverse lookups for private ranges |
DNS_FQDN_REQUIRED: <"true"|"false"> Optional Default: true |
Never forward non-FQDNs |
CONDITIONAL_FORWARDING: <"true"|"false"> Optional Default: "false" |
Enable DNS conditional forwarding for device name resolution |
CONDITIONAL_FORWARDING_IP: <Router's IP> Optional |
If conditional forwarding is enabled, set the IP of the local network router |
CONDITIONAL_FORWARDING_DOMAIN: <Network Domain> Optional |
If conditional forwarding is enabled, set the domain of the local network router |
CONDITIONAL_FORWARDING_REVERSE: <Reverse DNS> Optional |
If conditional forwarding is enabled, set the reverse DNS of the local network router (e.g. 0.168.192.in-addr.arpa ) |
ServerIP: <Host's IP> Recommended |
--net=host mode requires Set to your server's LAN IP, used by web block modes and lighttpd bind address |
ServerIPv6: <Host's IPv6> Required if using IPv6 |
If you have a v6 network set to your server's LAN IPv6 to block IPv6 ads fully |
VIRTUAL_HOST: <Custom Hostname> Optional Default: $ServerIP |
What your web server 'virtual host' is, accessing admin through this Hostname/IP allows you to make changes to the whitelist / blacklists in addition to the default 'https://pi.hole/admin/' address |
IPv6: <"true"|"false"> Optional Default: "true" |
For unraid compatibility, strips out all the IPv6 configuration from DNS/Web services when false. |
INTERFACE: <NIC> Advanced/Optional |
The default works fine with our basic example docker run commands. If you're trying to use DHCP with --net host mode then you may have to customize this or DNSMASQ_LISTENING. |
DNSMASQ_LISTENING: <local|all|NIC> Advanced/Optional |
local listens on all local subnets, all permits listening on internet origin subnets in addition to local. |
WEB_PORT: <PORT> Advanced/Optional |
This will break the 'webpage blocked' functionality of Pi-hole however it may help advanced setups like those running synology or --net=host docker argument. This guide explains how to restore webpage blocked functionality using a linux router DNAT rule: Alternative Synology installation method |
DNSMASQ_USER: <pihole|root> Experimental Default: root |
Allows running FTLDNS as non-root. |
TEMPERATUREUNIT : <c|k|f>Optional Default: c |
Set preferred temperature unit to c : Celsius, k : Kelvin, or f Fahrenheit units. |
WEBUIBOXEDLAYOUT: <boxed|traditional> Optional Default: boxed |
Use boxed layout (helpful when working on large screens) |
To use these env vars in docker run format style them like: -e DNS1=1.1.1.1
Here is a rundown of other arguments for your docker-compose / docker run.
Docker Arguments | Description |
---|---|
-p <port>:<port> Recommended |
Ports to expose (53, 80, 67, 443), the bare minimum ports required for Pi-holes HTTP and DNS services |
--restart=unless-stopped Recommended |
Automatically (re)start your Pi-hole on boot or in the event of a crash |
-v $(pwd)/etc-pihole:/etc/pihole Recommended |
Volumes for your Pi-hole configs help persist changes across docker image updates |
-v $(pwd)/etc-dnsmasq.d:/etc/dnsmasq.d Recommended |
Volumes for your dnsmasq configs help persist changes across docker image updates |
--net=host Optional |
Alternative to -p <port>:<port> arguments (Cannot be used at same time as -p) if you don't run any other web application. DHCP runs best with --net=host, otherwise your router must support dhcp-relay settings. |
--cap-add=NET_ADMIN Recommended |
Commonly added capability for DHCP, see Note on Capabilities below for other capabilities. |
--dns=127.0.0.1 Recommended |
Sets your container's resolve settings to localhost so it can resolve DHCP hostnames from Pi-hole's DNSMasq, also fixes common resolution errors on container restart. |
--dns=1.1.1.1 Optional |
Sets a backup server of your choosing in case DNSMasq has problems starting |
--env-file .env Optional |
File to store environment variables for docker replacing -e key=value settings. Here for convenience |
- A good way to test things are working right is by loading this page: https://pi.hole/admin/
- How do I set or reset the Web interface Password?
docker exec -it pihole_container_name pihole -a -p
- then enter your password into the prompt
- Port conflicts? Stop your server's existing DNS / Web services.
- Don't forget to stop your services from auto-starting again after you reboot
- Ubuntu users see below for more detailed information
- Port 80 is highly recommended because if you have another site/service using port 80 by default then the ads may not transform into blank ads correctly. To make sure docker-pi-hole plays nicely with an existing webserver you run you'll probably need a reverse proxy webserver config if you don't have one already. Pi-hole must be the default web app on the proxy e.g. if you go to your host by IP instead of domain then Pi-hole is served out instead of any other sites hosted by the proxy. This is the 'default_server' in nginx or 'default' virtual host in Apache and is taken advantage of so any undefined ad domain can be directed to your webserver and get a 'blocked' response instead of ads.
- You can still map other ports to Pi-hole port 80 using docker's port forwarding like this
-p 8080:80
, but again the ads won't render properly. Changing the inner port 80 shouldn't be required unless you run docker host networking mode. - Here is an example of running with jwilder/proxy (an nginx auto-configuring docker reverse proxy for docker) on my port 80 with Pi-hole on another port. Pi-hole needs to be
DEFAULT_HOST
env in jwilder/proxy and you need to set the matchingVIRTUAL_HOST
for the Pi-hole's container. Please read jwilder/proxy readme for more info if you have trouble.
- You can still map other ports to Pi-hole port 80 using docker's port forwarding like this