March 24, 2019

The LAN stack

dnsmasq compose file

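version: '3'
services:

  # dnsmasq: the LAN's DHCP server and first-hop DNS cache (config in
  # /home/blender/dnsmasq on the host).
  dnsmasq:
    restart: unless-stopped
    # NOTE(review): unpinned tag -- a re-pull silently upgrades the LAN's
    # resolver/DHCP server. Pin it, e.g.
    #   image: andyshinn/dnsmasq:<version>@sha256:<digest>   # placeholder values
    image: andyshinn/dnsmasq:latest
    container_name: dnsmasq
    # Host files bind-mounted over the container's own copies. Of these,
    # dnsmasq.leases and dnsmasq.log are written by dnsmasq (dhcp-leasefile /
    # log-facility in dnsmasq.conf); the others look like read-only inputs and
    # could presumably take a ':ro' suffix -- confirm before adding it.
    volumes:
      - /home/blender/dnsmasq/dnsmasq.conf:/etc/dnsmasq.conf
      - /home/blender/dnsmasq/dnsmasq.leases:/etc/dnsmasq.leases
      - /home/blender/dnsmasq/resolv.dnsmasq:/etc/resolv.dnsmasq
      - /home/blender/dnsmasq/rfc6761.conf:/etc/rfc6761.conf
      - /home/blender/dnsmasq/hosts:/etc/hosts
      - /home/blender/dnsmasq/dnsmasq.log:/var/log/dnsmasq.log
    # Host networking + NET_ADMIN: the container shares the host's network
    # namespace (presumably so DHCP on enp0s3 sees client broadcasts) and may
    # change host network state, so it is effectively not isolated from the
    # host. Treat the mounted config files as host-privileged input: keep them
    # writable only by their owner.
    network_mode: "host"
    cap_add:
      - NET_ADMIN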
  • dnsmasq.conf
# dnsmasq main config: DHCP plus caching DNS for the 10.2.1.0/24 LAN on enp0s3.
# NOTE(review): without bind-interfaces dnsmasq binds the wildcard address and
# only filters by interface; if anything else on this host needs port 53/67,
# add bind-interfaces -- confirm against the host.
interface=enp0s3

# Locally-served special-use domains; see rfc6761.conf.
conf-file=/etc/rfc6761.conf
dhcp-leasefile=/etc/dnsmasq.leases
# Upstream servers come from this file (1.1.1.1 per resolv.dnsmasq), not from
# the host's /etc/resolv.conf.
resolv-file=/etc/resolv.dnsmasq
log-facility=/var/log/dnsmasq.log

# Query upstreams in the order they appear in resolv-file.
strict-order
# DHCP domain handed to clients in 10.2.1.0/24.
domain=blender.net,10.2.1.0/24
# Answer blender.net only from local data (hosts, DHCP leases); never forward it.
local=/blender.net/

dhcp-lease-max=100
# Option 3 (router) for clients on enp0s3 -> 10.2.1.1.
dhcp-option=enp0s3,3,10.2.1.1
# Option 6 (DNS server) -> 10.2.1.79. NOTE(review): that is not this dnsmasq
# host (10.2.1.2 per the address= line below); presumably the Pi-hole, so
# clients resolve via Pi-hole -> 10.2.1.2 -> 1.1.1.1 -- confirm.
dhcp-option=6,10.2.1.79
# Be the only DHCP server on the segment: unknown/stale leases get a NAK so
# clients re-lease promptly instead of timing out.
dhcp-authoritative
# Pool 10.2.1.100-10.2.1.199, /24 mask, 1440-minute (24 h) leases.
dhcp-range=enp0s3,10.2.1.100,10.2.1.199,255.255.255.0,1440m

# Static reservation: this MAC is always "Sam" at 10.2.1.3, lease never expires.
dhcp-host=00:11:32:73:3C:7B,Sam,10.2.1.3,infinite

# Never forward reverse lookups for private (RFC 1918) ranges upstream.
bogus-priv
# Reject upstream answers that point into private address ranges (DNS
# rebinding defence); local address= and hosts entries are not affected.
stop-dns-rebind
cache-size=10000

# Log DHCP transactions; per-query DNS logging stays off (very verbose).
log-dhcp
#log-queries

# This host's own name: "katy" (and anything under it) -> 10.2.1.2.
address=/katy/10.2.1.2
  • resolv.dnsmasq
# Upstream resolver for dnsmasq (resolv-file in dnsmasq.conf). Plain DNS on
# port 53 -- dnsmasq does not encrypt upstream traffic, so queries leaving
# the LAN are visible in transit.
nameserver 1.1.1.1
  • rfc6761.conf
# RFC6761 included configuration file for dnsmasq
#
# includes a list of domains that should not be forwarded to Internet name servers
# to reduce burden on them, asking questions that they won't know the answer to.
#
# Pulled in by conf-file=/etc/rfc6761.conf in dnsmasq.conf.
# server=/<domain>/ with no address means "never forward": dnsmasq answers
# from local data (hosts, DHCP) or returns NXDOMAIN, the same as local=/<domain>/.
# Of the names below only test, localhost and invalid come from RFC 6761
# itself; local is RFC 6762 (mDNS) and onion is RFC 7686. "bind" is not a
# special-use name -- presumably meant to swallow version.bind-style probes;
# confirm that is the intent.

server=/bind/
server=/invalid/
server=/local/
server=/localhost/
server=/onion/
server=/test/

Everything then goes through the cache stack and on to either the Pi-hole or the cache depot.

The Pi-hole config (a docker run script)

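#!/bin/bash
# Starts the Pi-hole container (daemonized, named "pihole") with its DNS, DHCP
# and web ports published on the host and its config bind-mounted from
# DOCKER_CONFIGS.
#
# Environment inputs (all optional):
#   IP              LAN IP advertised as ServerIP; defaults to the source
#                   address of the route to 8.8.8.8.
#   IPv6            only printed; the IPv6 lookup below is disabled.
#   DOCKER_CONFIGS  directory holding pihole/ and dnsmasq.d/; defaults to $PWD.
#   WEBPASSWORD     admin UI password; see the note where it is set.
# Side effects: runs `docker run -d`. Exit status is that of docker run.

# Lookups may not work for VPN / tun0 -- the route lookup returns the source
# address of whichever interface reaches 8.8.8.8, i.e. the tunnel when a VPN is up.
IP_LOOKUP="$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')"
#IPv6_LOOKUP="$(ip -6 route get 2001:4860:4860::8888 | awk '{for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')"

# Just hard code these to your docker server's LAN IP if lookups aren't working
IP="${IP:-$IP_LOOKUP}"  # use $IP, if set, otherwise IP_LOOKUP
IPv6="${IPv6:-}"        # lookup disabled above; keep the variable defined for the message
#IPv6="${IPv6:-$IPv6_LOOKUP}"  # use $IPv6, if set, otherwise IPv6_LOOKUP
#IPv6="fe80::a00:27ff:fe97:148f"

# Default of directory you run this from, update to where ever (or export DOCKER_CONFIGS).
DOCKER_CONFIGS="${DOCKER_CONFIGS:-$PWD}"

# printf rather than echo: bash's builtin echo leaves "\n" as two literal
# characters unless -e is given, so the original message came out on one line.
printf '### Make sure your IPs are correct, hard code ServerIP ENV VARs if necessary\nIP: %s\nIPv6: %s\n' "${IP}" "${IPv6}"

# Admin UI password, taken from the environment. NOTE(review): the fallback is
# the plaintext value this script used to hard-code; it is now in version
# history, so rotate it and remove the fallback once callers export WEBPASSWORD.
WEBPASSWORD="${WEBPASSWORD:-stp802.1d}"

# Default ports + daemonized docker container
# NOTE(review): every -p below binds 0.0.0.0, so 53/67/80/443 are reachable on
# any host interface; if the host has a non-LAN interface, bind to the LAN
# address instead ("-p ${IP}:80:80" and so on). 67/udp is DHCP, but dnsmasq
# (dhcp-range in dnsmasq.conf) is this LAN's DHCP server -- presumably the
# Pi-hole's DHCP stays disabled; confirm which host runs which. The image tag
# is unpinned; pin to pihole/pihole:<version> (placeholder) for reproducible
# redeploys. --dns chain: the container's own resolver first, then 10.2.1.2
# (katy in dnsmasq.conf).
docker run -d \
    --name pihole \
    -p 53:53/tcp \
    -p 53:53/udp \
    -p 67:67/udp \
    -p 80:80 \
    -p 443:443 \
    --cap-add=NET_ADMIN \
    -v "${DOCKER_CONFIGS}/pihole/:/etc/pihole/" \
    -v "${DOCKER_CONFIGS}/dnsmasq.d/:/etc/dnsmasq.d/" \
    -e ServerIP="${IP}" \
    -e TZ="Australia/Sydney" \
    -e DNS1="1.1.1.1" \
    -e DNS2="8.8.8.8" \
    -e WEBPASSWORD="${WEBPASSWORD}" \
    --restart=unless-stopped \
    --dns=127.0.0.1 --dns=10.2.1.2 \
    pihole/pihole:latest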

The Pi-hole then finally sends the remaining queries out to the internet.