https://github.com/davidjenni/pi-hole-unbound
Secure recursive DNS resolver with pi-hole, unbound and traefik
dns dnssec docker-compose pi-hole recursive-dns traefik ubuntu-core unbound
- Host: GitHub
- URL: https://github.com/davidjenni/pi-hole-unbound
- Owner: davidjenni
- License: mit
- Created: 2025-06-25T06:02:51.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2025-07-13T22:11:13.000Z (11 months ago)
- Last Synced: 2025-07-13T23:32:25.751Z (11 months ago)
- Topics: dns, dnssec, docker-compose, pi-hole, recursive-dns, traefik, ubuntu-core, unbound
- Language: Shell
- Homepage:
- Size: 21.5 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Secure recursive DNS resolver with pi-hole
Docker based stack with [Unbound recursive DNS resolver](https://unbound.docs.nlnetlabs.nl/en/latest/index.html)
and [pi-hole ad blocker](https://pi-hole.net/).
## Goals
- optimize privacy:
  - a DNS sink to filter/block unwanted content
  - a recursive resolver with DNSSEC validation: queries go straight to the authoritative servers instead of the ISP's resolver, and signed answers are verified before they are handed out (DNSSEC authenticates answers; it does not encrypt them, so queries still travel in clear text to the authoritative servers)
- docker-based for easy initial deployment and low-friction, regular updates
- forwarding to the local DHCP/DNS host (e.g. Ubiquiti UDM) to resolve local network names
- TODO: deployable and upgradable via a separate docker image on a minimal-config, immutable Ubuntu Core node (no git nor curl etc. installed on the docker host)
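The unbound fragment below is an added example of how the DNSSEC and local-forwarding goals above fit together; it is not the repository's own configuration. The zone name `lan`, the router address `192.168.1.1`, the `192.168.1.0/24` reverse zone, the listening port `5335` and the trust-anchor path are placeholders. The important part is the last block: a local zone that is not delegated from the signed root would otherwise be rejected by the validator.

```conf
server:
    # Listen for the pi-hole container only; never expose the recursor to the WAN.
    interface: 0.0.0.0
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow        # docker bridge networks (assumed range)
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation against the root trust anchor (path is a placeholder).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes      # treat answers with stripped signatures as bogus
    harden-glue: yes
    qname-minimisation: yes          # send as little of the name upstream as possible
    hide-identity: yes
    hide-version: yes

    # DNS-rebinding protection: drop RFC 1918 / ULA addresses from public answers.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Local zone served by the router (unsigned). Without domain-insecure the
    # root's signed NSEC proof that "lan." does not exist makes the validator
    # mark the router's answers bogus and clients get SERVFAIL. Validation
    # stays on for every other name.
    domain-insecure: "lan."
    # Re-allow private addresses for names under the local zone only.
    private-domain: "lan."
    # unbound answers the reverse zones of private ranges itself by default;
    # nodefault lets the forward-zone below handle PTR lookups for LAN hosts.
    local-zone: "1.168.192.in-addr.arpa." nodefault

# Only the local zone and its reverse zone are forwarded; there is deliberately
# no forward-zone for "." so everything else is resolved recursively.
forward-zone:
    name: "lan."
    forward-addr: 192.168.1.1

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.1
```

Run `unbound-checkconf` against the assembled configuration before restarting the stack; a typo in a `forward-zone` block takes the whole resolver down, not just the local zone.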
## Local test for pi-hole
```bash
docker compose build                              # build first, so the stack is down only for the restart
docker compose stop
docker compose up -d
docker compose ps                                 # every service should show as running
docker image prune -f --filter 'dangling=true'    # drop the superseded image layers
dig -p 5300 @localhost github.com                 # the test stack answers on port 5300
```
Test DNSSEC validation. `+dnssec` only asks for the signatures to be included; the validation itself happens in unbound. A validated answer has the `ad` (authenticated data) flag in the header and `RRSIG` records next to the answer records:
```bash
dig -p 5300 @localhost SOA com. +dnssec           # signed TLD: expect RRSIG records and "ad" in flags
dig -p 5300 @localhost cloudflare.com +dnssec     # signed zone: same checks
```
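The script below is an added example, not part of this repository: it classifies what the resolver answered from the header lines of `dig` output and tells a DNSSEC validation failure apart from an upstream outage by re-querying with `+cd` (checking disabled). It assumes the stack listens on `localhost:5300` as in the README; the sample `dig` outputs embedded in it are constructed, not captured. The EDE line format is the one printed by recent `dig` versions, and unbound only emits Extended DNS Errors when configured with `ede: yes`.

```shell
#!/usr/bin/env bash
# Added example (not the repo's code): classify a DNSSEC-validating resolver's
# answer from `dig ... +dnssec` output, and distinguish "bogus" from "down".
set -eu

# Read dig output from stdin and print exactly one word:
#   secure   - NOERROR/NXDOMAIN with the "ad" flag: answer (or denial) validated
#   insecure - NOERROR/NXDOMAIN without "ad": unsigned zone, or validator off
#   bogus    - SERVFAIL with an Extended DNS Error that names DNSSEC
#   servfail - SERVFAIL without an EDE: bogus OR upstream unreachable
#   error    - no DNS header found in the input
dnssec_status() {
  local out status flags
  out=$(cat)
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) echo secure ;;
        *)        echo insecure ;;
      esac ;;
    SERVFAIL)
      # EDE line as printed by dig, e.g. ";; EDE: 6 (DNSSEC Bogus)" (assumed format)
      if printf '%s\n' "$out" | grep -q '^;; EDE: .*DNSSEC'; then
        echo bogus
      else
        echo servfail
      fi ;;
    *) echo error ;;
  esac
}

# Query the local stack. On a bare SERVFAIL, retry with +cd: that bypasses the
# validator, so a NOERROR on the retry proves the first failure was DNSSEC.
# Usage: check_live <name> [type]
check_live() {
  local name=$1 type=${2:-A} result
  result=$(dig -p 5300 @localhost "$name" "$type" +dnssec | dnssec_status)
  if [ "$result" = servfail ]; then
    if dig -p 5300 @localhost "$name" "$type" +dnssec +cd | grep -q 'status: NOERROR'; then
      result=bogus
    else
      result=unreachable
    fi
  fi
  printf '%-28s %-5s %s\n' "$name" "$type" "$result"
}

# Constructed dig output, trimmed to the header lines the parser looks at.
SAMPLE_SECURE='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS='
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; EDE: 6 (DNSSEC Bogus)'
SAMPLE_SERVFAIL='
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$#" -gt 0 ]; then
  check_live "$@"        # e.g. ./dnssec_check.sh cloudflare.com  or  ./dnssec_check.sh com. SOA
else
  # Offline demo on the constructed samples.
  printf 'secure sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_SECURE" | dnssec_status)"
  printf 'insecure sample -> %s\n' "$(printf '%s\n' "$SAMPLE_INSECURE" | dnssec_status)"
  printf 'bogus sample    -> %s\n' "$(printf '%s\n' "$SAMPLE_BOGUS" | dnssec_status)"
  printf 'servfail sample -> %s\n' "$(printf '%s\n' "$SAMPLE_SERVFAIL" | dnssec_status)"
fi
```

Run it with a name to query the live stack, e.g. after a deploy: a signed zone should come back `secure`, an unsigned one `insecure`, and a `bogus` result on a zone you know is correctly signed means the trust anchor or clock on the resolver is wrong.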
Open a shell in the DNS container (BusyBox `ash`):
```bash
docker exec -it ns-dns-1 ash
```
## Deployment
### Manual deployment
- git clone this repo (or [download the latest release as a zip, then unzip](https://github.com/davidjenni/pi-hole-unbound/releases))
- Create your own `*.prod.env` file, using the checked-in `jenni.prod.env` as a starting point
- Restart the compose stack (build and pull before stopping the already running DNS server: once it is stopped, a host that resolves through it can no longer reach the registry):
```bash
./deploy.sh
```
## TODOs
There is still work left, see the open feature [Issues](https://github.com/davidjenni/pi-hole-unbound/issues?q=is%3Aissue%20state%3Aopen%20label%3Afeature).
File bugs via [Issues](https://github.com/davidjenni/pi-hole-unbound/issues).
## References
- [DNSSEC query and response process](https://learn.microsoft.com/en-us/windows-server/networking/dns/validate-dnssec-responses#including-dnssec-data)
- [DNSSEC troubleshooting with dig](https://developers.cloudflare.com/dns/dnssec/troubleshooting/#view-the-dnssec-chain-of-trust-with-dig)