Deploy PiHole with a Cloudflare Tunnel to Protect Your Privacy - Tutorial

  • Published: 25 Oct 2024

Comments • 102

  • @recyclawps  1 year ago +9

    Another great video, thank you. I'm literally rebuilding my entire network using this series and it's been very helpful.

    • @Jims-Garage  1 year ago +1

      Thanks, Steve. Appreciate the feedback

  • @OutOfMySystem  11 months ago +4

    Another superb video. My whole homelab has been started over completely based on this series.

    • @Jims-Garage  11 months ago

      Great, appreciate the feedback 🙂

  • @hondokenway  10 months ago +1

    I got it to work. Make sure to change both the IPv4 and IPv6 DNS server to the pihole server's IP

    • @Jims-Garage  10 months ago

      Great, thanks for the update.

    • @hondokenway  10 months ago

      @Jims-Garage I went on your discord and received some awesome help. Thanks for the content and keep up the work

  • @lloydsmart1  10 months ago +7

    Why use a Cloudflare tunnel for upstream privacy rather than just using DoT? Surely the level of protection is pretty much the same. For example, I'm using pfSense as my local DNS resolver, and it sends all its queries up to Quad9 via DoT. Still encrypted so the ISP can't see the requests, but no need for the added complexity of a tunnel. Or am I missing something? Is it because piHole can't do DoT?

    • @Jims-Garage  10 months ago +3

      I agree, that's a good way of doing it. It was twofold mainly. The popularity of PiHole, plus it not being able to natively support DoT.

  • @MrPDC-jr5yl  1 year ago +4

    Nice video. There is a version of Pi-hole and DoH quick install with docker compose online that you may want to check; it has cloudflared and google built in. You mentioned you run a few pihole servers, how does your router default to them? And do you have an alternative DNS in case all your pihole servers are down? Also, how do you keep them in sync? Thanks and keep it up with the great content

    • @Jims-Garage  1 year ago +1

      Thanks, Mr. P. I'll check that out.
      My router is set to dish out DNS via DHCP, I have both piholes set. Nothing special to sync them, just a copy paste. I know there are solutions to sync but I haven't done that yet.

  • @FilipeNeto616  7 months ago +1

    I didn't understand how the pihole DNS resolver should be integrated with Sophos, so the pihole can be used as the default DNS resolver for all traffic. Did I miss it? Once again, very helpful video

    • @Jims-Garage  7 months ago

      Correct, set the DNS in Sophos to your PiHole IP. All devices will then use the PiHole.

  • @darkaa2780  5 months ago

    Simplest and fastest tutorial to get pihole+traefik working together, amazing!
    Just to add some things:
    1. Make sure DNS on the device/router is set to pihole IP
    2. (this took me a while to figure out) Check browser settings for any "secure dns" option and disable it, otherwise it will not use the dns set on device/router

  • @maicitin  1 year ago +2

    Thanks for the video. Why did you decide to set up pi-hole as a DNS forwarder (pointing to cloudflare and quad9) instead of a DNS resolver through the cloudflare tunnel?

    • @Jims-Garage  1 year ago +2

      You're welcome. This creates DoH (DNS over HTTPS). It makes it more difficult for your ISP to track DNS queries and can help with ad tracking. It's by no means perfect though (was also an opportunity to introduce Cloudflare Tunnels which I feature further on in the Homelab Series).

  • @Techgoji  8 months ago +1

    Hi Jim. Amazing content. One question though. When you say Docker VM, are you referring to the internal docker host, or the VM that docker is running on? A little unclear on that.

    • @Jims-Garage  8 months ago +1

      Thanks. The docker VM is the machine that docker is installed on (i.e. the one where PiHole is)

    • @Techgoji  8 months ago

      @Jims-Garage Thanks!

  • @rashedobaid  1 year ago +2

    Hi! Cool video. Love the custom interface. Is that made by you?

    • @Jims-Garage  1 year ago +3

      No, it's a Star Trek: The Next Generation theme that's a part of pihole. Very few people know about it; find it in settings.

  • @Glatze603  7 months ago +1

    Hi Jim, that's a great DNS solution. Maybe together with unbound... What if your internet connection is down? You should be able to use DNS for internal systems, but can you still access all internal servers and services with the https FQDN that you configured with traefik or npm? In my homelab I have the problem that all my local (not exposed) FQDNs (I use Traefik in Prod and Nginx Proxy Manager for Test) are not reachable any more after my internet connection goes down.

    • @Jims-Garage  7 months ago

      Yes, this solution works without an internet connection. Add records to pihole; these are checked before reaching out to Cloudflare

  • @mohammadabidhafiz1294  1 year ago +2

    You should explain in more detail how pihole domain A records are added, for an absolute-beginner-friendly tutorial

    • @Jims-Garage  1 year ago

      Thanks for the feedback. What specifically are you trying to do? A records should be simple to add.

  • @JohnFilion  9 months ago +1

    Great video. I already have Traefik set up, and I'm deploying it in docker swarm, but I set up Portainer on a different VM. Do I have to set up PiHole on my Traefik VM, or is there a way I can put PiHole on my Portainer VM and have it utilize Traefik from the Traefik VM?

    • @Jims-Garage  9 months ago

      Yes, have a look at Traefik external service. I use Traefik for my Proxmox as an example

    • @JohnFilion  9 months ago

      @Jims-Garage, thanks for the reply. I'm not sure what you mean about Traefik external service. I tried to search for that on the Traefik documentation page, and I couldn't find it. When you mention setting up your Proxmox in this manner, is there a particular video or file I should look at? Perhaps you are referring to the "File" configuration in Traefik. I'm currently using that to configure services like Joplin coming from the VM where I have docker/portainer installed, but I would like to configure Traefik so it can see the docker/portainer VM and then I could use the docker approach to configure Joplin (and other services) somewhat automatically, and also add more VMs on other systems as needed to the Traefik setup. I see your other video with Docker Swarm, and I'm going to see if that addresses what I'm trying to do.
      As for PiHole, I decided to go ahead and install it on the same VM as my Traefik server, and it's working great. Thanks for saving me a lot of time trying to figure that out myself.

  • @fbifido2  11 months ago +2

    Can you show how to make pi-hole your DNS resolver, and use DNSSEC plus DoT?

    • @Jims-Garage  11 months ago +1

      This video provides DoH (instead of DoT), but the effect is the same.

  • @alvinleongcw  1 year ago +1

    Interested and curious to understand your opinion on using pihole vs AdGuard home

    • @Jims-Garage  1 year ago

      I used both in parallel for a while. I quite liked adguard, but just made a choice and stuck with pihole.
      It tends to have a larger community, is slightly less resource intensive, and IMO has a nicer UI.
      I recommend you just try both and go with what you like best. There isn't much between them and Docker makes it simple to try.

  • @GenesisTyler749  6 months ago +1

    I'm a noob and this is probably going to sound dumb, but I'm lost around 7:14 when you went from the yml file to the command line. What was I supposed to do in between that?

    • @Jims-Garage  6 months ago

      Hey, let me try to help you. You need to connect to your Docker host via SSH (I recommend Putty for starting out - VSCode later on).

    • @GenesisTyler749  6 months ago

      @Jims-Garage already got that. What folders am I supposed to be creating in order to run the yml file? I made it but have no idea where it goes or what to do with it

    • @GenesisTyler749  6 months ago +1

      I've followed step by step, but lost you at 7:05

    • @Jims-Garage  6 months ago

      @GenesisTyler749 you need a machine that is running Docker (see earlier video). You then need to copy my files from GitHub over to your docker machine (connect via SSH with putty), amend them to your setup, and then run the command in the video to start the container.

  • @ultravioletiris6241  8 months ago +1

    Hey there. Is the main benefit here with using the cloudflare tunnel to encrypt the upstream DNS queries? Doesn't this more or less achieve the same effect as DNS over TLS or DNS over HTTPS?

    • @Jims-Garage  8 months ago

      Yes, this counts as DNS over HTTPS

  • @khanhthedag7269  9 months ago +1

    Nice, thanks. I'll try to install it

    • @Jims-Garage  9 months ago

      Did it work?

    • @khanhthedag7269  9 months ago +1

      Yes, I have installed it. It works, but I haven't gone inside pihole to set it up.
      Do you have some video for pihole, how to set up pihole?
      I have also looked at the video about traefik. It also works, thanks.
      Is kubernetes difficult to learn?
      You have some videos, but it is too, too difficult.... I think I'll stay with docker :-) @Jims-Garage

    • @Jims-Garage  9 months ago

      @khanhthedag7269 get familiar with Docker first, then try Docker Swarm, then Kubernetes.

  • @FilipeNeto616  7 months ago +2

    I have zero domains at 'Domains on Adlist', and when I try to Update Gravity I'm getting 'DNS resolution is currently unavailable'. Any clue on what can be blocking this? EDIT: Issue sorted out. The /etc/resolv.conf had 127.0.0.11 instead of 127.0.0.1. Don't know why this happened, but the solution was to mount a new resolv.conf file as a volume in the docker-compose.yml file

    • @Jims-Garage  7 months ago

      Try restarting both containers. Check Cloudflared logs if that doesn't work.

    • @FilipeNeto616  7 months ago

      @Jims-Garage it was due to a misconfigured /etc/resolv.conf. Once again, thank you for your support. Don't know if you noticed, but I'm refactoring my entire home lab based on your videos. Thank you a lot

  • @michaelstarke7821  7 months ago

    Curious... Getting a cert error on the pihole. I can confirm that it is routing through traefik, because the cert presented is the default traefik self-signed certificate.
    The nginx webserver from the previous step as well as the traefik dashboard are both sailing along smoothly with the cert from cloudflare.

  • @WesleyGDeSouza  7 months ago +1

    I get the warning "network proxy not found". I don't have such a network. How do I set it? Thanks

    • @Jims-Garage  7 months ago +1

      It's whatever your proxy network is; change it to that. If you don't know what that is, it's worthwhile watching my Traefik video.

    • @WesleyGDeSouza  7 months ago

      @Jims-Garage Thanks

  • @WesleyGDeSouza  5 months ago +1

    Hi Jim. Could we get a video on traefik + cloudflare tunnel?

    • @Jims-Garage  5 months ago

      Check later on, I don't recommend using tunnels.

    • @WesleyGDeSouza  5 months ago

      @Jims-Garage I'm behind CGNAT. IPv6 is not an option since my provider just gives me a /64.

  • @Neo198431  13 days ago +1

    I am not running Pi-Hole in a container; can I still use it?

    • @Jims-Garage  13 days ago

      Yes, you can use Cloudflare Tunnels without PiHole.

  • @leooramalho1808  8 months ago

    Thanks Jim, awesome video!
    Just one question: when I create a tunnel on cloudflare, they gave me a docker run command with a token. How does your setup work without using this token?
    I think I must pass this token somewhere in the docker-compose... What is weird is that the whole setup just works. I can see the pihole resolving and blocking the ads (I've pointed the portainer IP as DNS on my personal PC)
    Can you shed some light? And again, thanks for the amazing videos!
    Edit: I didn't need the port 53 fix and the piHole custom DNS. Just ran the docker compose and all worked out of the box.

    • @Jims-Garage  8 months ago +1

      Yes, exactly. This is an outbound tunnel, not inbound, that's why it requires minimal configuration.

  • @GrooveNook  6 months ago

    I've edited the file to match the local config folders/files and ran docker compose up but I got "layers from manifest don't match image configuration"

  • @dimasshidqiparikesit1338  1 year ago +1

    Whoa, great video! I did this setup and tried to use pi-hole as the DNS resolver for my wireguard instance. But I can't identify clients through the local IP assigned by wireguard (all traffic looks like it comes from 1 source). Do you have any suggestions?

    • @Jims-Garage  1 year ago +1

      Glad it helped! I need to know a little bit more about your setup before I can help you. How is wireguard deployed, are you trying to connect from outside - in (i.e., over the internet)? Essentially, if you're connecting from outside your network (over the internet), you'll be given an internal IP within the range WG is configured to give you (likely a 10.x.x.x). When you access internal services, your IP address is likely to be the host's IP address (e.g., your Docker machine). Check that you have the right firewall rules in place to access your pihole. For me, I'm able to leave DNS as default because my WG container uses the default DNS server assigned to the host machine.

  • @recyclawps  1 year ago +1

    There is an error somewhere. When I run the docker compose files, it creates a second network (pihole_pihole_internal) instead of (pihole_internal) regardless of whether I already created the latter, and defaults to the former. I had to change it manually to pihole_internal in portainer, then delete the former network from the networks section. The same goes for the traefik compose file. I created 'proxy', but when I ran the docker compose, it created 'traefik_proxy' and defaulted to that. Once I changed those errors, everything is working great!

    • @Jims-Garage  1 year ago

      Thanks, I'll check and amend.

    • @Jims-Garage  1 year ago +1

      Added name: to the network section. That should fix it; it needed to be compose v3.5 or greater.

  • @GPPi-j7x  1 year ago +1

    First of all, thank you for the series. I did all the setup as you uploaded the videos; the problem I'm facing is with Pihole. When I go to Local DNS >>>> DNS Records >>> and I add a domain and IP address, I get a green notification that says Custom DNS Added, but nothing is showing up under List of local DNS, so I cannot move forward with accessing any of my local services... I searched the web but can't find any solution

    • @Jims-Garage  1 year ago

      It's a file permission error. Let me test a new config and update to fix.

    • @Jims-Garage  1 year ago +1

      It's fixed now, and I updated the GitHub config. I removed the security options section that prevented it running as root. This is typically the right thing to do, but pihole needs root permissions.
      You need to delete the container in portainer, and redeploy with the same command.

  • @eduardoalmontemieses4842  10 months ago +1

    Great video!! Is there any way/reason to add Unbound to the setup for an extra layer of security? Or does the tunnel remove the need for a dedicated recursive DNS server?

    • @Jims-Garage  9 months ago +2

      I'm going to look into unbound soon. Hopefully something I can retrofit.

    • @MartinHiggs84  13 days ago

      @Jims-Garage How did you get on? Not sure if I missed another video; it would be good to incorporate unbound 😊

    • @MartinHiggs84  13 days ago

      Looking at docker compose, you need to point pihole at unbound, then the unbound config to forward requests to cloudflared 😊

  • @fbifido2  1 year ago +1

    Can you add "Nginx Proxy Manager" to that docker file to allow access to your internal server via the tunnel?

    • @Jims-Garage  1 year ago

      I haven't tested it but I cannot see why it wouldn't work. Give it a go and let me know.

  • @Ret_af_vet_2019  8 months ago

    Greetings Jim, thanks for your efforts on all these videos and config postings. I've only just installed docker on Ubuntu server 20.04... then portainer last week, then home assistant. It all works well. I am a beginner with virtualization. I want to add pihole and follow these instructions, but I think I am missing prerequisite stuff. Should I go back in the series and get a domain set up with cloudflare, plus deploy traefik first? Somewhat apprehensive. Thanks for any direction you can provide.

    • @Jims-Garage  8 months ago

      Thanks. Yes, I'd purchase a domain (literally the cheapest is fine) and put everything behind Traefik with SSL. It's pretty much one video's worth of additional learning.

    • @Ret_af_vet_2019  8 months ago

      Thanks for getting back to me so promptly. I subscribed right away and enjoy your content immensely.

  • @jonnymichellephilips3302  5 months ago

    Hey Jim. Thanks for the great tutorials. I'm learning lots. After following this guide, I'm not seeing any activity through pihole. Could you offer some suggestions on what might be wrong? Both pihole and CF containers are running and I can access the pihole web interface.

    • @pantoqwerty  5 months ago +1

      If you're using DHCP then you'll need the router/server providing it to tell clients what to use for their DNS servers. If you have machines plugged into a router or switch, then this device will likely have a default provider set by your ISP and, as the gateway device, will likely tell clients to use it as their DNS server. It will then forward to the ISP DNS and they will harvest the queries.
      You need to find the instructions to change the settings on your device to override the client DNS server to be the pihole device.
      If you're using static IP addresses then you can enter the details in the relevant section where you set the static IP.

    • @jonnymichellephilips3302  5 months ago

      @pantoqwerty thanks for your advice; my router config was the problem. After updating the DNS server settings, queries started flowing through pihole. Still experiencing some issues but hopefully I can work it out from here

  • @throttleandtrail  5 months ago +1

    What about using Unbound in between? Is it possible and does it make sense?

    • @Jims-Garage  5 months ago +1

      Not if you want it to act as a recursive resolver. It's one or the other.

  • @brokengabe2342  9 months ago +2

    I don't know what audio recording equipment you have, but I cannot watch your videos. I recommend using a boom mic or a lapel mic so that your voice is louder.

    • @Jims-Garage  9 months ago

      Thanks, should be fixed in subsequent videos.

    • @InSaiyan-Shinobi  6 months ago +2

      How loud do you want the video? It's clear on my end, super clear in my honest opinion

  • @studiolinux  10 months ago +1

    Man, you don't need a proxy to access the pihole admin interface if pihole stays inside the cloudflare tunnel. It's redundant. I made this mistake too, but if you remove the proxy, no problem; make the test.

    • @hondokenway  10 months ago

      I am confused. I can access the admin with the local IP, but when I try to use the local DNS nothing will resolve.

    • @Jims-Garage  10 months ago

      I'm not sure what you mean. This just routes DNS queries over HTTPS for DoH. It's an egress tunnel, not ingress.

    • @hondokenway  10 months ago

      How do I add this pihole docker container to my PC's DNS server? Do I need to add the IP of the server? Or do I add the IP of the docker network "proxy" or the pihole_internal IP? @Jims-Garage

    • @hondokenway  10 months ago

      Ultimately I cannot get the local DNS to resolve when I make it in the Pihole online interface. If I create a local DNS through cloudflare it will resolve. @Jims-Garage

  • @m.epictures6344  1 year ago +2

    Could Pi-Alert be added to this at all?

    • @Jims-Garage  1 year ago +1

      I don't see why not, although I'm not familiar with it (had a quick glance).
      Rogue device detection is probably better at the firewall level. You can explicitly limit traffic using MAC addresses (this isn't infallible, however, due to MAC spoofing).

    • @m.epictures6344  1 year ago +2

      @Jims-Garage Nice, thanks. I should probably watch your firewall video then ☺

    • @Jims-Garage  1 year ago

      @m.epictures6344 if you're serious about network security (rogue devices etc.), it's pretty much a must. Happy to assist.

  • @cicievie  1 year ago +4

    Can you please make one video for adguard home please...

  • @sudyou  1 year ago +1

    How to tunnel DNS traffic itself via cloudflare tunnel?

    • @Jims-Garage  1 year ago

      Simply run this config. You can see that the DNS resolver specified is the Cloudflare Tunnel; it will send all requests through the tunnel.

  • @adamabbas1846  1 year ago

    Unfortunately unclear and omits important details... both the Traefik and pihole instructions are very disappointing 😕

    • @Jims-Garage  1 year ago +1

      Appreciate the feedback, could you elaborate? The Traefik section was covered in previous videos (the idea is that you follow the videos in order so I don't have to retread ground). What specifically did you want to see more of in PiHole? This will give you a secure, default setup.

  • @FractureCLinic47  1 year ago +2

    I needed to add an addprefix label to get the proxy working via DNS. Otherwise I would see 'Bad gateway'.
    - "traefik.http.middlewares.pihole-admin.addprefix.prefix=/admin"
    - "traefik.http.routers.pihole.middlewares=pihole-admin"

    • @Jims-Garage  1 year ago

      Yes, good spot! I forgot to add that to the config; let me change it. Otherwise it's pihole.domain.com/admin/login.php
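As an added example (not the compose file from the video's GitHub repo), a minimal stack that combines the two fixes raised in this thread: the explicit `name:` on the network (the pihole_pihole_internal problem above, compose format 3.5+) and the addprefix labels from the comment just above, wired to an egress-only cloudflared DNS-over-HTTPS proxy as the pihole upstream. The hostname pihole.example.com, the 172.30.0.0/24 subnet, the timezone, the `https` entrypoint name and the pre-existing Traefik `proxy` network are assumptions.

```yaml
# Added example, not the video's own compose file. Placeholders/assumptions:
# pihole.example.com, subnet 172.30.0.0/24, TZ, entrypoint "https", network "proxy".
version: "3.8"            # "name:" under networks needs compose format 3.5 or later

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    # Egress-only DoH forwarder: pihole sends plain DNS to it on the internal
    # network; it talks to Cloudflare over HTTPS, so the ISP sees only TLS.
    command: proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query
    networks:
      pihole_internal:
        ipv4_address: 172.30.0.2   # fixed so pihole can name it as upstream
    restart: unless-stopped

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    depends_on:
      - cloudflared
    networks:
      - proxy              # Traefik reaches the admin UI over this network
      - pihole_internal    # pihole reaches cloudflared over this network
    ports:
      - "53:53/tcp"        # LAN clients / router DHCP DNS option point at the host IP
      - "53:53/udp"
    environment:
      TZ: "Europe/London"                 # assumed
      WEBPASSWORD: "CHANGE-ME"            # placeholder, set a real one
      PIHOLE_DNS_: "172.30.0.2#5053"      # upstream = cloudflared (v5-era image variable)
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.example.com`)"
      - "traefik.http.routers.pihole.entrypoints=https"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      # The admin UI lives under /admin; without these two labels the commenter
      # above saw "Bad gateway" when hitting the bare hostname.
      - "traefik.http.middlewares.pihole-admin.addprefix.prefix=/admin"
      - "traefik.http.routers.pihole.middlewares=pihole-admin"
    restart: unless-stopped

networks:
  proxy:
    external: true           # created once by the Traefik stack, shared here
  pihole_internal:
    name: pihole_internal    # explicit name; otherwise compose creates <project>_pihole_internal
    ipam:
      config:
        - subnet: 172.30.0.0/24   # assumed
```

Port 53 is published only on the Docker host, and cloudflared has no published ports at all, so the only path to the upstream is pihole to cloudflared to Cloudflare over HTTPS.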