Domain Name cannot be resolved for Wireguard and Pi-Hole on the same Docker Host

I ran into this issue while setting up Wireguard and Pi-hole together on the same Docker host. Specifically, when the two containers each run on their own, separate Docker network, VPN clients connected to the Wireguard server cannot get domain names resolved. Wireguard keeps trying to locate a root nameserver: in Pi-hole's WebUI -> Tools -> Tail pihole.log you will see the log littered with NS "." queries arriving from the Wireguard container (these look like the upstream health-check probes that CoreDNS's forward plugin sends when it cannot get a healthy answer). Stop the Wireguard container and the log goes quiet again.

The cause appears to be that the Wireguard Docker image is "hard-coded" to resolve through the host's DNS via the CoreDNS instance it runs inside the container, and from a separate Docker network that forwarder has no path to Pi-hole. The simplest fix is to put the Pi-hole container on the Docker host network: Pi-hole then listens on the host's own port 53, and the CoreDNS forwarder in the Wireguard container reaches it as "the host DNS". Two things have to hold for this to work. The host's /etc/resolv.conf must name an address Pi-hole listens on (the host's LAN IP rather than 127.0.0.1, since Docker's embedded DNS drops loopback nameservers when it builds a container's resolv.conf), and nothing else on the host may already be bound to port 53 (the systemd-resolved stub listener on 127.0.0.53 is the usual culprit). With that in place, the easiest solution is to add one line to docker-compose.yaml so Pi-hole uses your Docker host network:

version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    hostname: dns2
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    network_mode: host # <-----
    #ports:
    #  - "53:53/tcp"
    #  - "53:53/udp"
    #  - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
    #  - "8080:80/tcp"
    ...

There are a few benefits and drawbacks to running Pi-hole on the host network. If Pi-hole is also your DHCP server, host networking is the only setup that lets it hand out addresses, because DHCP broadcasts do not cross a Docker bridge. On the other hand, the Pi-hole image serves its WebUI on port 80, and on host networking you lose the port mappings, so the admin interface takes port 80 on the host itself. That is somewhat "wasteful" if you also want a reverse proxy on the same machine that needs port 80 open to the outside; the image's WEB_PORT environment variable lets you move the admin interface to another port instead, which is worth considering. Host networking also means Pi-hole answers on port 53 on every host interface, not just the Docker bridge, so if the host has an internet-facing interface, firewall port 53 down to your LAN and the VPN subnet rather than running an open resolver.
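A complete compose file wiring the two services together, added here as an illustration rather than taken from the post. It assumes the linuxserver.io Wireguard image (the post does not name its image), placeholder values for the timezone, server URL, VPN subnet and volume paths, a .env file supplying the Pi-hole admin password, and that the host's /etc/resolv.conf points at the host's LAN address where Pi-hole now listens. PEERDNS=auto keeps that image's default, which hands VPN clients the container's CoreDNS forwarder (the path the post describes); WEB_PORT moves the Pi-hole admin interface off port 80 so a reverse proxy can have it.

```yaml
version: "3"

services:
  pihole:
    container_name: pihole
    hostname: dns2
    image: pihole/pihole:latest
    # Host networking: Pi-hole binds port 53 on the host itself, so the
    # Wireguard container's CoreDNS forwarder reaches it as "the host DNS".
    network_mode: host
    environment:
      TZ: "Europe/London"                   # assumption: set your own
      WEBPASSWORD: "${PIHOLE_WEBPASSWORD}"  # assumption: supplied via .env, not hard-coded here
      # No port mappings on host networking, so move the admin UI off :80
      # to leave that port free for a reverse proxy on the same machine.
      WEB_PORT: "8080"
    volumes:
      - ./etc-pihole:/etc/pihole          # assumption: local paths
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN   # only needed if Pi-hole also serves DHCP
    restart: unless-stopped

  wireguard:
    container_name: wireguard
    image: lscr.io/linuxserver/wireguard:latest   # assumption: the post does not name its image
    depends_on:
      - pihole
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: "Europe/London"
      SERVERURL: "vpn.example.com"        # assumption: your public hostname or IP
      SERVERPORT: "51820"
      PEERS: "2"
      # "auto" = clients resolve through the container's CoreDNS, which forwards
      # to the host resolver; with Pi-hole on host networking that is Pi-hole.
      # Setting this to the host's LAN IP instead hands clients Pi-hole directly.
      PEERDNS: "auto"
      INTERNAL_SUBNET: "10.13.13.0"       # assumption: VPN client subnet
      ALLOWEDIPS: "0.0.0.0/0"
    volumes:
      - ./wireguard:/config               # assumption: local path
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

After `docker compose up -d`, confirm the chain from a connected VPN client with `dig @10.13.13.1 example.com` (the Wireguard-side CoreDNS) and from the host with `dig @<host LAN IP> example.com`; both should answer, and the query should appear in Pi-hole's log attributed to the VPN client or container address rather than as a stream of NS "." probes.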