Docker version #8

Open
godshades opened this issue Jan 13, 2022 · 277 comments
Labels: Docker, enhancement (New feature or request)

@godshades

godshades commented Jan 13, 2022

Hi, thanks for a great project.
Would you mind making a Docker version of this project,
or a tutorial on how to use it with AdGuard (Docker)?

@trinib
Owner

trinib commented Jan 13, 2022

Thanks. My plan was to make these projects more understandable and get them working. I thought about building a Docker container at some point; I know it is super easy, but for a while I'm focused on my app development and not planning to make one now, as there are a lot of guides on Docker and these projects.

But the whole idea of this repo was for people to understand this network stuff better and other people to contribute to make it better so I will create a help issue for a docker image if anyone is interested. 🙏🙏🙏

@trinib trinib added Docker help wanted Extra attention is needed labels Jan 15, 2022
@trinib trinib self-assigned this Mar 12, 2022
@oijkn
Collaborator

oijkn commented Apr 1, 2022

Thanks to your great work I was able to set up a Docker with all the stuff except the VPN. It is installed on my raspberry via the PiVPN script. I'm going to continue an observation phase to see if everything works well and I'll publish my Docker.

@oijkn
Collaborator

oijkn commented Apr 5, 2022

In my case I don't need to use a VPN in a docker. So at first I will share my work without this option. On the other hand I use OpenVPN because with a PC that does not have administrator rights it works while with Wireguard it is not the case even if it is faster.

@trinib trinib linked a pull request Apr 28, 2022 that will close this issue
@trinib trinib removed a link to a pull request Apr 28, 2022
@trinib trinib reopened this Apr 28, 2022
@oijkn
Collaborator

oijkn commented May 23, 2022

Hi @trinib,

Sorry for the wait but I was busy with other personal projects.
Good news ! The Docker version is online and available here : https://hub.docker.com/r/oijkn/adguardhome-doh-dot

If you have any comments or questions don't hesitate to open an issue or to contact me.

Thanks again for your great work and sharing :)

@trinib
Owner

trinib commented May 23, 2022

@oijkn thanks I'll try it out in a while

@Monirzadeh

Monirzadeh commented May 24, 2022

Hi @trinib,

Sorry for the wait but I was busy with other personal projects. Good news ! The Docker version is online and available here : https://hub.docker.com/r/oijkn/adguardhome-doh-dot

If you have any comments or questions don't hesitate to open an issue or to contact me.

Thanks again for your great work and sharing :)

hi @oijkn
i try to deploy that but i get in trouble
for now i have my macvlan with name 'mymacvlanexist' how should i connect that to that 'mymacvlanexist' instead of create new one?

i think i should change this two part to connect network to 'mymacvlanexist' , but i don't know how.

    networks:
      macvlan0:
        ipv4_address: 192.168.1.110                                    # IP of the container for AdGuardHome, configure it to your needs

and

networks:
  macvlan0:
    driver: macvlan
    driver_opts:
      parent: eth0                                                     # Parent interface, configure it depending on your interface name
    ipam:
      config:
        - subnet: 192.168.1.0/24                                       # Subnet of the container
          gateway: 192.168.1.1                                         # Gateway of the network
          ip_range: 192.168.1.100/28                                   # Usable Host IP Range: 192.168.1.97 - 192.168.1.110
          aux_addresses:
            rpi-srv: 192.168.1.100                                     # Reserved for RPi Server (IP of the host)

@oijkn
Collaborator

oijkn commented May 24, 2022

@Monirzadeh can you list your network with : docker network ls and then show me detail with docker network inspect <network_name> ?

@trinib
Owner

trinib commented May 24, 2022

@oijkn Everything installed ok but this keeps happening(restarting)

image

Using Pi raspberry 64bit, installed docker for debian from https://docs.docker.com/engine/install/debian/

It stated clone repo to docker data directory. I used location /var/lib/docker/ 🤷‍♂️ and I needed to be in sudo su root privilege mode You meant in docker-compose.yml. 😅

I did not change anything in file. I kept 192.168.1.110. My network has a [192.168.100.xxx] type address, do not know if that means anything

for nameserver in /etc/resolv.conf, 192.168.1.110 gets removed after restart so I used this guide : https://www.tecmint.com/set-permanent-dns-nameservers-in-ubuntu-debian/

BTW you have docker-compose up -d when docker compose up -d is the working command for me

let me know if you see what I did wrong

EDITED

crap I did not set path in volumes section 😅

@trinib
Owner

trinib commented May 24, 2022

hi @oijkn i try to deploy that but i get in trouble for now i have my macvlan with name 'mymacvlanexist' how should i connect that to that 'mymacvlanexist' instead of create new one?

i think i should change this two part to connect network to 'mymacvlanexist' , but i don't know how.

    networks:
      macvlan0:
        ipv4_address: 192.168.1.110                                    # IP of the container for AdGuardHome, configure it to your needs

and

networks:
  macvlan0:
    driver: macvlan
    driver_opts:
      parent: eth0                                                     # Parent interface, configure it depending on your interface name
    ipam:
      config:
        - subnet: 192.168.1.0/24                                       # Subnet of the container
          gateway: 192.168.1.1                                         # Gateway of the network
          ip_range: 192.168.1.100/28                                   # Usable Host IP Range: 192.168.1.97 - 192.168.1.110
          aux_addresses:
            rpi-srv: 192.168.1.100                                     # Reserved for RPi Server (IP of the host)

did you run docker pull oijkn/adguardhome-doh-dot first ? cause when i did i got that error

@Monirzadeh

Monirzadeh commented May 24, 2022

@Monirzadeh can you list your network with : docker network ls and then show me detail with docker network inspect <network_name> ?

NETWORK ID     NAME        DRIVER    SCOPE
randomnumber1   MacConfig   null      local
randomnumber2   MyMacVlan   macvlan   local
randomnumber3   bridge      bridge    local
randomnumber4   host        host      local
randomnumber5   none        null      local

The inspect output does not contain AdGuard, but some containers connect to this macvlan
docker network inspect MyMacVlan output

[
    {
        "Name": "MyMacVlan",
        "Id": "randomnumber2",
        "Created": "2022-05-24T00:22:58.945708161+04:30",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.1.0/26",
                    "IPRange": "192.168.1.2/24",
                    "Gateway": "192.168.1.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": "MacConfig"
        },
        "ConfigOnly": false,
        "Containers": {
            "containerid": {
                "Name": "Radarr",
                "EndpointID": "....",
                "MacAddress": "virtualmacaddress",
                "IPv4Address": "192.168.1.4/26",
                "IPv6Address": ""
            },
        },
        "Options": {
            "parent": "enp2s0"
        },
        "Labels": {}
    }
]

i use Portainer to manage containers

@Monirzadeh

Monirzadeh commented May 24, 2022

hi @oijkn i try to deploy that but i get in trouble for now i have my macvlan with name 'mymacvlanexist' how should i connect that to that 'mymacvlanexist' instead of create new one?
i think i should change this two part to connect network to 'mymacvlanexist' , but i don't know how.

    networks:
      macvlan0:
        ipv4_address: 192.168.1.110                                    # IP of the container for AdGuardHome, configure it to your needs

and

networks:
  macvlan0:
    driver: macvlan
    driver_opts:
      parent: eth0                                                     # Parent interface, configure it depending on your interface name
    ipam:
      config:
        - subnet: 192.168.1.0/24                                       # Subnet of the container
          gateway: 192.168.1.1                                         # Gateway of the network
          ip_range: 192.168.1.100/28                                   # Usable Host IP Range: 192.168.1.97 - 192.168.1.110
          aux_addresses:
            rpi-srv: 192.168.1.100                                     # Reserved for RPi Server (IP of the host)

did you run docker pull oijkn/adguardhome-doh-dot first ? cause when i did i got that error

i use Portainer and yes image downloaded

@Monirzadeh

Monirzadeh commented May 24, 2022

replace that to place you want to store data for example

    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /containersFiles/adguardhome/conf:/opt/AdGuardHome/conf          # Configure '<path_to_data>' to your needs
      - /containersFiles/adguardhome/work:/opt/AdGuardHome/work          # Configure '<path_to_data>' to your needs
      - /containersFiles/unbound/root.hints:/var/lib/unbound/root.hints  # Configure '<path_to_data>' to your needs

above config link
/opt/AdGuardHome/conf path in container to /containersFiles/adguardhome/conf path in host machine

@trinib
Owner

trinib commented May 24, 2022

replace that to place you want to store data for example

    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /containersFiles/adguardhome/conf:/opt/AdGuardHome/conf          # Configure '<path_to_data>' to your needs
      - /containersFiles/adguardhome/work:/opt/AdGuardHome/work          # Configure '<path_to_data>' to your needs
      - /containersFiles/unbound/root.hints:/var/lib/unbound/root.hints  # Configure '<path_to_data>' to your needs

above config link /opt/AdGuardHome/conf path in container to /containersFiles/adguardhome/conf path in host machine

image

@oijkn
Collaborator

oijkn commented May 24, 2022

HI,

@trinib Your main problem seems to be that you are on a 64 bit architecture while my image is for 32 bit. I will try to build a multi-arch image to solve this problem.

Then if you are in a 192.168.100.0/24 subnet you have to adapt the network configuration accordingly. So you have to replace 192.168.1.110 by 192.168.100.110. I guess your gateway should be 192.168.100.1, right?

I realized, that I forgot in the README to indicate the modification of the network parameters in the files located in the network directory of the Github (I will make an update of the README).

And for <path_to_data>, I mean the real path where you will install the Docker stuff for AdGuardHome. Example : /data/docker/adguardhome/. I usually use the /data of my HDD to store all my docker :)

@Monirzadeh I think you have to use something like that :

version: "2"

services:
  adguardhome:
    <all previous config...>
    networks:
      - MyMacVlan

networks:
  MyMacVlan:
    external: true
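
The addressing checks discussed above (a LAN on 192.168.100.xxx versus the compose file's 192.168.1.0/24, and attaching to the existing MyMacVlan network), as an added example that is not part of the thread or of the oijkn/adguardhome-doh-dot project. The function name `check_macvlan_ipam`, the host address 192.168.100.20 and the adapted `ip_range` 192.168.100.100/28 are assumptions made for illustration; the other values are those posted in the thread.

```python
import ipaddress


def check_macvlan_ipam(subnet, gateway, ip_range=None, assigned=None, host_ip=None):
    """Return a list of problems found in a Docker macvlan IPAM definition.

    assigned: label -> IPv4 address (container ipv4_address or aux_addresses).
    host_ip:  address of the Docker host on the parent interface, if known.
    """
    problems = []
    try:
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError:
        # Host bits set in the subnet: normalise it, but report it.
        net = ipaddress.ip_network(subnet, strict=False)
        problems.append(f"subnet {subnet} has host bits set (network is {net})")

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside subnet {net}")

    if ip_range is not None:
        # ip_range is often written with host bits, e.g. 192.168.1.100/28.
        pool = ipaddress.ip_network(ip_range, strict=False)
        if not pool.subnet_of(net):
            problems.append(f"ip_range {ip_range} is not contained in subnet {net}")

    seen = {gw: "gateway"}
    for label, addr in (assigned or {}).items():
        # ip_interface accepts both "192.168.1.110" and "192.168.1.4/26".
        ip = ipaddress.ip_interface(addr).ip
        if ip not in net:
            problems.append(f"{label} {ip} is outside subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address")
        if ip in seen:
            problems.append(f"{label} {ip} collides with {seen[ip]}")
        seen[ip] = label

    if host_ip is not None and ipaddress.ip_address(host_ip) not in net:
        problems.append(f"host {host_ip} is not in {net}: the LAN behind the "
                        "parent interface uses a different subnet")
    return problems


# docker-compose.yml values as posted in the thread.
COMPOSE_DEFAULT = dict(
    subnet="192.168.1.0/24", gateway="192.168.1.1", ip_range="192.168.1.100/28",
    assigned={"adguardhome": "192.168.1.110", "rpi-srv": "192.168.1.100"})

# Constructed: a host on the 192.168.100.xxx LAN (last octet is invented).
HOST_ON_100_LAN = "192.168.100.20"

# Adapted as suggested in the thread; the ip_range value is an assumption.
COMPOSE_ADAPTED = dict(
    subnet="192.168.100.0/24", gateway="192.168.100.1",
    ip_range="192.168.100.100/28", assigned={"adguardhome": "192.168.100.110"})

# IPAM section of the posted `docker network inspect MyMacVlan` output.
MYMACVLAN = dict(
    subnet="192.168.1.0/26", gateway="192.168.1.1", ip_range="192.168.1.2/24",
    assigned={"Radarr": "192.168.1.4/26"})

# Same network with the compose file's static address carried over unchanged.
MYMACVLAN_PLUS_AGH = dict(
    MYMACVLAN, assigned={"Radarr": "192.168.1.4/26", "adguardhome": "192.168.1.110"})


if __name__ == "__main__":
    cases = {
        "compose defaults": (COMPOSE_DEFAULT, None),
        "compose defaults on 192.168.100.x LAN": (COMPOSE_DEFAULT, HOST_ON_100_LAN),
        "adapted compose on 192.168.100.x LAN": (COMPOSE_ADAPTED, HOST_ON_100_LAN),
        "MyMacVlan as inspected": (MYMACVLAN, None),
        "MyMacVlan + 192.168.1.110": (MYMACVLAN_PLUS_AGH, None),
    }
    for name, (cfg, host) in cases.items():
        found = check_macvlan_ipam(host_ip=host, **cfg)
        print(f"{name}: {'ok' if not found else '; '.join(found)}")
```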

@Monirzadeh

Monirzadeh commented May 24, 2022

@oijkn thanks
now I get the same error that @trinib gets; as you mention, it is because the image is 32-bit. I will wait for the 64-bit version to be built.
where do you announce 64bit version?

@trinib
Owner

trinib commented May 24, 2022

HI,

@trinib Your main problem seems to be that you are on a 64 bit architecture while my image is for 32 bit. I will try to build a multi-arch image to solve this problem.

Then if you are in a 192.168.100.0/24 subnet you have to adapt the network configuration accordingly. So you have to replace 192.168.1.110 by 192.168.100.110. I guess your gateway should be 192.168.100.1, right?

I realized, that I forgot in the README to indicate the modification of the network parameters in the files located in the network directory of the Github (I will make an update of the README).

And for <path_to_data>, I mean the real path where you will install the Docker stuff for AdGuardHome. Example : /data/docker/adguardhome/. I usually use the /data of my HDD to store all my docker :)

@Monirzadeh I think you have to use something like that :

version: "2"

services:
  adguardhome:
    <all previous config...>
    networks:
      - MyMacVlan

networks:
  MyMacVlan:
    external: true

Ahh, I thought it was these types of issues (architecture/network address). I'll make adjustments and see how it goes. What about docker-compose up -d fixed to docker compose up -d (no dash)?

@trinib trinib added enhancement New feature or request and removed help wanted Extra attention is needed labels May 24, 2022
@trinib
Owner

trinib commented May 24, 2022

@oijkn Thanks so much again for the contribution.🔥🎉. when i add your docker links to readme and i'll finally close this💩

@trinib
Owner

trinib commented May 24, 2022

@oijkn whenever you feel like it or if you want to, it would be cool to make one with DNScrypt and Knot (soon to add, being set up/tested by @jo20201) with AGH. Those two are very customizable alternatives to cloudflared tunnel and unbound; which has better security is hard for anyone to say unless you are a network programmer and actually spend time comparing them lol.

I want DNScrypt and Knot for users who want extra features and like configuring stuff. it will be a personal preference option more advanced, unless in the future any becomes obsolete

@oijkn
Collaborator

oijkn commented May 24, 2022

@trinib ok I'll have a look at it as soon as possible

@trinib @Monirzadeh Can you type this command: dpkg --print-architecture and give me the result please? Thanks

@Monirzadeh

dpkg --print-architecture

amd64

@trinib
Owner

trinib commented Jun 12, 2022

/usr/local/etc/stubby/stubby.yml

ok i will start again with a clean os +1
but one more question.
are you sure unbound send request to cloudflare?
when i just set unbound as upstream, never get DoH pass. can you review that part too?
thanks

Unbound send request as DoT TLS just

so what happen when 1.1.1.1 test DoH and we have unbound in upstream. my point is: when 1.1.1.1 send request to AGH than it send first to unbound that can't response by unbound so i get

Using DNS over HTTPS (DoH) | No

but AGH should send that to cloudflare not unbound it is why i can't get Using DNS over HTTPS (DoH) | No

lol it is cloudflare tunnel or dnscrypt works with DoH dns servers

1.1.1.1 is just resolver address of cloudflare dns ..

you need to do more reading in #17

@trinib
Owner

trinib commented Jun 12, 2022

@Monirzadeh is everything working now?

@Monirzadeh

Monirzadeh commented Jun 12, 2022

@Monirzadeh is everything working now?

better than before but a little mix
in general i get less error from stubby now
pass this test without problem for now
but two place i still has problem

  1. based on your document with stubby unbound cloudflare for DOH i should get 3 yes in https://1.1.1.1/help but i can't get that
  2. in this test i get different result. if i set stubby only i get better coverage. with your document same as before. sometimes sha380-ED448 get pass sometime fails.

i should review and read your link again an test some more things.
in your documentation something is a little confusing for me
here you want us to set

Upstream:
127.0.0.1:53
127.0.0.1:5053
127.0.0.1:8053
Bootstrap DNS:
127.0.0.1:53
127.0.0.1:5053
127.0.0.1:8053

or bootstrap should be empty or just

Upstream:
127.0.0.1:53
127.0.0.1:5053
127.0.0.1:8053
Bootstrap DNS:
127.0.0.1:5053
127.0.0.1:8053

maybe i test DNScrypt proxy to see how things going on or even Knot Resolver.
do you have better idea?

@trinib
Owner

trinib commented Jun 12, 2022

Have you tried just adding 127.0.0.1:5053 to see if DoH is showing. if all is working one by one and not together then its something up with your network., or try dnscrypt

Add Upstream and Bootstrap DNS server options

AGH do have much explanation how it actually works in play but from what i could find in google

In computing the term "bootstrap" can mean to initiate a self-sustaining process (the source is this posting). A bootstrap DNS server is a DNS server that allows other domain name entries (such non-IP addresses) to be found by finding a DNS server.

When a DNS server queries other DNS servers, it's making an “upstream” query. Queries for a domain can go “upstream” until they lead back to domain's authority, or “authoritative name server.” An authoritative name server is where administrators manage server names and IP addresses for their domains.

@trinib
Owner

trinib commented Jun 12, 2022

in general i get less error from stubby now

What other errors ? you mean DoH not showing right ? ... if any other let me know to fix in wiki

@Monirzadeh

in general i get less error from stubby now

What other errors ? you mean DoH not showing right ? ... if any other let me know to fix in wiki

sometime stubby not response. get this when test upstream

Server "127.0.0.1:8053": could not be used, please check that you've written it correctly

@trinib
Owner

trinib commented Jun 12, 2022

So sometimes it works ?

do you have parallel request on ?

@Monirzadeh

Monirzadeh commented Jun 12, 2022

do you have parallel request

yes parallel request is on
i will report all situation after all wiki change to give you a better idea. i install all on rpi to find the problem and than if every thing work fine move all of them to docker.

@Monirzadeh

Monirzadeh commented Jun 12, 2022

@trinib
stubby and unbound all of them build on device not package manager
use stubby dnssec mechanism instead of use unbound
DNSStubListener=no, same as your guide; here you say off but the screenshot says no, so I set no

if i just set 127.0.0.1:5053 get this

Connected to 1.1.1.1 | Yes
Using DNS over HTTPS (DoH) | Yes
Using DNS over TLS (DoT) | No
https://dnssec.vs.uni-due.de/ PASS

cloudflare


127.0.0.1:8053 too slow

Connected to 1.1.1.1	No
Using DNS over HTTPS (DoH)	No
Using DNS over TLS (DoT)	No
Using DNS over WARP	No
https://dnssec.vs.uni-due.de/ PASS

stubby


127.0.0.1:53

Connected to 1.1.1.1	Yes
Using DNS over HTTPS (DoH)	No
Using DNS over TLS (DoT)	Yes
https://dnssec.vs.uni-due.de/ PASS

unbound1
unbound2


all together(127.0.0.1:53 127.0.0.1:5053 127.0.0.1:8053)

Connected to 1.1.1.1	Yes
Using DNS over HTTPS (DoH)	No
Using DNS over TLS (DoT)	Yes
https://dnssec.vs.uni-due.de/ PASS

alltogethe1
alltogether2

@jo20201 what do you think. as i see some test randomly pass.

now https://dnssec.vs.uni-due.de/ pass on all of them but i will test that a little more if anything change report here.
stubby get all no in 1.1.1.1/help test
vpn part not setup just adguard , stubby , unbound, cloudflare

@trinib
Owner

trinib commented Jun 13, 2022

it seems the device is not resolving properly .. is it android or windows

@Monirzadeh

Monirzadeh commented Jun 13, 2022

it seems the device is not resolving properly

@trinib it is Linux machine. what can be the problem?

@jo20201 it is the result of all of them together. so you think it not pass because if ipv6? and everything is fine for you? why is change sometime? or i can't get doh yes 1.1.1.1 when all of them active together?
2022-06-13_14-08

@trinib
Owner

trinib commented Jun 13, 2022

it seems the device is not resolving properly

@trinib it is Linux machine. what can be the problem?

@jo20201 it is the result of all of them together. so you think it not pass because if ipv6? and everything is fine for you? why is change sometime? or i can't get doh yes 1.1.1.1 when all of them active together?
2022-06-13_14-08

hmm try removing ipv6 stuff

@Monirzadeh

Monirzadeh commented Jun 13, 2022

@trinib
i do based on this guide

something weird happen. all the same but sometime get 3 yes in 1.1.1.1 BUT from my isp provider not cloudflare. i don't want even one response from my provider.
i don't trust them at all.

@trinib
Owner

trinib commented Jun 13, 2022

have you tried using other devices to check results on 1.1.1.1?

@trinib
Owner

trinib commented Jun 13, 2022

@trinib i do based on this guide

something weird happen. all the same but sometime get 3 yes in 1.1.1.1 BUT from my isp provider not cloudflare. i don't want even one response from my provider. i don't trust them at all.

this sounds like you have dns leak somewhere on the system

@Monirzadeh

i test again and i get randomly 3 yes with cloudflare on both device.
i want test other combination like DNScrypt or Knot Resolver what do you think?

@trinib
Owner

trinib commented Jun 13, 2022

can you change dns to pi address on your router ? if so try that else try unbound and dns crypt ..

@Monirzadeh

it is exactly what it is.
my machine ---> router ---> Adguard
should i test any other combination or you want to test anything else?

@trinib
Owner

trinib commented Jun 13, 2022

it is exactly what it is. my machine ---> router ---> Adguard should i test any other combination or you want to test anything else?

ok so you do not add pi address manually on devices ?

@Monirzadeh

Monirzadeh commented Jun 13, 2022

it is exactly what it is. my machine ---> router ---> Adguard should i test any other combination or you want to test anything else?

ok so you do not add pi address manually on devices ?

no all request go to my router. some container that point directly but i don't test them.
for test i change settings and directly to AGH but same result.
if you don't want any more test i start testing other combination.

side note: is it possible AGH drop response if it came from other source like my provider?

@trinib
Owner

trinib commented Jun 13, 2022

you did not mention anything about a container ? are you running this like i said ?

@Monirzadeh

Monirzadeh commented Jun 13, 2022

you did not mention anything about a container ? are running this like i said ?

no i say that in wrong way.
i install adguard on rpi as your document. i want say i have some container that directly point to adguard nothing else.
as i said before try to work everything on rpi directly and than move to docker.

@trinib
Owner

trinib commented Jun 13, 2022

i think you need to add pi address on the device's dns.

@Monirzadeh

Monirzadeh commented Jun 13, 2022

i think you need to add pi address on the device's dns.

i do that and same result nothing change.
if you don't wanna more test. i start working on other combination

@trinib
Owner

trinib commented Jun 13, 2022

hmmm try unbound(DoT) and dnscrypt(DoH).. or make an account on Vultr and setup linux on a vps to see if it's really your network is the issue.

sign up with my referral link https://www.vultr.com/?ref=9113990-8H to get 100usd free. You will have to spend at least 5 usd upfront to get the free 100usd added to your account.

@Monirzadeh

Monirzadeh commented Jun 13, 2022

hmmm try unbound(DoT) and dnscrypt(DoH).. or make an account on Vultr and setup linux on a vps to see if it's really your network is the issue.

sign up with my referral link https://www.vultr.com/?ref=9113990-8H to get 100usd free. You will have to spend at least 5 usd upfront to get the free 100usd added to your account.

thanks
i start working on other combination and report them here.
one small fix in this guide step 4. it is better to replace variable instead of line number. maybe config change in future and it is not good to point just line number.
second why you say do sudo rm stubby.yml?
three /etc/stubby/ is for user that install stubby from package manager. it is better to mention to user that build stubby too.

@trinib
Owner

trinib commented Jun 13, 2022

thanks
i start working on other combination and report them here.
one small fix in this guide step 4. it is better to replace variable instead of line number. maybe config change in future and it is not good to point just line number.
second why you say do sudo rm stubby.yml?
three /etc/stubby/ is for user that install stubby from package manager. it is better to mention to user that build stubby too.

🤣🤣🤣 my bad ... thanks again .. i will fix.

@trinib
Owner

trinib commented Jun 13, 2022

@Monirzadeh this is supposed to be an issue about docker conversations .. you can discuss here #15

or just create new discussion

@Monirzadeh

@oijkn hi
can you help me how should I run unbound-anchor to generate root.key in Dockerfile?
I use Run /usr/sbin/unbound-anchor or CMD ["/bin/sh", "-c", "unbound-anchor -a /var/lib/unbound/root.key" ] but none of them generate root.key

@Monirzadeh

Monirzadeh commented Jun 16, 2022

@oijkn hi can you help me how should I run unbound-anchor to generate root.key in Dockerfile? I use Run /usr/sbin/unbound-anchor or CMD ["/bin/sh", "-c", "unbound-anchor -a /var/lib/unbound/root.key" ] but none of them generate root.key

sudo unbound-anchor

Error: error building at STEP "RUN sudo unbound-anchor": error while running runtime: exit status 127
if connect to container I can run that, but I can't do that while build image in docker file
