awildestack

Reputation: 71

Pihole and Unbound in Docker Containers - Unbound Not Receiving Requests

I'm trying to run 2 Docker containers on a Raspberry Pi 3, one for Unbound and one for Pihole. The idea is that Pihole will first block any requests before using Unbound as its DNS server. I've been following Pihole's documentation to get this running (found here) and have got both containers starting, and Pihole working. However, when running docker exec pihole dig pi-hole.net @127.0.0.1 -p 5333 or -p 5354 I get a response of

; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net @127.0.0.1 -p 5354
;; global options: +cmd
;; connection timed out; no servers could be reached

I theorized this could be to do with the Pihole container not being able to communicate with the Unbound container through localhost, so I updated my docker-compose to try and correct this using the network bridge. However, after that I still get the same error, no matter what ports I try. I'm new to Docker and Unbound, so this has been a bit of a dive in at the deep end! My docker-compose.yml and unbound.conf are below.

docker-compose.yml

version: "3.7"

services:
  unbound:
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    container_name: unbound
    image: masnathan/unbound-arm
    ports:
      - 8953:8953/tcp
      - 5354:53/udp
      - 5354:53/tcp
      - 5333:5333/udp
      - 5333:5333/tcp
    volumes:
      - ./config/unbound.conf:/etc/unbound/unbound.conf
      - ./config/root.hints:/var/unbound/etc/root.hints
    restart: always
    networks:
      - unbound-pihole
  pihole:
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/udp
      - 53:53/tcp
      - 67:67/udp
      - 80:80
      - 443:443
    volumes:
      - ./config/pihole/:/etc/pihole/
    environment:
      - ServerIP=10.0.0.20
      - TZ=UTC
      - WEBPASSWORD=random
      - DNS1=127.0.0.1#5333
      - DNS2=no
    restart: always 
    networks:
      - unbound-pihole

networks:
  unbound-pihole:
    driver: bridge

unbound.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5333
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/unbound/etc/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Thanks!

Upvotes: 4

Views: 9541

Answers (1)

brotich

Reputation: 447

From the docs https://nlnetlabs.nl/documentation/unbound/unbound.conf/ under the access-control section:

  By default only localhost is allowed, the rest is refused. The default
  is refused, because that is protocol-friendly. The DNS protocol is not
  designed to handle dropped packets due to policy, and dropping may
  result in (possibly excessive) retried queries.

The unbound server, by default, listens for connections from localhost only. In this case, requests to the DNS server can only be accepted from inside the docker container running unbound.

Therefore, to allow DNS to be resolved by unbound in the docker-compose setup, add the following to the unbound.conf

server:
   access-control: 0.0.0.0/0 allow

Upvotes: 4
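An added check, not part of the question or the answer, that applies the access-control semantics the answer quotes (loopback allowed, everything else refused, most specific prefix wins, a configured rule overriding the default for the same prefix) to a client address. The 172.18.0.0/16 bridge subnet and the 10.0.0.20 LAN client are assumed sample values; it shows why the question's config refuses the Pihole container and that 0.0.0.0/0 allow also admits LAN hosts reaching the published port, where a rule scoped to the bridge subnet does not.

```python
import ipaddress
import re

# Unbound's implicit defaults, per the access-control docs: loopback is
# allowed, everything else is refused. Listed least specific first.
DEFAULT_RULES = [
    ("0.0.0.0/0", "refuse"),
    ("::/0", "refuse"),
    ("127.0.0.0/8", "allow"),
    ("::1/128", "allow"),
]

RULE_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")


def parse_access_control(conf_text):
    """Collect (network, action) pairs: defaults first, then access-control: lines."""
    rules = list(DEFAULT_RULES)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return [(ipaddress.ip_network(n, strict=False), a) for n, a in rules]


def action_for(client_ip, rules):
    """Longest-prefix match; on equal prefix length the later rule wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, act in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, act)
    return best[1] if best else "refuse"


# Constructed configs: the question's file (no access-control line), the
# answer's fix, and a narrower rule scoped to the assumed docker bridge subnet.
ORIGINAL_CONF = "server:\n    port: 5333\n    do-ip4: yes\n"
ANSWER_CONF = ORIGINAL_CONF + "    access-control: 0.0.0.0/0 allow\n"
BRIDGE_CONF = ORIGINAL_CONF + "    access-control: 172.18.0.0/16 allow\n"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("answer", ANSWER_CONF), ("bridge", BRIDGE_CONF)):
        rules = parse_access_control(conf)
        for client in ("127.0.0.1", "172.18.0.2", "10.0.0.20"):
            print(f"{name}: query from {client} -> {action_for(client, rules)}")
```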
