Last updated on 18 March 2025
Host
Drop the compose below into your Project YAML section.
YAML
services:
pihole:
image: pihole/pihole:latest
container_name: pihole-host
cap_add:
- CAP_NET_RAW
- CAP_NET_BIND_SERVICE
- CAP_CHOWN
# - CAP_NET_ADMIN #uncomment if you want to use DHCP
- CAP_SYS_NICE
- CAP_SYS_TIME
environment:
- PIHOLE_UID=1234 #CHANGE_TO_YOUR_UID
- PIHOLE_GID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- FTLCONF_webserver_api_password=YOURPASSWORD
- FTLCONF_webserver_port=8000
- DNSMASQ_USER=pihole
volumes:
- /volume1/docker/pihole:/etc/pihole
network_mode: host
labels:
- com.centurylinklabs.watchtower.enable=false
restart: unless-stoppedWe are now changing some settings to the YAML based on your User IDs and Timezone etc
| Section | Explanation |
|---|---|
| PIHOLE_UID= | This UID is the one you obtained when setting up your dockerlimited user in the earlier guide at the start of the page. This tells Pi-hole to run under this user rather than root and gives it access to the folders we created. |
| PIHOLE_GID= | As per the above this line will be the GID you obtained earlier. |
| TZ= | You will need to change this line to your own timezone code – you can find the correct list of ones to use on wikipedia.org/wiki/List_of_tz_database_time_zones |
| FTLCONF_webserver_ api_password= | Change this to the password you would like to use for the Web UI |
| FTLCONF_webserver_port | I have used port 8000 as the default you can amend this if you wish, if you do amend the port keep this in mind when you access the UI later. |
You can now jump ahead to Page 5 for the final configuration.
Followed the guide and it worked perfectly! Now it’s a few weeks later and I went to log into pihole and the password I set and was using does not work. I restarted the project, no luck.
I tried to reset the password using the instructions the page gives “sudo pihole setpassword” but pihole is not found. I think it’s because I’m logged in as my admin account in a terminal window and I should be the dockerlimited account (which is what I used in the yaml) but am not sure. Any guidance on how to reset the password? Feel really dumb lol.
Hey – We have had this a few times in Discord it feels like its a bug that has carried forward from the initial release..
Step should be..
1) Stop the Project and remove the password line from the compose
2) Build the Project (Save and say Yes to pop up)
3) Then in Container Manager > Pihole Container > Action > Open Terminal > Create..
4) Click on the bash window that is created enter the command “pihole setpassword” and it will let you set a password
Thanks for this guide!
i was struggling a bit, but in the end the bridge mode worked for me.
But I could not figure out why unbound was not complying.
turned out that unbound and pi hole is running in separate containers. Unbound for me refused to expose port 5335 to anybody, and pi hole was not able to reach the unbound container on either my nas ip (like my own subnet ip: 192.168.0.122 for example), neither on 127.0.0.1.
what i ended up doing is: since unbound was exposing port 53, and unbound and pi hole was on the same docker network, setting
unbound#53
as the only upstream DNS server in the pi hole did the trick.
i am not sure if i was doing something wrong, or if it is a good idea to do it this way, (i have no idea what i am doing) but at least it is working now.
Thanks for the update – Until I can do some more thorough testing here, I am removing the Unbound element of the guide. I have been really lacking time recently and that has shown in the quality of the guide Unbound element. I usually spend a month or more using in real life before doing guide updates.. You are likely doing this correctly and it’s my error.
Thanks for these… I’ve been running Synology pihole (macvlan) for a while and just setup tailscale…
However once my PC is added to Tailscale, I cannot access webpage or ping pihole
I can ping everything else on same subnet, just the pihole is not responding
Synology is set as Exit node
pihole ip is in the Tailscale DNS
I’ve also set pihole Settings > DNS > Interface Settings >
was local
now permit all origins
Also tried “allow local network access” on the tailscale menu…
Once I disconnect the PC from Tailscale, ping/web to pihole works.
Is there something I missed?
Keep in mind when Pi-hole is in macvlan the Host (your NAS) cannot access it along with anything running on the NAS. To combine with Tailscale you will need to run in Host or Bridge mode.
Hi,
I have a little issue i can’t resolve.
I followed the mcvlan guide and it’s up and running.
But the issue is the following.
I’ am able to browse my local network but can’t go outside so no websites are available.
When i go into the PiHole settings and set google as my dns everything is working.
I think there is an issue with the unbound in my docker but don’t know where to look.
Any thoughts?
Hey – let me come back to you shortly, I may have made an error in the combination of both network wise.
Thx.
I case it may help to rule out a user error.
Here’s my yaml.
[SNIP]
Hey snipped your compose – see White Swan’s comment for the fix – I will be adjust the guide very shortly!!
Thx to you two guys for the fix, it’s up and running.
My DS932+ has something to kill the time and i can rest my Raspberry.
Only thing i noticed after installation and still monitoring.
I had to change the port in the custom dns setting from #5335 to #53.
Don’t know why but did so after still seeing ads and wondered why.
After changing the port it worked.
See my replies above to similar comments such as ZarqEon.
Hi
Your unbound.conf file contains the following
server:
interface: 0.0.0.0
port: 53
When I set up unbound following the macvlan method for pihole, the dns service does not resolve addresses, and I’ve had to reinstate 1.1.1.1 as my dns provider in pihole.
I don’t think it’s related, but I had previously set up pihole through macvlan using your tutorial, and I now want to install unbound too.
Hi
The issue is that Unbound is installed on a bridge network, while Pi-hole is running on a Macvlan network. Containers on Macvlan networks cannot communicate directly with the host (your Synology DSM, in this case).
I’ve found a workable solution: place Unbound on the same Macvlan network as Pi-hole. This ensures that both Pi-hole and Unbound can communicate with each other directly, as they would both be on the same network segment. This can be done as follows:
unbound:
image: klutchell/unbound
container_name: unbound
ports:
– “5335:53/tcp”
– “5335:53/udp”
volumes:
– /volume1/docker/unbound:/etc/unbound/custom.conf.d
networks:
macvlan:
ipv4_address: 192.168.0.130
of course substituting the desired ip address for your unbound instead of 192.168.0.130
Then, the instructions for Point Pi-hole at your Unbound instance (Optional) change to:
Click on Settings, then DNS. You will need to turn off any existing public DNS providers if any are ticked (Usually Google). Then click the Custom DNS drop down and enter your chosen Unbound IP address:
For example 192.168.0.130
Thank you beat me to the punch, been AFK all day 🙁
I will get the mistake fixed ASAP.
Happy to contribute; here are some points:
– In “If you used Macvlan enter the ip you used for the Unbound container followed by #5335” on page 5 – for me #53 works, not #5335
– In terms of updating the router DNS, I’m using pihole so the router DNS points to the pihole which is on a macvlan, not (for) “Macvlan = The address you chose for the container on the line ‘ipv4_address:’ ” , and the pihole specifies the ip address for Unbound; is there a different way it should be done?
– The Unbound logs consistently report problems with DNSSEC
I’d appreciate your input
Hey, see my reply to ZarqEon. – I am pulling the Unbound element of the guide until I can do further tests here.
Based on our Discord group, the above should have worked with #5353, but something is not right.