Finally tried with . Everything works flawlessly, but I realized as a nasty surprise that docker bypasses , so I could potentially open my DNS server to the world.

Even though there are several complicated lists of rules to make ufw catch this, luckily the pihole developers created an option "settings→DNS→Allow only local requests" that only lets the local network query the server.

Oops, I was wrong, that only allows access from localhost and the docker subnet.

The solution comes directly from docker's documentation: there is a chain, DOCKER-USER, that can be used to filter local traffic:

iptables -I DOCKER-USER -i wlan0 ! -s 192.168.1.0/24 -j DROP

docs.docker.com/network/iptabl
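An added example (my own, not code from the thread or from Docker's documentation) that wraps the DOCKER-USER rule above in an idempotent script: it checks with `iptables -C` before inserting, so re-running it from a boot hook does not stack duplicate rules, and it exposes the chain listing for verification. It assumes `iptables` is on the PATH, that Docker has already created the DOCKER-USER chain, and that the interface name (`wlan0`) and subnet (`192.168.1.0/24`) are adjusted to the host; `IPTABLES` can be overridden to point at a wrapper for a dry run.

```shell
#!/bin/sh
# Added example: restrict inbound traffic to Docker-published ports on one
# interface to a single LAN subnet via the DOCKER-USER chain, idempotently.
# Assumptions: iptables is installed, Docker has created DOCKER-USER, and the
# script runs as root when actually applying. IFACE and LAN_CIDR are examples.

IFACE="${IFACE:-wlan0}"                 # interface facing the untrusted side
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"  # the only source network allowed in
IPTABLES="${IPTABLES:-iptables}"        # override (e.g. with a wrapper) for a dry run

# Rule arguments after the chain name, shared by -C (check), -I (insert), -D (delete).
rule_spec() {
    printf '%s' "-i $1 ! -s $2 -j DROP"
}

# Insert the rule at the top of DOCKER-USER unless it is already present.
# DOCKER-USER is consulted from FORWARD before Docker's own rules, so this
# drops non-LAN packets bound for containers before any port publishing
# rule can accept them.
apply_rule() {
    spec=$(rule_spec "$IFACE" "$LAN_CIDR")
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    if $IPTABLES -C DOCKER-USER $spec 2>/dev/null; then
        echo "rule already present"
        return 0
    fi
    # shellcheck disable=SC2086
    $IPTABLES -I DOCKER-USER $spec
}

# Remove the rule again (useful when changing IFACE or LAN_CIDR).
remove_rule() {
    spec=$(rule_spec "$IFACE" "$LAN_CIDR")
    # shellcheck disable=SC2086
    $IPTABLES -D DOCKER-USER $spec
}

# List the chain with counters so the new rule and its hits can be checked.
show_chain() {
    $IPTABLES -L DOCKER-USER -n -v --line-numbers
}

# Only touch the firewall when explicitly asked: ./docker-user-lan.sh apply
case "${1:-}" in
    apply)  apply_rule && show_chain ;;
    remove) remove_rule ;;
    show)   show_chain ;;
esac
```

Two things worth checking after applying it: the rule must be the first entry in `DOCKER-USER` (the `-I` does that), and plain iptables rules do not survive a reboot, so the script needs to run again at boot, after Docker has started and created the chain.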
