Pihole is failing with failed to create listening socket

docker-pihole 2022.1 defaults to running FTL (dnsmasq) as a non-root user, and adds some capabilities to the pihole-FTL executable (among other things, so pihole can create a listening socket on port 53!)

From what I can tell, the way they add those capabilities is compatible with running in Docker, but not compatible with running in a lightweight VM (the way fly.io does).

An alternative to kurt’s solution (“run as root”) is to change pihole-docker’s startup code to fix the permissions to work in fly. I have this in my Dockerfile, and it resolved the issue for me on fly. (I’m also dropping some other caps because I’m not using pihole for DHCP):

```dockerfile
# Add 'permitted' cap to setcap command (setcap ...+ei to setcap ...+eip) and
# drop some of the permissions (CAP_NET_RAW, CAP_NET_ADMIN)
RUN set -ex \
    && sed -i -E -e 's/(setcap.*\+ei)([^p])/\1p\2/' \
                 -e 's/CAP_NET_(RAW|ADMIN),?//g' \
           /bash_functions.sh
```
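The two sed expressions above are easy to get subtly wrong, so it is worth exercising them outside the image build before trusting them. The script below is an added example, not code from the original post or from the pihole project: it wraps the same two rewrites in a function and runs them over constructed stand-ins for the capability-granting line (the real contents of `/bash_functions.sh` are not reproduced here, and the `pihole-FTL` paths in the samples are placeholders). It shows the `+ei` to `+eip` change, that the `[^p]` guard makes the rewrite safe to run twice, and one edge case: if `CAP_NET_ADMIN` were the last capability in the list, the `,?` only strips a comma that follows it, leaving a dangling comma before `+eip`.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the Dockerfile's two
# sed rewrites against constructed sample lines shaped like a setcap call.

# Constructed sample: CAP_NET_RAW/CAP_NET_ADMIN sit in the middle of the list.
SAMPLE_MID='setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_NICE,CAP_CHOWN+ei "$(which pihole-FTL)"'

# Constructed sample: CAP_NET_ADMIN is the last item before +ei.
SAMPLE_LAST='setcap CAP_NET_BIND_SERVICE,CAP_NET_ADMIN+ei /usr/bin/pihole-FTL'

# Apply exactly the two rewrites from the Dockerfile RUN step to one line:
#  1. turn "+ei" into "+eip" (only when not already followed by "p"),
#  2. drop CAP_NET_RAW and CAP_NET_ADMIN, plus the comma that follows each.
patch_setcap_line() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(setcap.*\+ei)([^p])/\1p\2/' \
        -e 's/CAP_NET_(RAW|ADMIN),?//g'
}

# Report whether a line still carries the permitted flag after the rewrite;
# a line that already reads "+eip" must come back unchanged (idempotence).
is_idempotent() {
    once=$(patch_setcap_line "$1")
    twice=$(patch_setcap_line "$once")
    [ "$once" = "$twice" ]
}

# Stand-alone run: print both rewritten lines for inspection.
patch_setcap_line "$SAMPLE_MID"
patch_setcap_line "$SAMPLE_LAST"
```

After building the image, `getcap` on the pihole-FTL binary inside the container is the quickest way to confirm that the file capabilities actually carry the `p` (permitted) flag; without it, the effective and inheritable bits alone are what fails to survive the non-Docker VM start-up described above.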