DEV Community

loading...

Pi-hole in Azure Container Instances

ganesshkumar profile image Ganessh Kumar ・2 min read

A simple guide to deploy Pi-hole, a black hole for Internet advertisements, in Azure Container Instances.

  • We use pi-hole's docker image.
  • We persist configurations and data across the container instances. To do so, we will use Azure Storage to mount file volumes in the containers.

1. Install Azure CLI and set your subscription

> az login

> az account set --subscription <subscription_id>

2. Create a Resource Group

> az group create --name <rg_name> --location <location>

3. Create a Storage account

> az storage account create --resource-group <rg_name> --name <storage_name> --location <location> --sku Standard_LRS

4. Create two file shares in the storage account created in the last step

az storage share create --account-name <storage_name> --name etc-pihole

az storage share create --account-name <storage_name> --name etc-dnsmasq

5. Obtain the storage account key

STORAGE_KEY=$(az storage account keys list --resource-group <rg_name> --account-name <storage_name> --query "[0].value" --output tsv)

5. Since our container will require a good number of configuration, let's use a yaml file

deploy-pi-hole.yaml

name: <container_group_name>
apiVersion: '2018-10-01'
location: <location>
tags: {}
properties:
  containers:
  - name: <container_name>
    properties:
      image: pihole/pihole:latest
      ports:
      - protocol: UDP
        port: 53
      - protocol: UDP
        port: 67
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443
      environmentVariables:
      - name: TZ
        value: Asia/Kolkata
      - name: WEBPASSWORD
        value: <custom_large_string>
      resources:
        requests:
          memoryInGB: 1
          cpu: 1
      volumeMounts:
      - name: pihole
        mountPath: /etc/pihole/
        readOnly: false
      - name: dnsmasq
        mountPath: /etc/dnsmasq.d/
        readOnly: false
  restartPolicy: Always
  ipAddress:
    ports:
    - protocol: UDP
      port: 53
    - protocol: UDP
      port: 67
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
    type: public
    dnsNameLabel: <custom_dnsname>
  osType: Linux
  volumes:
  - name: pihole
    azureFile:
      shareName: etc-pihole
      readOnly: false
      storageAccountName: <storage_name>
      storageAccountKey: <value of $STORAGE_KEY>
  - name: dnsmasq
    azureFile:
      shareName: etc-dnsmasq
      readOnly: false
      storageAccountName: <storage_name>
      storageAccountKey: <value of $STORAGE_KEY>

Replace the place holders in the yaml file.

  • will be used as the password when you log in to pi-hole's dashboard.
  • will be used in the generated FQDN in the following format <custom_dnsname>.<location>.azurecontainer.io

6. Create the container instance

az container create --resource-group <rg_name> --file deploy-pi-hole.yaml

7. Get the IP address of the pi-hole running as container instance.

az container show --resource-group <rg_name> --name <container_group_name> --query ipAddress.ip --output tsv

Update: It has been 10 days since I started using pi-hole and it has blocked ~31% of my DNS queries so far.

Pi-hole stats

If you found this article useful, check out my other articles from my blog, https://ganesshkumar.com/blog. Thank you for reading!

Discussion (8)

Collapse
smurfpandey profile image
Neeraj Verma • Edited

Looks like your pi-hole instance is accessible on public internet. Leaving a open DNS resolver is a huge no. You should close the Port 53, and setup VPN to securely access the pihole instance.

Read this to know why leaving pihole publicly accessible is a very bad idea.
github.com/beesecurity/How-I-Hacke...

Collapse
ganesshkumar profile image
Ganessh Kumar Author • Edited

That's a good idea to run it behind a VPN. I know that by leaving it in public network, anyone can talk to this DNS. Is there any other vulnerability beyond that?

Edit: I have explored more about this. The password I am using is large enough to not let bruteforce algorithms to crack it. I am planning to put the container behind a virtual network while blocking 80 and 443 while letting the DNS to be a public DNS. Unfortunately, the region where my containers are running doesn't support this yet. I have to move my resources to another region before attempting to put it behind a virtual network and a security group.

Collapse
engineerer profile image
Kai Boschung

Thanks for the great article! The idea of Pi-Hole hooked me.
I further automated the installation through PowerShell dev.to/expertsinside/automated-pi-...

But I couldn't get it working... I was wondering if you had the same issue I mentioned in my blog post.

Collapse
ganesshkumar profile image
Ganessh Kumar Author

PowerShell script is a nice idea. I will try to create an Azure Deploy button next -docs.microsoft.com/en-us/azure/azu...

No, I haven't tried installing pi-hold manually. Never came across this issue. Exactly one of the reasons why I rely heavily on containers.

Collapse
engineerer profile image
Kai Boschung

I didn't set up manually, but exactly as you explained in your post.
The instance then never worked.
Maybe because of the "latest" tag of the container image I used ultimately a different Linux base image. I guess.

Collapse
srebella profile image
Santiago Rebella

Thanks for the article! I always wanted to get my hands into the PiHole, and this is a good kickstart. However I could create all the pihole and services in Azure, but i am having an issue with the gravity database on Azure file share.
Somehow after installing the PiHole, the database is empty, and I am finding impossible to fill the blocklist.
So it works but you can't block the ads.

Collapse
mikemilzz profile image
πŸ…œπŸ…˜πŸ…šπŸ…”πŸ…œπŸ…˜πŸ…›πŸ…©πŸ…©

This is a great idea. Any idea what the cost is to keep this running?

Collapse
ganesshkumar profile image
Ganessh Kumar Author

It comes to around $30 dollars per month. The CPU utilization of the container group is very less. I am planning to deploy few self-hosted applications together in the same container group. That should bring down the cost of running this significantly.

Forem Open with the Forem app