DEV Community

Ganessh Kumar
Pi-hole in Azure Container Instances

A simple guide to deploy Pi-hole, a black hole for Internet advertisements, in Azure Container Instances.

  • We use the official pi-hole Docker image.
  • We persist configuration and data across container restarts and re-creations by mounting Azure Files shares from an Azure Storage account as volumes in the container.

1. Install Azure CLI, log in and set your subscription

az login

az account set --subscription <subscription_id>

2. Create a Resource Group

az group create --name <rg_name> --location <location>

3. Create a Storage account

az storage account create --resource-group <rg_name> --name <storage_name> --location <location> --sku Standard_LRS

4. Obtain the storage account key. The file share commands below and the container group both authenticate with it, and it grants full access to the whole storage account, so treat it like a password.

STORAGE_KEY=$(az storage account keys list --resource-group <rg_name> --account-name <storage_name> --query "[0].value" --output tsv)

5. Create two file shares in the storage account, one for /etc/pihole and one for /etc/dnsmasq.d

az storage share create --account-name <storage_name> --account-key "$STORAGE_KEY" --name etc-pihole

az storage share create --account-name <storage_name> --account-key "$STORAGE_KEY" --name etc-dnsmasq

6. The container needs a fair amount of configuration, so we describe the container group in a YAML file

deploy-pi-hole.yaml

name: <container_group_name>
apiVersion: '2018-10-01'
location: <location>
tags: {}
properties:
  containers:
  - name: <container_name>
    properties:
      image: pihole/pihole:latest
      ports:
      # DNS needs TCP 53 as well as UDP 53: responses too large for UDP
      # are retried over TCP.
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 53
      # Admin dashboard. Port 67 (DHCP) is deliberately left out: DHCP
      # cannot be served across a public IP.
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443
      environmentVariables:
      - name: TZ
        value: Asia/Kolkata
      - name: WEBPASSWORD
        # secureValue instead of value: not returned by `az container show`
        # and not shown in the portal.
        secureValue: <custom_large_string>
      resources:
        requests:
          memoryInGB: 1
          cpu: 1
      volumeMounts:
      - name: pihole
        mountPath: /etc/pihole/
        readOnly: false
      - name: dnsmasq
        mountPath: /etc/dnsmasq.d/
        readOnly: false
  restartPolicy: Always
  ipAddress:
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
    type: public
    dnsNameLabel: <custom_dnsname>
  osType: Linux
  volumes:
  - name: pihole
    azureFile:
      shareName: etc-pihole
      readOnly: false
      storageAccountName: <storage_name>
      storageAccountKey: <value of $STORAGE_KEY>
  - name: dnsmasq
    azureFile:
      shareName: etc-dnsmasq
      readOnly: false
      storageAccountName: <storage_name>
      storageAccountKey: <value of $STORAGE_KEY>

Replace the placeholders in the YAML file:

  • <custom_large_string> is the password for pi-hole's dashboard. Set it with secureValue rather than value, so that az container show and the portal do not echo it back; the plaintext still sits in this file, so keep the file out of version control.
  • <custom_dnsname> becomes the FQDN <custom_dnsname>.<location>.azurecontainer.io.
  • <value of $STORAGE_KEY> is the storage account key obtained with az storage account keys list. It gives full access to the storage account, so treat the file as a secret.

Two things to be aware of before deploying. Port 67 (DHCP) is not needed: DHCP cannot be served across a public IP, so do not expose it. More importantly, with ipAddress.type set to public, port 53 is reachable from the whole Internet, which makes this an open resolver: anyone can send it queries, and open resolvers are routinely abused for DNS amplification attacks. Port 80 exposes the dashboard login to password guessing. Unless you can restrict who reaches these ports, plan to deploy the container group into a virtual network (see the discussion below).

7. Create the container instance

az container create --resource-group <rg_name> --file deploy-pi-hole.yaml

8. Get the public IP address of the container group running pi-hole

az container show --resource-group <rg_name> --name <container_group_name> --query ipAddress.ip --output tsv
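The whole procedure as one script, added here as an example and not part of the original post. It assumes the resource group and storage account with the two shares from the steps above already exist, and takes the names as environment variables (RG, LOCATION, STORAGE_NAME, CG_NAME, DNS_LABEL and TZ_NAME are placeholders of this example). It differs from the hand-written YAML above in that the dashboard password is generated at deploy time and passed as a secureValue, the storage key is fetched with az at deploy time, and the rendered file that holds both is written owner-readable only and deleted once az container create has consumed it. Port 67 is omitted and TCP 53 is opened alongside UDP 53.

```shell
#!/bin/sh
# Added example, not the post's own script: deploy Pi-hole to ACI without
# leaving secrets in a checked-in YAML file. RG, LOCATION, STORAGE_NAME,
# CG_NAME, DNS_LABEL and TZ_NAME are placeholder variables you set.
set -eu

# 32 random bytes as 64 hex characters for WEBPASSWORD. od consumes all of
# head's output, so no broken pipe trips `set -e`.
gen_password() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Emit the container-group YAML on stdout. STORAGE_KEY and WEBPASSWORD are
# read from the environment at render time; WEBPASSWORD goes in as a
# secureValue so `az container show` and the portal do not echo it back.
render_yaml() {
  : "${CG_NAME:?}" "${LOCATION:?}" "${STORAGE_NAME:?}" "${STORAGE_KEY:?}" \
    "${WEBPASSWORD:?}" "${DNS_LABEL:?}"
  cat <<EOF
name: ${CG_NAME}
apiVersion: '2018-10-01'
location: ${LOCATION}
properties:
  containers:
  - name: pihole
    properties:
      image: pihole/pihole:latest
      ports:
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 53
      - protocol: TCP
        port: 80
      environmentVariables:
      - name: TZ
        value: ${TZ_NAME:-UTC}
      - name: WEBPASSWORD
        secureValue: ${WEBPASSWORD}
      resources:
        requests:
          memoryInGB: 1
          cpu: 1
      volumeMounts:
      - name: pihole
        mountPath: /etc/pihole/
      - name: dnsmasq
        mountPath: /etc/dnsmasq.d/
  restartPolicy: Always
  ipAddress:
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
    - protocol: TCP
      port: 80
    type: public
    dnsNameLabel: ${DNS_LABEL}
  osType: Linux
  volumes:
  - name: pihole
    azureFile:
      shareName: etc-pihole
      storageAccountName: ${STORAGE_NAME}
      storageAccountKey: ${STORAGE_KEY}
  - name: dnsmasq
    azureFile:
      shareName: etc-dnsmasq
      storageAccountName: ${STORAGE_NAME}
      storageAccountKey: ${STORAGE_KEY}
EOF
}

# Fetch the key, render into an owner-only temp file, deploy, remove the file.
deploy() {
  : "${RG:?}" "${STORAGE_NAME:?}" "${CG_NAME:?}"
  STORAGE_KEY=$(az storage account keys list --resource-group "$RG" \
    --account-name "$STORAGE_NAME" --query '[0].value' --output tsv)
  WEBPASSWORD=${WEBPASSWORD:-$(gen_password)}
  umask 077
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  render_yaml >"$tmp"
  az container create --resource-group "$RG" --file "$tmp"
  rm -f "$tmp"
  echo "Dashboard password (store it in a password manager): $WEBPASSWORD"
  az container show --resource-group "$RG" --name "$CG_NAME" \
    --query ipAddress.ip --output tsv
}

# `sh deploy-pi-hole.sh deploy` runs the deployment; with no argument the
# script only defines the functions, so it can be sourced or dry-run.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

To preview the rendered file without touching Azure, export the placeholder variables plus STORAGE_KEY and WEBPASSWORD, source the script and call render_yaml. The password is printed once at the end of deploy because secureValue makes it unrecoverable from Azure afterwards.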

Update: It has been 10 days since I started using pi-hole and it has blocked ~31% of my DNS queries so far.

Pi-hole stats

If you found this article useful, check out my other articles from my blog, https://ganesshkumar.com/blog. Thank you for reading!

Discussion (11)

Kai Boschung

Thanks for the great article! The idea of Pi-Hole hooked me.
I further automated the installation through PowerShell dev.to/expertsinside/automated-pi-...

But I couldn't get it working... I was wondering if you had the same issue I mentioned in my blog post.

Ganessh Kumar (Author)

PowerShell script is a nice idea. I will try to create an Azure Deploy button next -docs.microsoft.com/en-us/azure/azu...

No, I haven't tried installing pi-hole manually. Never came across this issue. Exactly one of the reasons why I rely heavily on containers.

Kai Boschung

I didn't set up manually, but exactly as you explained in your post.
The instance then never worked.
Maybe because of the "latest" tag of the container image I used ultimately a different Linux base image. I guess.

Neeraj Verma

Looks like your pi-hole instance is accessible on the public internet. Leaving an open DNS resolver is a huge no. You should close port 53 and set up a VPN to securely access the pihole instance.

Read this to know why leaving pihole publicly accessible is a very bad idea.
github.com/beesecurity/How-I-Hacke...
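A way to verify the point made in this comment from outside your own network, added here as an example and not part of the thread. It assumes dig is installed, and the three dig transcripts embedded in the block are constructed samples, not captures from anyone's instance. A server that returns NOERROR with the RA flag set and at least one answer for a name it is not authoritative for has recursed on your behalf, i.e. it is an open resolver; a properly restricted one answers REFUSED or does not answer at all.

```shell
#!/bin/sh
# Added example, not the post's or the commenter's code: classify a DNS server
# from a `dig` transcript. Run probe_resolver from a network that is not one
# of your own clients (e.g. a phone off Wi-Fi), because your own clients are
# supposed to be allowed.
set -eu

# Read dig output on stdin and print one of:
#   open        - the server recursed for us (NOERROR, RA set, >= 1 answer)
#   refused     - it answered but would not recurse (REFUSED, or RA clear)
#   unreachable - no response at all
classify_dig() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
    echo unreachable
    return 0
  fi
  if printf '%s\n' "$out" | grep -q 'status: NOERROR' \
     && printf '%s\n' "$out" | grep -q 'flags:.* ra' \
     && printf '%s\n' "$out" | grep -Eq 'ANSWER: [1-9]'; then
    echo open
    return 0
  fi
  echo refused
}

# probe_resolver <ip>: ask the server for a name it is not authoritative for.
probe_resolver() {
  command -v dig >/dev/null 2>&1 || { echo "dig is not installed" >&2; return 2; }
  dig @"$1" example.com A +tries=1 +time=3 2>&1 | classify_dig
}

# Constructed sample transcripts (documentation addresses, not real captures).
OPEN_SAMPLE='; <<>> DiG 9.18.1 <<>> @203.0.113.10 example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A 198.51.100.7'
REFUSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'

# Returns 0 when all three samples are classified as expected.
self_check() {
  [ "$(printf '%s\n' "$OPEN_SAMPLE" | classify_dig)" = open ] &&
  [ "$(printf '%s\n' "$REFUSED_SAMPLE" | classify_dig)" = refused ] &&
  [ "$(printf '%s\n' "$TIMEOUT_SAMPLE" | classify_dig)" = unreachable ]
}

if [ $# -eq 1 ]; then
  probe_resolver "$1"
else
  self_check && echo "self-check passed; usage: $0 <resolver-ip>"
fi
```

If the probe prints "open" for your Pi-hole's public IP, every client on the Internet can use it, which is the situation the comment warns about; "refused" or "unreachable" is what you want to see from an outside vantage point.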

Ganessh Kumar (Author)

That's a good idea to run it behind a VPN. I know that by leaving it in public network, anyone can talk to this DNS. Is there any other vulnerability beyond that?

Edit: I have explored more about this. The password I am using is long enough not to let brute-force algorithms crack it. I am planning to put the container behind a virtual network while blocking 80 and 443 and letting the DNS be a public DNS. Unfortunately, the region where my containers are running doesn't support this yet. I have to move my resources to another region before attempting to put it behind a virtual network and a security group.

Santiago Rebella

Thanks for the article! I always wanted to get my hands on the PiHole, and this is a good kickstart. However, I could create all the pihole and services in Azure, but I am having an issue with the gravity database on Azure file share.
Somehow after installing the PiHole, the database is empty, and I am finding impossible to fill the blocklist.
So it works but you can't block the ads.

Bala Uppaloori

Same issue here!! Don't know how the author got to block all those ads. Perhaps it was a different/specific version that was broken later?

Bala Uppaloori

There seems to be something missing with this installation. Whether we specify latest or a specific version, the gravity db seems to be corrupt. It doesn't accept any adlist, or individual domain. I have searched high and low, found some solutions and they all need ssh to the container. Even after that, the gravity db columns are missing, making this whole exercise a waste of time, because you can't block anything. This would just be a skeleton pihole, sadly looking at all the ads being served!! :( Any thoughts?

Bala Uppaloori

Is there a way to ssh into the pihole container? My gravity db seems to be broken and needs a rebuild. Thanks!

🅜🅘🅚🅔🅜🅘🅛🅩🅩

This is a great idea. Any idea what the cost is to keep this running?

Ganessh Kumar (Author)

It comes to around $30 per month. The CPU utilization of the container group is very low. I am planning to deploy a few self-hosted applications together in the same container group. That should bring down the cost of running this significantly.