A simple guide to deploy Pi-hole, a black hole for Internet advertisements, in Azure Container Instances.
- We use pi-hole's docker image.
- We persist configurations and data across the container instances. To do so, we will use Azure Storage to mount file volumes in the containers.
1. Install Azure CLI and set your subscription
> az login
> az account set --subscription <subscription_id>
2. Create a Resource Group
> az group create --name <rg_name> --location <location>
3. Create a Storage account
> az storage account create --resource-group <rg_name> --name <storage_name> --location <location> --sku Standard_LRS
4. Create two file shares in the storage account created in the last step
az storage share create --account-name <storage_name> --name etc-pihole
az storage share create --account-name <storage_name> --name etc-dnsmasq
5. Obtain the storage account key
STORAGE_KEY=$(az storage account keys list --resource-group <rg_name> --account-name <storage_name> --query "[0].value" --output tsv)
5. Since our container will require a good number of configuration, let's use a yaml file
deploy-pi-hole.yaml
name: <container_group_name>
apiVersion: '2018-10-01'
location: <location>
tags: {}
properties:
containers:
- name: <container_name>
properties:
image: pihole/pihole:latest
ports:
- protocol: UDP
port: 53
- protocol: UDP
port: 67
- protocol: TCP
port: 80
- protocol: TCP
port: 443
environmentVariables:
- name: TZ
value: Asia/Kolkata
- name: WEBPASSWORD
value: <custom_large_string>
resources:
requests:
memoryInGB: 1
cpu: 1
volumeMounts:
- name: pihole
mountPath: /etc/pihole/
readOnly: false
- name: dnsmasq
mountPath: /etc/dnsmasq.d/
readOnly: false
restartPolicy: Always
ipAddress:
ports:
- protocol: UDP
port: 53
- protocol: UDP
port: 67
- protocol: TCP
port: 80
- protocol: TCP
port: 443
type: public
dnsNameLabel: <custom_dnsname>
osType: Linux
volumes:
- name: pihole
azureFile:
shareName: etc-pihole
readOnly: false
storageAccountName: <storage_name>
storageAccountKey: <value of $STORAGE_KEY>
- name: dnsmasq
azureFile:
shareName: etc-dnsmasq
readOnly: false
storageAccountName: <storage_name>
storageAccountKey: <value of $STORAGE_KEY>
Replace the place holders in the yaml file.
- will be used as the password when you log in to pi-hole's dashboard.
- will be used in the generated FQDN in the following format
<custom_dnsname>.<location>.azurecontainer.io
6. Create the container instance
az container create --resource-group <rg_name> --file deploy-pi-hole.yaml
7. Get the IP address of the pi-hole running as container instance.
az container show --resource-group <rg_name> --name <container_group_name> --query ipAddress.ip --output tsv
Update: It has been 10 days since I started using pi-hole and it has blocked ~31% of my DNS queries so far.
If you found this article useful, check out my other articles from my blog, https://ganesshkumar.com/blog. Thank you for reading!
Top comments (11)
Thanks for the great article! The idea of Pi-Hole hooked me.
I further automated the installation through PowerShell dev.to/expertsinside/automated-pi-...
But I couldn't get it working... I was wondering if you had the same issue I mentioned in my blog post.
PowerShell script is a nice idea. I will try to create an Azure Deploy button next -docs.microsoft.com/en-us/azure/azu...
No, I haven't tried installing pi-hold manually. Never came across this issue. Exactly one of the reasons why I rely heavily on containers.
I didn't set up manually, but exactly as you explained in your post.
The instance then never worked.
Maybe because of the "latest" tag of the container image I used ultimately a different Linux base image. I guess.
Looks like your pi-hole instance is accessible on public internet. Leaving a open DNS resolver is a huge no. You should close the Port 53, and setup VPN to securely access the pihole instance.
Read this to know why leaving pihole publicly accessible is a very bad idea.
github.com/beesecurity/How-I-Hacke...
That's a good idea to run it behind a VPN. I know that by leaving it in public network, anyone can talk to this DNS. Is there any other vulnerability beyond that?
Edit: I have explored more about this. The password I am using is large enough to not let bruteforce algorithms to crack it. I am planning to put the container behind a virtual network while blocking 80 and 443 while letting the DNS to be a public DNS. Unfortunately, the region where my containers are running doesn't support this yet. I have to move my resources to another region before attempting to put it behind a virtual network and a security group.
Thanks for the article! I always wanted to get my hands into the PiHole, and this is a good kickstart. However I could create all the pihole and services in Azure, but i am having an issue with the gravity database on Azure file share.
Somehow after installing the PiHole, the database is empty, and I am finding impossible to fill the blocklist.
So it works but you can't block the ads.
Same issue here!! dont know how the author got to block all those ads. perhaps it was a different/specific version that is broken later?
There seems to be something missing with this installation. Whether we specify latest or a specific version, the gravity db seems to be corrupt. It doesnt accept any adlist, or individual domain. I have searched high and low, found some solutions and they all need ssh to the container. Even after that, the gravity db columns are missing, making this whole exercize a waste of time, because you cant block anything. This would just be a skeleton pihole, sadly looking all the ads being served!! :( Any thoughts?
Is there a way to ssh into the pihole container? My gravity db seems to be broken and needs a rebuild. Thanks!
This is a great idea. Any idea what the cost is to keep this running?
It comes to around $30 dollars per month. The CPU utilization of the container group is very less. I am planning to deploy few self-hosted applications together in the same container group. That should bring down the cost of running this significantly.