Running a Pi-hole securely on Azure

Pi-hole is a popular DNS resolver, advertised as a black hole for Internet advertisements. I use it as a DNS filter for parental control as well as an ad and tracking domain filter.

As a learning project, I tried to run Pi-hole securely, with HTTPS-only admin access, on the Azure Container Instances (ACI) service. I created an ARM Template so you can deploy an instance in a single step. Get the ARM Template from GitHub

The Template, explained

The ARM template, as published on GitHub, has some parameters to allow customization, so you can deploy multiple instances if needed. It then deploys everything required in one go.

Deployment of the “Pi-hole Template” via Azure ARM Templates

Here’s how it works:

  • It creates a new Resource Group or uses an existing one.
  • It creates a new storage account with 3 volumes: 2 volumes for the Pi-hole and 1 for the nginx configuration.
  • It creates a new container group with one container for the Pi-hole image and one for the nginx sidecar image.
  • The container group only publicly exposes two ports:
    • 443 (for the admin GUI, via nginx, passed to Pi-hole port 80 internally)
    • 53 (for the DNS queries, passed to Pi-hole port 53)
  • Port 67 (for DHCP) is not used in my scenario, and Port 80 is only used within the container group.
  • The nginx volume contains a pre-created and preloaded SSL key pair (public and private key) and a self-signed certificate for use within the nginx container. With this, you can connect using HTTPS (TLS) to the Pi-hole admin GUI. NOTE: for anything beyond test purposes, replace this key and certificate with your own for privacy reasons; the shipped private key is part of the public template, so it offers no real confidentiality.
  • The public IP address is assigned automatically by the Azure deployment process and is not required within the template. It stays the same as long as the container group runs in ACI.
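
The nginx sidecar described above needs a TLS reverse-proxy configuration. The following is an added example, not the configuration shipped with the template; it assumes the certificate and key are mounted under /etc/nginx/certs and that the Pi-hole admin server is reachable on localhost:80, since containers in an ACI container group share one network namespace.

```nginx
# Added example nginx sidecar config for the Pi-hole admin GUI (not the template's own file).
# Assumptions: the nginx volume provides /etc/nginx/certs/pihole.crt and pihole.key, and the
# Pi-hole container listens on port 80 inside the shared container group network.

server {
    # Only 443 is exposed publicly; there is deliberately no "listen 80" here.
    listen 443 ssl;
    server_name _;

    # Replace these with your own key pair; a key published with a template is not secret.
    ssl_certificate     /etc/nginx/certs/pihole.crt;
    ssl_certificate_key /etc/nginx/certs/pihole.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Ask browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Only the admin GUI is proxied to Pi-hole; everything else gets a 404.
    location /admin {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        return 404;
    }
}
```

DNS on port 53 does not pass through nginx; it is published directly from the Pi-hole container by the container group.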

After deployment, the container group should start automatically. Get the IP address from the container group details. You can then open the admin panel as usual via

https://your-ip-address/admin

Known limitations

Database access for storing the blacklist, as well as the Teleporter, does not work.

Resources