Running Pi-hole in Azure…

Let’s start with a simple statement: I like Pi-hole!

I use it on my home network to enhance my browsing experience. Initially it ran on a Raspberry Pi 4 (2 GB); it now runs on two HP Thin Client T520 devices. These boxes are light, low-power and low-profile, but they run Ubuntu Server and Pi-hole flawlessly. After configuring them as recursive DNS servers using unbound, I no longer use any upstream forwarders either. How to configure Pi-hole as a recursive DNS server can be found here.

In my job as an Azure Architect I do a lot of research, development and testing of scenarios identified by customers. This involves deploying many hub-and-spoke network topologies, for which it would be convenient to have my own DNS servers as well. Additionally, it would be nice to have a Pi-hole environment available for my mobile phone or my laptop when using Wi-Fi networks outside my home, without depending on whatever DNS infrastructure that network provides. This is especially true for public Wi-Fi networks, which are hornets' nests of malicious activity; anything that makes an attacker's job harder helps, and I believe having my own DNS servers would help a lot.

Fortunately, it is pretty easy to achieve this in the public cloud. I use Azure a lot and this post applies to Azure only, but a similar scenario can be deployed using AWS or GCP.

Having a small isolated network containing at least two DNS servers would be sufficient. Here’s the list of Azure services needed to deliver such an environment:

  • A single Virtual Network (VNet) which uses the internal IP addresses of the DNS servers for name resolution
  • A subnet to host the DNS servers
  • Two Virtual Machines running a Linux distribution supported by Pi-hole. I use Ubuntu Server LTS from the Azure Marketplace; the VM size I use is Standard B1s. More machines and/or different sizes may be considered
  • One additional Jumpbox VM for additional management if needed (optional)
  • A Bastion Host including a Bastion subnet
  • A Public IP address
  • A public-facing Azure Load Balancer that forwards TCP and UDP port 53
  • A Network Security Group to filter traffic

During the basic install of Pi-hole, existing DNS servers (Google DNS, Cloudflare, etc.) are needed for name resolution, so these are required during the initial deployment. Once Pi-hole is running on each machine, these servers can be removed.

Most of this is pretty straightforward, like deploying the Virtual Machines. Bastion can be used to establish SSH sessions to install Pi-hole, which removes the need to expose the Virtual Machines directly to the public Internet.

For the two Load Balancing rules needed (one for TCP 53 and one for UDP 53), the recommended settings can be used. The relevant settings are:

  • Session persistence: None
  • Floating IP: Disabled
  • SNAT: Use the recommended setting with Outbound rules

As the settings overview shows, the setup is completely stateless: any DNS server can handle any request, so session persistence is not needed.

The Outbound Rules configuration uses a single rule with the default settings.
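The network layer of the design above, written out as a Bicep template. This is an added example and not code from the original post: the resource names, address ranges and parameter defaults are my own assumptions, and the two Pi-hole VMs, their NICs (which join the load balancer backend pool) and the Bastion host itself are left out. The clientSourcePrefix parameter narrows the NSG to the client networks that should be allowed to query the resolver; leaving it at 0.0.0.0/0 would turn the load balancer IP into an open resolver.

```bicep
// Added example, not part of the original post: the network layer of the
// Pi-hole-in-Azure design as a Bicep template. Resource names, address ranges
// and parameter defaults are assumptions; the two Pi-hole VMs, their NICs
// (which join the backend pool) and the Bastion host are not included.

@description('Source prefix allowed to query the resolver. 0.0.0.0/0 would make it an open resolver.')
param clientSourcePrefix string = '203.0.113.0/24' // constructed placeholder (TEST-NET-3)

@description('DNS servers the VNet hands to its VMs: public resolvers for the initial install, the two Pi-hole private IPs afterwards.')
param vnetDnsServers array = ['1.1.1.1', '8.8.8.8']

param location string = resourceGroup().location
var dnsSubnetPrefix = '10.10.1.0/24'
var lbName = 'lb-dns'
var feId = resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe-public')
var poolId = resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'pool-dns')
var probeId = resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'probe-tcp53')

// NSG: one allow rule per protocol for port 53. Load balancer health probes
// are already permitted by the default AllowAzureLoadBalancerInBound rule.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-dns'
  location: location
  properties: {
    securityRules: [for (proto, i) in ['Tcp', 'Udp']: {
      name: 'allow-dns-${toLower(proto)}'
      properties: {
        priority: 100 + i
        direction: 'Inbound'
        access: 'Allow'
        protocol: proto
        sourceAddressPrefix: clientSourcePrefix
        sourcePortRange: '*'
        destinationAddressPrefix: dnsSubnetPrefix
        destinationPortRange: '53'
      }
    }]
  }
}

// VNet whose DNS setting points at the resolvers. Bastion requires this exact
// subnet name and a /26 or larger.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-dns'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    dhcpOptions: { dnsServers: vnetDnsServers }
    subnets: [
      { name: 'snet-dns', properties: { addressPrefix: dnsSubnetPrefix, networkSecurityGroup: { id: nsg.id } } }
      { name: 'AzureBastionSubnet', properties: { addressPrefix: '10.10.255.0/26' } }
    ]
  }
}

resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-dns-lb'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Public Standard load balancer: TCP/53 and UDP/53 rules, no session
// persistence, no floating IP, SNAT provided by a single outbound rule.
resource lb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [{ name: 'fe-public', properties: { publicIPAddress: { id: pip.id } } }]
    backendAddressPools: [{ name: 'pool-dns' }]
    // Azure LB has no UDP probe; a TCP/53 probe backs both rules since Pi-hole listens on both.
    probes: [{ name: 'probe-tcp53', properties: { protocol: 'Tcp', port: 53, intervalInSeconds: 5, numberOfProbes: 2 } }]
    loadBalancingRules: [for proto in ['Tcp', 'Udp']: {
      name: 'dns-${toLower(proto)}'
      properties: {
        frontendIPConfiguration: { id: feId }
        backendAddressPool: { id: poolId }
        probe: { id: probeId }
        protocol: proto
        frontendPort: 53
        backendPort: 53
        loadDistribution: 'Default' // session persistence: None
        enableFloatingIP: false
        disableOutboundSnat: true // required when an outbound rule provides SNAT
      }
    }]
    outboundRules: [{
      name: 'outbound-default'
      properties: {
        frontendIPConfigurations: [{ id: feId }]
        backendAddressPool: { id: poolId }
        protocol: 'All'
        allocatedOutboundPorts: 0 // default: Azure allocates the port range automatically
        idleTimeoutInMinutes: 4
      }
    }]
  }
}

output resolverPublicIp string = pip.properties.ipAddress
```

Deploy it with the initial vnetDnsServers default, install Pi-hole on the two VMs over Bastion, then redeploy with vnetDnsServers set to the two VM private addresses so the VNet resolves through Pi-hole itself, as the post describes. The disableOutboundSnat flag on both inbound rules corresponds to the portal's recommended "use outbound rules" SNAT setting; without it the inbound rules and the outbound rule would conflict on the same frontend.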

Once finished, you have your own public recursive DNS solution with Pi-hole running in Azure. All you need is the public IP address of the Azure Load Balancer. And the costs are not too bad either.

Hope this helps!

Posted by on 09/03/2021 in Uncategorized
