Running Pi-Hole in AWS


For those of you that may not be familiar with Pi-Hole, it is a DNS resolver that you run on your network to block ads and trackers. It operates very simply: you point your clients to it for DNS, and it compares each query against a list of known tracking/ad domains. If the name matches, the query fails to resolve; if it doesn’t match, Pi-Hole resolves it using an upstream provider. It also caches previous DNS answers, reducing lookup time by keeping them locally. Please visit the Pi-Hole site for more info.

I have been using Pi-Hole for well over a year. It is pretty miraculous just how much of my data is sent to ad/tracker sites. It is very typical for me to see nearly 20% of my requests blocked. It is even more on the network I have set up for my elementary-aged son. The games he plays are LOADED with trackers and adware!! I don’t have any illusion that I have anonymity or true privacy online. It just doesn’t exist. (For the security nerds: yes, I know of Tor, anonymous VPN networks, etc.; however, those require a lot of effort.) I do prefer to limit my exposure as much as possible, and this is why I run Pi-Hole. I also have recently converted to the Brave browser as another layer of protection. I love Pi-Hole because it works at the DNS layer and therefore restricts trackers even on IoT devices.

The most common way to run Pi-Hole is on Raspberry Pi devices. I am a HUGE fan of the Raspberry Pi lineup! In fact, if you have a kid that is interested in IT, get them one and teach them basic Linux right away! I ran four different Raspberry Pis on my network (two per VLAN for redundancy). In fact, I even ran Pi-Hole on Pi Zeros! I am always looking for reasons to tinker with things, which led me to think… “why not do this in AWS?” Now, before I take you down that rabbit hole, let me mention that Pi-Hole is most efficient the closer it is to your network. This is especially true when it comes to the caching feature, so I know I am sacrificing some latency by moving Pi-Hole to the cloud. I decided to do this for two reasons. 1/ Greater confidence in 24/7 uptime. 2/ Just a desire to run something else in AWS.

So how did I do it… well, it’s very simple. In fact, it is very well documented on the following site. I don’t want to rehash what this other author did, but I do want to highlight that you should not run an open resolver: a DNS server that answers queries from any source on the internet. You are setting yourself up for some heartache if you do. So please focus on his advice around security groups, and only allow port 53 from the addresses that should actually be using the resolver. I may cover some best practices around running different services in different accounts in a future blog post. It is preferred that you don’t run services like this under the root account.
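As an added example (not code from the original post or from the site it links to), here is a small check for the open-resolver mistake described above. It reads the `IpPermissions` list that `aws ec2 describe-security-groups` returns for a security group, flags any inbound rule that lets the whole internet (`0.0.0.0/0` or `::/0`) reach port 53, and shows how the same rules look once narrowed to a single allowed source. The security group data and the home address `203.0.113.10/32` are constructed for this example.

```python
"""Flag and narrow EC2 security-group rules that expose DNS (port 53) to the world.

Input shape matches SecurityGroups[].IpPermissions from
`aws ec2 describe-security-groups`. Sample data below is constructed.
"""
import copy
from ipaddress import ip_network

DNS_PORT = 53
OPEN_V4 = ip_network("0.0.0.0/0")
OPEN_V6 = ip_network("::/0")

# Constructed: the public IP of the home network that should use the resolver.
HOME_CIDR = "203.0.113.10/32"

# Constructed sample: DNS open to everyone over UDP and TCP (v4 and v6),
# plus an SSH rule already limited to the home address.
SAMPLE_OPEN = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": HOME_CIDR}], "Ipv6Ranges": []},
]


def _covers_dns(perm):
    """True if this rule's protocol/port range includes DNS on port 53."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS shorthand for "all traffic"; no port fields present
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= DNS_PORT <= hi


def open_resolver_findings(ip_permissions):
    """Return (protocol, cidr) pairs for DNS rules reachable from the whole internet."""
    findings = []
    for perm in ip_permissions:
        if not _covers_dns(perm):
            continue
        for r in perm.get("IpRanges", []):
            if ip_network(r["CidrIp"], strict=False) == OPEN_V4:
                findings.append((perm["IpProtocol"], r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            if ip_network(r["CidrIpv6"], strict=False) == OPEN_V6:
                findings.append((perm["IpProtocol"], r["CidrIpv6"]))
    return findings


def restrict_dns_to(ip_permissions, allowed_cidr):
    """Return a copy of the rules with world-open DNS sources replaced by allowed_cidr.

    IPv6 world-open ranges are simply dropped, since allowed_cidr here is IPv4.
    Rules that do not cover port 53 are left untouched.
    """
    fixed = []
    for perm in ip_permissions:
        perm = copy.deepcopy(perm)
        if _covers_dns(perm):
            v4 = perm.get("IpRanges", [])
            if any(ip_network(r["CidrIp"], strict=False) == OPEN_V4 for r in v4):
                perm["IpRanges"] = [
                    r for r in v4 if ip_network(r["CidrIp"], strict=False) != OPEN_V4
                ] + [{"CidrIp": allowed_cidr}]
            perm["Ipv6Ranges"] = [
                r for r in perm.get("Ipv6Ranges", [])
                if ip_network(r["CidrIpv6"], strict=False) != OPEN_V6
            ]
        fixed.append(perm)
    return fixed


if __name__ == "__main__":
    for proto, cidr in open_resolver_findings(SAMPLE_OPEN):
        print(f"OPEN RESOLVER: port 53/{proto} allowed from {cidr}")
    narrowed = restrict_dns_to(SAMPLE_OPEN, HOME_CIDR)
    print("after narrowing:", open_resolver_findings(narrowed) or "no world-open DNS rules")
```

To run it against a real group, feed it the output of `aws ec2 describe-security-groups --group-ids <your-sg-id> --query 'SecurityGroups[0].IpPermissions'`; any finding means the instance will answer DNS for anyone who scans for it. Narrowing to a single `/32` also means the rule has to be updated if your home IP changes, which is the usual trade-off for a cloud-hosted resolver.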

So how is it working? GREAT! DNS resolution is fast and I haven’t had any downtime. It was a fun, quick project and I was able to turn off some fans that were making noise in my house!