Running and Deploying Pi-Hole

Octelium provides an L7-aware DNS mode that lets you provide secure access to internal and public (including commercial) DNS servers with application-layer-aware access control and visibility (read more about the DNS mode here). For example, you can easily deploy and serve a Pi-hole container (read more about managed containers here) as a Service as follows:

kind: Service
metadata:
  name: pihole
spec:
  mode: DNS
  config:
    upstream:
      container:
        port: 53
        image: pihole/pihole:latest
        env:
          - name: FTLCONF_dns_listeningMode
            value: all

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Once connected to the Cluster via octelium connect (read more here), you can now test the DNS server pihole, for example, as follows:

dig @pihole google.com

Note that the Cluster's DNS server, which resolves DNS queries for all connected Users (read more here), is itself a DNS Service with the name dns.octelium. This DNS server can additionally resolve queries outside the Cluster domain by proxying the requests to fallback servers that can be set via the ClusterConfig (read more here). We can, for example, deploy a Pi-hole server as a typical Kubernetes service and serve it as a fallback server to control and secure DNS queries for all connected octelium clients as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pihole
spec:
  selector:
    matchLabels:
      app: pihole
  template:
    metadata:
      labels:
        app: pihole
    spec:
      containers:
        - name: pihole
          image: pihole/pihole:latest
          ports:
            - containerPort: 53
              protocol: UDP
          env:
            - name: FTLCONF_dns_listeningMode
              value: all
---
apiVersion: v1
kind: Service
metadata:
  name: pihole
spec:
  selector:
    app: pihole
  ports:
    - name: dns
      port: 53
      targetPort: 53
      protocol: UDP

You can now apply the creation of the deployment and service via kubectl apply as follows:

kubectl apply -f PATH/TO/K8S_RESOURCES.YAML

Now we finally refer to the Kubernetes service as a fallback upstream as follows:

kind: ClusterConfig
metadata:
  name: default
spec:
  dns:
    fallbackZone:
      servers:
        - dns://pihole.default.svc

And, as always, you apply the changes via octeliumctl apply.
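
To confirm that filtering is actually in effect on both paths described above (the pihole Service queried directly, and the Cluster DNS using Pi-hole as a fallback), the following added example, which is not part of the Octelium documentation, classifies dig +short output. It assumes Pi-hole's default blocking mode, which answers blocked names with 0.0.0.0 or ::; classify_answer, check_path and blocked.example are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not from the Octelium docs). Assumes Pi-hole's default
# null-blocking mode: blocked names are answered with 0.0.0.0 or ::.

# classify_answer: reads `dig +short` output on stdin and prints one of
#   blocked  - only null-blocking addresses (0.0.0.0 or ::) were returned
#   resolved - at least one real address was returned
#   empty    - no address records at all (NXDOMAIN, timeout, or no answer)
classify_answer() {
    awk '
        /^;/ || /^[[:space:]]*$/ { next }   # dig diagnostics and blank lines
        /\.$/ { next }                      # CNAME targets end with a dot
        $1 == "0.0.0.0" || $1 == "::" { null++; next }
        { real++ }
        END {
            if (real > 0) print "resolved"
            else if (null > 0) print "blocked"
            else print "empty"
        }'
}

# check_path SERVER NAME: query NAME through SERVER and classify the reply.
# SERVER is "pihole" (the Octelium Service) or "" for the system resolver,
# which for a connected client is the Cluster DNS with its fallback servers.
check_path() {
    server=$1; name=$2
    if [ -n "$server" ]; then
        dig +short +time=2 +tries=1 "@$server" "$name" A
    else
        dig +short +time=2 +tries=1 "$name" A
    fi | classify_answer
}

# Usage, after `octelium connect` (blocked.example is a placeholder for a
# name that is on your own Pi-hole blocklist):
#   check_path pihole google.com
#   check_path pihole blocked.example
#   check_path ""     blocked.example
```

A blocklisted name should classify as blocked on both paths; if the direct query is blocked but the system-resolver query is resolved, the ClusterConfig fallback is not being used for that client.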
