How to fix Pi-hole blocking Azure OpenAI calls

How to fix Pi-hole blocking Azure OpenAI calls

A simple solution for a frustrating bug hunt

TLDR;

If you’re using Pi-hole for ad-blocking and find that it’s preventing your access to Azure OpenAI Service, the solution is to whitelist Azure OpenAI domains in Pi-hole’s settings. This issue arises because Pi-hole, which blocks ad-serving domains at the DNS level, can also block legitimate services like Azure OpenAI. The fix involves accessing Pi-hole’s admin interface and adding openai.azure.com to the whitelist, ensuring uninterrupted access to Azure OpenAI for your services, which relies on Azure OpenAI for features like Semantic Kernel for natural language processing. Remember to share this workaround with anyone facing similar issues!

Introduction

If you use Pi-hole to block ads and trackers on your network, you might have encountered a problem when calling the Azure OpenAI Service. Pi-hole is a great tool that can improve your browsing experience and privacy, but it can also interfere with some legitimate services that use the same domains as some of the blocked ads. I’m using the settings published by Jussi Roine, just in case you also want to start your ad-free browsing experience.

How does Pi-Hole work?

To quote their documentation:

Pi-Hole blocks requests made to ad domains from your network, before the requests ever leave your network. Your client devices can’t connect to domains that host ads, but can connect to domains that host useful content.

http://www.raspberrypi.com

Pi-Hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. It is a network-wide ad blocker that works by intercepting DNS requests and filtering out known ad-serving domains. This means that when you try to access a website that contains ads, Pi-Hole will block the ad-serving domains and prevent the ads from being displayed on your device.

Visual Studio Output

CommunityBotForOneDrive v2

One of the cloud services we use in the v2 of our Community Bot for OneDrive project is Azure OpenAI. Over the last couple of weeks, we moved the old project to a new code base. We decoupled things and removed the monolithic bot approach.

We also changed the translation feature and introduced Semantic Kernel to our solution. Semantic Kernel is a tool that allows you to interact with Azure OpenAI using natural language queries and commands, such as “generate a summary of this article” or “find me a picture of a cat”. We will use it moving forward for our multi-language approach. We struggled with existing translation services across multiple cloud vendors because our base information is formatted in Markdown, and all “pre-gpt” services gave us a proper headache with that format. That changed with gpt3.5, the base model we are currently experimenting with.

To make things future-proof and allow us to play with different models, cloud ones and local ones, we used Ollama and Semantic Kernel as our AI stack.

bot architecture

The Problem

However, if Pi-hole is enabled on your network, you might find that Semantic Kernel cannot connect to the Azure OpenAI Service and returns an error message instead.

Finding the culprit here took quite some time. The code base worked for weeks already and stopped connecting to the Azure OpenAI Serivce suddenly last week. We still got the same error after looking at the code and moving a couple of libraries to their latest version. We tried to change the way we reach out to Azure OpenAI Service, but no change.

System.AggregateException: ‘Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443))

exception details

Maybe it’s me, but that didn’t help when reading it for the first time. After googling the exception for quite some time, a forum post mentioned that the exception is based on DNS issues. That rang a bell. I’ve been running Pi-Hole for years, but I updated the Raspberry Pi host and its software stack only a few days ago. I went to the admin page, turned the ad blocking off for 5 minutes and voilà, our test console connected to the cloud and worked.

Here is a screenshot of the Pi-Hole dashboard listening to the DNS requests of the test console:

bot architecture

The long term solution

Fortunately, there is a simple solution to this problem. You can whitelist the domains that Azure OpenAI uses to bypass Pi-hole’s blocking and allow Semantic Kernel to work as intended. Whitelisting is a process of adding exceptions to Pi-hole’s filtering rules so that certain domains are always allowed to connect, regardless of whether they are on the blocklist. To whitelist the domains that Azure OpenAI uses, you need to follow these steps:

  • Log in to your Pi-hole admin interface, which is usually located at http://pi.hole/admin or http://your-Pi-hole-IP-address/admin.
  • Click on the “Domains” tab on the left sidebar.
  • Enter openai.azure.com in the domain field
  • Click on “Add domain as wildcard”
  • Click on the “Add to whitelist” button.

You can also add your specific FQDN of your endpoint, but as I will use different enpoints in the future it felt easier to just add the whole subdomain to the whitelist.

That’s it! You have successfully whitelisted the Azure OpenAI Service’s domains and fixed the problem with Pi-hole blocking your calls.

bot architecture

I hope this post was helpful and informative. If you liked it, please share it with your friends and colleagues who might also use Pi-hole and the Azure OpenAI Service. If you have any questions or feedback, please leave me a DM or a tweet. Thank you for reading!