How to fix Pi-hole blocking Azure OpenAI calls
A simple solution for a frustrating bug hunt
TLDR;
If you’re using Pi-hole for ad-blocking and find that it’s preventing your access to Azure OpenAI Service, the solution is to whitelist Azure OpenAI domains in Pi-hole’s settings. This issue arises because Pi-hole, which blocks ad-serving domains at the DNS level, can also block legitimate services like Azure OpenAI. The fix involves accessing Pi-hole’s admin interface and adding openai.azure.com to the whitelist, ensuring uninterrupted access to Azure OpenAI for your services, which relies on Azure OpenAI for features like Semantic Kernel for natural language processing. Remember to share this workaround with anyone facing similar issues!
Introduction
If you are using Pi-hole to block ads and trackers on your network, you might have encountered a problem when trying to call the Azure OpenAI Service. Pi-hole is a great tool that can improve your browsing experience and privacy, but it can also interfere with some legitimate services that use the same domains as some of the blocked ads. I’m using the settings published by Jussi Roine, just in case you want also start your ad free browsing experience.
How does Pi-Hole work?
To quote their documentation:
Pi-Hole blocks requests made to ad domains from your network, before the requests ever leave your network. Your client devices can’t connect to domains that host ads, but can connect to domains that host useful content.
Pi-Hole is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software. It is a network-wide ad blocker that works by intercepting DNS requests and filtering out known ad-serving domains. This means that when you try to access a website that contains ads, Pi-Hole will block the ad-serving domains and prevent the ads from being displayed on your device.
CommunityBotForOneDrive v2
One of the cloud service we use in the v2 of our Community Bot for OneDrive project is Azure OpenAI. Over the last couple of weeks we moved the old project to a new code base. We decoupled things and removed the monolithic bot approach.
As we also change the translation feature we introduce Semantic Kernel to our solution. Semantic kernel is a tool that allows you to interact with Azure OpenAI using natural language queries and commands, such as “generate a summary of this article” or “find me a picture of a cat”. We will use it moving forward for our multi language approach. We struggeld with existing translation services across multiple cloud vendors because our base information is formatted in Markdown and all “pre-gpt” services gave us a proper head ache with that format. That changed with gpt3.5 which is the base model we are curently experimenting with.
To make things future proof and to maybe allow us to play with different models, cloud ones and local ones using ollama, we went for Semantic Kernel as our AI library.
The Problem
However, if you have Pi-hole enabled on your network, you might find that semantic kernel cannot connect to the Azure OpenAI Service and returns an error message instead.
Finding the culprit here took quite some time. The code base worked for weeks already and stopped connecting to the Azure OpenAI Serivce suddenly last week. After looking at the code and moving a couple of libraries to their latest version, we still got the same error. We tried to change the way we reach out to Azure OpenAI Service but no change.
System.AggregateException: ‘Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443)) (The requested name is valid, but no data of the requested type was found. (XYZ.openai.azure.com:443))
exception details
Maybe it’s me, but that didn’t help when reading it for the first time. After googeling the exception for quite some time, a forum post mentioned that the excpetion is based on DNS issues. That rang a bell. I’m runnig Pi-Hole for years now, but I updated the whole raspberry pi host and it’s software stack only a few days ago. Went to the admin page, turned ad blocking off for 5 minutes and e voila, our test console connect to the cloud and worked.
Here a screenshot of the Pi-Hole dashboard listening to the DNS requests of the test console:
The long term solution
Fortunately, there is a simple solution to this problem. You can whitelist the domains that Azure OpenAI uses to bypass Pi-hole’s blocking and allow semantic kernel to work as intended. Whitelisting is a process of adding exceptions to Pi-hole’s filtering rules, so that certain domains are always allowed to connect, regardless of whether they are on the blocklist or not. To whitelist the domains that Azure OpenAI uses, you need to follow these steps:
- Log in to your Pi-hole admin interface, which is usually located at http://pi.hole/admin or http://your-Pi-hole-IP-address/admin.
- Click on the “Domains” tab on the left sidebar.
- Enter openai.azure.com in the domain field
- Click on “Add domain as wildcard”
- Click on the “Add to whitelist” button.
You can also just add your specific FQDN of your endpoint, but as I will use different enpoints in the future it felt easier to just add the whole subdomain to the whitelist.
That’s it! You have successfully whitelisted the domains that the Azure OpenAI Service uses and fixed the problem with Pi-hole blocking your calls.
I hope this blog post was helpful and informative. If you liked it, please share it with your friends and colleagues who might also use Pi-hole and the Azure OpenAI Service. If you have any questions or feedback, please leave me a DM or a tweet. Thank you for reading!