Attack by pizzaseo.com?

hello,
I have installed Pi-hole on my network, and I'm using a VPN connection to my routers,
so the only connection to port 53 (Pi-hole) is from my VPN network.
Everything worked great for a week ~
Today I opened the admin GUI and saw this:

2021-07-20 14:00:20	RRSIG	pizzaseo.com	hosted-by-hostdzire.com	OK (forwarded to dns.google#53)	N/A (0.0ms)

2 questions:

  1. How could it be? The network is closed for UDP/TCP 53 outside my VPN network.
  2. How can I block it?

Thanks ,

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I have created a debug file;
this is the token:
Your debug token is: https://tricorder.pi-hole.net/f024uz6omk

Thanks,

I think I have found the problem...
There was a firewall rule of UDP 0.0.0.0 accept in my router...

Your debug log looks normal.

Run from your Pi-hole host machine, what is the output of the following commands?

echo ">top-clients (20) >quit" | nc localhost 4711
grep -n pizzaseo.com /var/log/pihole.log

Also, after I closed the firewall rule of 0.0.0.0 UDP accept, I still get this problem.
This is what I get when I run the commands you told me:

> echo ">top-clients (20) >quit" | nc localhost 4711
0 14693 10.136.198.238
1 1548 10.136.109.89
2 1430 10.226.201.154
3 669 10.136.196.213
4 667 10.136.109.42
5 529 10.226.192.123
6 522 10.226.201.151
7 401 95.211.172.74 hosted-by-hostdzire.com  --- this is not something that should be 
8 374 127.0.0.1 localhost
9 350 10.136.109.76
10 310 10.136.197.188
11 307 24.56.19.27 ip24-56-19-27.ph.ph.cox.net  --- this is not something that should be 
12 214 10.136.137.135
13 211 85.136.231.165 85.136.231.165.dyn.user.ono.com  --- this is not something that should be 
14 186 10.136.198.178
15 159 10.136.137.43
16 123 10.136.136.66
17 112 10.136.102.201
18 106 10.226.200.137
19 99 99.16.128.76 99-16-128-76.lightspeed.crlkil.sbcglobal.net  --- this is not something that should be

and also this

48035:Jul 20 11:56:07 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48036:Jul 20 11:56:07 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48037:Jul 20 11:56:53 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48038:Jul 20 11:56:53 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48039:Jul 20 11:56:58 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48040:Jul 20 11:56:58 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48041:Jul 20 11:57:06 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48042:Jul 20 11:57:06 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48043:Jul 20 11:57:08 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48044:Jul 20 11:57:08 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48045:Jul 20 11:57:36 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48046:Jul 20 11:57:36 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48047:Jul 20 11:57:39 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48048:Jul 20 11:57:39 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48049:Jul 20 11:57:51 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48050:Jul 20 11:57:51 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48051:Jul 20 11:58:23 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48052:Jul 20 11:58:23 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48053:Jul 20 11:59:05 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48054:Jul 20 11:59:05 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48055:Jul 20 11:59:11 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48056:Jul 20 11:59:11 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48057:Jul 20 11:59:20 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48058:Jul 20 11:59:20 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
48059:Jul 20 11:59:43 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
48060:Jul 20 11:59:43 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4

I have rebooted the Pi-hole
and I still get connections from this address.
How could it be?

It's 100% blocked;
only 10.226.0.0/16 and 10.136.0.0/16 can access my Pi on port 53.

I have also added firewall rules on my CentOS 7 (up until now it was disabled).
This is what I have added:

sudo firewall-cmd --zone=public --permanent --list-ports
53/udp 22/tcp 53/tcp 80/tcp

I also added this rule:
sudo iptables -A INPUT -p udp --dport 53 -m string --algo kmp --string "pizzaseo" -j DROP

I have rebooted, just to be sure and safe, and it seems to have stopped.

do I need to do anything else?

That doesn't seem to be the case.
You seem to be running an open resolver, which would pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

I am aware that you don't intend to run your Pi-hole as an open resolver, but we can't help you much in firewalling your cloud instance correctly, as that will be highly individual based on your provider, the software you run on that node and your personal preferences (apart from being a network configuration issue entirely separate from Pi-hole).

In general, it may be advantageous to follow a deny-all policy and allow just those connections that your VPN server would require.

You could take a look at some sample rule sets for an OpenVPN configuration for some ideas and inspirations, but note that those are specific for OpenVPN, and that your cloud provider may limit access to your firewall configuration or require certain rules to be present.

EDIT: And don't forget to save your firewall rules so they'd survive a reboot (specifically if you are using iptables).
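As a check to go with the deny-all advice above (an added example, not the Pi-hole project's code): this script reads pihole.log lines in the dnsmasq format quoted earlier in the thread and tallies queries whose source falls outside the two VPN /16s the poster listed, which is what reading the top-clients output by hand was doing. The sample log lines are constructed, and the allowed networks are assumed from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the pihole.log (dnsmasq) format quoted above; not real traffic.
SAMPLE_LOG = """\
Jul 20 11:56:07 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
Jul 20 11:56:07 dnsmasq[5905]: forwarded pizzaseo.com to 8.8.4.4
Jul 20 11:56:09 dnsmasq[5905]: query[A] example.org from 10.136.198.238
Jul 20 11:56:53 dnsmasq[5905]: query[RRSIG] pizzaseo.com from 24.56.19.27
Jul 20 11:57:01 dnsmasq[5905]: query[ANY] pizzaseo.com from 95.211.172.74
Jul 20 11:57:02 dnsmasq[5905]: query[A] pi.hole from 127.0.0.1
Jul 20 11:57:05 dnsmasq[5905]: query[AAAA] example.org from 10.226.201.154
"""

# Clients that may reach port 53: the two VPN /16s named in the thread plus the host itself (assumed).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.136.0.0/16", "10.226.0.0/16", "127.0.0.0/8")]

# Only 'query[...]' lines carry the client address; 'forwarded'/'cached' lines do not.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$")


def parse_queries(log_text):
    """Yield (qtype, name, src) for every query line; everything else is skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["qtype"], m["name"], m["src"]


def is_allowed(src, allowed_nets=ALLOWED_NETS):
    """True if the client address falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_nets)


def audit_open_resolver(log_text, allowed_nets=ALLOWED_NETS):
    """Tally queries per client from outside the allowed networks. Any entry means the
    resolver is still reachable from the Internet, whatever name was asked for; RRSIG/ANY
    are counted separately because their large answers are what make an open resolver an amplifier."""
    outside = {}
    for qtype, name, src in parse_queries(log_text):
        if is_allowed(src, allowed_nets):
            continue
        e = outside.setdefault(src, {"count": 0, "large": 0, "qtypes": Counter(), "names": Counter()})
        e["count"] += 1
        if qtype in ("RRSIG", "ANY"):
            e["large"] += 1
        e["qtypes"][qtype] += 1
        e["names"][name] += 1
    return outside
```

Run it against the real file with `audit_open_resolver(open("/var/log/pihole.log").read())` after the firewall change; an empty result is the confirmation the poster was looking for.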

I understand,
I have tried to "play" with the firewall and it seems to be working now.
Maybe it takes some time for the firewall rules to be applied or something,
but now it seems to be working and I only get requests from my own VPN clients.

Thank you for the help (I learned new commands on the way, so it wasn't for nothing 🙂 )
