Attack by

I have installed Pi-hole on my network, and I'm using a VPN connection to my routers,
so the only connection to port 53 (Pi-hole) is from my VPN network.
Everything worked great for about a week.
Today I opened the admin GUI and saw this:

2021-07-20 14:00:20	RRSIG	OK (forwarded to	N/A (0.0ms)

2 questions:

  1. How could it be? The network is closed for UDP/TCP 53 outside my VPN network.
  2. How can I block it?

Thanks,

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I have created a debug file.
This is the token:
Your debug token is:


I think I have found the problem...
There was a firewall rule of UDP accept in my router.

Your debug log looks normal.

Run from your Pi-hole host machine, what is the output of the following commands?

echo ">top-clients (20) >quit" | nc localhost 4711
grep -n /var/log/pihole.log

Also, after I closed the firewall rule of UDP accept, I still get this problem.
This is what I get when I run the commands you told me:

> echo ">top-clients (20) >quit" | nc localhost 4711
0 14693
1 1548
2 1430
3 669
4 667
5 529
6 522
7 401  --- this is not something that should be 
8 374 localhost
9 350
10 310
11 307  --- this is not something that should be 
12 214
13 211  --- this is not something that should be 
14 186
15 159
16 123
17 112
18 106
19 99  --- this is not something that should be

and also this:

48035:Jul 20 11:56:07 dnsmasq[5905]: query[RRSIG] from
48036:Jul 20 11:56:07 dnsmasq[5905]: forwarded to
48037:Jul 20 11:56:53 dnsmasq[5905]: query[RRSIG] from
48038:Jul 20 11:56:53 dnsmasq[5905]: forwarded to
48039:Jul 20 11:56:58 dnsmasq[5905]: query[RRSIG] from
48040:Jul 20 11:56:58 dnsmasq[5905]: forwarded to
48041:Jul 20 11:57:06 dnsmasq[5905]: query[RRSIG] from
48042:Jul 20 11:57:06 dnsmasq[5905]: forwarded to
48043:Jul 20 11:57:08 dnsmasq[5905]: query[RRSIG] from
48044:Jul 20 11:57:08 dnsmasq[5905]: forwarded to
48045:Jul 20 11:57:36 dnsmasq[5905]: query[RRSIG] from
48046:Jul 20 11:57:36 dnsmasq[5905]: forwarded to
48047:Jul 20 11:57:39 dnsmasq[5905]: query[RRSIG] from
48048:Jul 20 11:57:39 dnsmasq[5905]: forwarded to
48049:Jul 20 11:57:51 dnsmasq[5905]: query[RRSIG] from
48050:Jul 20 11:57:51 dnsmasq[5905]: forwarded to
48051:Jul 20 11:58:23 dnsmasq[5905]: query[RRSIG] from
48052:Jul 20 11:58:23 dnsmasq[5905]: forwarded to
48053:Jul 20 11:59:05 dnsmasq[5905]: query[RRSIG] from
48054:Jul 20 11:59:05 dnsmasq[5905]: forwarded to
48055:Jul 20 11:59:11 dnsmasq[5905]: query[RRSIG] from
48056:Jul 20 11:59:11 dnsmasq[5905]: forwarded to
48057:Jul 20 11:59:20 dnsmasq[5905]: query[RRSIG] from
48058:Jul 20 11:59:20 dnsmasq[5905]: forwarded to
48059:Jul 20 11:59:43 dnsmasq[5905]: query[RRSIG] from
48060:Jul 20 11:59:43 dnsmasq[5905]: forwarded to

I have rebooted the Pi-hole
and I still get connections from this address.
How could it be?

It's 100% blocked;
only and can access my Pi on port 53.

I have also added firewall rules on my CentOS 7 OS (up until now it was disabled).
This is what I have added:

sudo firewall-cmd --zone=public --permanent --list-ports
53/udp 22/tcp 53/tcp 80/tcp

I also added this rule:
sudo iptables -A INPUT -p udp --dport 53 -m string --algo kmp --string "pizzaseo" -j DROP

I have rebooted, just to be sure and safe, and it seems to have stopped.

Do I need to do anything else?

That doesn't seem to be the case.
You seem to be running an open resolver, which would pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

I am aware that you don't intend to run your Pi-hole as an open resolver, but we can't help you much in firewalling your cloud instance correctly, as that will be highly individual based on your provider, the software you run on that node and your personal preferences (apart from being a network configuration issue entirely separate from Pi-hole).

In general, it may be advantageous to follow a deny-all policy and allow just those connections that your VPN server would require.

You could take a look at some sample rule sets for an OpenVPN configuration for some ideas and inspirations, but note that those are specific for OpenVPN, and that your cloud provider may limit access to your firewall configuration or require certain rules to be present.

EDIT: And don't forget to save your firewall rules so they'd survive a reboot (specifically if you are using iptables).

I understand.
I have tried to "play" with the firewall and it seems to be working now;
maybe it takes some time for the firewall rules to be applied or something,
but now it seems to be working and I only get requests from my own VPN clients.

Thank you for the help (I learned new commands on the way, so it wasn't for nothing :slight_smile: )