Binding to an interface is bad

I recently had to reinstall one of my pi-holes and I noticed this part of the configuration regarding binding to an interface.

I always kinda thought it was "good" to bind to an interface to ensure you could control the source of traffic. Can someone point me to why this is "bad" in this context?

The linked documentation has several occurrences of interface (but none of the word bad). I think it also does a decent job of explaining each option - of course, that's the way I read it, and there's always room for improvement.

Could you please detail which paragraph triggered your query in particular?

@Bucking_Horn Thanks for the reply. I guess the part I want to better understand is this.

I'm wondering why these are "potentially dangerous". I'm fine if you just point me to some links to read up on this, but when I googled things like "bind to interface dns security" I couldn't find anything that helped me understand why this is dangerous.

If you bind to an interface rather than to a specific IP address, you may receive traffic that doesn't match your IP's associated subnet.

On some occasions, this may be desirable (e.g. if your home network is split into several VLANs, or if a VPN is involved), but in general, you wouldn't want to deal with traffic that isn't meant for you.

If you'd also permit all origins, traffic may also include DNS requests from external public networks, and, as mentioned in our docs, you would risk running an open resolver that could be misused (e.g. in DNS amplification attacks). Of course, you'd also have to have opened port 53 for public inbound traffic in that case (which may well be the case if you'd run your Pi-hole on a cloud instance without proper firewalling).

Note that the Pi-hole team strongly discourages running Pi-hole as an open resolver, and we won't provide support in that case.
