GeoIP protected Open Pi-Hole using Fail2Ban

Hi,

Because I wanted to run a Pi-Hole that is usable by all my friends, I bought a small virtual server in the cloud. Then I installed Debian and Pi-Hole and opened port 53, and everybody was happy... for a little while :confused:

Suddenly the Pi-Hole was slow, and I discovered that it was being used for a "DNS traffic amplification attack" :rage: I took it down and started a search for easy solutions to the problem. During this search, I found that all the "ANY" queries came from countries outside Denmark, and an idea spawned:

I needed a "Geo Fence" (just like Trump's crazy wall project), and that fence should only let queries that originate from Denmark be processed by the Pi-Hole!

After some tinkering, I got it up and running, and now I would like to know your thoughts about the idea/solution... I know it probably is a bit of a dirty solution - but it seems to work for me :grin:

See Access control using Fail2Ban and geoip at my wiki for an explanation of how I did it.

Peace in the valley :pray:
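The post above describes the mechanism only in outline: Fail2Ban watches the dnsmasq query log, treats "ANY" queries and queries from outside the fence as offences, and bans the source. The following is an added example of that filter logic in Python; it is not the wiki's Fail2Ban configuration and not Pi-hole code. The log lines are constructed in the standard dnsmasq `query[TYPE] name from IP` format, the "fence" is a hand-picked list of documentation prefixes standing in for a GeoIP lookup (an assumption, not real Danish allocations), and the emitted `iptables` DROP commands are the manual rule mentioned later in the thread, so the script runs without root and without a GeoIP database.

```python
"""Fail2Ban-style filter over dnsmasq query logs (added, constructed example).

Offending queries are (a) any query whose source is outside the fence and
(b) ANY queries from anywhere, since an in-fence host can also be abused.
A source that crosses `maxretry` offences is banned, and the equivalent
iptables DROP rules are generated instead of applied.
"""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: stand-in for a GeoIP database. These are RFC 5737 documentation
# ranges, used here only to mark which sources count as "inside the fence".
INSIDE_FENCE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# dnsmasq with log-queries writes lines such as:
#   Jan 10 12:00:00 dnsmasq[1234]: query[A] example.com from 192.0.2.10
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Za-z0-9=]+)\] (?P<name>\S+) from (?P<src>[0-9a-fA-F.:]+)"
)

# Constructed sample log: one chatty but benign LAN client, one out-of-fence
# host sending repeated ANY queries, one in-fence host sending a single ANY,
# one non-query line that the filter must ignore.
SAMPLE_LOG = [
    "Jan 10 12:00:01 dnsmasq[1234]: query[A] example.com from 192.0.2.10",
    "Jan 10 12:00:02 dnsmasq[1234]: query[AAAA] example.com from 192.0.2.10",
    "Jan 10 12:00:03 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.7",
    "Jan 10 12:00:03 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.7",
    "Jan 10 12:00:04 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.7",
    "Jan 10 12:00:05 dnsmasq[1234]: query[A] pi-hole.net from 198.51.100.20",
    "Jan 10 12:00:06 dnsmasq[1234]: query[ANY] ripe.net from 198.51.100.20",
    "Jan 10 12:00:07 dnsmasq[1234]: forwarded example.com to 1.1.1.1",
    "Jan 10 12:00:08 dnsmasq[1234]: query[A] example.org from 203.0.113.8",
]


def inside_fence(src):
    """True if `src` falls in one of the fence prefixes; unparsable -> False."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in INSIDE_FENCE)


def parse_line(line):
    """Return (qtype, name, src) for a dnsmasq query line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("qtype"), m.group("name"), m.group("src")


def score_offenders(lines, maxretry=3):
    """Return {src_ip: offence_count} for sources with >= maxretry offences."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        qtype, _name, src = parsed
        if qtype.upper() == "ANY" or not inside_fence(src):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= maxretry}


def ban_rules(offenders):
    """iptables commands that a Fail2Ban banaction would run for a DNS jail."""
    rules = []
    for src in sorted(offenders):
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -I INPUT -s {src} -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    banned = score_offenders(SAMPLE_LOG)
    for src, n in banned.items():
        print(f"ban {src} ({n} offending queries)")
    print("\n".join(ban_rules(banned)))
```

With the sample log, only 203.0.113.7 reaches the threshold; the single ANY from the in-fence host and the single out-of-fence A query are logged as offences but not banned, which is the Fail2Ban `maxretry` trade-off: a low threshold blocks reflectors quickly but will also catch a legitimate client that happens to sit behind an unexpected prefix.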

Anyone could buy a VPS inside the fence and still use that as an amplification node. Best solution is still a VPN from your clients to the DNS server, or DNSCrypt and only give your clients the key...

That is certainly true and when that happens I will need to add a DROP rule to iptables manually... VPN is a great solution in some situations where the 'hassle' of configuring the VPN client is worth the gain.

It is on the other hand extremely easy for my Danish friends (and everybody else in Denmark) :wink: to change the DNS server setting in their home routers facing the Internet, and in a jiffy become (almost) ad-free on the internal LAN - no matter what device uses that LAN.

I can even get easy adblocking at work because the DNS setting can be changed on my office workstation :innocent:

Isn't that a bit too late?
If you plug holes afterwards, your system has probably already been used for an attack.

Here is a nice howto for OpenVPN:


We have also spoken about this in the past
https://pi-hole.net/2016/09/15/tips-for-accessing-your-pi-hole-remotely/

Thank you for the link, I have been running Pi-Hole and OpenVPN for a long time so I know the pros and cons :wink:

You miss the essential point - I need / want a solution to ad-blocking that does not require any IT skills to implement.

An open Pi-Hole meets that demand.

If amplification attacks that have a source IP inside my GeoIP fence start to be a problem, then I will find another solution or tweak the one I already have.
Fail2Ban is very powerful and flexible :slight_smile:

Yes, I know - but does that mean I cannot start a new thread on the subject of making easy ad-blocking available to a lot of people?

The blog tips you link to are great and sane, but IMO not necessarily the whole truth... sometimes it is okay to go ahead despite the risk of some collateral damage.

Before we continue here, I have to make this quite plain:

We do not support open resolvers because of the number of threats they pose for both the server and everyone else on the Internet.

So, the obvious question is: How can you do what you want without being an open resolver? Note that a "GeoIP-limited" open resolver is still an open resolver...

I'm aware that you don't want to use, and why you don't want to use, a proper way, which would inevitably require a VPN connection. The only other way to achieve what you want seems to be to explicitly allow the IP addresses of your users on an individual basis. I'm still not sure if I'd consider this a truly not-open resolver (only if you are sure about the identities of your users and about their attitudes). Everything you do in this respect is certainly in a gray area.


I did not ask for support :wink:

I asked for the Community's thoughts... so far I only got a response from "the top of the food chain" here, but that's okay - and thank you - all you have written is good and sane. It did not bring any new stuff to the table for me, but that's okay. I posted this in "Customizing Pi-Hole" because I never expected any support for customized versions of Pi-Hole. I did not post it to piss anybody off - I just wanted to share a solution that works for me at this time.

Besides the purpose I made it for, the "Fail2Ban GeoIP fence" can be used for many other purposes with a little tweaking, so maybe someone stumbles upon it at some time in the future, and who knows what happens then...

--
Peace in the valley


I know, and I'm sorry if I caused confusion - after all, I'm not a native speaker, and seemingly I meant something different by "support" than what you think I wanted to say (maybe replace/append "support" with "condone").

I'm, however, still convinced that even a Geo-fenced server is a bad thing as it can still be used for amplification attacks. After all, dnsmasq was not meant to be operated facing the public internet (not even a part of it).

No need to say that - we are not angry here, but only very skeptical - also concerning data security, since you have quite some power if you are running a DNS service for people (esp. if they have little to no IT background).


^ Was about to say something similar.
I wouldn't want to make use of this open resolver if the owner doesn't realize what trouble he might cause for someone else and categorises this as "collateral damage".
Who wants to do their banking and other sensitive dealings using this DNS setup, which is lacking the needed protection/securing/hardening on all fronts?

Please folks, don't see this thread as a solution, because it's not!


I know it's an old topic but what you can do is whitelist instead of blacklist.

That is what I did. I had a server in Azure and blacklisted all IPs except mine and anyone with my permission.
That worked very well.

Do you mean the B/W lists from Pi-hole or maybe a firewall provided by Azure?

Oh yeah, I was a little vague on that, sorry.
No, I used the firewall: drop all except from my list of whitelisted IPs.

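The approach in the reply above (firewall: drop everything on port 53 except a list of known client IPs) is the one the thread's critics consider closer to a non-open resolver. Below is an added example of that allowlist, as a small Python generator that emits the iptables/ip6tables commands rather than applying them; it is not the poster's Azure configuration and not Pi-hole code. The interface name, the chain name `DNS_ALLOW`, and the client addresses are assumptions chosen for the example (documentation ranges), and validation is strict so that a typo in the list raises instead of silently widening the fence.

```python
"""Default-deny DNS client allowlist for a 'semi-public' Pi-hole.

Added, constructed example: generates firewall commands for review instead
of running them, so it works without root. Apply with e.g.
    python3 allowlist.py | sudo sh
after reading the output. Chain and interface names are assumptions.
"""
import ipaddress

# ASSUMPTION: the clients you trust, as addresses or prefixes (RFC 5737 /
# RFC 3849 documentation ranges here, standing in for real home IPs).
CLIENTS = ["192.0.2.10", "198.51.100.0/24", "2001:db8:1::/48"]


def parse_clients(clients):
    """Normalise entries to ip_network objects; any bad entry raises ValueError.

    Failing loudly matters: an allowlist that quietly skips a malformed line
    still looks 'configured' while the chain may end up empty.
    """
    return [ipaddress.ip_network(c, strict=False) for c in clients]


def dns_allowlist_rules(clients, iface="eth0", chain="DNS_ALLOW"):
    """Return iptables + ip6tables commands: accept listed clients, drop the rest.

    Order inside the chain is accept rules first, then an unconditional DROP,
    and INPUT jumps into the chain only for UDP/TCP destination port 53, so
    the rest of the host's firewall policy is untouched.
    """
    nets = parse_clients(clients)
    rules = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        family = [n for n in nets if n.version == version]
        # Create (errors harmlessly if it already exists) and flush the chain
        # so re-running after editing CLIENTS replaces the old list.
        rules.append(f"{tool} -N {chain}")
        rules.append(f"{tool} -F {chain}")
        for net in family:
            rules.append(f"{tool} -A {chain} -s {net} -j ACCEPT")
        rules.append(f"{tool} -A {chain} -j DROP")  # default deny
        for proto in ("udp", "tcp"):
            rules.append(f"{tool} -A INPUT -i {iface} -p {proto} --dport 53 -j {chain}")
    return rules


def is_allowed(src, clients):
    """Offline check: would `src` be accepted by the generated chain?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in parse_clients(clients) if net.version == ip.version)


if __name__ == "__main__":
    print("\n".join(dns_allowlist_rules(CLIENTS)))
```

Note what this does and does not buy: a host that is not in the list never gets an answer, so it cannot use the resolver as a reflector, but a listed client whose dynamic home IP changes silently drops off the list, and an attacker who can spoof a listed source address still gets amplified traffic sent to that address. That is the residual risk the earlier replies refer to when they call even an allowlisted resolver a gray area.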

Yes, that would work if one or a few well-known IPs needed access to the 'semi public' Pi-Hole.

Merry Christmas :christmas_tree: