My Pi-Hole is accessible externally; therefore, I would prefer a secured system that cannot be attacked by brute-forcing and other approaches. I, personally, would prefer if I could enable an .htaccess-like behavior that, before any content and files are sent to the outside world, an additional login/password request is requested.
I am aware of the power of a good password +2FA - but alone knowing what is hosted on this web service through sniffing is something I wish to prevent.
By exposing your Pi-hole to public Internet, you risk running your Pi-hole as a publicly available open resolver.
Open resolvers pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.
The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.
The recommended way to allow secure remote access to your Pi-hole is via authenticated, secure VPN connections, which arguably would also be safer than .htaccess policies.
I am aware of these kinds of attacks. Therefore, I am only opening 853 DNS over HTTPS, such as HTTPS 443 for a web panel to the outside. DNS over HTTPS is something I need on my mobile Android devices to access my Pi-Hole. While I am aware of VPN, I am prioritizing latency in this case as I do not wish to send my mobile traffic through my home network.
As far as I know, the service on 853 is not as vulnerable to attacks as the regular service on 53, starting with the required TCP handshake.
I just saw that from your other post (though Port 853 would be used for DNS-over-TLS, which is also what smartphones would commonly use).
That's correct, a TLS connection would at least mitigate the risk of DNS amplification attacks.
Your Pi-hole's DNS server would still be publicly accessible, though.
If that's what you intend, deploying a VPN server next to Pi-hole may indeed counteract that intention.
There should be no discernible difference in latency.
Using plain Do53 over a VPN connection, it may even be lower than TLS, depending on your VPN software.
You can configure VPN clients to route only DNS requests (and optionally requests to your home network's private IP range) through it, so apart from DNS, all other traffic will be routed through your smartphone's gateway, see e.g. Wireguard - Pi-hole documentation.
In contrast to just adding .htaccess policies, this would also provide you with secure remote access to your home network.
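As an added illustration of the split-tunnel setup described in the reply above (this is example code written for this page, not part of the thread or of the Pi-hole project's documentation), the script below embeds a constructed WireGuard client config whose `AllowedIPs` covers only the Pi-hole's VPN address and the home LAN, and checks that the config really does route only DNS through the tunnel. The addresses (10.100.0.0/24 for the tunnel, 192.168.1.0/24 for the LAN, `vpn.example.invalid` as endpoint) and the key placeholders are assumptions, not values from the thread.

```python
"""Check that a WireGuard client config tunnels only DNS (plus an optional home LAN)."""
import ipaddress

# Constructed sample client config (placeholder addresses and keys, not from the thread).
# [Interface] DNS points at the Pi-hole's VPN address; [Peer] AllowedIPs covers only the
# Pi-hole itself and the home LAN, so all other traffic stays on the phone's own gateway.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.100.0.2/32
DNS = 10.100.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.100.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25
"""

# Same config with a full-tunnel AllowedIPs, which would send all mobile traffic home.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.100.0.1/32, 192.168.1.0/24", "AllowedIPs = 0.0.0.0/0, ::/0"
)


def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-like format: {section: {key: [values]}}.

    Values are kept as lists because WireGuard allows a key (e.g. AllowedIPs) to repeat.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def check_split_tunnel(text, lan=None):
    """Return a list of findings; an empty list means only DNS (and the allowed LAN) is tunneled.

    `lan` is an optional list of private prefixes (e.g. ["192.168.1.0/24"]) that may also be routed.
    """
    conf = parse_wg_conf(text)
    findings = []

    dns_servers = [
        ipaddress.ip_address(a.strip())
        for v in conf.get("Interface", {}).get("DNS", [])
        for a in v.split(",")
    ]
    if not dns_servers:
        findings.append("no DNS= entry: the phone would keep using its carrier's resolver")

    allowed = [
        ipaddress.ip_network(n.strip())
        for v in conf.get("Peer", {}).get("AllowedIPs", [])
        for n in v.split(",")
    ]
    permitted = {ipaddress.ip_network(n) for n in (lan or [])}

    for net in allowed:
        if net.prefixlen == 0:
            findings.append(f"{net} tunnels all traffic (full tunnel), not just DNS")
        elif any(d in net for d in dns_servers):
            continue  # this route is what carries queries to the Pi-hole
        elif net in permitted:
            continue  # explicitly allowed home LAN prefix
        else:
            findings.append(f"{net} is tunneled but is neither the DNS server nor the allowed LAN")

    for d in dns_servers:
        if not any(d in net for net in allowed):
            findings.append(f"DNS server {d} is not covered by AllowedIPs, so queries would bypass the tunnel")
    return findings


if __name__ == "__main__":
    print("split tunnel:", check_split_tunnel(SPLIT_TUNNEL_CONF, lan=["192.168.1.0/24"]) or "OK")
    print("full tunnel:", check_split_tunnel(FULL_TUNNEL_CONF) or "OK")
```

The key property is the one the reply describes: with `AllowedIPs` limited to the Pi-hole and the LAN, the phone's routing table only sends those destinations into the tunnel, so web browsing and other traffic never transits the home connection, while every DNS query still reaches the Pi-hole over an authenticated link instead of a publicly reachable resolver.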