In what cases could Pi-hole accidentally become an open DNS resolver accessible from the internet?
In this article it says:

High-level Overview

Using a VPN is a responsible, respectful, and safe way to access your Pi-hole's capabilities remotely. Setting up a DNS server has become a simple task with Pi-hole's automated installer, which has resulted in many people knowingly--or unknowingly--creating an open resolver, which aids in DNS Amplification Attacks.

My question is in what cases could a device running pihole end up as an open dns resolver? How does one even do that accidentally by using the setup wizard?
Unless you install pihole on a public server or open a port on your router, this should never be the case right?

I mean if you do a standard installation on a raspberry pi behind a router in local network, it shouldn't pose any security risk even if you allow requests from all sources in settings. So I'm a bit confused as to what exactly they meant in the article and what configurations people use so that pihole ends up an open resolver. That's not something I want to happen.

Also, I ran the command nmap -sU -p 53 -sV -P0 --script "dns-recursion" x.x.x.x (ip address of pihole) with nmap and the result was that recursion is enabled. Recursion is associated with the risk of exploiting dns for DDoS and such.
Is this result expected on pihole with default config? I guess it is. After all, the pihole is a recursive resolver answering to every device on the local network.

Sorry for all these questions. But I want to make sure my pihole is not an open resolver

If you put the Pi-hole server in a DMZ or open port 53 on your router and forward it to the Pi-hole server.

If you run nmap on the Pi-hole server itself then you will see that result. If you run that nmap command and use an external IP address, your WAN address, and you see that result then you need to worry a bit.

Check a port scan tool for an open port 53. GRC | ShieldsUP! — Internet Vulnerability Profiling   using the custom port 53.

Would running the nmap command on my public ip from inside my network even produce meaningful results? Wouldn't the scan have to be initiated from outside my network (internet)?

By the way, I just ran the command on my public ip with the following result:

Is that a result one should expect? It worries me a bit that it shows the status on 53 to be open.
But my firewall definitely doesn't have that port open. I also checked with several port checkers.
Is that because I'm on my local network? I mean the devices inside this network can reach DNS on my router...

Yes, because you can reach your external IP via your internal network, and you have access to your internal services via the same internal network, so, from inside, you can see those services against that IP.

Try the GRC scan mentioned by Dan. That's coming from an external network and so all it can see is whatever is exposed at the IP address. That's typically your home router and has firewalling enabled and configured to prevent unsolicited incoming connections.

That's what I meant earlier. Testing from inside the network with nmap doesn't really produce a meaningful result in the context of testing if the dns is an open resolver because port 53 will of course be shown as open.

I already ran GRC and everything is fine :slight_smile:

Kind of. It depends on the router/firewall. If you have a router that does hairpin NAT and sees traffic destined for the WAN IP and intercepts to keep it all on the LAN then effectively there is no difference. If your router can not do hairpin then you'll see the traffic actually go out the WAN interface and try to come back in the WAN interface.

A quick and dirty check that doesn't cover all the bases is to run a traceroute to the WAN IP and see what intermediary hops it passes through.

But in the end a remote check like ShieldsUP will show what ports are seen as open from the internet at large.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.