Listen on all interfaces, permit all origins

I’ve got pihole set up on a virtual server and allowed port 53 on the firewall. It is accessible on the internet and works great.

Secondly, I’ve got WireGuard VPN on the same server and use pihole to serve DNS to my VPN clients. As the VPN traffic comes in through a different interface, I must set DNS to the public IP unless I tell pihole to “Listen on all interfaces”; then I can use the private IP of the server and this works :grin:

There is, however, a warning message about doing so, but I cannot understand what risks are involved. Internet traffic can already use my server for DNS if they wish, and the other interface is only available to VPN clients, so I can’t see what the problem might be. Is there something I am missing?

“Note that the last option should not be used on devices which are directly connected to the Internet”

We don't provide any support for open resolvers. There is a very high likelihood that you'll be used in attacks on other DNS servers.

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
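The reply above says an Internet-facing resolver will be "used in attacks on other DNS servers"; the linked article explains the mechanism as reflection plus amplification. The following is an added example, not code from this thread or from the Pi-hole project: it builds the kind of small EDNS0 "ANY" query an attacker reflects off an open resolver, parses the reply, and reports whether the responder behaves like an open recursive resolver and how many bytes of response each byte of query buys. The responses it checks by default are constructed in the script; the optional `probe()` sends the real query to an address you pass on the command line (run it from outside your network). `example.com`, the transaction id and the record contents are assumptions for illustration.

```python
"""Open-resolver / DNS amplification check (added example, not Pi-hole code)."""
import socket
import struct
import sys
from typing import Optional


def build_query(name: str, qtype: int = 255, txid: int = 0x1234, udp_payload: int = 4096) -> bytes:
    """Standard query with RD=1 plus an EDNS0 OPT record advertising a large UDP
    payload, which is what amplification attacks use to maximise the reply.
    qtype 255 is ANY; 1 is A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # root name, OPT, payload size, TTL/flags, rdlen
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query: bytes, resp: bytes) -> dict:
    """An open recursive resolver answers outsiders with RA set, NOERROR and records.
    An ACL-protected one answers REFUSED (rcode 5) with RA clear; a firewalled one
    sends nothing at all (probe() returns None)."""
    h = parse_header(resp)
    if h["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return {
        "open_resolver": h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0,
        "rcode": h["rcode"],
        "answers": h["ancount"],
        "amplification": round(len(resp) / len(query), 1),  # response bytes per query byte
    }


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> Optional[dict]:
    """Send the query over UDP; None means the packet was dropped (good)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return classify(q, resp)


# --- constructed responses, used only to exercise the parser offline ---------

def make_txt_rr(text: str, ttl: int = 300) -> bytes:
    """Encoded TXT RR whose owner name is a compression pointer to the question (offset 12)."""
    data = text.encode()
    rdata = bytes([len(data)]) + data  # one <len><chars> string (max 255 bytes)
    return b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, rrs: list, ra: bool = True, rcode: int = 0) -> bytes:
    """Constructed stand-in for a resolver's reply: same txid and question, given answers."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)  # QR | RD | RA? | RCODE
    end = query.index(b"\x00", 12) + 1 + 4  # end of QNAME, then QTYPE+QCLASS
    return struct.pack("!HHHHHH", txid, flags, qd, len(rrs), 0, 0) + query[12:end] + b"".join(rrs)


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed: an open resolver returning three fat TXT records for a 40-byte query
    fat = build_response(q, [make_txt_rr("v=spf1 " + "x" * 200)] * 3)
    print("open resolver:", classify(q, fat))
    # Constructed: a resolver that refuses outsiders (REFUSED, RA clear)
    print("refusing resolver:", classify(q, build_response(q, [], ra=False, rcode=5)))
    if len(sys.argv) > 1:
        print("live probe of", sys.argv[1], "->", probe(sys.argv[1]))
```

The number to watch is `amplification`: the reflected reply is sent to a spoofed source address, so a resolver that turns a 40-byte query into several hundred bytes is doing the attacker's bandwidth multiplication for them, which is why the warning treats any Internet-reachable resolver as a liability regardless of which interfaces it listens on.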

Ahhh okay, so the warning message is about potentially exposing the DNS service to the internet, not about making things less secure when the service is already on the internet. Is that correct?

It did feel risky to expose the service in the first place, tbh. Thanks for getting back to me

If pihole is already directly connected to the internet without a proper firewall, this is already insecure and risky. Setting "Listen on all interfaces, permit all origins" doesn't make it worse - it was already bad before.
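What "a proper firewall" looks like for the setup in this thread, as an added example that is not from the thread or from the Pi-hole project: an nftables ruleset that lets Pi-hole answer DNS only on the WireGuard interface and drops port 53 on the public side, so "Listen on all interfaces, permit all origins" no longer means "open resolver". The interface names `eth0` and `wg0`, the WireGuard port 51820 and the SSH rule are assumptions; adjust them to your server.

```nft
# /etc/nftables.conf fragment (assumed path): DNS for VPN clients only
table inet pihole_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept

        # WireGuard must stay reachable from the Internet (assumed listen port)
        iifname "eth0" udp dport 51820 accept
        # Management access; narrow the source address if you can
        iifname "eth0" tcp dport 22 accept

        # Pi-hole answers DNS for VPN clients only, never on the public interface
        iifname "wg0" udp dport 53 accept
        iifname "wg0" tcp dport 53 accept
        # Port 53 arriving on eth0 matches nothing above and is dropped by the policy
    }
}
```

Load it with `nft -f /etc/nftables.conf` and verify from a host outside your network: `dig @<public IP> example.com` should time out rather than answer, while the same query from a connected VPN client against the server's `wg0` address should resolve. Dropping rather than rejecting on the public side also avoids sending any reply that could itself be reflected.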

Okay, brill, thanks for clarifying. The link was a good read as well :+1: