Massive requests - tail log (open DNS resolver)

Hello guys,

I have been using Pi-hole for some time and it is amazing.
But yesterday I checked the Pi-hole live tail again after some time via SSH ("pihole -t") and found a lot of strange requests; it looks like a botnet attack (jk1l.ru).

In the normal query log and clients log (apart from the scanning servers with 1 request) everything looks normal.
Then I checked my VPS via "tcptrack -i eth0", and only a few IPs are connected to the server.

I don't know how I can block this many requests. I tried some things via "iptables" and contacted my VPS provider, but they can't see any DDoS attack.


It would be great if you have some idea to help me.

Thanks guys

Debug Token: jr4he3bs9k

It would be best if you close port 53 from being exposed to the web ...

Looks like indeed someone is using your DNS server (Pi-hole in this case) for all those requests.

1 Like

Hi RamSet,

Thanks for your response.

I have a dynamic IP address, and some friends also use the Pi-hole VPS.
If I close the port, they will have no access to this wonderful filter.

But I tried to close the port via iptables, command: "-A INPUT -p tcp -m tcp -m multiport -j DROP ! --dports 10000,80,8080,3000,22"


Via SSH I can see that I still have requests. The port scanner told me that port 53 is closed.

What can I do guys?

Thank you

If I understand this correctly, your Pi-Hole is hosted on a public VPS, and it's open so that your friends can use it? Are the friends logging into the Pi-Hole VPS through a VPN?

You can install a VPN server and provide them with authentication details (and of course close 53). You can set up the VPN server so that it processes ONLY the DNS requests (having no impact on speed at all). That way, only people connected to the VPN DNS will be able to use the Pi-hole as DNS.

You are receiving DNS requests from (what seem like) random IPs:

ip: "70.94.80.51"
hostname: "cpe-70-94-80-51.kc.res.rr.com"
city: "Grandview"
region: "Missouri"
country: "US"
loc: "38.8858,-94.5330"
postal: "64030"
name: "Time Warner Cable Internet LLC"
domain: "twcable.com"
route: "70.94.0.0/17"
type: "isp"

ip: "77.218.254.152"
hostname: "m77-218-254-152.cust.tele2.se"
city: "Stockholm"
region: "Stockholm"
country: "SE"
loc: "59.3333,18.0500"
postal: "173 11"
asn: "AS1257"
name: "TELE2"
domain: "tele2.com"
route: "77.216.0.0/14"

If these are NOT your friends (and I doubt that both or all of them are querying for that domain), your iptables rule does not work.

Consider a VPN server ...
Here is a guide to get you started:

https://docs.pi-hole.net/guides/vpn/overview/
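To make the "is my resolver open?" check concrete, here is an added example (not code from the thread or from the Pi-hole project) that parses a constructed excerpt of Pi-hole's dnsmasq log, the file that "pihole -t" tails, and reports which clients fall outside the networks you consider your own, what share of queries they account for, and whether one name queried with type ANY dominates, which is the usual amplification pattern. The home range 82.165.0.0/16 and the two foreign clients 70.94.80.51 and 77.218.254.152 come from the thread; the upstream address 203.0.113.53, the client 192.0.2.9 and all domain names other than jk1l.ru are hypothetical.

```python
"""Added example (not from the thread): audit a slice of Pi-hole's dnsmasq log
for signs that the resolver is reachable from the internet.  The log lines are
constructed; 82.165.0.0/16 is the poster's home range, 70.94.80.51 and
77.218.254.152 are the foreign clients shown in the thread, and the remaining
addresses and names are hypothetical."""
import ipaddress
import re
from collections import Counter

# dnsmasq logs one line per query: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample of /var/log/pihole.log (what "pihole -t" shows).
SAMPLE_LOG = """\
Apr 18 09:12:01 dnsmasq[2210]: query[A] router.example.org from 82.165.10.20
Apr 18 09:12:01 dnsmasq[2210]: forwarded router.example.org to 203.0.113.53
Apr 18 09:12:02 dnsmasq[2210]: query[ANY] jk1l.ru from 70.94.80.51
Apr 18 09:12:02 dnsmasq[2210]: query[ANY] jk1l.ru from 70.94.80.51
Apr 18 09:12:02 dnsmasq[2210]: query[ANY] jk1l.ru from 77.218.254.152
Apr 18 09:12:03 dnsmasq[2210]: query[ANY] jk1l.ru from 70.94.80.51
Apr 18 09:12:03 dnsmasq[2210]: query[A] www.example.org from 82.165.10.20
Apr 18 09:12:03 dnsmasq[2210]: query[ANY] jk1l.ru from 77.218.254.152
Apr 18 09:12:04 dnsmasq[2210]: query[A] scanner.example.net from 192.0.2.9
Apr 18 09:12:04 dnsmasq[2210]: query[AAAA] www.example.org from 82.165.10.20
Apr 18 09:12:05 dnsmasq[2210]: query[A] localhost from 127.0.0.1
""".splitlines()


def parse_queries(lines):
    """Yield (qtype, name, client) for every query line; other lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["qtype"], m["name"].lower(), m["client"]


def is_trusted(client, trusted_nets):
    """Loopback and anything inside the configured networks counts as 'ours'."""
    addr = ipaddress.ip_address(client)
    return addr.is_loopback or any(addr in net for net in trusted_nets)


def audit(lines, trusted_cidrs):
    """Summarise who is using the resolver and what they ask for."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    per_client, per_domain, per_qtype = Counter(), Counter(), Counter()
    for qtype, name, client in parse_queries(lines):
        per_client[client] += 1
        per_domain[name] += 1
        per_qtype[qtype] += 1
    total = sum(per_client.values())
    foreign = {c: n for c, n in per_client.items() if not is_trusted(c, trusted)}
    top_domain, top_count = per_domain.most_common(1)[0] if total else ("", 0)
    return {
        "total": total,
        "foreign_clients": foreign,
        "foreign_share": round(sum(foreign.values()) / total, 2) if total else 0.0,
        "top_domain": top_domain,
        "top_domain_share": round(top_count / total, 2) if total else 0.0,
        "any_queries": per_qtype["ANY"],
    }


def open_resolver_suspected(report, min_foreign_share=0.2):
    """Any foreign client at all proves port 53 is reachable from the internet;
    a large foreign share is the sign that the resolver is being abused."""
    return bool(report["foreign_clients"]) and report["foreign_share"] >= min_foreign_share


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ["82.165.0.0/16"])
    for key, value in report.items():
        print(f"{key:18} {value}")
    print("open resolver suspected:", open_resolver_suspected(report))
```

On a real box the same call is audit(open("/var/log/pihole.log"), ["82.165.0.0/16", ...]) with every network your friends connect from; a single foreign client with one query is a scanner, while several foreign clients hammering one name with ANY queries is the amplification traffic the thread describes.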

Hi jfb,

Yes, exactly: I have Pi-hole installed on a Debian 9 VPS.
My friends use it like me; it's set up globally in our routers (FritzBox) to filter everything in the network (like mobile phones).

We don't use a VPN for this; it could help because it's a static IP, but it needs a VPN account for each home.
I also thought of a GeoIP filter in iptables...

Thanks

This is a very bad practice. Open DNS resolvers are quickly found on the internet and used for a variety of nefarious purposes.

You should close this resolver immediately, or protect it with a VPN. Or, move it to a local device inside your router and firewall and tell your friends to get their own.

In addition to the links in the thread below, you can search the internet for any number of discussions on why open DNS resolvers cause significant problems.

1 Like

Hi guys,

As far as I know, it is only possible to set up a VPN server in my router "FritzBox 7390".
This means I can connect to my home router with my phone, but nothing else, like a Tomato router with OpenVPN.

So if I set up a VPN as a DNS shield, I cannot connect to the VPS with my FritzBox by default, only with the devices directly (set up every device).

Maybe the best thing is to buy a Raspberry Pi and have it behind my router only?

Thanks for your quick help - amazing

You should install the VPN on the VPS.

Open the VPN connection (for DNS resolution only) to the VPS hosting the Pi-hole and VPN.

There is a way to run the VPN server for DNS queries only. No traffic re-routing or masking (instructions are in the guide above).

2 Likes

Thanks a lot, I will check this out. :wink:
I also have other services on my VPS, like ownCloud, but with iptables it should work.

Just a quick update from my side; maybe other users will have the same thing.

I turned off the server completely for half a day. The botnet left my DNS because of connection timeouts; this will give me some time to set up the VPN solution. Furthermore, I blocked all ".gov" domains via wildcard in case the bots come back.

It seems the FritzBox router only supports IPsec, which is more for company networks (Connecting the FRITZ!Box with a company's VPN | AVM International). This means OpenVPN will not work, and I have to find a way for IPsec and the right iptables rules, because I have other services running which I do not want to block, like ownCloud...

1 Like

Even if the VPS were behind your FritzBox, having OpenVPN installed (on the VPS) should not matter to the FritzBox.

All that your FritzBox would do, is forward the traffic on the set VPN port, to the server, regardless of content, protocol or encryption.

If you can port forward, you should have no problems running/using OpenVPN.

1 Like

Hi Ramset,

Thanks for your quick feedback.

I don't know if I have understood it right.

This is my current setup:

I want to install OpenVPN on each device.
So I tried to allow only my city/country IP range for the whole VPS.
This will minimise the attack risk from somewhere else and is maybe a good compromise compared to a VPN...

iptables rules (example):

Before the block rules, I added my VPN provider (iptables ACCEPT) with a static IP address in case I cannot connect again (a back door).

Accept rules:

iptables -A INPUT -s 188.x.x.x -j ACCEPT

Block rules:

City: iptables -A INPUT ! -s 82.165.0.0/16 -j DROP (82.165 is always the same)

Or:

Country: iptables -I INPUT -m geoip --src-cc IN,US,CN,RU -j DROP

Results:

It works: I can connect with my dynamic IP to my internet VPS via SSH and HTTP.
All the other IPs are blocked, tested via VPN provider.
But DNS via port 53 is somehow not reachable; I get no results from Pi-hole, but I don't know why.

I would like to say: hey, everything that is not in my IP range and is not my static VPN provider IP, drop.
In the Pi-hole live tail log I can see that my router IP is connected for requests, but I get no results.

Thanks guys for this amazing help.

Cheers

I tried to repair my installation via pihole -r,
and with the city rule above got the message

DNS resolution is currently not available.
My Debian 9 VPS generates the following file in /etc/resolv.conf (image attached).

Maybe this will help a lot to figure out whats going on.

Cheers and thanks

Hello guys,

I guess I have found a solution; until now it looks very good.
Furthermore I have confirmed this via my VPN provider.

So the city dynamic IP iptables rules have to look like this:

iptables -A INPUT -p tcp -m tcp ! -s 82.165.0.0/16 --dport 53 -j DROP
iptables -A INPUT -p udp -m udp ! -s 82.165.0.0/16 --dport 53 -j DROP

More about IP range: https://www.mediawiki.org/wiki/Help:Range_blocks

This is because the open DNS resolver works on port 53. The attackers go to this port.
So block everything which is not in my IP range and goes to this port, which is nearly everything.

Maybe we should do the same with IPv6...

I'm not sure why iptables -A INPUT ! -s 82.165.0.0/16 -j DROP
did not work, because it's nearly the same...

Cheers
Gitulu
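The thread tries three rule sets in turn: a TCP-only multiport DROP (which never sees UDP DNS queries), a blanket "! -s 82.165.0.0/16 -j DROP" (which also drops the replies the VPS's own resolver gets back from its upstream, so Pi-hole stops resolving), and finally the port-53-only rules for both TCP and UDP. The added example below, which is not code from the thread or from the Pi-hole project, models an iptables INPUT chain in a few lines of Python and replays all three rule sets, plus the blanket rule with a conntrack ESTABLISHED rule in front of it, against constructed packets. 82.165.0.0/16, 70.94.80.51 and 77.218.254.152 come from the thread; the VPN back-door address 198.51.100.7, the upstream resolver 203.0.113.53 and the friend's client 82.165.10.20 are hypothetical. The render() method prints the equivalent iptables command, so the model can be checked against the real syntax.

```python
"""Added example (not from the thread): a minimal model of an iptables INPUT
chain, used to replay the rule sets discussed in the thread against constructed
packets.  Addresses: 82.165.0.0/16 is the poster's home range; 70.94.80.51 and
77.218.254.152 are foreign clients seen in the thread; 198.51.100.7 (VPN back
door) and 203.0.113.53 (upstream resolver) are hypothetical TEST-NET addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # source CIDR; None matches any source
    negate_src: bool = False       # True renders as "! -s CIDR"
    proto: Optional[str] = None    # tcp / udp / None (any)
    dports: tuple = ()             # destination ports; () matches any port
    negate_dports: bool = False    # True renders as "! --dport(s) ..."
    established: bool = False      # -m conntrack --ctstate ESTABLISHED,RELATED

    def matches(self, pkt: dict) -> bool:
        """Every configured match must hold; negations invert the source/port test."""
        if self.src is not None:
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            if hit == self.negate_src:
                return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dports:
            hit = pkt["dport"] in self.dports
            if hit == self.negate_dports:
                return False
        if self.established and pkt["state"] not in ("ESTABLISHED", "RELATED"):
            return False
        return True

    def render(self, cmd: str = "iptables") -> str:
        """The equivalent command line (use cmd="ip6tables" for the IPv6 twin)."""
        parts = [cmd, "-A", "INPUT"]
        if self.established:
            parts += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src is not None:
            parts += (["!"] if self.negate_src else []) + ["-s", self.src]
        if self.dports:
            if len(self.dports) > 1:
                parts += ["-m", "multiport"]
            flag = "--dport" if len(self.dports) == 1 else "--dports"
            parts += (["!"] if self.negate_dports else []) + [flag, ",".join(map(str, self.dports))]
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides, as in a real chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


HOME, VPN = "82.165.0.0/16", "198.51.100.7"

# 1) First attempt: TCP-only multiport rule.  DNS queries are mostly UDP, so it never fires.
TCP_ONLY = [Rule("DROP", proto="tcp", dports=(10000, 80, 8080, 3000, 22), negate_dports=True)]
# 2) Second attempt: drop everything not from home.  Also drops the upstream resolver's replies.
BROAD = [Rule("ACCEPT", src=VPN + "/32"), Rule("DROP", src=HOME, negate_src=True)]
# 2b) Same idea with conntrack first, so replies to the VPS's own queries get back in.
BROAD_WITH_CONNTRACK = [Rule("ACCEPT", established=True)] + BROAD
# 3) The working version from the thread: restrict only port 53, on both transports.
DNS_ONLY = [
    Rule("ACCEPT", src=VPN + "/32"),
    Rule("DROP", proto="tcp", src=HOME, negate_src=True, dports=(53,)),
    Rule("DROP", proto="udp", src=HOME, negate_src=True, dports=(53,)),
]

# Constructed packets as the INPUT chain would see them.
PACKETS = {
    "bot query":      {"src": "70.94.80.51",    "proto": "udp", "dport": 53,    "state": "NEW"},
    "friend query":   {"src": "82.165.10.20",   "proto": "udp", "dport": 53,    "state": "NEW"},
    "upstream reply": {"src": "203.0.113.53",   "proto": "udp", "dport": 40123, "state": "ESTABLISHED"},
    "foreign ssh":    {"src": "77.218.254.152", "proto": "tcp", "dport": 22,    "state": "NEW"},
}


def replay(chain):
    """Verdict for every sample packet under the given chain."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in [("tcp only", TCP_ONLY), ("broad", BROAD),
                         ("broad + conntrack", BROAD_WITH_CONNTRACK), ("dns only", DNS_ONLY)]:
        print(f"{label}: {replay(chain)}")
        for rule in chain:
            print("   ", rule.render())
```

The replay shows why the thread's middle attempt failed: the blanket rule drops the upstream resolver's answer (source 203.0.113.53 is not in the home range) before Pi-hole ever sees it, which is exactly the "DNS resolution is currently not available" symptom; putting an ESTABLISHED,RELATED ACCEPT in front fixes that while still closing SSH and everything else to strangers. The port-53-only rules leave the other services reachable, which is what the poster wanted, but they also leave SSH open to the whole internet. The same Rule objects rendered with cmd="ip6tables" and an IPv6 home prefix give the IPv6 twin the last post asks about.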

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.