I have been using Pi-hole for some time and it is amazing.
But yesterday I checked the Pi-hole live tail again via SSH ("pihole -t") after some time and found a lot of strange requests; it looks like a botnet attack (jk1l.ru).
In the normal query log and clients log (besides the scanning servers with 1 request) everything looks normal.
Then I checked my VPS via "tcptrack -i eth0" and only a few IPs are connected to the server.
I don't know how I can block this many requests. I tried some things via "iptables" and contacted my VPS provider, but they can't see any DDoS attack.
If I understand this correctly, your Pi-hole is hosted on a public VPS, and it's open so that your friends can use it? Are the friends logging into the Pi-hole VPS through a VPN?
You can install a VPN server and provide them with authentication details (and of course close port 53). You can set up the VPN server so that it processes ONLY the DNS requests (having no impact on speed at all). That way, only people connected to the VPN DNS will be able to use the Pi-hole as DNS.
You are receiving DNS requests from (what seem like) random IPs.
Yes, exactly. I have Pi-hole installed on a Debian 9 VPS.
My friends use it like me; it is set up globally in our router (FritzBox) to filter everything in the network (like mobile phones).
We don't use a VPN for this. It could help because it is a static IP, but it needs a VPN account for each home.
I also thought about a GeoIP filter in iptables...
This is a very bad practice. Open DNS resolvers are quickly found on the internet and used for a variety of nefarious purposes.
You should close this resolver immediately, or protect it with a VPN. Or, move it to a local device inside your router and firewall and tell your friends to get their own.
In addition to the links in the thread below, you can search the internet for any number of discussions on why open DNS resolvers cause significant problems.
As far as I know it is only possible to set up a VPN server in my router "FritzBox 7390".
This means I can connect with my phone to my home router, but nothing else, like a Tomato router and OpenVPN.
So if I set up a VPN as a DNS shield, I cannot connect with my FritzBox to the VPS by default, only with the devices directly (set up every device).
Maybe the best thing is to buy a Raspberry Pi and have it behind my router only?
Just a quick update from my side; maybe other users will have the same thing.
I turned off the server completely for half a day. The botnet left my DNS because of connection timeouts; this will give me some time to set up the VPN solution. Furthermore, I blocked all ".gov" domains via wildcard in case the bots come back. It seems the FritzBox router only supports IPsec, which is more for company networks (Connecting the FRITZ!Box with a company's VPN | AVM International). This means OpenVPN will not work and I have to find a way for IPsec and the right iptables rules, because I have other services running which I will not block, like owncloud...
I want to install OpenVPN on each device.
So I tried to allow only my city/country IP range for the whole VPS.
This will minimise the attack risk from somewhere else and is maybe a good compromise between VPN...
iptables rules (example):
Before the block rules, I added my VPN provider's static IP address (iptables ACCEPT) in case I cannot connect again (backdoor).
Accept rules:
iptables -A INPUT -s 188.x.x.x -j ACCEPT
Block rules:
City: iptables -A INPUT ! -s 82.165.0.0/16 -j DROP (82.165 is always the same)
Or:
Country: iptables -I INPUT -m geoip --src-cc IN,US,CN,RU -j DROP
Results:
It works; I can connect with my dynamic IP to my internet VPS via SSH and HTTP.
All the other IPs are blocked, tested via VPN provider.
But DNS via port 53 is somehow not reachable; I get no results from Pi-hole, and I don't know why.
I would like to say: hey, everything that is not in my IP range and is not my static VPN provider IP, drop. In the Pi-hole live tail log I can see that my router IP is connected for requests, but I get no results.
This is because the open DNS port works on port 53. The attackers go to this port.
So block everything which is not in my IP range and goes to this port, which is nearly everything.
Maybe we should do the same with IPv6...
I'm not sure why "iptables -A INPUT ! -s 82.165.0.0/16 -j DROP"
does not work, because it's nearly the same...
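Not part of the thread, but a worked illustration of what the posted "! -s 82.165.0.0/16 -j DROP" rule does to Pi-hole's traffic. The rule is stateless: it drops every inbound packet whose source is outside the /16, and that includes the answers coming back from whatever upstream resolver Pi-hole forwards to, as well as anything on loopback. The query from the router (inside the /16) still arrives, which is why it shows up in "pihole -t", but the upstream reply never gets in, so the client gets no result. The thread does not confirm this is the exact cause on the poster's VPS, but it is what that rule does. The Python below walks an INPUT chain the way iptables does (first match wins, default policy ACCEPT) with a minimal connection tracker, and compares the posted rules against a stateful version of the intent stated in the post (drop port 53 for everything outside the range). Only 82.165.0.0/16 comes from the post; every other address is a constructed RFC 5737 stand-in, and 203.0.113.10 stands in for the poster's "188.x.x.x" VPN IP.

```python
# Added model (not code from the thread): walks an iptables INPUT chain the
# way the kernel does (first match wins, policy ACCEPT) with a minimal
# conntrack, to show what a bare `! -s 82.165.0.0/16 -j DROP` does to the
# replies Pi-hole needs from its upstream resolver. 82.165.0.0/16 is from
# the post; every other address is a constructed RFC 5737 stand-in.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int

@dataclass
class Rule:
    target: str                       # ACCEPT or DROP
    src: Optional[str] = None         # -s CIDR
    negate_src: bool = False          # ! -s CIDR
    proto: Optional[str] = None       # -p udp / -p tcp
    dport: Optional[int] = None       # --dport N
    in_iface: Optional[str] = None    # -i lo
    established: bool = False         # -m conntrack --ctstate ESTABLISHED,RELATED

    def matches(self, pkt: Packet, iface: str, is_reply: bool) -> bool:
        if self.in_iface is not None and iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not is_reply:
            return False
        if self.src is not None:
            in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            if in_net == self.negate_src:   # plain -s wants a hit, ! -s wants a miss
                return False
        return True

class Host:
    """A VPS with an INPUT chain and a tracker for flows it initiated."""
    def __init__(self, rules):
        self.rules = rules
        self.expected_replies = set()

    def send(self, pkt: Packet) -> None:
        # OUTPUT is unfiltered in the post; remember the 5-tuple a reply will carry
        self.expected_replies.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))

    def receive(self, pkt: Packet, iface: str = "eth0") -> str:
        is_reply = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.expected_replies
        for rule in self.rules:
            if rule.matches(pkt, iface, is_reply):
                return rule.target
        return "ACCEPT"   # default INPUT policy, untouched by the posted -A/-I rules

HOME_NET = "82.165.0.0/16"      # from the post
ROUTER = "82.165.10.20"         # constructed: the FritzBox, inside HOME_NET
VPS = "198.51.100.5"            # constructed: the Pi-hole VPS
VPN_BACKDOOR = "203.0.113.10"   # constructed stand-in for the post's 188.x.x.x
UPSTREAM = "192.0.2.53"         # constructed: whatever Pi-hole forwards to
SCANNER = "192.0.2.99"          # constructed: a random internet host

# The rules as posted: accept the backdoor IP, then drop any other source.
POSTED_RULES = [
    Rule("ACCEPT", src=VPN_BACKDOOR),
    Rule("DROP", src=HOME_NET, negate_src=True),
]

# Stateful variant of the intent in the post ("drop everything not in my range
# that goes to port 53"). Equivalent iptables lines, in this order:
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -s 203.0.113.10 -j ACCEPT
#   iptables -A INPUT ! -s 82.165.0.0/16 -p udp --dport 53 -j DROP
#   iptables -A INPUT ! -s 82.165.0.0/16 -p tcp --dport 53 -j DROP
STATEFUL_RULES = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", src=VPN_BACKDOOR),
    Rule("DROP", src=HOME_NET, negate_src=True, proto="udp", dport=53),
    Rule("DROP", src=HOME_NET, negate_src=True, proto="tcp", dport=53),
]

def simulate(rules) -> dict:
    """Run the traffic mix from the thread through a chain; return verdicts."""
    vps = Host(rules)
    v = {}
    v["router query"] = vps.receive(Packet(ROUTER, VPS, "udp", 40000, 53))
    # Pi-hole forwards the query upstream; the answer has to get back in
    vps.send(Packet(VPS, UPSTREAM, "udp", 51234, 53))
    v["upstream reply"] = vps.receive(Packet(UPSTREAM, VPS, "udp", 53, 51234))
    v["scanner query"] = vps.receive(Packet(SCANNER, VPS, "udp", 1337, 53))
    v["scanner http"] = vps.receive(Packet(SCANNER, VPS, "tcp", 1338, 80))
    v["backdoor ssh"] = vps.receive(Packet(VPN_BACKDOOR, VPS, "tcp", 50000, 22))
    v["loopback"] = vps.receive(Packet("127.0.0.1", "127.0.0.1", "tcp", 45000, 80), iface="lo")
    return v

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("stateful", STATEFUL_RULES)):
        print(name)
        for k, verdict in simulate(rules).items():
            print(f"  {k:15} {verdict}")
```

Running it shows the posted chain accepting the router's query but dropping the upstream reply and loopback, while the stateful chain lets replies and loopback through, still drops stray port-53 queries from outside the range, and leaves other services (the "scanner http" row) reachable, which is what the post asks for with owncloud. On the real VPS the fix is the five commands in the comment, with the two ACCEPT rules placed before any DROP; if the VPS has a public IPv6 address, the same ordering is needed in ip6tables with the IPv6 prefix in place of 82.165.0.0/16.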