Nginx error404 from pihole

This bit below:

That should do it?

That did the trick:

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
;; connection timed out; no servers could be reached

Now make it persistent by putting it in for example new file:

/etc/network/if-pre-up.d/my-iptables-rules

EDIT: Ohw you might want to add the interface to that iptables rule or else all DNS traffic gets dropped.

Reboot and test with openresolver.com.

Ohw I forgot one thing, DNS is closed now for UDP that's used for the amp attacks.
But TCP is still open for the public just so you know:

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

Also not really advised to do so :wink:

Oh I'll edit it in a bit :stuck_out_tongue_closed_eyes:

Btw when visiting https://pihole.deltabot.me/ I still get an error, I can't get the error404 to appear there. I even put the error404 index.html in /var/www/html/

Does anyone have any suggestions?

Btw the openresolver thing is ok for now, it's not really a big issue for me and it almost broke my pihole so xD

Visiting a bare root URL like your link will automatically redirect to /admin/. You will not see the block page for https as that's considered a man-in-the-middle attack, unless your clients have your Certificate Authority installed in their browsers.

Mhm, interesting, I've never realised that would be a thing with PiHole.
So, I still would prefer to show the user the error404, that has the link to the correct page /admin/. Would that still be possible with some small code edits?
Or, to have the / redirect to /admin/? Currently showing that error isn't preferable :slight_smile:

https://pihole.deltabot.me/ already redirects to https://pihole.deltabot.me/admin/

If you want it to do / show something else then you will need to modify the webserver to do as such.

Hey Dan,

I don't know how this happened, but you're totally right! I tried a clean browser (no cookies etc) and for me and my phone it didn't redirect it to /admin/.

I'm super happy with the result and can't thank each of you enough for all your help and time you've put into answering my questions!

One final thing I might be able to submit a pull for, is to add the same favicon from /admin/ to this page:

If that's ok I can see if I can submit a pull for that :slight_smile:

PS.
https://www.openresolver.nl/?host=deltabot.me
https://www.openresolver.nl/?host=pihole.deltabot.me
Both are now good @deHakkelaar!


Oops I gave you that heart too quickly.
No, it's worse.
UDP is open again:

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

And TCP as well so you know:

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

Mhm strange, I did encounter issues with Cloudflare with my website when I did that. I think it's b/c Cloudflare and my webserver need to use that port:
image
( I can always try again if you think I'm wrong :slight_smile: )

As long as you run an open resolver, you're susceptible to participating in a DDoS attack.
They will find your server quick enough and you'll be wondering where the load and queries are coming from.
Worst case, your server gets kicked by the VPS provider.

Mm ok, I'll try to once again block it and see if my website goes down.


I'm sorry but I do think the port is really needed for Cloudflare to work properly.
Don't worry about DDoS however, we only permit remote login of specific user accounts and for those few accounts we only use keys.
We also run fail2ban and we have a DDoS protection service, so in terms of security I think we should be ok (we also run the latest modern Linux OS)

I hope you're ok that I'm gonna remove the two blocks; is it not possible to block it on the OUTPUT?

iptables -I INPUT -p tcp --dport 53 -j DROP
iptables -I INPUT -p udp --dport 53 -j DROP

As said before:

Best is to close down everything with the firewall and only allow trusted IPs.
Trusted IPs could be the servers from Cloudflare who are hitting your DNS setup.
Let Cloudflare take the full brunt of a DDoS attack if any.

Some poor advice maybe but try installing some text based Firewall software on the VPS:

apt search firewall

And configure the firewall to only allow the Cloudflare servers to connect to 53 UDP & TCP.
I can't advise you on which one because the way I set up a firewall (if needed) is way more complicated and a bit difficult to explain here.

Sorry, had to twice before I realised what I was doing.

iptables -t filter -A FORWARD -d 1.0.0.1 -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -d 1.1.1.1 -p udp --dport 53 -j ACCEPT

iptables -t filter -A FORWARD -d 1.0.0.1 -p tcp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -d 1.1.1.1 -p tcp --dport 53 -j ACCEPT

iptables -t filter -A FORWARD -d 127.0.0.1 -p udp --dport 53 -j ACCEPT

iptables -t filter -A FORWARD -d 127.0.0.1 -p tcp --dport 53 -j ACCEPT

iptables -t filter -A FORWARD -p udp --dport 53 -j DROP

This should do the trick.

It's still open:

pi@noads:~ $ date && dig +short test.openresolver.com TXT @64.52.86.238
Thu 28 Feb 22:58:48 CET 2019
"open-resolver-detected"

EDIT: Ohw and I don't believe 1.0.0.1 and 1.1.1.1 are the ones hitting you.
Check your Pi-hole logs when testing eg:

pihole -t

Or:

grep <DOMAIN_NAME> /var/log/pihole.log

Or check Cloudflare web site for instructions/server lists etc.
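As an added example (not Pi-hole's own tooling and not posted by anyone in this thread), the check suggested above can be done over the whole log rather than by grepping one domain: parse the dnsmasq-style lines in /var/log/pihole.log and report every query whose source address is outside the networks you consider trusted. The trusted list and the sample log lines are constructed for the example; the outside source uses the 203.0.113.0/24 documentation range.

```python
"""Flag DNS queries that reached Pi-hole from outside the trusted networks.

Added example for this thread (not Pi-hole's own tooling).  It parses the
dnsmasq-style lines in /var/log/pihole.log, the file the thread suggests
grepping, and reports every 'query[...]' line whose source address is not in
an allow-list.  The allow-list and the sample log lines below are constructed
for the example; the outside source address is a documentation range.
"""
import ipaddress
import re
from collections import Counter

# dnsmasq query line, e.g.
#   Feb 28 22:58:48 dnsmasq[543]: query[TXT] test.openresolver.com from 203.0.113.7
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)

# Assumed trusted clients: loopback plus one LAN range.  Adjust to your network.
TRUSTED = [ipaddress.ip_network(c) for c in ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]


def parse_query(line):
    """Return the fields of a dnsmasq query line, or None for any other line
    (forwarded/reply/cached lines are ignored)."""
    m = QUERY_RE.match(line.rstrip())
    return m.groupdict() if m else None


def is_trusted(src, trusted=TRUSTED):
    """True if src parses as an address inside one of the trusted networks.
    Anything that does not parse is treated as untrusted, never silently allowed."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def find_untrusted_queries(lines, trusted=TRUSTED):
    """Query records whose source is outside the trusted networks, in log order."""
    hits = []
    for line in lines:
        q = parse_query(line)
        if q and not is_trusted(q["src"], trusted):
            hits.append(q)
    return hits


def sources_by_count(hits):
    """Counter of untrusted source address -> number of queries."""
    return Counter(q["src"] for q in hits)


# Constructed sample in the format of /var/log/pihole.log.  203.0.113.7 is a
# documentation address standing in for an unknown Internet host.
SAMPLE_LOG = """\
Feb 28 22:58:48 dnsmasq[543]: query[A] pi.hole from 192.168.1.20
Feb 28 22:58:48 dnsmasq[543]: /etc/pihole/local.list pi.hole is 192.168.1.2
Feb 28 22:58:49 dnsmasq[543]: query[TXT] test.openresolver.com from 203.0.113.7
Feb 28 22:58:49 dnsmasq[543]: forwarded test.openresolver.com to 1.1.1.1
Feb 28 22:58:49 dnsmasq[543]: reply test.openresolver.com is <TXT>
Mar  1 18:55:31 dnsmasq[543]: query[TXT] example.net from 203.0.113.7
Mar  1 18:55:32 dnsmasq[543]: query[A] example.com from 127.0.0.1
"""

if __name__ == "__main__":
    hits = find_untrusted_queries(SAMPLE_LOG.splitlines())
    for q in hits:
        print(f"{q['ts']}  {q['src']:>15}  {q['qtype']:<5} {q['name']}")
    for src, n in sources_by_count(hits).most_common():
        print(f"{src}: {n} queries from outside the trusted networks")
```

Run it against the real file with `find_untrusted_queries(open("/var/log/pihole.log"))` while you repeat the dig test from another network; the sources it lists are the ones your firewall allow-list has to account for, and anything you do not recognise is what an open resolver attracts.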

I forwarded this to a friend of mine; we will look, when we have time, at which iptables commands have to be inserted to only permit Cloudflare's IPs on port 53 and deny the rest.

https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-

https://www.cloudflare.com/ips-v4

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

https://www.cloudflare.com/ips-v6

2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
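An added example that ties together the persistence file suggested earlier (/etc/network/if-pre-up.d/my-iptables-rules), the interface caveat, and the "only allow trusted IPs on 53" advice: a small generator, written for this thread and not Pi-hole's or any poster's code, that builds an INPUT-chain allow-list for port 53 and renders it as the sh script to drop into that directory. It takes the Cloudflare ranges listed above as the default trusted list purely as the example allow-list; which sources actually query the resolver is something to confirm from the Pi-hole log first, as noted earlier. The LAN range and the interface name `eth0` are assumptions. Rules go in INPUT because packets addressed to the host itself are never evaluated in FORWARD, and the `verdict` helper walks the list the way netfilter does so you can check a packet's fate before touching the live firewall.

```python
"""Build an iptables allow-list for port 53 on a Pi-hole host and render it as
the sh script the thread suggests keeping in /etc/network/if-pre-up.d/.

Added example for this thread, not code from Pi-hole or from any poster.  The
default trusted ranges are the Cloudflare IPv4/IPv6 lists quoted in the thread;
LAN range and interface name are assumptions.  Rules live in the INPUT chain:
packets addressed to the host itself never traverse FORWARD.
"""
import ipaddress

# Cloudflare ranges as quoted in the thread (cloudflare.com/ips-v4 and /ips-v6).
CLOUDFLARE = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


def build_dns_rules(trusted=CLOUDFLARE, lan="192.168.1.0/24", iface="eth0"):
    """Return an ordered rule list for port 53 (first match wins, as in netfilter).

    ACCEPT for each trusted network and the (IPv4) LAN, ACCEPT on loopback so the
    host's own lookups keep working, then DROP everything else arriving on
    `iface`.  A DROP without `-i` would also hit loopback, which is the
    interface caveat raised earlier in the thread.
    """
    nets = [ipaddress.ip_network(c) for c in trusted]      # ValueError on a typo
    nets.append(ipaddress.ip_network(lan))
    rules = []
    for proto in ("udp", "tcp"):
        for net in nets:
            rules.append({"version": net.version, "iface": iface, "proto": proto,
                          "src": net, "target": "ACCEPT"})
        for version in (4, 6):
            rules.append({"version": version, "iface": "lo", "proto": proto,
                          "src": None, "target": "ACCEPT"})
        for version in (4, 6):
            rules.append({"version": version, "iface": iface, "proto": proto,
                          "src": None, "target": "DROP"})
    return rules


def rule_spec(rule):
    """The arguments after -A/-C for one rule."""
    src = f" -s {rule['src']}" if rule["src"] is not None else ""
    return f"INPUT -i {rule['iface']} -p {rule['proto']} --dport 53{src} -j {rule['target']}"


def render_script(rules):
    """sh script for /etc/network/if-pre-up.d/.  Each rule is appended only if
    `-C` (check) reports it absent, so re-running at boot or by hand does not
    pile up duplicates."""
    lines = ["#!/bin/sh", "# DNS allow-list generated by the example script; idempotent via -C"]
    for rule in rules:
        tool = "iptables" if rule["version"] == 4 else "ip6tables"
        spec = rule_spec(rule)
        lines.append(f"{tool} -C {spec} 2>/dev/null || {tool} -A {spec}")
    return "\n".join(lines) + "\n"


def verdict(rules, src_ip, in_iface, proto):
    """Walk the rule list as netfilter would for one incoming port-53 packet.
    Returns the target of the first matching rule, or ACCEPT when nothing
    matches (INPUT policy ACCEPT, the state the thread's host is in)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["version"] != ip.version or r["iface"] != in_iface or r["proto"] != proto:
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        return r["target"]
    return "ACCEPT"


if __name__ == "__main__":
    print(render_script(build_dns_rules()))
```

Save the printed script as the persistence file and make it executable. Because the ACCEPTs are appended with `-A`, any earlier `iptables -I INPUT ... --dport 53 -j DROP` rules from the thread must be removed first, or they stay ahead of the ACCEPTs and everything is still dropped. Then repeat the `dig` tests from the thread (plain and `+tcp`) from outside the trusted ranges.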

It's still open:

pi@noads:~ $ date
Fri  1 Mar 18:55:31 CET 2019

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short version.bind TXT @64.52.86.238 CHAOS
"dnsmasq-pi-hole-2.80"

pi@noads:~ $ dig +short pi.hole @64.52.86.238
64.52.86.238

They will find you soon or they might have already!