Nginx error404 from pihole

It's still open:

pi@noads:~ $ date && dig +short test.openresolver.com TXT @64.52.86.238
Thu 28 Feb 22:58:48 CET 2019
"open-resolver-detected"

EDIT: Oh, and I don't believe 1.0.0.1 and 1.1.1.1 are the ones hitting you.
Check your Pi-hole logs when testing, e.g.:

pihole -t

Or:

grep <DOMAIN_NAME> /var/log/pihole.log

Or check Cloudflare web site for instructions/server lists etc.

https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-

https://www.cloudflare.com/ips-v4

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

https://www.cloudflare.com/ips-v6

2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
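The log check suggested above can be automated. The following is an added example (not code from the thread or from the Pi-hole project): it reads dnsmasq-style query lines as written to /var/log/pihole.log and flags every query whose source address is outside your own LAN, which is exactly what an open resolver shows. The LAN ranges and the sample log lines are constructed for the example; adjust LAN_NETWORKS to your own subnets.

```python
"""Added example: find DNS queries reaching a Pi-hole from outside the LAN.

Parses dnsmasq "query[TYPE] name from source" lines (the format used in
/var/log/pihole.log).  LAN_NETWORKS and SAMPLE_LOG are constructed here and
are not taken from the thread or the Pi-hole project.
"""
import ipaddress
import re

# dnsmasq query line, e.g.
#   Feb 28 22:58:48 dnsmasq[1234]: query[TXT] test.openresolver.com from 198.51.100.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)

# Networks allowed to use the resolver (constructed: a typical home LAN plus
# the host itself).  Anything else counts as an external client.
LAN_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_internal(src: str) -> bool:
    """True if the query source lies inside one of LAN_NETWORKS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not an address at all; treat as suspicious
    return any(addr in net for net in LAN_NETWORKS)


def external_queries(lines):
    """Return (source, qtype, name) for every query line not from the LAN.

    Non-query lines (forwarded / reply / cached) are skipped.
    """
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        if not is_internal(m["src"]):
            hits.append((m["src"], m["qtype"], m["name"]))
    return hits


def summarize(lines):
    """Count external queries per source address, most active first."""
    counts = {}
    for src, _, _ in external_queries(lines):
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample of pihole.log content: two LAN clients, one outside
# tester and one outside address sending repeated ANY queries.
SAMPLE_LOG = """\
Feb 28 22:58:40 dnsmasq[1234]: query[A] pi.hole from 192.168.1.10
Feb 28 22:58:40 dnsmasq[1234]: reply pi.hole is 192.168.1.2
Feb 28 22:58:48 dnsmasq[1234]: query[TXT] test.openresolver.com from 198.51.100.23
Feb 28 22:58:48 dnsmasq[1234]: forwarded test.openresolver.com to 1.1.1.1
Feb 28 22:58:49 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Feb 28 22:58:50 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.7
Feb 28 22:58:51 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.7
"""

if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG.splitlines()):
        print(f"{src:<16} {n} external quer{'y' if n == 1 else 'ies'}")
```

Run it against a real file with `summarize(open("/var/log/pihole.log").read().splitlines())`; on a correctly firewalled Pi-hole the result is an empty list.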

It's still open:

pi@noads:~ $ date
Fri  1 Mar 18:55:31 CET 2019

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short version.bind TXT @64.52.86.238 CHAOS
"dnsmasq-pi-hole-2.80"

pi@noads:~ $ dig +short pi.hole @64.52.86.238
64.52.86.238

They will find you soon or they might have already!

It's this easy to find open resolvers on your network segment to be used for your DDoS attack:

pi@noads:~ $ sudo nmap -sU -p53 64.52.86.0/24 | grep 'udp open' | wc -l
26

Use the one below to check listeners/daemons:

sudo netstat -nltup

And decide which ones should be opened up in the firewall and to whom.

You've got all the tools to test.
UFW also configures iptables I believe so you can verify:

sudo iptables -L -n

EDIT: I don't have/use UFW so I wouldn't know how to configure it properly.
But I believe UFW is popular as a firewall.

Oh, and most firewalls allow logging to be enabled.
So you can see if any of the Cloudflare traffic gets dropped.

108.162.192.0/1 includes the range 0.0.0.0 - 127.255.255.255 which opens your resolver to just about half the global internet.

And 197.234.204.0/2 is 192.0.0.0 - 255.255.255.255 which effectively gets you the other half. Your firewall is way, way too permissive, to the point that it's entirely ineffective.

1 Like
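The prefix-length mistake pointed out above is easy to catch mechanically: a correctly written Cloudflare range has no host bits set, so `108.162.192.0/1` fails strict CIDR parsing while `108.162.192.0/18` passes. The following is an added example (not from the thread or from any firewall tool) that audits a list of allow-rule CIDRs against the published Cloudflare IPv4 list quoted earlier in the thread and reports how much of the IPv4 space a rule set really admits. The two rule sets at the bottom are constructed to mirror the mistake discussed.

```python
"""Added example: audit firewall allow-rule CIDRs for prefix-length typos.

The published list below is the https://www.cloudflare.com/ips-v4 content as
quoted in the thread; BROKEN_RULES and FIXED_RULES are constructed for the
example and are not anyone's actual firewall configuration.
"""
import ipaddress

CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22
""".split()]


def audit_rule(rule: str, published=CLOUDFLARE_V4):
    """Classify one allow-rule CIDR: (status, effective_network, detail)."""
    try:
        net = ipaddress.ip_network(rule)  # strict: host bits must be zero
    except ValueError:
        # Host bits set: the prefix length does not fit the address, which is
        # the "/1 instead of /18" slip.  Show what the rule really allows.
        eff = ipaddress.ip_network(rule, strict=False)
        return ("HOST_BITS_SET", eff,
                f"{rule} really means {eff} ({eff.network_address}-"
                f"{eff.broadcast_address}, {eff.num_addresses} addresses)")
    if net in published:
        return ("OK", net, f"{rule} matches a published range")
    # Valid CIDR but not a published one: a wider aggregate or a digit typo.
    covering = [p for p in published if p.subnet_of(net)]
    if covering:
        return ("TOO_BROAD", net,
                f"{rule} is wider than the published "
                + ", ".join(str(p) for p in covering))
    return ("UNKNOWN", net, f"{rule} is not a published range")


def coverage_fraction(rules):
    """Fraction of IPv4 space the rule set admits, host-bit typos included."""
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total / 2 ** 32


# Constructed rule sets: the first repeats the two typos from the thread.
BROKEN_RULES = ["108.162.192.0/1", "197.234.204.0/2", "173.245.48.0/20", "104.16.0.0/12"]
FIXED_RULES = ["108.162.192.0/18", "197.234.240.0/22", "173.245.48.0/20", "104.16.0.0/12"]

if __name__ == "__main__":
    for r in BROKEN_RULES:
        status, _, detail = audit_rule(r)
        print(f"{status:<14} {detail}")
    print(f"broken set covers {coverage_fraction(BROKEN_RULES):.1%} of IPv4")
    print(f"fixed set covers  {coverage_fraction(FIXED_RULES):.4%} of IPv4")
```

The broken set admits just over 75% of all IPv4 addresses (the /1 and /2 alone cover three quarters of the space), while the fixed set admits roughly 0.02%. Feeding the output of `sudo iptables -S` through `audit_rule` before applying a rule set is a cheap way to catch this class of mistake.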

Your allow rules are so wide open that they don't really block anyone. Your firewall has massive holes punched in it. Where are you getting the CIDR ranges for your IPv4 allow rules?

1 Like

Webservers use port 80 & 443. DNS uses port 53, do not open port 53.

I'll be blunt, unless you know exactly what you are trying to accomplish and know security and ports extensively you should not be running an open resolver. You will be abused and you will cause damage and harm to others. Do not do this. We will not provide you with any assistance to accomplish this goal.

Close 4711, you're allowing the pihole-FTL API to expose your entire setup. https://docs.pi-hole.net/ftldns/telnet-api/

Yep, now you just have to secure the open SMTP server and you are mostly configured.

Yeah, Dan already picked out a few mistakes ... it should be as below:

108.162.192.0/18

I would recheck the rules!

And since 53 is denied, you no longer are using the Pi-hole. Is there anything else Pi-hole related that we can help you with?

1 Like

It's still open:

pi@noads:~ $ date && dig +short test.openresolver.com TXT @64.52.86.238
Sat  2 Mar 18:42:53 CET 2019
"open-resolver-detected"

All the code is here for you to alter and pull:

$ crontab -e

0 19 * * * echo -e $(date) $(dig +short test.openresolver.com TXT @64.52.86.238) | mail -s 'Re: [Pi-hole Userspace] [Help] Nginx error404 from pihole' -r XXXXX@dehakkelaar.nl replies@support.pi-hole.net

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.