Pi-hole on root server - Open recursive resolver

Hi,

I installed pi-hole on my root server, even though nobody told me it's not a good idea (pi-hole-on-a-dedicated-server-with-running-web-server). I'm not quite sure if indeed it is.

Since last night I have the same problem as described here
I'm blocking those requests, but they are still coming in.

http://openresolver.com/ tells me I'm having a problem:

Open recursive resolver detected on 217.217.217.217
IP address 217.217.217.217 is vulnerable to DNS Amplification attacks.

Is there another way to fix it than bringing it down?

Best regards

The best way is to lock things down with a VPN. Open resolvers are a bad idea and can lead to issues like the one that you are seeing.

https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-server

There is no need to bring it down; close port 53 on your server to the outside world and use a VPN to connect your computers to your root servers, as @DanSchaper suggested.

Okay, thanks for the reply.
Maybe I'm wrong, but I think VPN is not an option because it's still a public server running my domain, right?
So I guess the best solution is just to buy another pi or put it on my synology.

Best regards

The VPN secures communications from the clients to the servers. So you would have to have VPN software installed on all the clients, and that creates a virtual private network between the clients and the server. The Pi-hole would be only connected to the VPN endpoint and not open to everyone as it is now. If you can install it locally, though, that would be the easiest solution.