Running a pihole on a VPS, then using ufw to allow only from 1 IP

So I am planning on adding a second DNS server for my pihole, which is running a DHCP server.
If I was to add a VPS's IP address which has a second instance of pihole, then use ufw to allow only my home IP address to connect to the server over port 53, would that be advisable?

Although my home IP address can change, I could use a script such as this one found here.
Alternatively, I could have my home Pi-hole connect via something like WireGuard, however I am unsure how to configure that without routing all of my traffic through it.

Overall, is it safe and effective to host a second Pi-hole elsewhere, then allow access via port 53 only to my home IP?


The main threat to a publicly exposed VPS is from automated scripts looking for open ports, then hitting the services on them with traffic and exploits to see what is available and what can be broken into. You want to ensure that only you and your authorised devices can access your VPS Pi-hole.

If you use a firewall then you can run the services (such as DNS and SSH) on the public facing interface and use the firewall to restrict access to your home IP.

If you use a VPN you can have only that exposed to the public interface and keep all the other services internal to the server. Then you can send selected traffic through the VPN securely from your home IP or from anywhere and access the services.

Pi-hole has a guide for WireGuard, and the default mode in this setup is for just the DNS traffic to go over WireGuard. So you could use that as a starting point for having only your DNS traffic hit your Pi-hole VPS, and see how it goes from there.

For your scenario I think your idea is good. You could start by getting Pi-hole working on your VPS and ensuring that only your IP can access it, using the firewall and dynamic DNS. If you have a Synology NAS on your network, that can also act as a useful dynamic DNS client to get a hostname that resolves to your current public IP (see Control Panel > External Access > DDNS).

The key thing is to make sure your Pi-hole DNS service doesn't become available for third-parties to use, because it will be found and abused very quickly.

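The firewall-plus-dynamic-DNS approach described in the reply above, as an added example that is not part of the original thread or of the Pi-hole project: a small POSIX shell script, meant to run from cron or a systemd timer on the VPS, that resolves the home DDNS name, validates the answer as an IPv4 address, and reconciles ufw so only the current home address may reach DNS (53/udp, 53/tcp) and SSH (22/tcp). The DDNS hostname `home.example.net`, the state-file path under `/var/lib`, and a ufw default policy of "deny incoming" are assumptions for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): keep the ufw allow-list on a VPS
# Pi-hole in sync with a dynamic-DNS name for the home connection.
# Assumptions not taken from the thread: the DDNS name home.example.net, ufw
# with a default "deny incoming" policy, and a state file under /var/lib.
# Run from cron or a systemd timer as:  pihole-allow.sh --sync

DDNS_NAME="${DDNS_NAME:-home.example.net}"            # assumed DDNS hostname
STATE_FILE="${STATE_FILE:-/var/lib/pihole-allow/current_ip}"
PORTS="53/udp 53/tcp 22/tcp"                          # DNS and SSH only

# Run a ufw command, or just print it when DRY_RUN=1.
apply() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Accept only a dotted quad with octets 0-255; anything else (an empty DDNS
# answer, a CNAME, a shell metacharacter) must never reach a ufw rule.
is_ipv4() {
  ip="$1"
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# First IPv4 address the DDNS name currently resolves to (needs network).
resolve_home_ip() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Allow / revoke one source address for every port in $PORTS.
allow_ip() {
  for p in $PORTS; do
    apply ufw allow proto "${p#*/}" from "$1" to any port "${p%/*}"
  done
}
deny_ip() {
  for p in $PORTS; do
    apply ufw delete allow proto "${p#*/}" from "$1" to any port "${p%/*}"
  done
}

# Reconcile the firewall with $1: add the new address before removing the
# old one so DNS never drops out, and refuse anything that is not an IPv4.
sync_allowlist() {
  new_ip="$1"
  if ! is_ipv4 "$new_ip"; then
    echo "refusing to add non-IPv4 value '$new_ip'" >&2
    return 1
  fi
  old_ip=""
  if [ -r "$STATE_FILE" ]; then
    old_ip="$(cat "$STATE_FILE")"
  fi
  if [ "$new_ip" = "$old_ip" ]; then
    return 0                                          # unchanged, nothing to do
  fi
  allow_ip "$new_ip"
  if [ -n "$old_ip" ]; then
    deny_ip "$old_ip"
  fi
  mkdir -p "$(dirname "$STATE_FILE")"
  printf '%s\n' "$new_ip" > "$STATE_FILE"
}

# Only resolve and apply when invoked with --sync, so the functions above can
# be sourced and exercised without touching ufw.
if [ "${1:-}" = "--sync" ]; then
  sync_allowlist "$(resolve_home_ip "$DDNS_NAME")"
fi
```

Two things to keep in mind with this pattern: the script locks out SSH as well as DNS when the home address changes and the DDNS record has not caught up yet, so keep the provider's console or another out-of-band path available; and whoever controls the DDNS record controls the allow-list, so the validation above only guards against garbage answers, not against a hijacked DDNS account.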

You'd still expose port 53, and IP addresses can be spoofed.

The main concern here is that you expose Pi-hole to be misused as an open resolver, posing a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

Note that the Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

As chrislph has pointed out, the recommended way to access a cloud-based Pi-hole would be via authenticated, secure VPN connections exclusively.

An alternative approach would be to host a public Pi-hole behind a DNS-over-TLS (DoT) proxy on port 853, as DoT would effectively eliminate the risk of amplification misusage.
The same would be true for a DNS-over-HTTPS (DoH) proxy.

Some cloud providers may offer the necessary software and instructions on how to do this, and we also received reports from users successfully adding Pi-hole to such a solution, e.g. Specifying UDP Bind Address - #22 by matan129.
