I have Pi-hole set up on an RPi3. I have some old routers in different places; they don't support OpenVPN and all of them have dynamic IP addresses. What about opening port 53 if I follow this guide to secure my Pi: https://strongarm.io/blog/secure-open-dns-resolver/
Why do you need to forward the Pi-hole? Are the routers in different locations? If so, it would be best security-wise not to risk the open resolver and just add a Pi Zero at every location running Pi-hole, or even have the routers connect to a VPN which uses Pi-hole.
Yes, there are more than 15 routers in different locations; most of them are very basic, so I can change only the DNS settings. Do you think those iptables rules are effective against amplification attacks?
Most of them don't have L2TP/IPsec VPNs (provided by the ISP).
Edit:
What do you think about this? GitHub - smurfmonitor/dns-iptables-rules: DNS Amplification IPTABLES block lists
We obviously don't condone open resolvers as the risk is pretty great for amplification attacks. We don't get in to the details of how to set that kind of scenario up, so you won't get a confirmation of the effectiveness of an iptables list. It's just not something that we are able to comment on if you can not secure the transit via other methods.
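The question above asks whether per-source iptables rate limiting is an effective defence for an open resolver. The following is an added illustration, not code from the thread or from the Pi-hole project: it replays constructed dnsmasq-style query log lines through a token-bucket limiter of the kind those rules implement (the `rate`/`burst` parameters and the log format are assumptions) and reports which sources would have been throttled and which show the ANY-query pattern typical of amplification traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed log lines (not from the thread). Format is a simplified
# dnsmasq query line prefixed with a timestamp in seconds:
#   <ts> query[<type>] <name> from <source-ip>
# 203.0.113.5 fires 20 ANY queries in the same second (amplification-style);
# 198.51.100.7 sends three ordinary A queries two seconds apart.
SAMPLE_LOG = "\n".join(
    ["0.0 query[ANY] example.net from 203.0.113.5"] * 20
    + [
        "0.0 query[A] pi-hole.net from 198.51.100.7",
        "2.0 query[A] github.com from 198.51.100.7",
        "4.0 query[A] armbian.com from 198.51.100.7",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<src>\S+)$"
)


@dataclass
class TokenBucket:
    """Per-source limiter: `burst` tokens, refilled at `rate` tokens/second.
    This mirrors the semantics of an iptables hashlimit-style rule."""

    rate: float
    burst: float
    tokens: Optional[float] = None
    last: float = 0.0

    def allow(self, now: float) -> bool:
        if self.tokens is None:          # first packet from this source
            self.tokens, self.last = self.burst, now
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def analyse(log_text: str, rate: float = 1.0, burst: int = 5,
            any_threshold: int = 10) -> dict:
    """Replay the log through one bucket per source IP.

    Returns total allowed/dropped counts and a dict of flagged sources with
    the reason: either they exceeded the rate limit or they sent at least
    `any_threshold` ANY queries (the query type that yields the largest
    responses and is therefore favoured for reflection).
    """
    buckets: dict = defaultdict(lambda: TokenBucket(rate, burst))
    per_src = defaultdict(lambda: {"queries": 0, "any": 0, "dropped": 0})
    allowed = dropped = 0

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                        # ignore anything that is not a query line
            continue
        src, ts = m["src"], float(m["ts"])
        stats = per_src[src]
        stats["queries"] += 1
        if m["qtype"].upper() == "ANY":
            stats["any"] += 1
        if buckets[src].allow(ts):
            allowed += 1
        else:
            stats["dropped"] += 1
            dropped += 1

    flagged = {}
    for src, stats in per_src.items():
        reasons = []
        if stats["dropped"]:
            reasons.append(f"rate-limited {stats['dropped']}/{stats['queries']} queries")
        if stats["any"] >= any_threshold:
            reasons.append(f"{stats['any']} ANY queries")
        if reasons:
            flagged[src] = "; ".join(reasons)

    return {"allowed": allowed, "dropped": dropped, "flagged": flagged}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"allowed={result['allowed']} dropped={result['dropped']}")
    for src, reason in result["flagged"].items():
        print(f"  {src}: {reason}")
```

Note what the replay does and does not show: the limiter caps how much response traffic any single source address receives, which blunts the amplification ratio for one spoofed victim, but a reflection attack spoofs many victim addresses and each one gets its own fresh bucket. That is why the reply above treats rate limiting as damage limitation rather than a substitute for closing the resolver or putting it behind a VPN.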
I totally agree with you. I found this: http://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=197 7.99 USD sounds like a good deal!
The NanoPi line makes for excellent Pi-hole devices. I personally run the Neo series and have had no issues with the Armbian distribution on the Neo.
Is the 256 MB RAM version sufficient for a snappy web interface?
I don't know; the only Neo devices I run all have 512 MB RAM. The $2 USD difference just made sense to boost up, and with that the device runs without any issues and the response is quite fast.
Thanks! I will look into it.
Sure. The Duo looks like it would cost more with the needed peripherals for the device (shield, GPIO Ethernet and a few other pieces of kit to make it run).