I am running pihole on a server in the cloud, and I want to make sure I am securing the server so I am not a part of DNS amplification attacks.
I have a server that has both pihole and Wireguard (a VPN server) running. Pihole is configured with a blocklist and then sends requests to cloudflare DNS. Pihole does not have DHCP activated.
At home, my router points to pihole’s external IP address for DNS.
When I’m not home, I connect to the WireGuard VPN (port 51820), and WireGuard is configured to use pihole for DNS.
I knew when I started this configuration that a DNS server in the cloud needs to be secured. Otherwise, I would be part of DNS amplification attacks. I waited a few days to see what that would look like.
Starting a few days ago, I noticed tons of traffic from external clients. To stop this, I set port 53 to only allow connections from my home IP address.
This has worked for me at home, but of course I am no longer able to connect outside of my home.
My primary use case is connecting my phone when I’m on a cellular network. Is it possible at all to, for example, whitelist a range of IPs in my region?
Outside of that, are there any suggestions on how I could work around this problem?
Or, in general any security advice or best practices for securing pihole in the cloud?
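One way to get the setup described above working without exposing port 53 to the internet is to let the firewall accept DNS only from the home IP and from WireGuard peers arriving over the tunnel interface, while the WireGuard UDP port stays open to the world; the phone then resolves through the tunnel and never needs its cellular address whitelisted. The script below is an added example written for this post, not the poster's own configuration or part of Pi-hole or WireGuard. It generates an nftables ruleset as text so it can be reviewed before loading with `nft -f`; the home IP (203.0.113.10), tunnel subnet (10.66.66.0/24), interface name (wg0) and the table name `dnsguard` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an nftables ruleset
# that restricts inbound DNS (53/udp and 53/tcp) to two sources:
#   1. the home router's public IP
#   2. WireGuard peers, matched on the tunnel interface AND the tunnel subnet
# All other inbound DNS is dropped, so the resolver cannot be used as a
# reflector. The WireGuard port itself remains reachable from anywhere.
# The chain policy is "accept" so SSH and other services are unaffected;
# only DNS traffic is filtered here.

gen_dns_ruleset() {
  home_ip="$1"            # assumed placeholder, e.g. 203.0.113.10
  wg_subnet="$2"          # assumed WireGuard tunnel subnet, e.g. 10.66.66.0/24
  wg_if="${3:-wg0}"       # assumed tunnel interface name
  wg_port="${4:-51820}"   # WireGuard listen port named in the post

  cat <<EOF
table inet dnsguard {
  chain input {
    type filter hook input priority 0; policy accept;

    # WireGuard handshake and data must be reachable from any network
    udp dport $wg_port accept

    # DNS from the home router's public address
    ip saddr $home_ip udp dport 53 accept
    ip saddr $home_ip tcp dport 53 accept

    # DNS from VPN clients: both the interface and the tunnel subnet must match,
    # so a spoofed 10.x source on the public interface is still dropped below
    iifname "$wg_if" ip saddr $wg_subnet udp dport 53 accept
    iifname "$wg_if" ip saddr $wg_subnet tcp dport 53 accept

    # Any other inbound DNS is dropped: no answer, no amplification
    udp dport 53 drop
    tcp dport 53 drop
  }
}
EOF
}

# Returns 0 when a generated ruleset contains the unconditional DNS drop rules,
# i.e. when the resolver is closed to everyone not explicitly allowed above.
ruleset_closes_dns() {
  printf '%s\n' "$1" | grep -q '^ *udp dport 53 drop' &&
  printf '%s\n' "$1" | grep -q '^ *tcp dport 53 drop'
}

# Example usage (run as root on the server):
#   gen_dns_ruleset 203.0.113.10 10.66.66.0/24 wg0 51820 > /etc/nftables-dnsguard.conf
#   nft -f /etc/nftables-dnsguard.conf
if [ "${1:-}" = "--print" ]; then
  gen_dns_ruleset "${2:-203.0.113.10}" "${3:-10.66.66.0/24}" "${4:-wg0}" "${5:-51820}"
fi
```

The interface match matters: a rule that only checks the source subnet would accept packets with a forged 10.66.66.x source arriving on the public interface, whereas `iifname "wg0"` means the packet had to be decrypted by WireGuard first. To confirm the result from outside, a query against the server's public IP from a network that is not the home connection should time out rather than answer, while the same query through the tunnel succeeds. Pi-hole itself must still be set to answer on the tunnel interface (its "listen on all interfaces" option, or the wg0 interface, depending on version), since the firewall only controls who can reach it.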